Access list issues

Kiley Arena
Level 1

Hello,

There has been an access list in place where I work since well before I arrived, and it doesn't quite work. I've done some research on ACLs and modified it so that it works better than it did before; however, it still doesn't do what it was designed to do: block or "quarantine" devices so they are forced to update their systems with patches. It is also used to help in the baselining of PCs.

The access list works for the blocking portion, but it doesn't quite work for the baselining portion. It currently succeeds in forcing the PCs to go to our server and get the latest patches, but as part of the baselining process, all machines have a policy pushed to them that maps a share drive. This is where the problem is: with the existing ACL, they can ping and see the share drive, but they cannot access it. I've tried changing the permit ip statement to permit tcp, but that just hoses the PC up and they get a "general failure" when trying to ping the share drive.

Here is the access list:

ip access-list extended Quarantine_IN_L1
permit icmp any any
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any any eq domain
permit tcp any eq 3389 any
permit ip any host x.x.x.x (baseline server)
permit ip any host x.x.x.x (share drive)
permit ip any host x.x.x.x (domain controller)
permit ip any host x.x.x.x (domain controller)

ip access-list extended Quarantine_Out_L1
permit icmp any any
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any any eq domain
permit tcp any any eq 3389
permit ip host (baseline server) any
permit ip host (share drive) any
permit ip host (domain controller) any
permit ip host (domain controller) any

As I said, I tried changing the permit ip host (baseline server) any and permit ip any host (baseline server) statements to permit tcp statements. That didn't work; then I modified it so there were both permit tcp and permit ip (baseline server) statements. That also didn't work.

Any help would be greatly appreciated as I've been working on this issue for almost a week now with nothing to show but bald spots where I've pulled my hair out!

Thanks,

Kiley

1 Accepted Solution

Hello

Thanks for the additional information - so when a RACL is being applied to an SVI the ACL logic is a bit different

IN = Originating from a host on that VLAN
OUT = Destined for a host within the VLAN

Try amending your ACLs to accommodate the above logic.

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

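To check the direction rule in Paul's answer against the lists Kiley posted, here is a small added simulator; it is not from the thread, from Cisco, or from anything else, and it uses constructed addresses because the post masks the real ones as x.x.x.x. It models IOS extended ACL matching as protocol plus optional source/destination host and port, and selects the "in" or "out" list by whether the packet's source or destination sits on the baseline VLAN.

```python
import ipaddress

# Constructed addressing (the post masks the real addresses as x.x.x.x).
BASELINE_VLAN = ipaddress.ip_network("10.50.0.0/24")  # "int vlan 500"
BASELINE_SRV = "10.1.1.10"                             # baseline/patch server
SHARE = "10.1.1.20"                                    # share drive
# ACEs as (proto, src, src_port, dst, dst_port); None means "any".
QUARANTINE_IN = [   # applied "in": packets sourced by hosts on the VLAN
    ("icmp", None, None, None, None),
    ("udp", None, None, None, 67), ("udp", None, None, None, 68),  # bootps/bootpc
    ("udp", None, None, None, 53),                                 # domain
    ("tcp", None, 3389, None, None),          # "permit tcp any eq 3389 any"
    ("ip", None, None, BASELINE_SRV, None),
    ("ip", None, None, SHARE, None),
]
QUARANTINE_OUT = [  # applied "out": packets destined for hosts on the VLAN
    ("icmp", None, None, None, None),
    ("udp", None, None, None, 67), ("udp", None, None, None, 68),
    ("udp", None, None, None, 53),
    ("tcp", None, None, None, 3389),          # "permit tcp any any eq 3389"
    ("ip", BASELINE_SRV, None, None, None),
    ("ip", SHARE, None, None, None),
]

def ace_matches(ace, pkt):
    proto, src, sport, dst, dport = ace
    if proto != "ip" and proto != pkt["proto"]:   # "ip" covers every protocol
        return False
    wanted = ((src, pkt["src"]), (sport, pkt.get("sport")),
              (dst, pkt["dst"]), (dport, pkt.get("dport")))
    return all(want is None or want == have for want, have in wanted)

def acl_permits(acl, pkt):
    """First matching ACE wins; both lists are permit-only, so any match
    permits and a packet that matches nothing hits the implicit deny."""
    return any(ace_matches(ace, pkt) for ace in acl)

def svi_permits(pkt):
    """Pick the list the way a RACL on an SVI does: 'in' for traffic that
    originates from a host on the VLAN, 'out' for traffic going to one."""
    if ipaddress.ip_address(pkt["src"]) in BASELINE_VLAN:
        return acl_permits(QUARANTINE_IN, pkt)
    if ipaddress.ip_address(pkt["dst"]) in BASELINE_VLAN:
        return acl_permits(QUARANTINE_OUT, pkt)
    return True   # not crossing this SVI, so neither list applies

def smb_session_allowed(host, server):
    """Both halves of an SMB (TCP 445) session between a VLAN host and a server."""
    to_srv = {"proto": "tcp", "src": host, "sport": 50123, "dst": server, "dport": 445}
    back = {"proto": "tcp", "src": server, "sport": 445, "dst": host, "dport": 50123}
    return svi_permits(to_srv) and svi_permits(back)
```

Swapping an entry to "permit tcp" or moving a host entry between the two lists and re-running the session check shows immediately which direction a given change breaks, which is the kind of check worth doing before touching the SVI.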

5 Replies

Leo Laohoo
Hall of Fame

Duplicate post.

Go here: https://supportforums.cisco.com/discussion/12251476/access-list-issues

Leo,

That was my error; I posted it in the wrong location, and I thought I had caught it before moving it from the WAN discussion group to the LAN discussion group.

The issue should now be in the correct location.

Hello

You don't say what and where these ACLs are applied to?

Can you provide a simple topology of your network?
Can you provide a simple topology of your network?

Also, regarding "with the existing ACL, they can ping and see the share drive but they cannot access it":

Are you sure the ACLs above are prohibiting access, and not user/directory permissions on the network share of the domain server?

res

Paul


Paul,

When I remove the ACL, they can access the share drive, so I figured it was something I've done wrong with the ACL. I'm not able to provide a topology diagram of the network, unfortunately, but we do have a server subnet and a user subnet, typical of a medium-sized company, I would assume. The ACL is applied to the L3 interface for baselining:

int vlan 500
description BASELINE VLAN
ip address x.x.x.x x.x.x.x
ip access-group Quarantine_IN_L1 in
ip access-group Quarantine_Out_L1 out
ip helper-address x.x.x.x
no ip redirects
no ip unreachables
no ip proxy-arp

Thanks,

Kiley
