3750 ACL help

Status
Not open for further replies.

rbjohnson78 (Technical User), Nov 1, 2011
Long story short. My boss wanted me to take some routes out of the switch to free up some public IP addresses. It's been a while since I've worked on a Cisco switch, but now I'm not sure how to make our ACLs work again. The config is below.

Also, just a quick rundown on how it is set up. We are using the ISP as the gateway, which we will say is 16.66.77.161, and this is off of port 23. Off of port 24 is our firewall, whose IP is 16.66.77.166, and our internal (private) IP range is 192.18.0.0. Let me know if you need any more info than this, but this is the gist of it.

3750X-24T#show run
Building configuration...

Current configuration : 9095 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname 3750X-24T
!
boot-start-marker
boot-end-marker
!
enable secret 5 ----------------------
!
username ---- secret 5 ---------------
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
switch 1 provision ws-c3750x-24
system mtu routing 1500
authentication mac-move permit
!
!
no ip domain-lookup
ip domain-name software.com
vtp mode transparent
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
!
!
port-channel load-balance src-dst-ip
!
vlan internal allocation policy ascending
!
vlan 5
name DMZ
!
ip ssh time-out 30
ip ssh authentication-retries 5
ip ssh version 2
!
!
interface FastEthernet0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface GigabitEthernet1/0/1
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/2
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/3
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/4
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/5
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/6
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/7
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/8
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/9
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/10
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/11
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/12
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/13
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/14
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/15
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/16
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/17
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/18
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/19
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/20
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/21
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/22
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/23
description INTERNET
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/24
description WATCHGUARD FIREWALL PORT 0
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
description DO NOT USE
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
shutdown
!
interface Vlan5
description DMZ
ip address 16.66.77.177 255.255.255.224
ip access-group DMZ-IN in
ip access-group DMZ-OUT out
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
!
ip default-gateway 16.66.77.161
ip classless
ip route 0.0.0.0 0.0.0.0 16.66.77.161
no ip http server
no ip http secure-server
!
ip access-list extended DMZ-IN
remark ACL RULES ON TRAFFIC FROM DMZ SERVERS
remark ALLOW ALL OUTBOUND TRAFFIC FROM DMZ SERVERS
permit ip any any
ip access-list extended DMZ-OUT
remark PERMIT ICMP TRAFFIC
permit icmp any 16.66.77.176 0.0.0.15
remark ACL RULES ON TRAFFIC TO DMZ SERVERS
remark ALLOW ESTABLISHED TCP TRAFFIC
permit tcp any 16.66.77.176 0.0.0.15 established
permit udp any host 16.66.77.178 gt 1024
permit tcp any any eq 1433
permit udp any any eq 1434
permit esp any any
permit udp any any eq isakmp
permit gre any any
permit tcp any host 16.66.77.178 gt 1024
permit tcp host 16.66.77.166 host 16.66.77.179 eq www
permit tcp 8.178.59.240 0.0.0.3 host 16.66.77.179 eq www
permit tcp 73.160.120.16 0.0.0.3 host 16.66.77.179 eq www
permit tcp any host 16.66.77.179 gt 1024
permit udp any host 16.66.77.179 gt 1024
permit tcp 73.160.120.16 0.0.0.3 host 16.66.77.180 eq www
permit tcp host 16.66.77.166 host 16.66.77.180 eq www
permit tcp 8.178.59.240 0.0.0.3 host 16.66.77.180 eq www
permit tcp any host 16.66.77.185 eq 1755
permit udp any host 16.66.77.185 eq 1755
permit udp any host 16.66.77.185 eq 5005
permit tcp any host 16.66.77.185 eq 5005
permit udp any host 16.66.77.182 eq 1719
permit tcp any host 16.66.77.182 eq 1720
permit tcp any host 16.66.77.182 gt 49151
permit udp any host 16.66.77.182 gt 49151
permit tcp any host 16.66.77.183 gt 49151
permit udp any host 16.66.77.183 gt 49151
permit tcp any host 16.66.77.184 eq telnet
permit udp any host 16.66.77.179 eq 1719
permit udp any host 16.66.77.179 eq snmp
permit tcp any host 16.66.77.179 eq 1720
permit tcp any host 16.66.77.179 eq 5060
permit tcp any host 16.66.77.179 eq 1755
permit tcp any host 16.66.77.179 eq 554
permit tcp any host 16.66.77.179 eq ftp
permit udp any host 16.66.77.179 eq 5060
permit tcp host 16.66.77.166 host 16.66.77.184 eq 443
permit tcp host 73.160.120.17 host 16.66.77.184 eq 443
permit tcp host 73.160.120.17 host 16.66.77.184 eq www
permit tcp host 16.66.77.166 host 16.66.77.184 eq www
permit tcp host 73.160.120.17 host 16.66.77.184 eq 554
permit tcp any host 16.66.77.184 range 10000 10200
permit udp any host 16.66.77.184 range 15000 16000
permit tcp host 16.66.77.166 host 16.66.77.186 eq 22
permit tcp host 73.160.120.17 host 16.66.77.186 eq 22
permit tcp any host 16.66.77.186 eq 1720
permit udp any host 16.66.77.186 eq 1719
permit udp any host 16.66.77.186 range 50000 60000
permit tcp any host 16.66.77.186 range 30000 60000
permit tcp any host 16.66.77.186 eq 1935
permit tcp host 16.66.77.166 host 16.66.77.186 eq 9000
permit tcp host 73.160.120.17 host 16.66.77.186 eq 9000
permit udp any host 16.66.77.186 eq 11935
permit tcp any host 16.66.77.186 eq 5060
permit udp any host 16.66.77.186 eq 5060
permit tcp any host 16.66.77.186 eq domain
permit udp any host 16.66.77.186 eq domain
permit tcp host 16.66.77.166 host 16.66.77.185 eq www
permit tcp host 16.66.77.166 host 16.66.77.185 eq 443
permit tcp host 73.160.120.17 host 16.66.77.185 eq www
permit tcp host 73.160.120.17 host 16.66.77.185 eq 443
permit tcp host 8.8.8.8 host 16.66.77.186 gt 1023
permit udp host 8.8.8.8 host 16.66.77.186 gt 1023
deny ip any any log
ip access-list extended dmz-out
!
ip sla enable reaction-alerts
access-list 1 permit 16.66.77.166
access-list 1 permit 192.18.0.0 0.0.255.255
access-list 2 permit 16.66.77.166
access-list 2 permit 192.18.0.0 0.0.255.255
access-list 3 permit 16.66.77.166
access-list 3 permit 192.18.0.0 0.0.255.255
snmp-server community wadz15kG RO 2
snmp-server community WkI4k9Nc RW 3
!

!
line con 0
exec-timeout 30 0
logging synchronous
line vty 0 4
access-class 1 in
exec-timeout 30 0
logging synchronous
transport input ssh
line vty 5 15
access-class 1 in
exec-timeout 30 0
logging synchronous
transport input ssh
!
end

3750X-24T#
 
Why are you doing this on your switch? You really should put another firewall in this design. At any rate, it will be tough to give you any recommendations or provide you with any solutions without knowing which IPs you want removed from this configuration.


I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Wasn't my decision. They told me to take the routing out so they could gain more IPs. I advised against it, but they wanted it done anyway. So, I was looking to see if there was a way to keep these existing ACLs in place without putting the routing back into place. I read you can do VLAN ACLs, but I'm not sure how I would apply it to this config, if it is at all possible.

To answer your question, we're not looking to remove any of these IPs in the config. Just trying to figure out how we can apply these ACL rules again. Hope that makes sense.
 
I'm not certain I fully understand what you are asking. I assume your network is set up like:
FW -> Internal Network
ISP ->
3750 -> DMZ Network

Correct?

You stated that you wanted to "take some routes out of the switch to free up some public IP addresses". What routes are you talking about?

We should be able to help but I think we need more specific information about what you're trying to accomplish.
 
I already took the routes out. Port 23 used to have an IP and so did port 24, but now all ports are part of the same VLAN. And as of right now the ISP is used as the default gateway. So what my employers would like is to keep the config the same but still be able to use the existing ACLs. Maybe this isn't possible, but I thought I would see what kind of suggestions the experts would have. Thanks for the help! And let me know if you need any more info.
 
Is there a way to still apply the ACLs the way it is set up?
 
The answer is no.

ACLs are used at layer 3.

At this stage, I can't see that this switch performs any layer 3 function, so you have nothing to apply the ACLs to.

You have effectively put your DMZ outside your firewall. Like this:
    ISP
   /   \
  FW   DMZ

This is truly awful - you're just asking to be hacked and to have your bandwidth stolen by Russians.

I assume what was happening in the past was that the switch was routing between three subnets: the ISP subnet, DMZ subnet, the FW subnet.
You had ACLs to provide the semblance of protection against hacking.

A proper design should have
ISP
|
|
FIREWALL ---- DMZ
|
|
LAN

To do this, you need:
1. Turn off IP routing on your switch. It's not only not needed, it's a risk.
2. Move ports 23 & 24 into a new VLAN (say VLAN100)
3. re-address the FW "outside" and ISP interfaces to a pair of new IP addresses that are in the same subnet.

What's happening here is that your employer is exposing your company to some serious risk by using underqualified staff to poorly design and perform changes to the network, causing security issues. You need to tell your employer that they need to hire a network consultant to design this properly so that you at least have a chance of implementing something acceptable.
 
One other question...

I read that ACLs can be port-based. Can I apply these ACLs to a single port?
 
Indeed, ACLs are port-based.

On interface F0/0, you can apply one ACL inbound (and only one) and one ACL outbound.

If you have an inbound ACL "toto", you can apply it on F0/0 and also on F0/1 or more interfaces.

Port-based means the rules must be applied on an interface (one rule can be applied on several interfaces).
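The two things asked about in this thread, a VLAN ACL and a per-port ACL, worked through as an added example that was not posted by anyone above. It is written against the addressing in the posted config (Internet on Gi1/0/23, the WatchGuard outside interface 16.66.77.166 on Gi1/0/24, DMZ hosts in 16.66.77.176/28, everything in VLAN 5) and leaves the existing DMZ-OUT list unchanged. The names FROM-DMZ, FW-TRANSIT and DMZ-MAP are made up here, and the SSH entry assumes the switch is managed from behind the firewall. The point it shows is that DMZ-OUT was written for one direction of a routed design, so reapplying it in a flat VLAN needs entries in front of it for the traffic that used to bypass it, or the DMZ servers' own connections and the LAN's Internet access get dropped.

```cisco
! Added example, not from any poster in this thread. Assumes the posted
! addressing: Internet on Gi1/0/23, WatchGuard outside 16.66.77.166 on
! Gi1/0/24, DMZ hosts in 16.66.77.176/28, all in VLAN 5, and the existing
! DMZ-OUT list left as-is. FROM-DMZ, FW-TRANSIT and DMZ-MAP are made-up
! names. Use Option A or Option B, not both.
!
! ---- Option A: port ACL (PACL) on the Internet-facing access port ----
! Catalyst 3750 port ACLs filter inbound only, so DMZ-OUT (written for the
! "toward the DMZ" direction) goes inbound on the port Internet traffic
! enters. Internet-to-firewall packets now cross that same port and would
! be dropped by the final deny in DMZ-OUT, so entry 5 is inserted ahead of
! the first auto-numbered ACE (10) to pass them. Firewall-to-DMZ traffic is
! switched inside VLAN 5 and is no longer filtered by the switch at all.
ip access-list extended DMZ-OUT
 5 permit ip any host 16.66.77.166
!
interface GigabitEthernet1/0/23
 description INTERNET
 ip access-group DMZ-OUT in
!
! ---- Option B: VLAN access map (VACL) on VLAN 5 ----
! A VLAN map has no direction: every IP packet bridged in VLAN 5 is checked
! against the entries in order, and a packet matching a permit ACE in an
! entry's ACL takes that entry's action. A deny ACE (or no match) means
! "not this entry" and the packet moves to the next one. DMZ-OUT only
! permits traffic *to* the DMZ block, so the entries before it must pass
! what the old routed design never sent through it: the DMZ servers' own
! outbound connections (the old DMZ-IN was permit ip any any) and the
! Internet <-> firewall traffic that used to be routed between ports 23
! and 24 without touching VLAN 5.
ip access-list extended FROM-DMZ
 permit ip 16.66.77.176 0.0.0.15 any
!
ip access-list extended FW-TRANSIT
 remark SSH to the switch SVI itself (vty access-class 1 still applies)
 permit tcp host 16.66.77.166 host 16.66.77.177 eq 22
 remark deny here = fall through, so firewall->DMZ is still judged by DMZ-OUT
 deny   ip host 16.66.77.166 16.66.77.176 0.0.0.15
 permit ip host 16.66.77.166 any
 permit ip any host 16.66.77.166
!
vlan access-map DMZ-MAP 10
 match ip address FROM-DMZ
 action forward
vlan access-map DMZ-MAP 20
 match ip address FW-TRANSIT
 action forward
vlan access-map DMZ-MAP 30
 match ip address DMZ-OUT
 action forward
! No trailing "action drop" entry on purpose: an IP packet that matches no
! entry is dropped by default, while non-IP frames such as ARP are forwarded
! because the map has no MAC match clause. An entry with no match clause
! and action drop would discard ARP as well and take the whole /27 down.
!
vlan filter DMZ-MAP vlan-list 5
```

Check the result with `show vlan access-map`, `show vlan filter` and `show access-lists`, and test from the DMZ side, from behind the firewall and from the Internet before leaving the change in place. VLAN maps do not support the log keyword, so the `deny ip any any log` at the end of DMZ-OUT stops producing syslog entries under Option B; check your release's configuration guide for whether a port ACL honors it under Option A. Neither option changes the fact that the DMZ hosts now sit in the same broadcast domain as the ISP and the firewall's outside interface, which is the design problem the earlier reply describes.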
 
