How do I isolate one workstation on a LAN


The goal:

We have a Windows XP workstation that we want to isolate from our entire LAN and our Internet gateway (outbound), with the exception of one server (inbound). This server simply needs to map a drive letter to a file share on the XP client, copy a flat file export from the XP client once a day, and close the file share back up when done.


The Environment


The Server side of the equation:

Cisco Catalyst 6509 in hybrid mode

CatOS v6.3(7) and

IOS 12.1(13)E on the MSFC2 (sup1a)

VTP v2 Server

802.1q is enabled on all trunks to our 2950's in edge closets.


HP ProLiant G4 with HP NIC teaming driver. This server has a static IP of 10.10.5.35 and its ports are members of our "VLAN 10" (10.10.x.x/16)


The Client Side of the equation:

Catalyst 2950C-24

running IOS 12.1(9)EA1

VTP v2 Client

Connected to the Catalyst 6509 above with one 100FX trunk 802.1q enabled


Intel P4 clone running Windows XP Pro SP2

Generic 10/100 NIC driver with no 802.1q support. It's connected to a switchport with static access to our "VLAN 70" (10.70.x.x/16)


What would be the best way to design this to meet the goal at the top?

Jon Marshall Sun, 10/07/2007 - 01:32

Hi Paul


The simplest way to do this is just to create a new vlan purely for the XP client and then use L3 acls to lock down the traffic.


e.g. server address 192.168.5.1, client address 192.168.10.1

access-list 101 permit ip host 192.168.5.1 host 192.168.10.1
access-list 101 deny ip any any

access-list 102 permit ip host 192.168.10.1 host 192.168.5.1
access-list 102 deny ip any any

int vlan 80 (new vlan for XP client)
ip access-group 101 out
ip access-group 102 in


HTH


Jon

Thanks for the reply Jon.


Unfortunately, I now seem to have a basic lack of understanding on how to route between those 2 vlans.


Keeping with my example, forgetting about ACL's for the moment since I can't seem to even establish basic IP connectivity between my 2 hosts, this is my setup so far.


2003 Server host

10.10.5.35 - host IP address

255.255.0.0 - subnet mask

10.10.4.1 - default gateway

Catalyst port(s) are members of VLAN 10 (10.10.0.0/16)


Server network ip routing environment:


Catalyst 6509 - CatOS side

core-switch> (enable) show ip route
Fragmentation   Redirect   Unreachable
-------------   --------   -----------
enabled         enabled    enabled

The primary gateway: 10.30.1.1
Destination      Gateway          RouteMask    Flags  Use       Interface
---------------  ---------------  ----------   -----  --------  ---------
default          10.30.1.1        0x0          UG     122588    sc0
10.30.1.0        10.30.1.10       0xffffff00   U      160       sc0
default          default          0xff000000   UH     0         sl0


Catalyst 6509 - IOS side


core-router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C       10.10.0.0/16 is directly connected, Vlan10
S       10.15.0.0/16 [1/0] via 192.168.1.1
C       10.30.7.0/24 is directly connected, Vlan7
C       10.30.1.0/24 is directly connected, Vlan1
C       10.30.9.0/24 is directly connected, Vlan9
C       10.70.0.0/16 is directly connected, Vlan70
S    209.53.119.0/24 [1/0] via 192.168.1.1
C    192.168.1.0/24 is directly connected, Vlan99
S*   0.0.0.0/0 [1/0] via 192.168.1.1


XP client host

10.70.1.101 - host IP address

255.255.0.0 - subnet mask

10.70.1.1 - default gateway

Switchport access VLAN 70 (10.70.0.0/16)


Client network ip environment


Catalyst 2950C


The trunk interface to our Catalyst 6509 above:

interface FastEthernet0/25
 switchport trunk allowed vlan 1,10,70,1002-1005
 switchport mode trunk
 no ip address

The switchport the XP client is connected to:

interface FastEthernet0/1
 switchport access vlan 70
 switchport mode access
 no ip address
 spanning-tree portfast


From the XP client I can ping the default gateway for VLAN 70 @ 10.70.1.1 but I can NOT ping the server @ 10.10.5.35.


From the Server I can also ping the default gateway at 10.70.1.1 but not the host at 10.70.1.101.

I'm assuming this is a basic routing problem between VLAN 70 and VLAN 10 or vice versa.


From the "core router" on the 6509 (telnetted into 10.30.1.1) I can also ping 10.70.1.1 but neither of the hosts 10.10.5.35 nor 10.70.1.101.


What am I doing wrong? What am I missing here?

Jon Marshall Sun, 10/07/2007 - 12:46

Paul


Are you pinging from the MSFC to the client and the server ?


Can you check if you have any firewalls running on the client and the server that could be blocking incoming icmp requests.


Jon

What I did was ping from the MSFC router (in a telnet session from another workstation in VLAN 10) to both server and client which fails.


I just tried this from the switch console and I can ping the client and its net gateway but not the server?


I did disable the XP firewall on the client while testing both times. I also verified that ICS service and the Windows firewall were disabled on the 2003 server. There are no other 3rd party firewalls installed on either server or client.

Routing problem resolved. I had been messing about with the HP network config utility on the 2003 server and inadvertently ended up setting it up to use DHCP instead of its normal static IP address of 10.10.5.35.


I can now ping both server and client from either direction and from both the 6509 console or the msfc. :)

Jon Marshall Sun, 10/07/2007 - 23:13

No problem Paul.


Did you try to setup with new vlan after all this ?


Jon

I think I spoke too soon about this being resolved. It is true that I can ping in all directions from either the server, client, or MSFC now, HOWEVER, I cannot map a file share?


Keep in mind I'm using peer-to-peer networking principles as I've put this XP client workstation into a workgroup named "PTFC". "PTFC" is also the name of our AD domain that this 2003 server is a member of.


I've tried this from a command prompt on the 2003 server in VLAN 10 and got this error:


C:\>net use k: \\10.70.1.101\fileoutput pw6394!z /user:forteshare
System error 53 has occurred.

The network path was not found.


Then I tried it from the gui, i.e. right-clicked on the 'My Computer' icon selecting 'map network drive' and I get this error pop-up:


"The network path \\10.70.1.101\fileoutput cannot be found."


My thinking is that this might be Microsoft NBT name resolution issue with either WINS, NetBIOS, or DNS. If so, do I need to enable an 'IP Helper' on each switch and/or setup browsers, WINS, or DNS servers in VLAN 70?

If I disable the Windows XP firewall, drive mapping from the 2003 server to this workstation works just fine. I do have 'File and Printer Sharing' in the XP firewall exception list but apparently that doesn't open up all the right ports.


(I'm just putting all this down in case it helps someone else even more challenged than I - lol)

onurcoskun Mon, 10/08/2007 - 00:53

Hi Paul, my solution is as follows;


Within your already configured VLAN you can apply a VACL without having to introduce another subnet or VLAN for a host device only.


VLAN 10 IP: 192.168.1.0 255.255.255.0
Host IP: 192.168.1.10 255.255.255.0
Server IP: 192.168.1.15 255.255.255.0

First define the IP traffic you want to have control over on the switch:

Switch(config)#ip access-list extended acl1
Switch(config-ext-nacl)#permit ip host 192.168.1.10 host 192.168.1.15
Switch(config-ext-nacl)#exit

Switch(config)#ip access-list extended acl2
Switch(config-ext-nacl)#permit ip host 192.168.1.10 192.168.1.0 0.0.0.255
Switch(config-ext-nacl)#exit

Then define the VLAN on which you need to filter traffic:

Switch(config)#vlan access-map vacl1 10
Switch(config-access-map)#match ip address acl1
Switch(config-access-map)#action forward
Switch(config-access-map)#exit

Switch(config)#vlan access-map vacl1 20
Switch(config-access-map)#match ip address acl2
Switch(config-access-map)#action drop
Switch(config-access-map)#exit

To allow any different traffic:

Switch(config)#vlan access-map vacl1 30
Switch(config-access-map)#action forward
Switch(config-access-map)#exit

Switch(config)#vlan filter vacl1 vlan-list 10



Kind regards.




jacobss914 Mon, 10/08/2007 - 02:34

What does this workstation do?


Since you are initiating a file share on a Windows server and that is all you want, why not limit it to a set of ports, or better yet create an SFTP, FTP, or even WebDAV site and lock your ACLs down a bit more. By saying allow all IP between client and server, you are allowing ALL IP traffic, and that includes TCP and UDP. While it might meet your requirement of file sharing, it also allows access to all open ports on that server.


So a typical 2003 install with HP would look something like this.


TCP 80 - IIS installed because of the HP management suite

135 MS RPC

139 Netbios

445 SMB

1045 fpitp

1067 Installation Bootstrap Service Installation Bootstrap protocol server

2301 Insight Web agents

2381 HP Management HTTPS

3389 Terminal Server Port


Some of these ports have widely known exploits that could be leveraged against the server. BTW, if you gain access to the server, it really does not matter what restrictions I have on the PC; the server will be the step-off point to the rest of your network.


So I would do these two things.


VLAN the XP box out into a restricted IP range, keep it as tight as you can with only a small number of extra IP addresses, and not your current /24 subnet.


An in and out access list, but limit the ACL only to the port assignments you need to do the function. Yes, it is a little harder to do, but in the long run you will get more sleep.


Depending on who initiates the file transfers - I would recommend the server. You can really tighten down the ACL on the PC side and the server side could end up with a two line ACL. First line permit second line deny IP any any.
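To make the difference between the two ACL designs in this thread concrete (the permit-all-IP pair in Jon's first reply and the port-restricted version recommended in the post above), here is an added example that is not code from the original posts: a small Python model of IOS extended ACL evaluation (first match wins, implicit deny) applied the way the VLAN 80 SVI would apply it, with "in" seeing what the client sends and "out" seeing what is routed toward the client. The server (10.10.5.35) and client (10.70.1.101) addresses are from the thread; the client's move to VLAN 80, the second LAN host 10.10.5.36, the web host 198.51.100.10 and the ephemeral ports are assumptions, and the parser only covers the subset of ACE syntax used here (`host`/`any`/contiguous wildcard, `eq`, `established`).

```python
"""Added example: evaluate Cisco-style extended ACLs against sample flows.

Not code from the original thread. Addresses come from the discussion
(server 10.10.5.35 in VLAN 10, XP client 10.70.1.101); the client's new
VLAN 80, the extra hosts and the ephemeral ports are assumptions.
"""
import ipaddress
from dataclasses import dataclass

SERVER = "10.10.5.35"    # Windows 2003 server in VLAN 10 (from the thread)
CLIENT = "10.70.1.101"   # XP client; assumed re-addressed into its own VLAN 80

# Design 1 (Jon's reply): all IP between the two hosts, nothing else.
# "in" is applied to packets the client sends into the VLAN 80 SVI,
# "out" to packets the router forwards toward the client.
ANY_IP_IN = [f"permit ip host {CLIENT} host {SERVER}", "deny ip any any"]
ANY_IP_OUT = [f"permit ip host {SERVER} host {CLIENT}", "deny ip any any"]

# Design 2 (port-restricted): the server initiates SMB over TCP 445 only;
# the client may only answer on an already established TCP connection.
SMB_IN = [f"permit tcp host {CLIENT} eq 445 host {SERVER} established",
          "deny ip any any"]
SMB_OUT = [f"permit tcp host {SERVER} host {CLIENT} eq 445",
           "deny ip any any"]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False   # TCP ACK or RST set, i.e. not the opening SYN


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, next)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard bits are the inverse of a netmask (contiguous masks only here).
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    net = ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)
    return net, i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq N' qualifier; return (port or None, next)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one access-list entry in the subset of IOS syntax used above."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in t[i:]}


def ace_matches(ace, f):
    return (ace["proto"] in ("ip", f.proto)
            and ipaddress.ip_address(f.src) in ace["src"]
            and ipaddress.ip_address(f.dst) in ace["dst"]
            and ace["sport"] in (None, f.sport)
            and ace["dport"] in (None, f.dport)
            and (not ace["established"] or f.established))


def evaluate(acl, flow):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, flow):
            return ace["action"]
    return "deny"


def svi_verdict(acl_in, acl_out, flow):
    """Pick the direction as the VLAN 80 SVI would: client-sourced packets hit
    the inbound ACL, packets routed toward the client hit the outbound ACL."""
    return evaluate(acl_in if flow.src == CLIENT else acl_out, flow)


# Constructed sample flows (ephemeral ports, web host and second LAN host are made up).
FLOWS = {
    "smb_request": Flow("tcp", SERVER, CLIENT, sport=50123, dport=445),
    "smb_reply": Flow("tcp", CLIENT, SERVER, sport=445, dport=50123, established=True),
    "client_to_web": Flow("tcp", CLIENT, "198.51.100.10", sport=1040, dport=80),
    "client_to_lan": Flow("tcp", CLIENT, "10.10.5.36", sport=1041, dport=445),
    "rdp_to_server": Flow("tcp", CLIENT, SERVER, sport=1042, dport=3389),
    "rdp_to_client": Flow("tcp", SERVER, CLIENT, sport=50124, dport=3389),
}


def compare_designs():
    """Return {flow name: (any-IP verdict, SMB-only verdict)} for every sample flow."""
    return {name: (svi_verdict(ANY_IP_IN, ANY_IP_OUT, f),
                   svi_verdict(SMB_IN, SMB_OUT, f))
            for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, (any_ip, smb_only) in compare_designs().items():
        print(f"{name:15} any-ip={any_ip:6} smb-only={smb_only}")
```

Both designs keep the client off the Internet and away from the rest of the LAN; the difference shows up in the `rdp_to_server` and `rdp_to_client` rows, where the permit-all-IP pair lets either host open any port on the other, while the port-restricted pair only passes the server-initiated SMB session and its replies. The `established` keyword is what lets the inbound ACL stay at one permit line without the client being able to open connections of its own.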

Jon Marshall Mon, 10/08/2007 - 03:27

Hi


Yes, you are right in that the ACL should be tied down, but then once you open up the file sharing ports it's debatable as to how secure you can really make it with an ACL. That's why it's best to put the XP machine on its own subnet.


Ideally, both the client and the server should only be running services that are actually needed.


Jon

This workstation collects data from serial devices that monitor our production line.

It monitors quality control and keeps inventory of units produced. All of this data gets exported into a flat text file that we want to copy once a day to a common file share point which is mapped for our office users to a drive letter with a login script.


Your point about tightening up the ACL to needed ports is well taken.
