Re: 5406zl ACL config for a lab...issues

SOLVED
awall
Occasional Contributor

5406zl ACL config for a lab...issues

I'm using a 5406 to set up a lab.

I only want to be able to ping and RDP from production (vlan 40) to the lab (vlan 10), and to only have access to a DNS server on vlan 40, and internet access, from the lab (vlan 10).

Here is my ACL config...


ip access-list extended "lab_in"
5 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 0
7 permit tcp 10.0.10.0 0.0.0.255 192.168.60.2 0.0.0.0 eq 53
8 permit udp 10.0.10.0 0.0.0.255 192.168.60.2 0.0.0.0 eq 53
10 deny ip 10.0.10.0 0.0.0.255 192.168.0.0 0.0.255.255
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit


ip route 0.0.0.0 0.0.0.0 192.168.60.254
ip routing

vlan 10
name "VLAN10"
untagged B1-B24
ip access-group "lab_in" in
ip address 10.0.10.1 255.255.255.0
exit


vlan 40
name "VLAN40"
untagged A1
ip address 192.168.60.230 255.255.255.0
exit


As it stands, I can ping from vlan 40 to vlan 10 but I can't RDP from vlan 40 to vlan 10. I can access the internet and DNS from vlan 10, I can't access any resources on vlan 40 from vlan 10 (that's how I want it).


I added the following to the "lab_in" ACL, which didn't work (no RDP in either direction):

2 permit tcp 10.0.10.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389

3 permit udp 10.0.10.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389


I swapped source and destination around on those ACEs, and can RDP from vlan 10 to vlan 40 (not desired):

2 permit tcp 192.168.0.0 0.0.255.255 10.0.10.0 0.0.0.255 eq 3389

3 permit udp 192.168.0.0 0.0.255.255 10.0.10.0 0.0.0.255 eq 3389


I removed ACE 2 and 3.


I created a new extended ACL "production_in" and added:

2 permit tcp 192.168.0.0 0.0.255.255 10.0.10.0 0.0.0.255 eq 3389

3 permit udp 192.168.0.0 0.0.255.255 10.0.10.0 0.0.0.255 eq 3389


When I add ip access-group "production_in" in to vlan 40, then I lose ping from vlan 40 to vlan 10, RDP still doesn't work, and vlan 10 has no internet.


Just when I think I'm starting to wrap my mind around ACLs...

Michael Patmon
Trusted Contributor

Re: 5406zl ACL config for a lab...issues

From an ACL perspective adding:
2 permit tcp 10.0.10.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389


should allow RDP from VLAN 10 to VLAN 40. Looking at the "lab_in" ACL you must be hitting ACE 10 which is denying all IP packets from 10.0.10.0/24 to 192.168.0.0/16. To debug I would use Wireshark and make sure the IP/port are what you think they are. Also, you can append the "log" keyword to the end of an ACE to see which rules are being hit. I would also check that RDP works as you expect with no ACLs applied just for sanity.


"Direction" will also matter. If wanting to be able to source the RDP session from either VLAN you will need to explicitly permit both. 3389 is the TCP destination port from the originating host, but the source port coming back from the remote client. So if you want to RDP from VLAN 40 with the ACL on VLAN 10 you'll have to add 3389 as a TCP source port.


As for the "production_in" ACL remember there is an implicit "deny all" at the end of every ACL. By adding "production_in" to VLAN 40 you are blocking everything except an RDP session from 192.168.0.0/16 to 10.0.10.0/24 initiated on this VLAN. However, the return path (TCP source port 3389) will be blocked by the ACL on VLAN 10 so your RDP session will not be established.


Hope that helps.

awall
Occasional Contributor

Re: 5406zl ACL config for a lab...issues

Well...it kind of helps, but I'm still not getting it.

When I remove all access groups, I can RDP both ways (along with everything else), as expected.

And, yes, I can get RDP from vlan_10 to vlan_40 with "2 permit tcp 10.0.10.0/24 192.168.0.0/16 eq 3389" in the "lab_in" ACL, but I actually want it the other way around (RDP vlan_40 to vlan_10).


I removed the vlan_40 access-group "production_in" (doesn't that change vlan_40 to "permit any any"?), so that should allow tcp 3389 out to anywhere, right? Then I control access to vlan_40 (from vlan_10) with "access-group 'lab_in' in" on vlan_10.

I guess where I'm confused is, how do I permit RDP from one vlan to the other without permitting it both ways? Is that possible?


Just typing this is giving me a headache...I'm glad it's Friday!

Michael Patmon
Trusted Contributor
Solution

Re: 5406zl ACL config for a lab...issues

Ok, so if you want to permit RDP from VLAN 40 to VLAN 10 with the ACL applied on VLAN 10:
permit tcp 10.0.10.0/24 eq 3389 192.168.0.0/16


Because, in that direction, 3389 is the TCP source port.  "Server" replies swap source & dest ports.  RDP from VLAN 10 to 40 is blocked because that would be TCP dest port 3389.


Again, I would highly recommend using a packet capture app like Wireshark.  Helps a lot when debugging ACLs...
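As an added illustration (not part of the thread and not switch code), here is a small Python model of stateless, first-match ACL evaluation with the implicit deny, applied to the poster's "lab_in" ACL as an inbound filter on VLAN 10; it shows why a destination-port 3389 ACE opens RDP from VLAN 10 to VLAN 40 while only the accepted source-port 3389 ACE lets the VLAN 40 to VLAN 10 session complete. The model uses CIDR notation instead of the switch's wildcard masks, and the client 192.168.60.10, server 10.0.10.5 and ephemeral port 50000 are constructed sample values.

```python
import ipaddress
from collections import namedtuple

# A packet as the switch sees it (ports are 0 for ICMP) and one access control
# entry: src/dst are CIDR strings, a port of None means "any".
Packet = namedtuple("Packet", "proto src dst sport dport")
Ace = namedtuple("Ace", "action proto src dst sport dport", defaults=(None, None))

def ace_matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)          # "ip" matches any protocol
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(ace.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(ace.dst)
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))

def evaluate(acl, pkt):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

VLAN10 = ipaddress.ip_network("10.0.10.0/24")

def passes_vlan10_inbound(acl, pkt):
    # "ip access-group lab_in in" on VLAN 10 filters only packets entering the
    # switch from VLAN 10 hosts; frames arriving on VLAN 40 are not inspected.
    if ipaddress.ip_address(pkt.src) not in VLAN10:
        return True
    return evaluate(acl, pkt) == "permit"

def rdp_session_allowed(acl, client, server, sport=50000):
    """RDP works only if the client's SYN *and* the server's SYN/ACK get through."""
    syn = Packet("tcp", client, server, sport, 3389)      # destination port 3389
    syn_ack = Packet("tcp", server, client, 3389, sport)  # reply: source port 3389
    return passes_vlan10_inbound(acl, syn) and passes_vlan10_inbound(acl, syn_ack)

# The poster's lab_in ACL, ACE numbers as in the thread.
LAB_IN = [
    Ace("permit", "icmp", "0.0.0.0/0", "0.0.0.0/0"),                    # 5
    Ace("permit", "tcp", "10.0.10.0/24", "192.168.60.2/32", dport=53),  # 7
    Ace("permit", "udp", "10.0.10.0/24", "192.168.60.2/32", dport=53),  # 8
    Ace("deny", "ip", "10.0.10.0/24", "192.168.0.0/16"),                # 10
    Ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),                      # 40
]
# The first attempt (destination port 3389) next to the accepted fix (source port 3389).
DPORT_ATTEMPT = [Ace("permit", "tcp", "10.0.10.0/24", "192.168.0.0/16", dport=3389)] + LAB_IN
SPORT_FIX = [Ace("permit", "tcp", "10.0.10.0/24", "192.168.0.0/16", sport=3389)] + LAB_IN
```

Because the model is stateless, like the switch ACL, the only thing that distinguishes the two directions is which end carries 3389 as its source port; a packet capture at the VLAN 10 host makes the same difference visible.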

awall
Occasional Contributor

Re: 5406zl ACL config for a lab...issues

That's what I needed, and my ACL lightbulb is starting to glow!

Friday was a bad day to be trying to figure this out, and looking at it now, it makes sense.

Thank you!!