New Member

Access list issues

 

Hello,

 

There has been an access list in place where I work since well before I arrived and it doesn't quite work.  I've done some research on ACLs and modified it so that it works better than it did before; however, it still doesn't do what it was designed to do - block or "quarantine" devices so they are forced to update their systems with patches.  It is also used to help in the baselining of PCs.

The access list works for the blocking portion, but it doesn't quite work for the baselining portion, meaning it currently succeeds in forcing the PCs to go to our server and get the latest patches, but as a part of the baselining process, all machines have a policy pushed to them that maps a share drive.  This is where the problem is - with the existing ACL, they can ping and see the share drive but they cannot access it.  I've tried changing the permit ip statement to permit tcp, but that just hoses the PC up and they get a "general failure" when trying to ping the share drive.

 

Here is access list:

 

ip access-list extended Quarantine_IN_L1

permit icmp any any

permit udp any any eq bootps

permit udp any any eq bootpc

permit udp any any eq domain

permit tcp any eq 3389 any

permit ip any host x.x.x.x (baseline server)

permit ip any host x.x.x.x (share drive)

permit ip any host x.x.x.x (domain controller)

permit ip any host x.x.x.x (domain controller)

ip access-list extended Quarantine_Out_L1

permit icmp any any

permit udp any any eq bootps

permit udp any any eq bootpc

permit udp any any eq domain

permit tcp any any eq 3389

permit ip host (baseline server) any

permit ip host (share drive) any

permit ip host (domain controller) any

permit ip host (domain controller) any

 

As I said, I tried changing the permit ip host (baseline server) any and permit ip any host (baseline server) lines to permit tcp statements.  That didn't work; then I modified it so there were both permit tcp and permit ip (baseline server) statements.  That also didn't work.

Any help would be greatly appreciated as I've been working on this issue for almost a week now with nothing to show but bald spots where I've pulled my hair out!

Thanks,

Kiley

 

 

1 ACCEPTED SOLUTION

Accepted Solutions

Hello

Thanks for the additional information - so when a RACL is applied to an SVI, the ACL logic is a bit different:

IN  =  Originating from host on that vlan
OUT  = Destined for host within the vlan 

Try amending your acls to accommodate the above logic

res

Paul

 

 

Please don't forget to rate any posts that have been helpful. Thanks.
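As an added illustration of Paul's point (this is not code from the thread or from Cisco), the small model below evaluates a router ACL on an SVI the way he describes: the in ACL sees the VLAN host's packet with the host as source, and the out ACL sees the reply with the host as destination. It parses the permit lines in the form the thread uses (any / host, optional eq port) and checks both halves of a session against reduced copies of Quarantine_IN_L1 and Quarantine_Out_L1; the addresses are constructed placeholders for the x.x.x.x values.

```python
# Added example (not code from the thread): a small model of how a router ACL
# on an SVI is evaluated, following Paul's rule that "in" sees packets originating
# from hosts on the VLAN and "out" sees packets destined for hosts on the VLAN.
# Addresses are constructed placeholders for the thread's x.x.x.x values.
SHARE = "10.0.1.20"    # placeholder: the share drive
CLIENT = "10.0.50.15"  # placeholder: a PC sitting in the quarantine VLAN
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}

def _endpoint(tokens):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq PORT'."""
    addr = None if tokens[0] == "any" else tokens[1]
    tokens = tokens[1:] if tokens[0] == "any" else tokens[2:]
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return (addr, port), tokens

def parse_acl(text):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P]' lines, keeping their order."""
    entries = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = _endpoint(rest)
        dst, _ = _endpoint(rest)
        entries.append((action, proto, src, dst))
    return entries

def acl_permits(entries, proto, src, sport, dst, dport):
    """First-match evaluation, with the implicit deny at the end of every ACL."""
    for action, eproto, (sa, sp), (da, dp) in entries:
        if eproto in ("ip", proto) and sa in (None, src) and da in (None, dst) \
                and sp in (None, sport) and dp in (None, dport):
            return action == "permit"
    return False

QUARANTINE_IN = parse_acl(f"""permit icmp any any
permit udp any any eq domain
permit tcp any eq 3389 any
permit ip any host {SHARE}""")
QUARANTINE_OUT = parse_acl(f"""permit icmp any any
permit udp any any eq domain
permit tcp any any eq 3389
permit ip host {SHARE} any""")

def session_allowed(vlan_host, hport, server, sport, proto="tcp"):
    """The host's request is checked by the 'in' ACL with the host as source;
    the server's reply is checked by the 'out' ACL with the host as destination."""
    request = acl_permits(QUARANTINE_IN, proto, vlan_host, hport, server, sport)
    reply = acl_permits(QUARANTINE_OUT, proto, server, sport, vlan_host, hport)
    return request and reply
```

Under this model an SMB session from the PC to the share passes both ACLs, while a UDP DNS reply from a server that is not listed as a host entry is dropped by the out ACL, because `permit udp any any eq domain` only matches packets whose destination port is 53.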
5 REPLIES
Hall of Fame Super Gold

Duplicate post. 

 

Go here:  https://supportforums.cisco.com/discussion/12251476/access-list-issues

New Member

Leo,

That was my error; I posted it in the wrong location, so I moved it to the LAN discussion group from the WAN discussion group and thought I had caught it in time.

 

Issue should now be in the correct location.

Hello

 

You don't say on what and where these ACLs are applied?
 

Can you provide a simple topology of your network?

Also - "with the existing ACL, they can ping and see the share drive but they cannot access it"

You sure the acls above are prohibiting access and not user/directory permissions on the network share of the domain server?

 

res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.
New Member

Paul,

 

When I remove the ACL, they can access the share drive, so I figured it was something I've done wrong with the ACL.  I'm not able to provide a topology diagram of the network unfortunately, but we do have a server subnet and a user subnet - typical of a medium-sized company, I would assume.  The ACL is applied to the L3 interface for baselining:

 

int vlan 500

description BASELINE VLAN

ip address x.x.x.x x.x.x.x

ip access-group Quarantine_IN_L1 in

ip access-group Quarantine_Out_L1 out

ip helper-address x.x.x.x

no ip redirects

no ip unreachables

no ip proxy-arp

 

Thanks,

Kiley
