Wednesday, December 20, 2017

I need help with an ACL

Hi all,

I am trying to make an ACL on my layer 3 switches (in HSRP) that would allow a new VLAN on my network to be accessible via RDP and ICMP from all other user VLANs. Also, the server VLAN needs to do ICMP as well as TCP and UDP 445 to this new VLAN. And the new VLAN needs to access the following on the server VLAN:

- UDP Port 88 for Kerberos authentication
- UDP and TCP 135 for domain controller-to-domain controller and client-to-domain controller operations
- UDP 389 for LDAP to handle normal queries from client computers to the domain controllers
- TCP and UDP Port 464 for Kerberos Password Change
- TCP Port 3268 and 3269 for Global Catalog from client to domain controller
- TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller
- TCP & UDP 49152-65535, the ephemeral ports, are required
- ICMP (Echo)

The following are the VLAN IDs with the corresponding names:
- vlan 20: Server VLAN
- vlan 30-40: all regular user VLANs
- vlan 184: new restricted VLAN

The following is what I have currently in my ACL, but it's not working properly:

ip access-list extended RESTRICT-VLAN184-IN
 remark Allow ICMP
 permit icmp any any echo-reply
 remark Allow RDP
 permit tcp any any eq 3389
 permit udp any any eq 3389
 remark Allow VLAN20
 permit tcp any 10.10.20.0 0.0.3.255 eq www
 permit tcp any 10.10.20.0 0.0.3.255 eq domain
 permit tcp any 10.10.20.0 0.0.3.255 eq 443
 permit tcp any 10.10.20.0 0.0.3.255 eq 52230
 permit tcp any 10.10.20.0 0.0.3.255 eq 135
 permit tcp any 10.10.20.0 0.0.3.255 eq 464
 permit tcp any 10.10.20.0 0.0.3.255 range 3268 3269
 permit tcp any 10.10.20.0 0.0.3.255 range 49152 65535
 permit udp any 10.10.20.0 0.0.3.255 eq domain
 permit udp any 10.10.20.0 0.0.3.255 eq 88
 permit udp any 10.10.20.0 0.0.3.255 eq 135
 permit udp any 10.10.20.0 0.0.3.255 eq 389
 permit udp any 10.10.20.0 0.0.3.255 eq 464
 permit udp any 10.10.20.0 0.0.3.255 range 49152 65535
 remark Deny all other VLANS
 deny ip any 10.10.0.0 0.0.255.255
 remark Allow internet
 permit ip any any

Applying the ACL inbound to the layer 3 VLAN interface:

interface vlan184
 ip access-group RESTRICT-VLAN184-IN in

If anyone can help with this, it would be very much appreciated. Thanks in advance.
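As an added example (not part of the post above and not the poster's configuration), the following Python script simulates how a Cisco extended ACL is evaluated: top to bottom, first match wins, with an implicit deny at the end. It parses the ACEs quoted in the post and checks a handful of constructed flows against them. Because the list is applied "in" on interface vlan184, every flow it sees is sourced from VLAN 184, and an "eq"/"range" operator written after the destination address compares the destination port. The host addresses for VLAN 184 (10.10.184.x), VLAN 30 (10.10.30.x), the domain controller (10.10.20.5) and the external address are assumptions; the post only gives the server VLAN (10.10.20.0 with wildcard 0.0.3.255) and the internal summary (10.10.0.0 with wildcard 0.0.255.255).

```python
"""Added example (not from the post): first-match simulation of a Cisco-style
extended ACL, used to check which constructed flows the post's list permits."""
import ipaddress
from dataclasses import dataclass

NAMED_PORTS = {"www": 80, "domain": 53}   # Cisco port keywords used in the post

# ACEs exactly as quoted in the post, in order (remarks dropped)
ACL_TEXT = """
permit icmp any any echo-reply
permit tcp any any eq 3389
permit udp any any eq 3389
permit tcp any 10.10.20.0 0.0.3.255 eq www
permit tcp any 10.10.20.0 0.0.3.255 eq domain
permit tcp any 10.10.20.0 0.0.3.255 eq 443
permit tcp any 10.10.20.0 0.0.3.255 eq 52230
permit tcp any 10.10.20.0 0.0.3.255 eq 135
permit tcp any 10.10.20.0 0.0.3.255 eq 464
permit tcp any 10.10.20.0 0.0.3.255 range 3268 3269
permit tcp any 10.10.20.0 0.0.3.255 range 49152 65535
permit udp any 10.10.20.0 0.0.3.255 eq domain
permit udp any 10.10.20.0 0.0.3.255 eq 88
permit udp any 10.10.20.0 0.0.3.255 eq 135
permit udp any 10.10.20.0 0.0.3.255 eq 389
permit udp any 10.10.20.0 0.0.3.255 eq 464
permit udp any 10.10.20.0 0.0.3.255 range 49152 65535
deny ip any 10.10.0.0 0.0.255.255
permit ip any any
"""

@dataclass
class Ace:
    text: str
    action: str
    proto: str
    src: ipaddress.IPv4Network = None
    dst: ipaddress.IPv4Network = None
    sport: tuple = None       # (lo, hi) source-port range, when an operator follows the source
    dport: tuple = None       # (lo, hi) destination-port range, when it follows the destination
    icmp_type: str = None     # e.g. "echo-reply"

def _net(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcards only)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    hostbits = int(ipaddress.IPv4Address(tokens.pop(0))).bit_length()
    return ipaddress.ip_network(f"{tok}/{32 - hostbits}", strict=False)

def _ports(tokens):
    """Consume an optional 'eq P' or 'range LO HI' operator; ports may be Cisco keywords."""
    port = lambda t: NAMED_PORTS.get(t) or int(t)
    if tokens and tokens[0] == "eq":
        p = port(tokens[1]); del tokens[:2]; return (p, p)
    if tokens and tokens[0] == "range":
        lo, hi = port(tokens[1]), port(tokens[2]); del tokens[:3]; return (lo, hi)
    return None

def parse_ace(line):
    t = line.split()
    ace, rest = Ace(line, t[0], t[1]), t[2:]
    ace.src, ace.sport = _net(rest), _ports(rest)   # operator after source = source port
    ace.dst, ace.dport = _net(rest), _ports(rest)   # operator after destination = dest port
    if rest and ace.proto == "icmp":
        ace.icmp_type = rest[0]
    return ace

def parse_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()]

def _in_range(rng, value):
    return rng is None or rng[0] <= value <= rng[1]

def evaluate(acl, flow):
    """Return (action, ace_text) of the first ACE matching the flow, else the implicit deny."""
    for ace in acl:
        if (ace.proto in ("ip", flow["proto"])
                and ipaddress.ip_address(flow["src"]) in ace.src
                and ipaddress.ip_address(flow["dst"]) in ace.dst
                and _in_range(ace.sport, flow.get("sport", 0))
                and _in_range(ace.dport, flow.get("dport", 0))
                and (ace.icmp_type is None or ace.icmp_type == flow.get("icmp_type"))):
            return ace.action, ace.text
    return "deny", "implicit deny"

ACL = parse_acl(ACL_TEXT)

# Constructed flows, all sourced from VLAN 184 because the list is applied "in" on
# interface vlan184. Host addresses (10.10.184.10, 10.10.30.7, 10.10.20.5) are assumptions.
FLOWS = {
    "kerberos to DC":       dict(proto="udp", src="10.10.184.10", dst="10.10.20.5", sport=51000, dport=88),
    "rdp reply to user":    dict(proto="tcp", src="10.10.184.10", dst="10.10.30.7", sport=3389, dport=50123),
    "ping reply to user":   dict(proto="icmp", src="10.10.184.10", dst="10.10.30.7", icmp_type="echo-reply"),
    "ping request to user": dict(proto="icmp", src="10.10.184.10", dst="10.10.30.7", icmp_type="echo"),
    "https to internet":    dict(proto="tcp", src="10.10.184.10", dst="93.184.216.34", sport=51001, dport=443),
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        action, why = evaluate(ACL, flow)
        print(f"{name:22s} -> {action:6s} via '{why}'")
```

Running it prints one line per flow with the ACE that decided it. The Kerberos request to the server VLAN and the outbound HTTPS flow are permitted, while a packet leaving VLAN 184 with source port 3389 and an ephemeral destination port matches none of the "eq 3389" lines (which test the destination port) and falls through to "deny ip any 10.10.0.0 0.0.255.255". Walking flows through the list this way, in both directions of each session, is a cheap check to run before applying a list to a production SVI.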
