VLAN Access List

Answered Question
Dec 8th, 2009

Hello,


As part of a guest access project I have rolled out a Clean Access Server. So when a consultant comes in and needs Internet access she can get it by first logging on to the NAC appliance and then is forced into the guest VLAN.


So now I need to create an access list that will:


  • Allow the machine to get DHCP information
  • Allow DNS lookups against internal DNS Server
  • Allow access to http and https pages OUTSIDE the company
  • Deny everything else


Pretty simple right? So I created an access list called guest_access_OUT:


    10 permit udp any eq domain any (68 matches)
    20 permit udp any any eq bootpc (1 match)
    30 permit udp any any eq bootps (7 matches)
    40 deny ip any 10.0.0.0 0.255.255.255 log (785 matches)
    50 deny ip any 192.168.0.0 0.0.255.255
    60 deny ip any 172.31.0.0 0.0.255.255
    70 deny ip any 172.16.0.0 0.0.255.255
    80 permit tcp any any eq www
    90 permit tcp any any eq 443
    100 deny ip any any log


This is being applied to outbound traffic on the VLAN interface on the 4507 core switch. Users in this VLAN are on the 10.1.38.x network. So far I can get DNS and DHCP to work but I can't seem to get the http/https internal/external piece to work. I am seeing this in the core switch:


list guest_access_OUT denied tcp 64.233.169.99(80) -> 10.1.38.100(1174), 4 packets


So the first packet is making it out but return traffic is being blocked. I put an allow all type inbound access list on the VLAN interface but did not help. I also tried adding the tcp established but that allowed access to the internal websites as well.


I know I am doing something very silly wrong, but I have been looking at this too long and need a third eye for help.


Thanks,


Pedro

pener1963 Tue, 12/08/2009 - 05:55

OK the plot thickens a little. I am getting this on the edge firewall at the same time I am trying to access Google from the guest VLAN:


No matching connection for ICMP error message: icmp src inside:10.1.1.1 dst outside 74.125.93.147 (type 3, code 13) on inside interface. Original IP payload: tcp src 74.125.93.147/80 dst 10.1.38.100/1179


Not too sure if this is part of the problem or not.

Jon Marshall Tue, 12/08/2009 - 06:44

Pedro


Outbound on a vlan means traffic going to clients on that vlan. So you have this message


list guest_access_OUT denied tcp 64.233.169.99(80) -> 10.1.38.100(1174), 4 packets


and your acl line for www is


 80 permit tcp any any eq www


but because you have applied it outbound on the vlan interface it's not matching that line ie. src port is 80 in the traffic but your acl line is matching traffic with a destination port of 80


so change the line to


80 permit tcp any eq www any


Jon

pener1963 Tue, 12/08/2009 - 07:01

Jon,


Thanks for the input, but that is still not working for me. The problem I think is in line 40


Extended IP access list guest_access_OUT
    10 permit udp any eq domain any (72 matches)
    20 permit udp any any eq bootpc (1 match)
    30 permit udp any any eq bootps (10 matches)
    40 deny ip any 10.0.0.0 0.255.255.255 log (1066 matches)
    50 deny ip any 192.168.0.0 0.0.255.255
    60 deny ip any 172.31.0.0 0.0.255.255
    70 deny ip any 172.16.0.0 0.0.255.255
    80 permit tcp any eq www any log
    90 permit tcp any any eq 443
    100 deny ip any any log


That is incrementing as I try to hit exterior web sites. I know I can get things to work if I put line 80 above line 40, but then my requirement of not allowing internal website access to guests is nixed.


But there has to be a way....right?

Jon Marshall Tue, 12/08/2009 - 07:20

Line 40 will block all ip traffic other than what is allowed in lines 10, 20, 30. Not exactly sure what you are trying to achieve with that line. Remember if this acl is applied outbound on the vlan for the guest users then it affects traffic going to the guest users not traffic coming from the guest users. Basically line 40 is a "deny ip any any".


I think the problem is that you have written this acl as though it would be applied inbound on the guest vlan interface but you have applied it outbound ie.


line 40 inbound would stop any of the guest users accessing any 10.0.0.0/24 machine on any port/protocol other than what you have allowed in the previous 3 lines. I'm guessing this is what you want.


So either


1) change the direction of the acl

2) rewrite the acl bearing in mind the direction of traffic


Either way you need to rethink your acl.


Jon

pener1963 Tue, 12/08/2009 - 07:34

Jon,


I am trying to apply this access list to outbound traffic. That is traffic leaving the VLAN. This is what I would call egress filtering. I want to limit what the guests can connect to. I really am not too worried about what can connect to the guests right now. So the acl looks like this on the core switch:



ip access-group guest_access_OUT out (from the VLAN interface)



But you are saying this ACL will only affect traffic entering the VLAN???



That makes no sense to me. This is my first shot at an ACL on a VLAN so please be patient.

Jon Marshall Tue, 12/08/2009 - 07:50

Pedro


Traffic leaving the vlan would be traffic coming from clients on that vlan going to some other destination. But if you apply an acl outbound to a vlan interface that affects traffic coming from some destination to clients on that vlan.


If you want to affect traffic leaving the vlan then you would apply the acl inbound and not outbound.


So if you want to control traffic from the guest vlan to other destinations you need to apply the acl inbound on the guest vlan interface.


Jon

Jon Marshall Tue, 12/08/2009 - 07:53

Pedro


Just to add to last post.


If it helps, think of it from the vlan interface's perspective.


So traffic coming into the interface has to be from clients on that vlan.

Traffic leaving that interface has to be traffic going to clients on that vlan.


As I say, you have written the acl correctly, you have just applied it in the wrong direction.


Jon

pener1963 Tue, 12/08/2009 - 08:23

Jon,


Thank you very much for taking time to explain this. This is big.


OK so I have done as you said and changed the direction of the ACL on the core switch:


ip access-group guest_access_OUT in


And here is the complete ACL now:


Extended IP access list guest_access_OUT
    10 permit udp any any eq domain log (3 matches)
    20 permit udp any any eq bootpc log
    30 permit udp any any eq bootps log (3 matches)
    40 deny ip any 10.0.0.0 0.255.255.255 log (40 matches)
    50 deny ip any 192.168.0.0 0.0.255.255 log
    60 deny ip any 172.31.0.0 0.0.255.255 log
    70 deny ip any 172.16.0.0 0.0.255.255 log (90 matches)
    80 permit tcp any eq www any log
    90 permit tcp any any eq 443 log
    100 deny ip any any log (40 matches)



And again I want guests to get to exterior websites only. They should not be able to get to my internal network, which is the idea behind 50, 60 and 70, yet I still see this on the core switch when trying to get to google from the guest VLAN:


list guest_access_OUT denied tcp 10.1.38.100(2363) -> 64.233.169.105(80), 1 packet


I am trying to keep this as simple as possible until I understand how this really works.

Correct Answer
Jon Marshall Tue, 12/08/2009 - 08:29


You need to change line 80 back to what it was originally ie.


80 permit tcp any any eq www


Jon
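
Editor's note, with an added example that is not code from the thread or from Cisco. The whole exchange turns on which packets an ACL on an SVI actually sees: `ip access-group ... in` on the VLAN interface filters packets arriving from hosts on that VLAN (the guest's SYN to port 80, its DNS query to port 53), while `... out` filters packets the switch forwards to those hosts (the server's SYN/ACK with source port 80, the DNS reply with source port 53). The list as first posted was written from the guest's point of view, so applied `out` every reply to 10.1.38.x hit `40 deny ip any 10.0.0.0 0.255.255.255` before anything else, which is exactly the logged `denied tcp 64.233.169.99(80) -> 10.1.38.100(1174)`. The ICMP type 3 code 13 (administratively prohibited) seen on the firewall is consistent with that drop: it is the unreachable IOS generates for an ACL deny, and its embedded header is the denied reply; `no ip unreachables` on the SVI suppresses it. The Python below replays those packets through a small first-match evaluator, step by step through the thread, and also covers two things the thread does not spell out: once the list is applied `in`, line 10 has to match DNS on the destination port (as the later posted version does), and lines 60/70 as posted cover only 172.31.0.0/16 and 172.16.0.0/16, not the whole 172.16.0.0/12 private range. The ACL grammar parsed, the constructed DNS/internal/172.20.0.5 packets, and the final list and its numbering are the editor's own assumptions.

```python
# Editor's added example (not code from the thread or from Cisco): a minimal
# first-match evaluator for IOS-style extended ACL lines, replaying the packets
# the switch logged against the guest list in both SVI directions. Assumed
# grammar: 'any' or 'addr wildcard', optional 'eq <port>', trailing 'log'
# ignored, no 'established'. DNS/internal/172.20.x packets are constructed.
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67}
Packet = namedtuple("Packet", "proto src sport dst dport")  # proto: "tcp" or "udp"

def _addr_matcher(tokens):
    """Consume 'any' or 'A.B.C.D wildcard'; return a matcher on dotted-quad strings."""
    tok = tokens.pop(0)
    if tok == "any":
        return lambda ip: True
    base = int(ipaddress.IPv4Address(tok))
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens.pop(0)))  # wildcard -> netmask
    return lambda ip: int(ipaddress.IPv4Address(ip)) & mask == base & mask

def _port_matcher(tokens):
    """Consume an optional 'eq <name|number>'; return a matcher on port numbers."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return lambda p: p == port
    return lambda p: True

def parse_ace(line):
    """Parse '<seq> permit|deny <proto> <src> [eq p] <dst> [eq p] [log]'."""
    tokens = line.split()
    seq, action, proto = int(tokens.pop(0)), tokens.pop(0), tokens.pop(0)
    src, sport = _addr_matcher(tokens), _port_matcher(tokens)
    dst, dport = _addr_matcher(tokens), _port_matcher(tokens)
    def match(pkt):
        return (proto in ("ip", pkt.proto) and src(pkt.src) and sport(pkt.sport)
                and dst(pkt.dst) and dport(pkt.dport))
    return seq, action, match

def parse_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()]

def evaluate(acl, pkt):
    """First matching entry wins; the implicit 'deny ip any any' ends every IOS ACL."""
    for seq, action, match in acl:
        if match(pkt):
            return action, seq
    return "deny", None

# The list exactly as first posted; it was applied 'out' on the guest SVI.
POSTED_ACL = parse_acl("""
10 permit udp any eq domain any
20 permit udp any any eq bootpc
30 permit udp any any eq bootps
40 deny ip any 10.0.0.0 0.255.255.255 log
50 deny ip any 192.168.0.0 0.0.255.255
60 deny ip any 172.31.0.0 0.0.255.255
70 deny ip any 172.16.0.0 0.0.255.255
80 permit tcp any any eq www
90 permit tcp any any eq 443
100 deny ip any any log
""")
SWAPPED_ACL = [parse_ace("80 permit tcp any eq www any log") if ace[0] == 80 else ace
               for ace in POSTED_ACL]  # the interim suggestion: line 80 swapped
# Editor's list for 'in': DNS on destination port, all of 172.16.0.0/12 in one line.
FINAL_ACL = parse_acl("""
10 permit udp any any eq domain
20 permit udp any any eq bootps
30 deny ip any 10.0.0.0 0.255.255.255 log
40 deny ip any 172.16.0.0 0.15.255.255 log
50 deny ip any 192.168.0.0 0.0.255.255 log
60 permit tcp any any eq www
70 permit tcp any any eq 443
80 deny ip any any log
""")

GUEST_SYN = Packet("tcp", "10.1.38.100", 1174, "64.233.169.99", 80)   # forward half of the logged flow
RETURN_PKT = Packet("tcp", "64.233.169.99", 80, "10.1.38.100", 1174)  # the packet the switch logged
DNS_QUERY = Packet("udp", "10.1.38.100", 5000, "10.1.1.5", 53)        # constructed
INTERNAL_SYN = Packet("tcp", "10.1.38.100", 1175, "10.1.1.20", 80)    # constructed
SYN_172_20 = Packet("tcp", "10.1.38.100", 1176, "172.20.0.5", 80)     # constructed

def replay():
    """{case: (action, seq)}. 'in' on an SVI sees packets from 10.1.38.x, 'out' packets to it."""
    return {
        "posted_out_return": evaluate(POSTED_ACL, RETURN_PKT),   # line 40 denies every reply
        "posted_in_syn": evaluate(POSTED_ACL, GUEST_SYN),        # same list 'in' reaches line 80
        "posted_in_internal": evaluate(POSTED_ACL, INTERNAL_SYN),
        "posted_in_dns": evaluate(POSTED_ACL, DNS_QUERY),        # 'eq domain' on src port no longer fits
        "swapped_in_syn": evaluate(SWAPPED_ACL, GUEST_SYN),      # SYN has 80 as dst, not src port
        "posted_in_172_20": evaluate(POSTED_ACL, SYN_172_20),    # falls between the two /16 lines
        "final_in_syn": evaluate(FINAL_ACL, GUEST_SYN),
        "final_in_dns": evaluate(FINAL_ACL, DNS_QUERY),
        "final_in_172_20": evaluate(FINAL_ACL, SYN_172_20),
    }
```

Running `replay()` shows the posted list denying the reply at line 40 when applied `out`, permitting the same flow's SYN at line 80 when applied `in`, and the swapped `any eq www any` line falling through to line 100 in the `in` direction, which is the sequence of log lines in the thread. The evaluator is stateless by design, like the IOS ACL itself: with the list applied `in`, nothing filters the return traffic, so no `established` entry is needed, and the requirement that guests never reach internal servers is enforced on the guest's own first packet.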

pener1963 Tue, 12/08/2009 - 08:43

That did it Jon! I thank you, and the case of whisky is on the way!


Pedro

Correct Answer
Jon Marshall Tue, 12/08/2009 - 08:45


Pedro


Glad to have helped


Jon
