We have Windows XP workstation that we want to isolate from our entire LAN and our Internet gateway (outbound) with the exception of one server (inbound) This server simply needs to map a drive letter to a fileshare on the XP client, copy a flat file export from the XP client once a day, and close the fileshare back up when done.
The Server side of the equation:
Cisco Catalyst 6509 in hybrid mode
IOS 12.1(13)E on the MSFC2 (sup1a)
VTP v2 Server
802.1q is enabled on all trunks to our 2950's in edge closets.
HP Proliant G4 with HP nic teaming driver. This server has a static up of 10.10.5.35 and it's ports are members of our "VLAN 10" (10.10.x.x/16)
The Client Side of the equation:
running IOS 12.1(9)EA1
VTP v2 Client
Connected to the Catalyst 6509 above with one 100FX trunk 802.1q enabled
Intel P4 clone running Windows XP Pro SP2
Generic 10/100 NIC driver with no 802.1q support. It's connected to a switchport with static access to our "VLAN 70" (10.70.x.x/16)
What would be the best way to design this to meet the goal at the top?
The simplest way to do this is just to create a new vlan purely for the XP client and then use L3 acls to lock down the traffic.
eg server address 192.168.5.1.
client address 192.168.10.1
access-list 101 permit ip host 192.168.5.1 host 192.168.10.1
access-list 101 deny ip any any
access-list 102 permit ip host 192.168.10.1 host 192.168.5.1
access-list 102 deny ip any any
int vlan 80 (new vlan fro XP client)
ip access-group 101 out
ip access-group 102 in
Thanks for the reply Jon.
Unfortunately, I now seem to have a basic lack of understanding on how to route between those 2 vlans.
Keeping with my example, forgetting about ACL's for the moment since I can't seem to even establish basic IP connectivity between my 2 hosts, this is my setup so far.
2003 Server host
10.10.5.35 - host IP address
255.255.0.0 - subnet mask
10.10.4.1 - default gateway
Catalyst port(s) are members of VLAN 10 (10.10.0.0/16)
Server network ip routing environment:
Catalyst 6509 - CatOS side
core-switch> (enable) show ip route
Fragmentation Redirect Unreachable
------------- -------- -----------
enabled enabled enabled
The primary gateway: 10.30.1.1
Destination Gateway RouteMask Flags Use Interface
--------------- --------------- ---------- ----- -------- ---------
default 10.30.1.1 0x0 UG 122588 sc0
10.30.1.0 10.30.1.10 0xffffff00 U 160 sc0
default default 0xff000000 UH 0 sl0
Catalyst 6509 - IOS side
core-router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.10.0.0/16 is directly connected, Vlan10
S 10.15.0.0/16 [1/0] via 192.168.1.1
C 10.30.7.0/24 is directly connected, Vlan7
C 10.30.1.0/24 is directly connected, Vlan1
C 10.30.9.0/24 is directly connected, Vlan9
C 10.70.0.0/16 is directly connected, Vlan70
S 188.8.131.52/24 [1/0] via 192.168.1.1
C 192.168.1.0/24 is directly connected, Vlan99
S* 0.0.0.0/0 [1/0] via 192.168.1.1
XP client host
10.70.1.101 - host IP address
255.255.0.0 - subnet mask
10.70.1.1 - default gateway
Switchport access VLAN 70 (10.70.0.0/16)
Client network ip environment
The trunk interface to our Catalyst 6509 above:
switchport trunk allowed vlan 1,10,70,1002-1005
switchport mode trunk
no ip address
The switchport the XP client is connected to
switchport access vlan 70
switchport mode access
no ip address
From the XP client I can ping the default gateway for VLAN 70 @ 10.70.1.1 but I can NOT ping the server @ 10.10.5.35.
From the Server I can also ping the default gateway at 10.70.1.1 but not the host at 10.70.1.101.
I'm assuming this is a basic routing problem between VLAN 70 and VLAN 10 or vice versa.
From the "core router" on the 6509 (telneted into 10.30.1.1) I can also ping 10.70.1.1 but neither of the hosts 10.10.5.35 nor 10.70.1.101.
What am I doing wrong? What am I missing here?
Are you pinging from the MSFC to the client and the server ?
Can you check if you have any firewalls running on the client and the server that could be blocking incoming icmp requests.
What I did was ping from the MSFC router (in a telnet session from another workstation in VLAN 10) to both server and client which fails.
I just tried this from the switch console and I can ping the client and it's net gateway but not the server?
I did disable the XP firewall on the client while testing both times. I also verified that ICS service and the Windows firewall were disabled on the 2003 server. There are no other 3rd party firewalls installed on either server or client.
Routing problem resolved. I had been messing about with the HP network config utility on the 2003 server and inadvertantly ended up setting it upto use DHCP instead of it's normal static IP address of 10.10.5.35.
I can now ping both server and client from either direction and from both the 6509 console or the msfc. :)
I think I spoke to soon about this being resolved. It is true that I can ping in all directions from either the server, client, or MSFC now, HOWEVER, I cannot map a file share?
Keep in mind I'm using peer-to-peer networking principles as I've put this XP client workstation into a workgroup named "PTFC". "PTFC" is also the name of our AD domain that this 2003 server is a member of.
I've tried this from a command prompt on the 2003 server in VLAN 10 and got this error:
C:\>net use k: \\10.70.1.101\fileoutput pw6394!z /user:forteshare
System error 53 has occurred.
The network path was not found.
Then I tried it from the gui, i.e. right-clicked on the 'My Computer' icon selecting 'map network drive' and I get this error pop-up:
"The network path \\10.70.1.101\fileoutput cannot be found."
My thinking is that this might be Microsoft NBT name resolution issue with either WINS, NetBIOS, or DNS. If so, do I need to enable an 'IP Helper' on each switch and/or setup browsers, WINS, or DNS servers in VLAN 70?
The really puzzling thing now is that I CAN map file shares from the other direction.
From the XP workstation in VLAN 70 I can map any file share in VLAN 10 just fine from the GUI or the command line (net use command).
Why doesn't this work from the other direction starting at the 2003 server?
If I disable the Windows XP firewall drive mapping from the 2003 server to this workstation works just fine. I do have 'File and Printer Sharing' in the XP firewall exception list but apparently that doesn't open up all the right ports.
(I'm just putting all this down in case it helps someone else even more challenged than I - lol)
Hi Paul, my solution is as follows;
Within your already configured VLAN you can apply a VACL without having to introduce another subnet or VLAN for a host device only.
VLAN 10 IP: 192.168.1.0 255.255.255.0
Host IP: 192.168.1.10 255.255.255.0
Server IP: 192.168.1.15 255.255.255.0
First define the ip traffic you want to have control over on the switch:
Switch(config)#ip access-list extented acl1
-acl)#permit ip host 192.168.1.10 host 192.168.1.15
Switch(config)#ip access-list extented acl2
-acl)#permit ip host 192.168.1.10 192.168.1.0 0.0.0.255
Then define the VLAN on which you need to filter traffic:
Switch(config)#vlan access-map vacl1 10
access-map)#match ip address acl1
Switch(config)#vlan access-map vacl1 20
access-map)#match ip address acl2
To allow any different traffic:
Switch(config)#vlan access-map vacl1 30
Switch(config)#vlan filter vacl1 vlan-list 10
What does this workstation do?
Since you are initiating a file-share on a Windows server and that is all you want, why not limit it to a set of ports, or better yet create an sftp, ftp, or even webdav site and lock you ACLs down a bit more. By saying allow all IP between client and server, you are allowing ALL IP traffic, that includes TCP, and UDP. While it might meet your requirement of file sharing it also allows access to all open ports on that server.
So a typical 2003 install with HP would look something like this.
TCP 80 - ISS installed cause of HP management suite
135 MS RPC
1067 Installation Bootstrap Service Installation Bootstrap protocol server
2301 Insight Web agents
2381 HP Management HTTPS
3389 Terminal Server Port
Some of these ports have widely know exploits, that could be leveraged against the server. BTW, if you gain access to the server, it really does not matter what restrictions I have on the PC, the server will be the step off point to the rest of your network.
So I would do these two things.
Vlan the xp box out, into a restricted IP range, keep it as tight a you can with only a small number of extra IP addresses. And not your current /24 subnet.
An in and out access list, but limit the ACL only to the port assignments you need to do the function. Yes it is a little harder todo, but in the long run you will get more sleep.
Depending on who initiates the file transfers - I would recommend the server. You can really tighten down the ACL on the PC side and the server side could end up with a two line ACL. First line permit second line deny IP any any.
yes you are right in that the acl should be tied down but then once you open up the file sharing ports it's debatable as to how secure you can really make it with an acl. That's why it's best to put the XP machine on it's own subnet.
Ideally, both the client and the server should only be running services that are actually needed.
This workstation collects data from serial devices that monitor our production line.
It monitors quality control and keeps inventory of units produced. All of this data gets exported into a flat text file that we want to copy once a day to a common file share point which is mapped for our office users to a drive letter with a login script.
Your point about tightening up the ACL to needed ports is well taken.