Wednesday, October 21, 2020

Cisco extended ACL troubles

Using a Catalyst 9300. VLANs for each department, with an SVI for each. ACLs control inter-VLAN communication as you might expect.

I thought I had a better understanding of this than I apparently do. I've learned most of what I know with regards to ACLs/VLANs from what was configured when I started working at this company, tweaking things as needed. I'm a sysadmin that does "all the things".

I'm implementing "NAC" with dynamic VLAN assignment. This is working fine but I want to have partial access to the "holding/isolation" VLAN where machines are placed when not authenticated.

VLAN7 needs access to VLAN80 for ICMP, Remote Desktop or Dameware. Basically, if something goes wrong, we need remote access right now, as most of the office, helpdesk included, is still working from home.

VLAN7 - 10.10.7.0/24

VLAN80 - 10.10.80.0/24

So here's what I've got going on so far which all works as expected.

interface Vlan80
 description IT HOLDING
 ip address 10.10.80.1 255.255.255.0
 ip helper-address 10.10.14.55
 ip access-group VLAN-80 in

Extended IP access list VLAN-80
 15 permit udp any any eq bootps
 20 permit udp any any eq bootpc
 30 permit icmp 10.10.80.0 0.0.0.255 10.10.7.0 0.0.0.255 echo-reply
 35 permit icmp 10.10.80.0 0.0.0.255 10.100.7.0 0.0.0.255 echo-reply
 90 deny ip any any

The machines get assigned an IP address from the DHCP server without issue. They will also reply to a ping without issue.

What I cannot get to work, or I'm not understanding how to make it work, is to allow VLAN7 to RDP or Dameware in (ports 3389 or 6129).

What permits do I need for this, and where do they need to be? I would assume something like:

permit tcp 10.10.7.0 0.0.0.255 eq 6129 10.10.80.0 0.0.0.255 eq 6129

This doesn't work at all in the ACL above. Can I even do that, a VLAN7 source in the VLAN80 ACL? I'm having a hard time finding a simple answer to that question. I've also tried creating a VLAN-80-OUT outbound ACL with that permit line, and I am still unable to connect. Actually, in my testing it wasn't a specific port, but a permit ip 10.10.7.0.

Is there a simple solution I'm missing here? Did I leave something out? Is this even possible? Apologies, as this is not my area of expertise, but I've been messing with it off and on for two days and it's become increasingly frustrating.
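An added example, not part of the original post, of how the same inbound ACL on Vlan80 would be written so that sessions opened from VLAN7 can complete: the `in` direction on an SVI only evaluates packets sent by hosts on that VLAN, so the RDP/Dameware replies (source 10.10.80.0/24, source port 3389 or 6129) are what need a permit, not the VLAN7-sourced connection. It assumes VLAN7 is only 10.10.7.0/24 as listed above and that the `established` keyword (match on ACK/RST set) is available for routed ACLs on this platform.

```cisco
! Applied "in" on interface Vlan80, so this list sees packets SENT BY
! 10.10.80.0/24 hosts. A connection from 10.10.7.x to 10.10.80.x:3389
! enters the switch on Vlan7 and is never checked here; its reply
! (10.10.80.x:3389 -> 10.10.7.x, ACK set) is, and is what "deny ip any any"
! was dropping. The DHCP and echo-reply entries are the ones from the post.
ip access-list extended VLAN-80
 15 permit udp any any eq bootps
 20 permit udp any any eq bootpc
 30 permit icmp 10.10.80.0 0.0.0.255 10.10.7.0 0.0.0.255 echo-reply
 ! Reply half of RDP (TCP 3389): source port 3389 on the VLAN80 host,
 ! "established" so a VLAN80 host cannot open its own session to VLAN7.
 40 permit tcp 10.10.80.0 0.0.0.255 eq 3389 10.10.7.0 0.0.0.255 established
 ! Reply half of Dameware (TCP 6129), same pattern.
 45 permit tcp 10.10.80.0 0.0.0.255 eq 6129 10.10.7.0 0.0.0.255 established
 90 deny ip any any
!
interface Vlan80
 ip access-group VLAN-80 in
```

After applying it, `show access-lists VLAN-80` shows per-entry match counters, so a connection attempt from VLAN7 should increment entry 40 or 45 rather than entry 90.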
