04-11-2012 05:31 AM - edited 03-07-2019 06:04 AM
Dear Experts,
I have been facing a very strange issue with Cisco access-lists.
Here is the scenario
I have a biomedical server in vlan 100 (10.1.100.0/24) and domain client1 on vlan 101 (10.1.101.0). I've created an access list to allow traffic from client1 (10.1.101.2) and DC (10.1.102.2) to the server and deny others.
ip access-list extended Bio
permit ip host 10.1.101.2 host 10.1.100.2
permit ip host 10.1.102.2 host 10.1.100.2
deny ip any any
Applying to the interface
int vlan 100
ip access-group Bio out
After creating the access-list I can ping from client and DC to the server. I can successfully open the bio software but I cannot view some components. Once I removed the access-list I can see them. However, if I log in to client1 with workgroup credentials it also works with no problems.
For more information, the bio server is a member of the workgroup, not the domain.
Any advice, please.
04-11-2012 06:03 AM
It seems that the server is initiating additional communication which is not allowed by the ACL - it can be some multicast or some authentication via a host which is not specified in the ACL (as you said that if client1 is authenticated it works).
You can try setting up wireshark or tcpdump on server/clients (based on OS) and see what flows are triggered when you try to connect to it. Then add these flows to an IP ACL.
Nik
04-11-2012 06:11 AM
Thanks for your fast response.
What is happening is that when I log in to the client with the local administrator I do not encounter this issue. But when I log in with the domain user the problem appears. Once I removed the ACL it works with both accounts, local and domain.
04-11-2012 08:52 AM
Not much aware of how AD works here, but it seems that being authenticated through the domain may bring some additional flows into account. A packet sniffer will help you to clarify what those additional flows are which are blocked by your ACL.
Nik
04-11-2012 11:52 AM
change the interface vlan 100 as below:
int vlan 100
ip access-group Bio in
remove "ip access-group Bio out"
and update.
Thanks.
Neeraj Jagga
04-11-2012 03:22 PM
Hi,
I would recommend logging the denied packets of your access-list.
This can be achieved by configuring the last entry of your AL like this: deny ip any any log.
Then check the logs and the denied packets. Finally, modify your AL in order to permit the packets for your streams.
Maybe some packets which are needed for these streams are generated with different source/destination IPs which are not permitted by the existing AL.
Hope that helps!
Vasilis
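To follow Vasilis's advice on a busy server, it helps to aggregate the "deny ip any any log" output before deciding what to permit. The script below is an added example, not from this thread; it parses constructed sample lines in the IOS %SEC-6-IPACCESSLOGP / IPACCESSLOGDP format for list "Bio" and groups the denied packets per flow so the entries with the most hits can be reviewed first (the hosts and ports in the sample are made up).

```python
import re
from collections import Counter

# Constructed sample of what a "deny ip any any log" entry on list Bio emits.
# Hosts other than 10.1.100.2 (the server from the thread) are invented here.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list Bio denied tcp 10.1.101.7(49210) -> 10.1.100.2(445), 3 packets
%SEC-6-IPACCESSLOGP: list Bio denied tcp 10.1.101.7(49211) -> 10.1.100.2(445), 2 packets
%SEC-6-IPACCESSLOGP: list Bio denied udp 10.1.102.2(137) -> 10.1.100.255(137), 4 packets
%SEC-6-IPACCESSLOGDP: list Bio denied icmp 10.1.101.9 -> 10.1.100.2 (8/0), 2 packets
%SEC-6-IPACCESSLOGP: list Other denied tcp 10.1.50.1(1024) -> 10.1.100.2(80), 9 packets
"""

# Source port is ignored on purpose: ephemeral ports change per connection,
# so only protocol, source host, destination host and destination port identify a flow.
LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<type>\d+)/(?P<code>\d+)\))?, (?P<count>\d+) packets?"
)

def summarize_denies(log_text, acl_name):
    """Sum denied packets per (proto, src, dst, dport) for one named ACL."""
    flows = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("acl") != acl_name:
            continue
        key = (m.group("proto"), m.group("src"), m.group("dst"), m.group("dport"))
        flows[key] += int(m.group("count"))
    return flows

def suggest_entries(flows):
    """Render each denied flow as a candidate permit line plus its hit count,
    busiest first, so an admin can decide which ones really belong in the AL."""
    entries = []
    for (proto, src, dst, dport), n in sorted(flows.items(), key=lambda kv: -kv[1]):
        port = f" eq {dport}" if dport else ""
        entries.append((f"permit {proto} host {src} host {dst}{port}", n))
    return entries

if __name__ == "__main__":
    for entry, hits in suggest_entries(summarize_denies(SAMPLE_LOG, "Bio")):
        print(f"{hits:5d}  {entry}")
```

Remember that "log" on a deny entry is process-switched and rate-limited on IOS, so use it for troubleshooting and drop it once the missing flows are identified.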