Arrrg... this is so frustrating!
I've got a large layer 2 switched network with a layer 3 switch (Catalyst 3750 Stack) in the center doing inter-VLAN routing, which works just fine. The network is pure Cisco to the relevant parts.
I'm attempting to take one of the VLANs and secure it so that clients and servers within that VLAN can only communicate to a few helper servers and an external network through a VPN. Currently it can do all that it needs to do, but it can still be accessed by outside VLANs. For example, VLAN 50 can still send ping packets to VLAN 69, even though I might not want that.
I've been playing around with ACLs. I set up a laptop next to my workstation, put it in Test_VLAN 199, gave it a static IP, working gateway, DNS, the whole 9. For all intents and purposes, VLAN 199 works. However, as soon as I attempt to apply an ACL to it, things get WONKY.
For example, I attempt to constantly ping my workstation from the laptop in VLAN 199. It works, but as soon as I put up an ACL expressly permitting outbound packets from the IP pool in VLAN 199 TO my workstation, it dies, and cannot send any more pings out. I thought maybe it was also blocking the gateways, but that didn't help.
The config looks a lil somethin like this (IPs censored for the sake of my job):
int vlan 199
ip address x.x.x.1 255.255.255.0
ip access-group 106 out
access-list 106 permit ip x.x.x.0 0.0.0.255 host z.z.z.z
access-list 106 deny ip any any    (optional)
From what I understand, this should be allowing outbound packets from the IP pool x.x.x.0 to the specific host, but when I turn it on, "ping z.z.z.z" can no longer reach the host.
This makes no sense! Help me understand what I'm doing/thinking wrong!
Edit: I've also used RDP to try to access the computer in the test network, so it's not just ping that's dying.
The only other thought would be that it requires the ACL to be set up bidirectional or it will kill return packets... but that is a bitch to manage, and may or may not be applicable.
EDIT: Actually IP contains ICMP, so that looks OK if the IPs are right. Can you post a show access-lists?
Also my understanding of best practice says put the ACLs close to the packet source - so on the interface for the other VLANs, and you'd explicitly deny traffic destined for VLAN 199. The way you're setting it up now, outside systems can send IP traffic to your protected subnet, but return traffic will be denied. That's messy.
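Added illustration, not code from the thread: a small model of how IOS consults an access-group bound to an SVI in each direction, run against the VLAN 199 ping from the original post and the "return traffic will be denied" remark in the reply above. The addresses are constructed stand-ins for the censored x.x.x.0/24 and z.z.z.z, and the packet walk assumes the 3750 routes between SVIs with no other ACL in the path.

```python
# Constructed model of 'ip access-group 106 in|out' on 'int vlan 199'.
# Stand-in addresses (not from the thread): 10.199.0.0/24 = x.x.x.0/24,
# 10.50.0.20 = z.z.z.z (the workstation), 10.50.0.30 = some other host.
import ipaddress
from typing import List, Tuple

TEST_VLAN = ipaddress.ip_network("10.199.0.0/24")   # x.x.x.0 0.0.0.255
LAPTOP = "10.199.0.10"                               # host inside VLAN 199
WORKSTATION = "10.50.0.20"                           # z.z.z.z, in another VLAN
OTHER_HOST = "10.50.0.30"                            # not in the permit entry

def ace(action: str, src: str, dst: str):
    """One access-list entry; 'addr/wildcard' is IOS inverted-mask notation."""
    return action, ipaddress.ip_network(src, strict=False), ipaddress.ip_network(dst, strict=False)

# access-list 106 permit ip x.x.x.0 0.0.0.255 host z.z.z.z  (implicit deny follows)
ACL_106 = [ace("permit", "10.199.0.0/0.0.0.255", WORKSTATION + "/32")]

def evaluate(acl: List, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def svi_forward(acl: List, direction: str, src: str, dst: str) -> str:
    """Route one packet through the switch with acl bound on 'int vlan 199'.
    'in'  filters packets arriving from VLAN 199 (source inside the VLAN);
    'out' filters packets the switch sends into VLAN 199 (destination inside)."""
    from_vlan199 = ipaddress.ip_address(src) in TEST_VLAN
    to_vlan199 = ipaddress.ip_address(dst) in TEST_VLAN
    consulted = (direction == "in" and from_vlan199) or (direction == "out" and to_vlan199)
    return evaluate(acl, src, dst) if consulted else "permit"

def ping(acl: List, direction: str, src: str, dst: str) -> Tuple[str, str]:
    """(echo request src->dst, echo reply dst->src) as decided by the SVI ACL."""
    return svi_forward(acl, direction, src, dst), svi_forward(acl, direction, dst, src)

if __name__ == "__main__":
    for direction in ("out", "in"):
        print(f"ip access-group 106 {direction}:")
        print("  laptop -> workstation (request, reply):", ping(ACL_106, direction, LAPTOP, WORKSTATION))
        print("  other host -> laptop  (request, reply):", ping(ACL_106, direction, OTHER_HOST, LAPTOP))
```

With the list bound "out", the echo request is never checked (it leaves VLAN 199) but the reply heading back into VLAN 199 hits the implicit deny, which is the dead-ping symptom; bound "in", the laptop's own traffic to z.z.z.z flows both ways, while a session started from outside reaches the laptop and only its answers are dropped.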
The primary reasoning behind this is not necessarily to keep traffic from going into the network, but to stop this network from having access to the rest of our production network, while still allowing it to access things like our DNS and WSUS servers.
Just for shits and giggles, however, here is the "finalized" ACL:
[test vlan IP pool] = x.x.x.0 0.0.0.255
[some server] = a single IP address
[some IP pool] = y.y.y.0 0.0.0.255
If I understand it properly, this list allows outbound traffic to only those IPs and pools I've specified, while blocking requests to the others. This list, by the way, sits on the Layer 3 switch where all VLAN traffic is routed.
Like DNS - you're allowing full IP to a server that needs a single port. DNS example: http://www.donelan.com/dnsacl-min-cisco.html
I think you're on the right track, just need to tighten the screws.
Network Secret: