12-08-2009 05:18 AM - edited 03-11-2019 09:46 AM
Hello,
As part of a guest access project I have rolled out a Clean Access Server. So when a consultant comes in and needs Internet access she can get it by first logging on to the NAC appliance and is then forced into the guest VLAN.
So now I need to create an Access List that will:
Pretty simple right? So I created an access list called guest_access_OUT:
10 permit udp any eq domain any (68 matches)
20 permit udp any any eq bootpc (1 match)
30 permit udp any any eq bootps (7 matches)
40 deny ip any 10.0.0.0 0.255.255.255 log (785 matches)
50 deny ip any 192.168.0.0 0.0.255.255
60 deny ip any 172.31.0.0 0.0.255.255
70 deny ip any 172.16.0.0 0.0.255.255
80 permit tcp any any eq www
90 permit tcp any any eq 443
100 deny ip any any log
This is being applied to outbound traffic on the VLAN interface on the 4507 core switch. Users in this VLAN are on the 10.1.38.x network. So far I can get DNS and DHCP to work but I can't seem to get the http/https internal/external piece to work. I am seeing this in the core switch:
list guest_access_OUT denied tcp 64.233.169.99(80) -> 10.1.38.100(1174), 4 packets
So the first packet is making it out but return traffic is being blocked. I put an allow all type inbound access list on the VLAN interface but did not help. I also tried adding the tcp established but that allowed access to the internal websites as well.
I know I am doing something very silly wrong, but I have been looking at this too long and need a third eye for help.
Thanks,
Pedro
12-08-2009 05:55 AM
OK the plot thickens a little. I am getting this on the edge firewall at the same time I am trying to access Google from the guest VLAN:
No matching connection for ICMP error message: icmp src inside:10.1.1.1 dst outside 74.125.93.147 (type 3, code 13) on inside interface. Original IP payload: tcp src 74.125.93.147/80 dst 10.1.38.100/1179
Not too sure if this is part of the problem or not.
12-08-2009 06:44 AM
pener1963 wrote:
Hello,
As part of a guest access project I have rolled out a Clean Access Server. So when a consultant comes in and needs Internet access she can get it by first logging on to the NAC appliance and is then forced into the guest VLAN.
So now I need to create an Access List that will:
Pretty simple right? So I created an access list called guest_access_OUT:
10 permit udp any eq domain any (68 matches)
20 permit udp any any eq bootpc (1 match)
30 permit udp any any eq bootps (7 matches)
40 deny ip any 10.0.0.0 0.255.255.255 log (785 matches)
50 deny ip any 192.168.0.0 0.0.255.255
60 deny ip any 172.31.0.0 0.0.255.255
70 deny ip any 172.16.0.0 0.0.255.255
80 permit tcp any any eq www
90 permit tcp any any eq 443
100 deny ip any any log
This is being applied to outbound traffic on the VLAN interface on the 4507 core switch. Users in this VLAN are on the 10.1.38.x network. So far I can get DNS and DHCP to work but I can't seem to get the http/https internal/external piece to work. I am seeing this in the core switch:
list guest_access_OUT denied tcp 64.233.169.99(80) -> 10.1.38.100(1174), 4 packets
So the first packet is making it out but return traffic is being blocked. I put an allow all type inbound access list on the VLAN interface but did not help. I also tried adding the tcp established but that allowed access to the internal websites as well.
I know I am doing something very silly wrong, but I have been looking at this too long and need a third eye for help.
Thanks,
Pedro
Pedro
Outbound on a vlan means traffic going to clients on that vlan. So you have this message
list guest_access_OUT denied tcp 64.233.169.99(80) -> 10.1.38.100(1174), 4 packets
and your acl line for www is
80 permit tcp any any eq www
but because you have applied it outbound on the vlan interface it's not matching that line ie. src port is 80 in the traffic but your acl line is matching traffic with a destination port of 80
so change the line to
80 permit tcp any eq www any
Jon
12-08-2009 07:01 AM
Jon,
Thanks for the input, but that is still not working for me. The problem I think is in line 40
Extended IP access list guest_access_OUT
10 permit udp any eq domain any (72 matches)
20 permit udp any any eq bootpc (1 match)
30 permit udp any any eq bootps (10 matches)
40 deny ip any 10.0.0.0 0.255.255.255 log (1066 matches)
50 deny ip any 192.168.0.0 0.0.255.255
60 deny ip any 172.31.0.0 0.0.255.255
70 deny ip any 172.16.0.0 0.0.255.255
80 permit tcp any eq www any log
90 permit tcp any any eq 443
100 deny ip any any log
That is incrementing as I try to hit exterior web sites. I know I can get things to work if I put line 80 above line 40, but then my requirement of not allowing internal website access to guests is nixed.
But there has to be a way....right?
12-08-2009 07:20 AM
pener1963 wrote:
Jon,
Thanks for the input, but that is still not working for me. The problem I think is in line 40
Extended IP access list guest_access_OUT
10 permit udp any eq domain any (72 matches)
20 permit udp any any eq bootpc (1 match)
30 permit udp any any eq bootps (10 matches)
40 deny ip any 10.0.0.0 0.255.255.255 log (1066 matches)
50 deny ip any 192.168.0.0 0.0.255.255
60 deny ip any 172.31.0.0 0.0.255.255
70 deny ip any 172.16.0.0 0.0.255.255
80 permit tcp any eq www any log
90 permit tcp any any eq 443
100 deny ip any any log
That is incrementing as I try to hit exterior web sites. I know I can get things to work if I put line 80 above line 40, but then my requirement of not allowing internal website access to guests is nixed.
But there has to be a way....right?
Line 40 will block all ip traffic other than what is allowed in lines 10, 20, 30. Not exactly sure what you are trying to achieve with that line. Remember if this acl is applied outbound on the vlan for the guest users then it affects traffic going to the guest users not traffic coming from the guest users. Basically line 40 is a "deny ip any any".
I think the problem is that you have written this acl as though it would be applied inbound on the guest vlan interface but you have applied it outbound ie.
line 40 inbound would stop any of the guest users accessing any 10.0.0.0/24 machine on any port/protocol other than what you have allowed in the previous 3 lines. I'm guessing this is what you want.
So either
1) change the direction of the acl
2) rewrite the acl bearing in mind the direction of traffic
Either way you need to rethink your acl.
Jon
12-08-2009 07:34 AM
Jon,
I am trying to apply this access list to outbound traffic. That is traffic leaving the VLAN. This is what I would call egress filtering. I want to limit what the guests can connect to. I really am not too worried about what can connect to the guests right now. So the acl looks like this on the core switch:
ip access-group guest_access_OUT out (from the VLAN interface)
But you are saying this ACL will only affect traffic entering the VLAN???
That makes no sense to me. This is my first shot at an ACL on a VLAN so please be patient.
12-08-2009 07:50 AM
pener1963 wrote:
Jon,
I am trying to apply this access list to outbound traffic. That is traffic leaving the VLAN. This is what I would call egress filtering. I want to limit what the guests can connect to. I really am not too worried about what can connect to the guests right now. So the acl looks like this on the core switch:
ip access-group guest_access_OUT out (from the VLAN interface)
But you are saying this ACL will only affect traffic entering the VLAN???
That makes no sense to me. This is my first shot at an ACL on a VLAN so please be patient.
Pedro
Traffic leaving the vlan would be traffic coming from clients on that vlan going to some other destination. But if you apply an acl outbound to a vlan interface that affects traffic coming from some destination to clients on that vlan.
If you want to affect traffic leaving the vlan then you would apply the acl inbound and not outbound.
So if you want to control traffic from the guest vlan to other destinations you need to apply the acl inbound on the guest vlan interface.
Jon
12-08-2009 07:53 AM
Pedro
Just to add to last post.
If it helps, think of it from the vlan interface's perspective.
So traffic coming into the interface has to be from clients on that vlan.
Traffic leaving that interface has to be traffic going to clients on that vlan.
As i say, you have written the acl correctly, you have just applied it in the wrong direction.
Jon
12-08-2009 08:23 AM
Jon,
Thank you very much for taking time to explain this. This is big.
OK so I have done as you said and changed the direction of the ACL on the core switch:
ip access-group guest_access_OUT in
And here is the complete ACL now:
Extended IP access list guest_access_OUT
10 permit udp any any eq domain log (3 matches)
20 permit udp any any eq bootpc log
30 permit udp any any eq bootps log (3 matches)
40 deny ip any 10.0.0.0 0.255.255.255 log (40 matches)
50 deny ip any 192.168.0.0 0.0.255.255 log
60 deny ip any 172.31.0.0 0.0.255.255 log
70 deny ip any 172.16.0.0 0.0.255.255 log (90 matches)
80 permit tcp any eq www any log
90 permit tcp any any eq 443 log
100 deny ip any any log (40 matches)
And again I want guests to get to exterior websites only. They should not be able to get to my internal network which are the ideas behind 50,60 and 70, yet I still see this on the core switch when trying to get to google from the guest VLAN:
list guest_access_OUT denied tcp 10.1.38.100(2363) -> 64.233.169.105(80), 1 packet
I am trying to keep this as simple as possible until I understand how this really works.
12-08-2009 08:29 AM
pener1963 wrote:
Jon,
Thank you very much for taking time to explain this. This is big.
OK so I have done as you said and changed the direction of the ACL on the core switch:
ip access-group guest_access_OUT in
And here is the complete ACL now:
Extended IP access list guest_access_OUT
10 permit udp any any eq domain log (3 matches)
20 permit udp any any eq bootpc log
30 permit udp any any eq bootps log (3 matches)
40 deny ip any 10.0.0.0 0.255.255.255 log (40 matches)
50 deny ip any 192.168.0.0 0.0.255.255 log
60 deny ip any 172.31.0.0 0.0.255.255 log
70 deny ip any 172.16.0.0 0.0.255.255 log (90 matches)
80 permit tcp any eq www any log
90 permit tcp any any eq 443 log
100 deny ip any any log (40 matches)
And again I want guests to get to exterior websites only. They should not be able to get to my internal network which are the ideas behind 50,60 and 70, yet I still see this on the core switch when trying to get to google from the guest VLAN:
list guest_access_OUT denied tcp 10.1.38.100(2363) -> 64.233.169.105(80), 1 packet
I am trying to keep this as simple as possible until I understand how this really works.
Pedro
You need to change line 80 back to what it was originally ie.
80 permit tcp any any eq www
Jon
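To make Jon's two points concrete (an SVI ACL applied "out" only ever sees packets being delivered to hosts on the VLAN, and once the ACL is applied "in" the port match has to be on the destination again), here is a small added example: a simulator of Cisco IOS extended-ACL evaluation written for this thread, not code from the thread or from Cisco. It parses the final working ACL from the posts above, applies it in each direction and reports which line matches. The packet 5-tuples are constructed samples modelled on the addresses in the log lines; the internal web server 10.1.1.50 is hypothetical, and the parser only understands the keyword subset the thread's ACL uses (permit/deny, ip/tcp/udp, any, wildcard masks, eq ports, trailing log).

```python
"""Added example (not from the thread): simulate IOS extended-ACL
evaluation on a VLAN interface to show why the applied direction
decides which packets the ACL ever sees, and which port field matches."""
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67}

# The thread's final, working ACL (line 80 back to "any any eq www").
GUEST_ACL = """
10 permit udp any any eq domain log
20 permit udp any any eq bootpc log
30 permit udp any any eq bootps log
40 deny ip any 10.0.0.0 0.255.255.255 log
50 deny ip any 192.168.0.0 0.0.255.255 log
60 deny ip any 172.31.0.0 0.0.255.255 log
70 deny ip any 172.16.0.0 0.0.255.255 log
80 permit tcp any any eq www log
90 permit tcp any any eq 443 log
100 deny ip any any log
"""
# The intermediate version that still failed once applied inbound.
SWAPPED_LINE_80_ACL = GUEST_ACL.replace("80 permit tcp any any eq www",
                                        "80 permit tcp any eq www any")


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _parse_addr(tokens):
    """Consume 'any' or 'A.B.C.D wildcard'; wildcard is a Cisco inverse mask."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT' operator."""
    if tokens and tokens[0] == "eq":
        return _port(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Return a list of (seq, action, proto, src_net, src_port, dst_net, dst_port)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[-1] == "log":
            tok = tok[:-1]
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        src, rest = _parse_addr(tok[3:])
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        rules.append((seq, action, proto, src, sport, dst, dport))
    return rules


def evaluate(rules, pkt):
    """First-match evaluation; returns (action, seq). Implicit deny at the end."""
    proto, src, sport, dst, dport = pkt
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if src_ip not in rsrc or dst_ip not in rdst:
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action, seq
    return "deny", None


def svi_filter(rules, direction, pkt, sent_by_vlan_host):
    """Model 'ip access-group NAME in|out' on an SVI.
    'in'  evaluates packets entering the SVI from hosts on the VLAN.
    'out' evaluates packets being routed out of the SVI to hosts on the VLAN.
    Anything else is forwarded without this ACL ever seeing it."""
    seen = sent_by_vlan_host if direction == "in" else not sent_by_vlan_host
    return evaluate(rules, pkt) if seen else ("not-evaluated", None)


def demo():
    """Replay the thread's flows against both directions and both line-80 forms."""
    acl, swapped = parse_acl(GUEST_ACL), parse_acl(SWAPPED_LINE_80_ACL)
    # Constructed sample flows based on the addresses in the thread's log lines.
    guest_to_google = ("tcp", "10.1.38.100", 2363, "64.233.169.105", 80)
    google_to_guest = ("tcp", "64.233.169.99", 80, "10.1.38.100", 1174)
    guest_to_internal = ("tcp", "10.1.38.100", 3001, "10.1.1.50", 80)  # hypothetical intranet host
    guest_dns = ("udp", "10.1.38.100", 4011, "8.8.8.8", 53)
    return {
        "out/first-syn": svi_filter(acl, "out", guest_to_google, True),
        "out/return-from-google": svi_filter(acl, "out", google_to_guest, False),
        "in/first-syn/swapped-line-80": svi_filter(swapped, "in", guest_to_google, True),
        "in/first-syn": svi_filter(acl, "in", guest_to_google, True),
        "in/internal-web": svi_filter(acl, "in", guest_to_internal, True),
        "in/dns": svi_filter(acl, "in", guest_dns, True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32} -> {result}")
```

Applied "out", the guest's own SYN is never evaluated and the reply from port 80 is dropped by line 40 because its destination 10.1.38.100 sits inside 10.0.0.0/8, which is what the 785 matches on that line were. Applied "in" with the swapped line 80, the SYN falls through to line 100 because its source port is an ephemeral port, not 80; with the original line 80 it is permitted, while a connection to an internal 10.x web server is still stopped at line 40, which is the egress policy Pedro wanted.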
12-08-2009 08:43 AM
That did it Jon! I thank you, and the case of whisky is on the way!
Pedro
12-08-2009 08:45 AM
pener1963 wrote:
That did it Jon! I thank you, and the case of whisky is on the way!
Pedro
Pedro
Glad to have helped
Jon