I have been facing a very strange issue with cisco access-lists.
Here is the scenario:
I have a biomedical server in vlan 100 (10.1.100.0/24) and domain client1 on vlan 101 (10.1.101.0). I've created an access list to allow traffic from client1 (10.1.101.2) and the DC (10.1.102.2) to the server and deny others.
ip access-list extended Bio
permit ip host 10.1.101.2 host 10.1.100.2
permit ip host 10.1.102.2 host 10.1.100.2
deny ip any any
Applying it to the interface:
int vlan 100
ip access-group Bio out
After creating the access-list I can ping from the client and the DC to the server. I can successfully open the bio software but I cannot view some components. Once I remove the access-list I can see them. However, if I log in to client1 with workgroup credentials it also works with no problems.
For more information, the bio server is a member of the workgroup, not the domain.
It seems that the server is initiating additional communication which is not allowed by the ACL - it can be some multicast or some authentication via a host which is not specified in the ACL (as you said that if client1 is authenticated it works).
You can try setting up wireshark or tcpdump on the server/clients (based on OS) and see what flows are triggered when you try to connect to it. Then add these flows to the IP ACL.
What is happening is that when I log in to the client with the local administrator I do not encounter this issue. But when I log in with the domain user the problem appears. Once I remove the ACL it works with both accounts, local and domain.
Not much aware of how AD works here, but it seems that being authenticated through the domain may bring some additional flows into account. A packet sniffer will help you clarify what those additional flows are that are blocked by your ACL.
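The approach suggested above (capture the flows, then find which ones the ACL drops) can be scripted once the capture is in hand. This is an added example, not code from the thread: it evaluates the Bio ACL from the question with Cisco first-match semantics against a constructed list of flows and prints the tightest permit entries for the ones that would hit the deny. The ACL only matches source and destination addresses, which is all the thread's ACL uses; the flow list and the unlisted hosts 10.1.101.25 and 10.1.102.3 are constructed sample data.

```python
import ipaddress

# The ACL from the thread, in first-match order: (action, source, destination).
# Host entries are /32; "any" is 0.0.0.0/0. Only IP src/dst are matched, which
# is all this ACL uses (no protocol or port matching).
BIO_ACL = [
    ("permit", "10.1.101.2/32", "10.1.100.2/32"),
    ("permit", "10.1.102.2/32", "10.1.100.2/32"),
    ("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

def acl_action(src, dst, acl=BIO_ACL):
    """Return the action of the first ACE matching src/dst, or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"  # every Cisco ACL ends with an implicit deny

# Constructed flows, as a capture on the server might show them: (src, dst, proto, dport).
# Only packets leaving the SVI into vlan 100 (dst on 10.1.100.0/24) hit the outbound ACL.
CAPTURED_FLOWS = [
    ("10.1.101.2", "10.1.100.2", "tcp", 445),   # client1 to the server (permitted)
    ("10.1.102.2", "10.1.100.2", "tcp", 445),   # DC to the server (permitted)
    ("10.1.101.25", "10.1.100.2", "tcp", 445),  # a second client, not in the ACL (constructed)
    ("10.1.102.3", "10.1.100.2", "udp", 137),   # NetBIOS name traffic from an unlisted host (constructed)
]

def blocked_flows(flows, acl=BIO_ACL):
    """Flows the ACL would drop; only these need an explicit permit."""
    return [f for f in flows if acl_action(f[0], f[1], acl) == "deny"]

def suggest_permits(flows):
    """Tightest ACEs (protocol and port rather than 'permit ip') for blocked flows,
    de-duplicated and in capture order, to insert before the final deny.
    Review each one first: a source you did not expect may itself be the problem."""
    seen, aces = set(), []
    for src, dst, proto, dport in flows:
        ace = f"permit {proto} host {src} host {dst} eq {dport}"
        if ace not in seen:
            seen.add(ace)
            aces.append(ace)
    return aces

if __name__ == "__main__":
    for ace in suggest_permits(blocked_flows(CAPTURED_FLOWS)):
        print(ace)
```

Note that with the ACL applied outbound on the vlan 100 SVI, return traffic for connections the server itself opens is also subject to it, so the capture should be taken on the server side to see those flows.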