Friday, November 10, 2017

ACL fun...

Hello.

I have a testing machine that sits on a public IP. Alarm bell #1. Unfortunately, I cannot change the IP of the device. It HAS to be on this IP.

The issue is that this means that everybody and their dog on the internet is trying to break into it.

I changed the access list to only permit my specific subnet, which is good, but it is not allowing traffic through. I am not a routing guy, and the routing guy leaves permit ip any any on the end of the ACL...which, correct me if I'm wrong...kind of makes the whole thing pointless. There is more than one of these. MINE is specifically for testing, so the permit ip any any is no longer in play...which apparently is where I lose traffic.

To my understanding, it basically says "here's a bunch of subnets that are allowed, now permit ip any any, now everybody else is, too."

So if I set it up like this, with ACL 150 being inbound and 160 being outbound....

access-list 150 remark my connection
access-list 150 permit ip 10.10.1.0 0.0.0.255 any
access-list 150 remark myDHCPserverishere
access-list 150 permit ip 10.10.2.0 0.0.0.255 any
access-list 150 remark publicIP'shere
access-list 150 permit ip 10.10.3.0 0.0.0.255 any
! IOS ends every ACL with an implicit deny ip any any
access-list 160 permit ip any any

I would think that this would work. Unfortunately, this device has a bunch of addresses that also have public IPs, but we'll say that they're on the 10.10.3.0 0.0.0.255 subnet for the exercise.

Since outbound is permit ip any any, that shouldn't matter.

My first thought is that I need a routing process, but this device is not set up as a router.

Is there a way to permit traffic to go through a LAG port but also keep said traffic from having access to the machine it runs through?

I need a way for my subnets to pass traffic THROUGH the device, keep anything on those subnets from accessing MANAGEMENT on the device (i.e. logging into it), and keep the rest of the internet off of the device itself.
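The two requirements above are two different filters on a Cisco IOS box: the interface ACL decides what may pass THROUGH, and an access-class on the VTY lines decides who may log in TO the device. The following is an added example written for this post, not the author's configuration; it assumes Cisco IOS syntax, an interface named Port-channel1, an admin workstation at 10.10.1.10, and a placeholder SNMP community string. The first ACL shows the "routing guy" version with the trailing permit ip any any, the rest shows the separated version. Note that `no access-list 150` is needed first because numbered ACL lines append to whatever already exists.

```cisco
! --- Weak version: an ACL is evaluated top-down and stops at the first
! --- match, so the trailing permit makes the three lines above it pointless.
access-list 150 permit ip 10.10.1.0 0.0.0.255 any
access-list 150 permit ip 10.10.2.0 0.0.0.255 any
access-list 150 permit ip 10.10.3.0 0.0.0.255 any
access-list 150 permit ip any any
!
! --- Corrected transit filter (data plane).
! Every IOS ACL ends with an implicit "deny ip any any"; making it explicit
! with "log" lets "show access-list 150" counters show what is being dropped.
no access-list 150
access-list 150 remark my connection
access-list 150 permit ip 10.10.1.0 0.0.0.255 any
access-list 150 remark myDHCPserverishere
access-list 150 permit ip 10.10.2.0 0.0.0.255 any
access-list 150 remark publicIP'shere
access-list 150 permit ip 10.10.3.0 0.0.0.255 any
access-list 150 deny ip any any log
!
access-list 160 permit ip any any
!
! Interface name is assumed. On a switch this needs a routed port-channel,
! or a platform that supports port ACLs on Layer 2 interfaces.
interface Port-channel1
 ip access-group 150 in
 ip access-group 160 out
!
! --- Management plane: who may open a session TO the device.
! Checked on the device's own VTY lines regardless of whether the box
! routes, so the transit subnets pass through without reaching the CLI.
! 10.10.1.10 is an assumed admin workstation; everything else is logged.
access-list 10 remark management stations only
access-list 10 permit host 10.10.1.10
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
! Same list reused for the other management services the device exposes.
ip http access-class 10
snmp-server community <community-string> RO 10
```

After applying this, `show access-list 150` and `show access-list 10` show hit counts per line, so a dropped flow shows up against the explicit deny rather than silently vanishing into the implicit one.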


