- 5406zl ACL config for a lab...issues
07-30-2015 02:22 PM - edited 07-30-2015 02:22 PM
I'm using a 5406 to set up a lab.
I only want to be able to ping and RDP from production (vlan 40) to the lab (vlan 10), and to only have access to a DNS server on vlan 40, and internet access, from the lab (vlan 10).
Here is my ACL config...
ip access-list extended "lab_in"
5 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 0
7 permit tcp 10.0.10.0 0.0.0.255 192.168.60.2 0.0.0.0 eq 53
8 permit udp 10.0.10.0 0.0.0.255 192.168.60.2 0.0.0.0 eq 53
10 deny ip 10.0.10.0 0.0.0.255 192.168.0.0 0.0.255.255
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip route 0.0.0.0 0.0.0.0 192.168.60.254
ip routing
vlan 10
name "VLAN10"
untagged B1-B24
ip access-group "lab_in" in
ip address 10.0.10.1 255.255.255.0
exit
vlan 40
name "VLAN40"
untagged A1
ip address 192.168.60.230 255.255.255.0
exit
As it stands, I can ping from vlan 40 to vlan 10 but I can't RDP from vlan 40 to vlan 10. I can access the internet and DNS from vlan 10, I can't access any resources on vlan 40 from vlan 10 (that's how I want it).
I added the following to the "lab_in" ACL, which didn't work (no RDP in either direction):
2 permit tcp 10.0.10.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
3 permit udp 10.0.10.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
I swapped source and destination around on those ACEs, and can RDP from vlan 10 to vlan 40 (not desired):
2 permit tcp 192.168.0.0 0.0.255.255 10.0.10.0 0.0.0.255 eq 3389
3 permit udp 192.168.0.0 0.0.255.255 10.0.10.0 0.0.0.255 eq 3389
I removed ACE 2 and 3.
I created a new extended ACL "production_in" and added:
2 permit tcp 192.168.0.0 0.0.255.255 10.0.10.0 0.0.0.255 eq 3389
3 permit udp 192.168.0.0 0.0.255.255 10.0.10.0 0.0.0.255 eq 3389
When I add ip access-group "production_in" in to vlan 40, then I lose ping from vlan 40 to vlan 10, RDP still doesn't work, and vlan 10 has no internet.
Just when I think I'm starting to wrap my mind around ACLs...
07-31-2015 09:32 AM
Re: 5406zl ACL config for a lab...issues
From an ACL perspective adding:
2 permit tcp 10.0.10.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
Should allow RDP from VLAN 10 to VLAN 40. Looking at the "lab_in" ACL you must be hitting ACE 10 which is denying all IP packets from 10.0.10.0/24 to 192.168.0.0/16. To debug I would use Wireshark and make sure the IP/port are what you think they are. Also, you can append the "log" keyword to the end of an ACE to see which rules are being hit. I would also check that RDP works as you expect with no ACLs applied just for sanity.
"Direction" will also matter. If wanting to be able to source the RDP session from either VLAN you will need to explicitly permit both. 3389 is the TCP destination port from the originating host, but the source port coming back from the remote client. So if you want to RDP from VLAN 40 with the ACL on VLAN 10 you'll have to add 3389 as a TCP source port.
As for the "production_in" ACL remember there is an implicit "deny all" at the end of every ACL. By adding "production_in" to VLAN 40 you are blocking everything except an RDP session from 192.168.0.0/16 to 10.0.10.0/24 initiated on this VLAN. However, the return path (TCP source port 3389) will be blocked by the ACL on VLAN 10 so your RDP session will not be established.
Hope that helps.
07-31-2015 02:40 PM - edited 07-31-2015 02:41 PM
Re: 5406zl ACL config for a lab...issues
Well...it kind of helps, but I'm still not getting it.
When I remove all access groups, I can RDP both ways (along with everything else), as expected.
And, yes, I can get RDP from vlan_10 to vlan_40 with "2 permit tcp 10.0.10.0/24 192.168.0.0/16 eq 3389" in the "lab_in" ACL, but I actually want it the other way around (RDP vlan_40 to vlan_10).
I removed the vlan_40 access-group "production_in" (doesn't that change vlan_40 to "permit any any"?), so that should allow tcp 3389 out to anywhere, right? Then I control access to vlan_40 (from vlan_10) with "access-group 'lab_in' in" on vlan_10.
I guess where I'm confused is, how do I permit RDP from one vlan to the other without permitting it both ways? Is that possible?
Just typing this is giving me a headache...I'm glad it's Friday!
08-03-2015 11:07 AM
Solution
Ok, so if you want to permit RDP from VLAN 40 to VLAN 10 with the ACL applied on VLAN 10:
permit tcp 10.0.10.0/24 eq 3389 192.168.0.0/16
Because, in that direction, 3389 is the TCP source port. "Server" replies swap source & dest ports. RDP from VLAN 10 to 40 is blocked because that would be TCP dest port 3389.
Again, I would highly recommend using a packet capture app like Wireshark. Helps a lot when debugging ACLs...
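As an added example (not code from the thread or from HPE), here is a small Python model of how a first-match extended ACL applied "in" on VLAN 10 evaluates the packets lab hosts send. It covers both points made in the replies: the first attempt, "permit tcp 10.0.10.0/24 192.168.0.0/16 eq 3389", lets the lab open RDP to production, while the accepted "permit tcp 10.0.10.0/24 eq 3389 192.168.0.0/16" only admits the return leg of sessions opened from production; the host addresses, ephemeral ports and the position of the RDP ACE (inserted as ACE 2, ahead of the deny at ACE 10) are assumptions.

```python
# Added example, not from the thread: first-match model of the "lab_in"
# extended ACL applied "in" on VLAN 10, so it only evaluates packets that
# lab hosts send. Host addresses, ephemeral ports and the position of the
# RDP ACE (ahead of the deny at ACE 10) are constructed assumptions.
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
# ACE = (action, proto, src_net, src_port, dst_net, dst_port); None = any port
OP_RDP_ACE = ("permit", "tcp", "10.0.10.0/24", None, "192.168.0.0/16", 3389)  # first attempt
FIX_RDP_ACE = ("permit", "tcp", "10.0.10.0/24", 3389, "192.168.0.0/16", None) # accepted fix

def lab_in(rdp_ace):
    """The thread's 'lab_in' ACL with one RDP ACE inserted as ACE 2."""
    return [
        rdp_ace,                                                          # ACE 2
        ("permit", "icmp", ANY, None, ANY, None),                         # ACE 5
        ("permit", "tcp", "10.0.10.0/24", None, "192.168.60.2/32", 53),   # ACE 7
        ("permit", "udp", "10.0.10.0/24", None, "192.168.60.2/32", 53),   # ACE 8
        ("deny", "ip", "10.0.10.0/24", None, "192.168.0.0/16", None),     # ACE 10
        ("permit", "ip", ANY, None, ANY, None),                           # ACE 40
    ]

def evaluate(acl, proto, src, sport, dst, dport):
    """Return the action of the first ACE that matches the packet; when none
    does, the implicit 'deny all' at the end of every ACL applies."""
    for action, p, snet, sp, dnet, dp in acl:
        if p not in ("ip", proto):
            continue  # wrong protocol ("ip" matches any IP protocol)
        if ip_address(src) not in ip_network(snet) or ip_address(dst) not in ip_network(dnet):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue  # port check is per direction: source vs destination
        return action
    return "deny"

# Constructed flows, each as the packet leaves a lab host (what lab_in sees).
LAB_RDP_REPLY = ("tcp", "10.0.10.20", 3389, "192.168.60.50", 50123)  # return leg of prod->lab RDP
LAB_RDP_SYN = ("tcp", "10.0.10.20", 50123, "192.168.60.50", 3389)    # lab tries to RDP into prod
LAB_DNS = ("udp", "10.0.10.20", 53001, "192.168.60.2", 53)
LAB_WEB = ("tcp", "10.0.10.20", 40000, "203.0.113.5", 443)

if __name__ == "__main__":
    for label, ace in (("first attempt", OP_RDP_ACE), ("accepted fix", FIX_RDP_ACE)):
        acl = lab_in(ace)
        print(f"{label}: RDP reply {evaluate(acl, *LAB_RDP_REPLY)}, "
              f"lab-initiated RDP {evaluate(acl, *LAB_RDP_SYN)}")
```

The model only checks the packet direction the thread discusses (lab to production); a real VLAN ACL is stateless, so the same source-port reasoning applies to any other service you open one way.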
08-03-2015 12:39 PM
Re: 5406zl ACL config for a lab...issues
That's what I needed, and my ACL lightbulb is starting to glow!
Friday was a bad day to be trying to figure this out, and looking at it now, it makes sense.
Thank you!!