As part of a guest access project I have rolled out a Clean Access Server. So when a consultant comes in and needs Internet access she can get it by first logging on to the NAC appliance and is then forced into the guest VLAN.
So now I need to create an Access List that will:
- Allow the machine to get DHCP information
- Allow DNS lookups against internal DNS Server
- Allow access to http and https pages OUTSIDE the company
- Deny everything else
Pretty simple right? So I created an access list called guest_access_OUT:
10 permit udp any eq domain any (68 matches)
20 permit udp any any eq bootpc (1 match)
30 permit udp any any eq bootps (7 matches)
40 deny ip any 10.0.0.0 0.255.255.255 log (785 matches)
50 deny ip any 192.168.0.0 0.0.255.255
60 deny ip any 172.31.0.0 0.0.255.255
70 deny ip any 172.16.0.0 0.0.255.255
80 permit tcp any any eq www
90 permit tcp any any eq 443
100 deny ip any any log
This is being applied to outbound traffic on the VLAN interface on the 4507 core switch. Users in this VLAN are on the 10.1.38.x network. So far I can get DNS and DHCP to work but I can't seem to get the http/https internal/external piece to work. I am seeing this in the core switch:
list guest_access_OUT denied tcp 126.96.36.199(80) -> 10.1.38.100(1174), 4 packets
So the first packet is making it out but return traffic is being blocked. I put an allow all type inbound access list on the VLAN interface but it did not help. I also tried adding the tcp established but that allowed access to the internal websites as well.
I know I am doing something very silly wrong, but I have been looking at this too long and need a third eye for help.
That did it Jon! I thank you, and the case of whisky is on the way!
Glad to have helped
Thank you very much for taking time to explain this. This is big.
OK so I have done as you said and changed the direction of the ACL on the core switch:
ip access-group guest_access_OUT in
And here is the complete ACL now:
Extended IP access list guest_access_OUT
10 permit udp any any eq domain log (3 matches)
20 permit udp any any eq bootpc log
30 permit udp any any eq bootps log (3 matches)
40 deny ip any 10.0.0.0 0.255.255.255 log (40 matches)
50 deny ip any 192.168.0.0 0.0.255.255 log
60 deny ip any 172.31.0.0 0.0.255.255 log
70 deny ip any 172.16.0.0 0.0.255.255 log (90 matches)
80 permit tcp any eq www any log
90 permit tcp any any eq 443 log
100 deny ip any any log (40 matches)
And again I want guests to get to exterior websites only. They should not be able to get to my internal network, which is the idea behind 50, 60 and 70, yet I still see this on the core switch when trying to get to google from the guest VLAN:
list guest_access_OUT denied tcp 10.1.38.100(2363) -> 188.8.131.52(80), 1 packet
I am trying to keep this as simple as possible until I understand how this really works.
You need to change line 80 back to what it was originally, i.e.
80 permit tcp any any eq www
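As an added illustration (not code from the thread or from Cisco IOS), the following Python models first-match evaluation of the inbound guest ACL and runs the flow logged above through both versions of line 80, so the effect of matching the source port instead of the destination port can be checked offline. The internal addresses 10.20.30.x and 172.20.1.1 in the sample packets are constructed.

```python
import ipaddress

# Illustrative first-match evaluator for Cisco-style extended ACL entries (not IOS code).
# It models only what the thread's ACL uses: 'any' or 'network wildcard' addresses and
# an optional 'eq <port>'. Entry = (action, proto, src, sport, dst, dport); None = no port test.
def wildcard_match(addr, spec):
    """Cisco wildcard mask: a 1 bit in the mask means 'do not care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(net)) & care

def evaluate(acl, pkt):
    """pkt = (proto, src, sport, dst, dport). First matching entry wins; implicit deny at the end."""
    proto, src, sport, dst, dport = pkt
    for action, aproto, asrc, asport, adst, adport in acl:
        if aproto in ("ip", proto) and wildcard_match(src, asrc) and wildcard_match(dst, adst) \
                and asport in (None, sport) and adport in (None, dport):
            return action
    return "deny"

def guest_acl(line80_matches_source_port):
    """The inbound guest ACL from the thread. True reproduces '80 permit tcp any eq www any'
    (source port 80, i.e. only web *replies*); False is the corrected 'permit tcp any any eq www'."""
    line80 = (("permit", "tcp", "any", 80, "any", None) if line80_matches_source_port
              else ("permit", "tcp", "any", None, "any", 80))
    return [
        ("permit", "udp", "any", None, "any", 53),                      # 10 domain
        ("permit", "udp", "any", None, "any", 68),                      # 20 bootpc
        ("permit", "udp", "any", None, "any", 67),                      # 30 bootps
        ("deny", "ip", "any", None, "10.0.0.0 0.255.255.255", None),    # 40
        ("deny", "ip", "any", None, "192.168.0.0 0.0.255.255", None),   # 50
        ("deny", "ip", "any", None, "172.31.0.0 0.0.255.255", None),    # 60: a single /16
        ("deny", "ip", "any", None, "172.16.0.0 0.0.255.255", None),    # 70: a single /16
        line80,                                                         # 80
        ("permit", "tcp", "any", None, "any", 443),                     # 90
        ("deny", "ip", "any", None, "any", None),                       # 100
    ]

# Packets as the guest host sends them (the ACL is applied 'in' on the VLAN interface).
GOOGLE_WEB = ("tcp", "10.1.38.100", 2363, "188.8.131.52", 80)       # the flow logged in the thread
INTERNAL_WEB = ("tcp", "10.1.38.100", 1200, "10.20.30.40", 80)      # constructed internal address
INTERNAL_DNS = ("udp", "10.1.38.100", 50000, "10.20.30.53", 53)     # constructed internal address
UNLISTED_172 = ("tcp", "10.1.38.100", 1300, "172.20.1.1", 80)       # constructed: inside 172.16/12 but not lines 60/70

if __name__ == "__main__":
    for name, pkt in [("google", GOOGLE_WEB), ("internal web", INTERNAL_WEB),
                      ("internal dns", INTERNAL_DNS), ("172.20 host", UNLISTED_172)]:
        print(f"{name:13} as posted: {evaluate(guest_acl(True), pkt):7} corrected: {evaluate(guest_acl(False), pkt)}")
```

Note that lines 60 and 70 as posted cover only 172.31.0.0/16 and 172.16.0.0/16, so a host in another 172.16.0.0/12 subnet (the constructed 172.20.1.1 case) still reaches line 80 and is permitted.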