VLAN Access List

Pete89 (Level 2)

Hello,

As part of a guest access project I have rolled out a Clean Access Server. So when a consultant comes in and needs Internet access she can get it by first logging on the NAC appliance and then is forced into the guest VLAN.

So now I need to create an access list that will:

  • Allow the machine to get DHCP information
  • Allow DNS lookups against internal DNS Server
  • Allow access to http and https pages OUTSIDE the company
  • Deny everything else

Pretty simple, right? So I created an access list called guest_access_OUT:

    10 permit udp any eq domain any (68 matches)
    20 permit udp any any eq bootpc (1 match)
    30 permit udp any any eq bootps (7 matches)
    40 deny ip any 10.0.0.0 0.255.255.255 log (785 matches)
    50 deny ip any 192.168.0.0 0.0.255.255
    60 deny ip any 172.31.0.0 0.0.255.255
    70 deny ip any 172.16.0.0 0.0.255.255
    80 permit tcp any any eq www
    90 permit tcp any any eq 443
    100 deny ip any any log

This is being applied to outbound traffic on the VLAN interface on the 4507 core switch. Users in this VLAN are on the 10.1.38.x network. So far I can get DNS and DHCP to work but I can't seem to get the http/https internal/external piece to work. I am seeing this in the core switch:

list guest_access_OUT denied tcp 64.233.169.99(80) -> 10.1.38.100(1174), 4 packets

So the first packet is making it out but return traffic is being blocked. I put an allow all type inbound access list on the VLAN interface but did not help. I also tried adding the tcp established but that allowed access to the internal websites as well.

I know I am doing something very silly wrong, but I have been looking at this too long and need a third eye for help.

Thanks,

Pedro

11 Replies

Pete89 (Level 2)

OK, the plot thickens a little. I am getting this on the edge firewall at the same time I am trying to access Google from the guest VLAN:

No matching connection for ICMP error message: icmp src inside:10.1.1.1 dst outside 74.125.93.147 (type 3, code 13) on inside interface. Original IP payload: tcp src 74.125.93.147/80 dst 10.1.38.100/1179

Not too sure if this is part of the problem or not.

Jon Marshall (Hall of Fame)

Pedro

Outbound on a vlan means traffic going to clients on that vlan. So you have this message

list guest_access_OUT denied tcp 64.233.169.99(80) -> 10.1.38.100(1174), 4 packets

and your acl line for www is

 80 permit tcp any any eq www

but because you have applied it outbound on the vlan interface it's not matching that line ie. src port is 80 in the traffic but your acl line is matching traffic with a destination port of 80

so change the line to

80 permit tcp any eq www any

Jon

Jon,

Thanks for the input, but that is still not working for me. The problem I think is in line 40

Extended IP access list guest_access_OUT
    10 permit udp any eq domain any (72 matches)
    20 permit udp any any eq bootpc (1 match)
    30 permit udp any any eq bootps (10 matches)
    40 deny ip any 10.0.0.0 0.255.255.255 log (1066 matches)
    50 deny ip any 192.168.0.0 0.0.255.255
    60 deny ip any 172.31.0.0 0.0.255.255
    70 deny ip any 172.16.0.0 0.0.255.255
    80 permit tcp any eq www any log
    90 permit tcp any any eq 443
    100 deny ip any any log

That is incrementing as I try to hit exterior web sites. I know I can get things to work if I put line 80 above line 40, but then my requirement of not allowing internal website access to guests is nixed.

But there has to be a way....right?

Line 40 will block all ip traffic other than what is allowed in lines 10, 20, 30. Not exactly sure what you are trying to achieve with that line. Remember if this acl is applied outbound on the vlan for the guest users then it affects traffic going to the guest users not traffic coming from the guest users. Basically line 40 is a "deny ip any any".

I think the problem is that you have written this acl as though it would be applied inbound on the guest vlan interface but you have applied it outbound ie.

line 40 inbound would stop any of the guest users accessing any 10.0.0.0/24 machine on any port/protocol other than what you have allowed in the previous 3 lines. I'm guessing this is what you want.

So either

1) change the direction of the acl

2) rewrite the acl bearing in mind the direction of traffic

Either way you need to rethink your acl.

Jon

Jon,

I am trying to apply this access list to outbound traffic. That is traffic leaving the VLAN. This is what I would call egress filtering. I want to limit what the guests can connect to. I really am not too worried about what can connect to the guests right now. So the acl looks like this on the core switch:

ip access-group guest_access_OUT out (from the VLAN interface)

But you are saying this ACL will only affect traffic entering the VLAN???

That makes no sense to me. This is my first shot at an ACL on a VLAN so please be patient.

Pedro

Traffic leaving the vlan would be traffic coming from clients on that vlan going to some other destination. But if you apply an acl outbound to a vlan interface that affects traffic coming from some destination to clients on that vlan.

If you want to affect traffic leaving the vlan then you would apply the acl inbound and not outbound.

So if you want to control traffic from the guest vlan to other destinations you need to apply the acl inbound on the guest vlan interface.

Jon

Pedro

Just to add to last post.

If it helps, think of it from the vlan interface's perspective.

So traffic coming into the interface has to be from clients on that vlan.

Traffic leaving that interface has to be traffic going to clients on that vlan.

As i say, you have written the acl correctly, you have just applied it in the wrong direction.

Jon

Jon,

Thank you very much for taking time to explain this. This is big.

OK so I have done as you said and changed the direction of the ACL on the core switch:

ip access-group guest_access_OUT in

And here is the complete ACL now:

Extended IP access list guest_access_OUT
    10 permit udp any any eq domain log (3 matches)
    20 permit udp any any eq bootpc log
    30 permit udp any any eq bootps log (3 matches)
    40 deny ip any 10.0.0.0 0.255.255.255 log (40 matches)
    50 deny ip any 192.168.0.0 0.0.255.255 log
    60 deny ip any 172.31.0.0 0.0.255.255 log
    70 deny ip any 172.16.0.0 0.0.255.255 log (90 matches)
    80 permit tcp any eq www any log
    90 permit tcp any any eq 443 log
    100 deny ip any any log (40 matches)

And again I want guests to get to exterior websites only. They should not be able to get to my internal network which are the ideas behind 50,60 and 70, yet I still see this on the core switch when trying to get to google from the guest VLAN:

list guest_access_OUT denied tcp 10.1.38.100(2363) -> 64.233.169.105(80), 1 packet

I am trying to keep this as simple as possible until I understand how this really works.


You need to change line 80 back to what it was originally ie.

80 permit tcp any any eq www

Jon
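As an added example that is not part of the thread, the Python script below models the two things Jon explains: an ACL applied `out` on the guest SVI is evaluated only against packets heading toward the guest hosts (so Pedro's original outbound ACL never saw the client's SYN, but denied Google's SYN/ACK at line 40), and once the ACL is applied `in`, `permit tcp any eq www any` can never match a guest's request because the guest's source port is ephemeral. It also checks two points the thread leaves implicit: line 10 had to flip from `any eq domain any` to `any any eq domain` for the same reason (Pedro's final ACL shows that change), and lines 60 and 70 cover only 172.31.0.0/16 and 172.16.0.0/16, so a guest can still reach a web server anywhere else in 172.16.0.0/12. The parser, the `svi_filter` direction model, the addresses 10.1.1.53, 10.1.1.20 and 172.20.5.5, and the `HARDENED` ACL are my own assumptions, not configuration from the post; the two ACL texts named `ORIGINAL` and `FINAL` are Pedro's.

```python
# Added example: a model of how an IOS extended ACL on an SVI sees traffic.
# "in" = packets arriving from hosts on the VLAN, "out" = packets leaving the SVI toward them.
import ipaddress

NAMED_PORTS = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67}
GUEST_NET = ipaddress.ip_network("10.1.38.0/24")   # guest VLAN from the thread (10.1.38.x)


def _parse_addr(toks, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' plus optional 'eq PORT'; return (spec, port, next_i)."""
    if toks[i] == "any":
        spec, i = (0, 0xFFFFFFFF), i + 1
    elif toks[i] == "host":
        spec, i = (int(ipaddress.IPv4Address(toks[i + 1])), 0), i + 2
    else:
        spec = (int(ipaddress.IPv4Address(toks[i])), int(ipaddress.IPv4Address(toks[i + 1])))
        i += 2
    port = None
    if i < len(toks) and toks[i] == "eq":
        port, i = NAMED_PORTS.get(toks[i + 1]) or int(toks[i + 1]), i + 2
    return spec, port, i


def parse_acl(text):
    """Parse 'show access-lists' lines: '<seq> permit|deny <proto> <src> [eq P] <dst> [eq P] [log] [(N matches)]'."""
    aces = []
    for raw in text.strip().splitlines():
        toks = raw.split("(")[0].split()              # drop the "(N matches)" counter
        if not toks or not (toks[0].isdigit() or toks[0] in ("permit", "deny")):
            continue                                  # header or blank line
        seq = int(toks.pop(0)) if toks[0].isdigit() else None
        src, sport, i = _parse_addr(toks, 2)          # toks[0] = action, toks[1] = protocol
        dst, dport, _ = _parse_addr(toks, i)
        aces.append((seq, toks[0], toks[1], src, sport, dst, dport))
    return aces


def _addr_match(spec, addr):
    base, wild = spec                                 # wildcard bit set = "don't care"
    return ((addr & ~wild) & 0xFFFFFFFF) == ((base & ~wild) & 0xFFFFFFFF)


def evaluate(aces, pkt):
    """First match wins, as in IOS; the implicit deny at the end reports seq None."""
    src, dst = (int(ipaddress.IPv4Address(pkt[k])) for k in ("src", "dst"))
    for seq, action, proto, s, sp, d, dp in aces:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (_addr_match(s, src) and _addr_match(d, dst)):
            continue
        if (sp is not None and sp != pkt["sport"]) or (dp is not None and dp != pkt["dport"]):
            continue
        return action, seq
    return "deny", None


def svi_filter(aces, applied, pkt):
    """Model 'ip access-group NAME in|out' on the guest SVI; ('unfiltered', None) = ACL not consulted."""
    direction = "in" if ipaddress.ip_address(pkt["src"]) in GUEST_NET else "out"
    return evaluate(aces, pkt) if direction == applied else ("unfiltered", None)


def pkt(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


# Constructed flows: the first two mirror the thread's log line; 10.1.1.53, 10.1.1.20, 172.20.5.5 are assumed.
SYN_TO_GOOGLE = pkt("tcp", "10.1.38.100", 1174, "64.233.169.99", 80)
SYNACK_BACK = pkt("tcp", "64.233.169.99", 80, "10.1.38.100", 1174)
DNS_QUERY = pkt("udp", "10.1.38.100", 5000, "10.1.1.53", 53)
TO_INTRANET = pkt("tcp", "10.1.38.100", 1200, "10.1.1.20", 80)
TO_172_20 = pkt("tcp", "10.1.38.100", 1201, "172.20.5.5", 80)

# Pedro's first ACL exactly as posted (applied "out" at that point).
ORIGINAL = """
10 permit udp any eq domain any (68 matches)
20 permit udp any any eq bootpc (1 match)
30 permit udp any any eq bootps (7 matches)
40 deny ip any 10.0.0.0 0.255.255.255 log (785 matches)
50 deny ip any 192.168.0.0 0.0.255.255
60 deny ip any 172.31.0.0 0.0.255.255
70 deny ip any 172.16.0.0 0.0.255.255
80 permit tcp any any eq www
90 permit tcp any any eq 443
100 deny ip any any log
"""
# The thread's final working ACL: same text applied "in", with line 10 flipped to match the query, not the reply.
FINAL = ORIGINAL.replace("10 permit udp any eq domain any", "10 permit udp any any eq domain")
# Jon's first suggestion for line 80 (source port www), which only fits an "out" ACL.
INBOUND_WRONG_80 = FINAL.replace("80 permit tcp any any eq www", "80 permit tcp any eq www any")
# Assumed tightening (mine, not from the thread): DNS only to the resolver, all of 172.16.0.0/12 in one line.
HARDENED = """
10 permit udp any host 10.1.1.53 eq domain
20 permit udp any any eq bootpc
30 permit udp any any eq bootps
40 deny ip any 10.0.0.0 0.255.255.255 log
50 deny ip any 172.16.0.0 0.15.255.255 log
60 deny ip any 192.168.0.0 0.0.255.255 log
70 permit tcp any any eq www
80 permit tcp any any eq 443
90 deny ip any any log
"""

if __name__ == "__main__":                            # stand-alone demo of the final ACL applied "in"
    for flow in (SYN_TO_GOOGLE, SYNACK_BACK, DNS_QUERY, TO_INTRANET, TO_172_20):
        print(flow["src"], "->", flow["dst"], svi_filter(parse_acl(FINAL), "in", flow))
```

Run it and `SYNACK_BACK` comes back `unfiltered` under the final inbound ACL while `SYN_TO_GOOGLE` hits line 80, which is the whole fix: the ACL was right, the direction was not. The same model shows `TO_172_20` permitted by the final ACL at line 80 and denied by the assumed `HARDENED` list at line 50, because a single wildcard of 0.15.255.255 covers 172.16.0.0 through 172.31.255.255 where two /16 lines do not. The firewall message Pedro saw (ICMP type 3, code 13, "communication administratively prohibited") is what an IOS device sends back to a packet's source when an ACL drops it, so it is consistent with the switch denying Google's return traffic rather than a separate fault.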

That did it Jon! I thank you, and the case of whisky is on the way!

Pedro

Pedro

Glad to have helped

Jon
