Access-List Issue

samirshaikh52
Level 2

Dear Experts,

I have been facing a very strange issue with Cisco access-lists.

Here is the scenario.

I have a biomedical server in VLAN 100 (10.1.100.0/24) and domain client1 in VLAN 101 (10.1.101.0). I've created an access-list to allow traffic from client1 (10.1.101.2) and the DC (10.1.102.2) to the server and deny others.

ip access-list extended Bio
 permit ip host 10.1.101.2 host 10.1.100.2
 permit ip host 10.1.102.2 host 10.1.100.2
 deny ip any any

Applied to the interface:

interface vlan 100
 ip access-group Bio out

After creating the access-list I can ping from the client and the DC to the server. I can successfully open the bio software, but I cannot view some components. Once I remove the access-list I can see them. However, if I log in to client1 with workgroup credentials it also works with no problems.

For more information, the bio server is a member of the workgroup, not the domain.

Any advice, please?

5 Replies

nkarpysh
Cisco Employee

It seems that the server is initiating additional communication which is not allowed by the ACL. It can be some multicast or some authentication via a host which is not specified in the ACL (as you said that if client1 is authenticated it works).

You can try setting up Wireshark or tcpdump on the server/clients (based on OS) and see which flows are triggered when you try to connect to it. Then add these flows to the IP ACL.

Nik

HTH,
Niko

Thanks for your fast response.

What is happening is that when I log in to the client with the local administrator I do not encounter this issue. But when I log in with the domain user the problem appears. Once I remove the ACL it works with both accounts, local and domain.

Not much aware of how AD works here, but it seems that being authenticated through the domain may bring some additional flows into account. A packet sniffer will help you clarify which additional flows exist that are blocked by your ACL.

Nik

HTH,
Niko

neerajjagga
Level 1

Change the interface vlan 100 as below:

interface vlan 100
 ip access-group Bio in

Remove "ip access-group Bio out" and update.

Thanks.

Neeraj Jagga

Hi,

I would recommend logging the denied packets of your access-list.

This can be achieved by configuring the last entry of your ACL like this: deny ip any any log.

Then check the logs for the denied packets. Finally, modify your ACL in order to permit the packets for your streams.

Maybe some packets which are needed for these streams are generated with a different source/destination IP which is not permitted by the existing ACL.

Hope that helps!

Vasilis
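The two suggestions above (capture the extra flows, and log what the final deny entry drops) can be rehearsed offline before touching the switch. The following is an added example, not code from this thread or from Cisco: a small stateless evaluator that parses the ACL posted in the question, runs constructed packets through it the way "ip access-group Bio out" on the VLAN 100 SVI would see them (only traffic routed toward VLAN 100 is checked), and emits a log line for every packet that hits "deny ip any any log". The hosts other than client1, the DC and the server, and the log-line format, are constructed for the example and do not reproduce the exact IOS message.

```python
"""Stateless IOS-style ACL evaluator (added example, not Cisco code).

Parses an 'ip access-list extended' body, evaluates packets top-down with
first match wins and an implicit deny at the end, and returns the log line
that a 'log' keyword on the matching entry would produce.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol; otherwise "tcp", "udp", "icmp", ...
    src: IPv4Network
    dst: IPv4Network
    log: bool = False  # True when the entry ends with the 'log' keyword


def _addr_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(f"{tokens.pop(0)}/32")
    # IOS wildcard masks are the bitwise inverse of a subnet mask
    wildcard = int(IPv4Address(tokens.pop(0)))
    netmask = str(IPv4Address((~wildcard) & 0xFFFFFFFF))
    return ip_network((tok, netmask), strict=False)


def parse_acl(text):
    """Return (acl_name, [Ace, ...]) from the text of an extended named ACL."""
    name, aces = None, []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _addr_spec(rest)
        dst = _addr_spec(rest)
        aces.append(Ace(action, proto, src, dst, log="log" in rest))
    return name, aces


_VERB = {"permit": "permitted", "deny": "denied"}


def evaluate(name, aces, proto, src, dst):
    """Return (action, log_line_or_None) for one packet; first matching entry wins."""
    s, d = ip_address(src), ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s in ace.src and d in ace.dst:
            log = None
            if ace.log:
                # Constructed format, loosely modelled on the IOS ACL log message
                log = f"list {name} {_VERB[ace.action]} {proto} {src} -> {dst}"
            return ace.action, log
    return "deny", None  # implicit deny at the end of every IOS ACL


# The ACL from the question
ACL_TEXT = """
ip access-list extended Bio
 permit ip host 10.1.101.2 host 10.1.100.2
 permit ip host 10.1.102.2 host 10.1.100.2
 deny ip any any log
"""

# Constructed packets as seen by 'ip access-group Bio out' on interface vlan 100:
# only traffic routed toward VLAN 100 is evaluated. Everything except client1,
# the DC and the server is made up for the example.
SAMPLE_PACKETS = [
    ("icmp", "10.1.101.2", "10.1.100.2"),    # client1 ping to the server
    ("tcp",  "10.1.102.2", "10.1.100.2"),    # DC to the server
    ("tcp",  "10.1.102.3", "10.1.100.2"),    # a second DC (constructed), not in the ACL
    ("tcp",  "10.1.101.2", "10.1.100.3"),    # client1 to another VLAN 100 host (constructed)
    ("udp",  "10.1.101.2", "10.1.100.255"),  # client1 broadcast into VLAN 100 (constructed)
]


def run(acl_text=ACL_TEXT, packets=SAMPLE_PACKETS):
    """Evaluate each packet; return ([(proto, src, dst, action), ...], [log lines])."""
    name, aces = parse_acl(acl_text)
    verdicts, logs = [], []
    for proto, src, dst in packets:
        action, log = evaluate(name, aces, proto, src, dst)
        verdicts.append((proto, src, dst, action))
        if log:
            logs.append(log)
    return verdicts, logs


if __name__ == "__main__":
    verdicts, logs = run()
    for v in verdicts:
        print("%-4s %-12s -> %-13s %s" % v)
    print("\nlogged by 'deny ip any any log':")
    print("\n".join(logs))
```

Running it shows the two permitted flows from the question and three denied ones, each with a log line naming the source and destination. On the real switch, the same source/destination pairs would appear in the logging buffer once the final entry carries "log", which is what tells you which extra entries the ACL needs. Because the evaluator is stateless, like the IOS ACL it models, it also makes clear that a flow started by the server toward VLAN 101 or 102 is not seen by an "out" ACL on the VLAN 100 SVI at all, only the replies coming back are.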
