C3560 Freakout on access-list!

[jlmdata]

Hi!

This is driving me nuts, hopefully someone can clear things up here..


I have set up 4 vlans, each vlan is a customer network, using the 3560 as default gateway.

Customers should be able to talk eachother BUT only through ports (tcp) , like smtp, www, https, dns, ftp....
Im controlling this by access-lists.

Now here is the config :
(permit ip any any, is there because they must be able to use internet)

interface Vlan11
ip address 172.16.11.1 255.255.255.0
ip access-group whiskey out
!
interface Vlan10
ip address 172.16.10.1 255.255.255.0
ip access-group lollipop out
!
interface Vlan8
ip address 172.16.8.1 255.255.255.0
ip access-group cheddar out
!
interface Vlan192
ip address 192.168.192.1 255.255.255.0
ip access-group popcorn out
!


ip access-list extended popcorn
permit ip 192.168.192.0 0.0.0.255 any
deny tcp 172.16.0.0 0.0.255.255 any neq smtp

http://www 443

ftp
deny udp 172.16.0.0 0.0.255.255 any neq ntp
deny icmp 172.16.0.0 0.0.255.255 any
permit ip any any
!

ip access-list extended cheddar
permit ip 172.16.8.0 0.0.0.255 any
deny tcp 192.168.0.0 0.0.255.255 any neq smtp

http://www 443

ftp
deny tcp 192.168.0.0 0.0.255.255 any neq ntp
deny icmp 192.168.0.0 0.0.255.255 any
deny tcp 172.16.0.0 0.0.255.255 any neq smtp

http://www 443

ftp
deny udp 172.16.0.0 0.0.255.255 any neq ntp
deny icmp 172.16.0.0 0.0.255.255 any
permit ip any any
!

ip access-list extended lollipop
permit ip 172.16.10.0 0.0.0.255 any
deny tcp 192.168.0.0 0.0.255.255 any neq smtp

http://www 443

ftp
deny tcp 192.168.0.0 0.0.255.255 any neq ntp
deny icmp 192.168.0.0 0.0.255.255 any
deny tcp 172.16.0.0 0.0.255.255 any neq smtp

http://www 443

ftp
deny udp 172.16.0.0 0.0.255.255 any neq ntp
deny icmp 172.16.0.0 0.0.255.255 any
permit ip any any
!

ip access-list extended whiskey
permit ip 172.16.11.0 0.0.0.255 any
deny tcp 192.168.0.0 0.0.255.255 any neq smtp

http://www 443

ftp
deny tcp 192.168.0.0 0.0.255.255 any neq ntp
deny icmp 192.168.0.0 0.0.255.255 any
deny tcp 172.16.0.0 0.0.255.255 any neq smtp

http://www 443

ftp
deny udp 172.16.0.0 0.0.255.255 any neq ntp
deny icmp 172.16.0.0 0.0.255.255 any
permit ip any any
!

Customer Whiskey should be albe to surf to Popcorns webserver. Customer Popcorn should be able to surf to Whiskeys webserver, all neq ports should be open to everyone!

The lists should be as dynamic as possible, for future customers.

Any super ideas?

 

[burtsbees]

Please post the vlan ip addresses/subnets. I have the strange feeling that your acl's could be pointing the wrong way, and therefore are not written correctly...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[burtsbees]

I'm an idiot...gimme a minute...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[burtsbees]

Yup---change all to ip access-group whatever in.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[jlmdata]

Hi!

Thanks for your help, but when I change groups to IN, there is no limit at all, all tcp ports are open hmm ?

Maybe you can write me an example?
Only specified ports should be open between networks 192.168.192.0 and 172.16.0.0, all other networks (internet) should be open.

Access-lists for these two.

interface Vlan8
ip address 172.16.8.1 255.255.255.0
ip access-group cheddar in

interface Vlan192
ip address 192.168.192.1 255.255.255.0
ip access-group popcorn in

 

[burtsbees]

I was assuming I knew what subnet belonged to whom...could you tell us? Like vlan 8=cheddar, etc.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[NetRx]

Think of the VLANs as interfaces when it applies to an ACL. So when you define traffic such as 'ip access-group popcorn out' on Vlan 8, this effectively means:
Inbound traffic originated from any other interface other than VLAN 8 destined to VLAN 8 is filtered by this ACL.

I'll give an example if that isn't clear:

ip access-list extended cheddar
 permit tcp host 4.2.2.2 172.16.8.0 0.0.0.255 www
 
interface Vlan8
ip address 172.16.8.1 255.255.255.0
ip access-group cheddar out

The ACL above means only the host 4.2.2.2 has

http://WWW access

to 172.16.8.0/24. Everything else destined to 172.16.8.0/24 is dropped. Now onto your specific ACLs...I'll provide some examples of how you could configure things:

 /Permitting Whiskey (172.16.11.0/24?) to surf Popcorn (192.168.192.0/24?)/
 ------------------------------------------------------------------------- 
 
 ip access-list extended popcorn
 permit tcp 172.16.11.0 0.0.0.255 192.168.192.0 0.0.0.255 eq smtp [URL unfurl="true"]www 443[/URL] ftp
 permit udp 172.16.11.0 0.0.0.255 192.168.192.0 0.0.0.255 eq ntp
 
 interface Vlan192
 ip address 192.168.192.1 255.255.255.0
 ip access-group popcorn out
 
 /Permitting Popcorn (192.168.192.0/24?) to surf Whiskey (172.16.11.0/24?)/
 -------------------------------------------------------------------------   
 
 ip access-list extended whiskey
 permit tcp 192.168.192.0 0.0.0.255 172.16.11.0 0.0.0.255 eq smtp [URL unfurl="true"]www 443[/URL] ftp
 permit udp 192.168.192.0 0.0.0.255 172.16.11.0 0.0.0.255 eq ntp
 
 interface Vlan11
 ip address 172.16.11.1 255.255.255.0
 ip access-group whiskey out

Like Burt said, I'm assuming here that Vlan 192 belongs to Popcorn and 11 to Whiskey. Descriptions would help.

However, those ACLs should give you a start. Also note that all traffic sourced from an a VLAN out to a resource on the web is not filtered. Let me know if you have any questions and I hope that helps to clarify.

 

[jlmdata]

This seems to work between the networks! Thanks alot for your help!

But, internet traffic from outside are not allowed to surf Whiskey webserver?
I had to put "permit ip any any" on the access-list and now all rules are broken because of that.

Thats why I used the neq port command. How can I come around this?

ip access-list extended whiskey
permit tcp 192.168.192.0 0.0.0.255 172.16.11.0 0.0.0.255 eq smtp

http://www 443

ftp
permit udp 192.168.192.0 0.0.0.255 172.16.11.0 0.0.0.255 eq ntp
permit ip any any (internet visitors)

interface Vlan11
ip address 172.16.11.1 255.255.255.0
ip access-group whiskey out

 

[jlmdata]

The reason why I want internet visitors to have "permit ip any any" is because the firewall infront of the Cisco 3560, ASA 5510 will be used to configure public IP access rules.

 

[NetRx]

Using the ASA would be a nice option fyi. You could set all your hosts to use that as the default gateway and still define VLANs/subinterfaces on it. Not sure if you have already thought about doing that or if it isn't feasible.

Back to your ACLs though. Unless I'm missing something, all you need to add is this:

ip access-list extended whiskey
 permit tcp any 172.16.11.0 0.0.0.255 eq [URL unfurl="true"]www (OUTSIDE[/URL] WEB IN)

You could still use your original ACLs with the DENY statements, although it's a bit tough to read IMO:

ip access-list extended whiskey
 deny tcp 192.168.192.0 0.0.0.255 172.16.11.0 0.0.0.255 neq smtp [URL unfurl="true"]www 443[/URL] ftp
 deny udp 192.168.192.0 0.0.0.255 172.16.11.0 0.0.0.255 neq ntp
 deny icmp 192.168.192.0 0.0.0.255 172.16.11.0 0.0.0.255 
 deny tcp 172.16.8.0 0.0.0.255 172.16.11.0 0.0.0.255 neq smtp [URL unfurl="true"]www 443[/URL] ftp
 deny udp 172.16.8.0 0.0.0.255 172.16.11.0 0.0.0.255 neq ntp
 deny icmp 172.16.8.0 0.0.0.255 172.16.11.0 0.0.0.255
 deny tcp 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255 neq smtp [URL unfurl="true"]www 443[/URL] ftp
 deny udp 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255 neq ntp
 deny icmp 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255
 permit ip 192.168.192.0 0.0.0.255 172.16.11.0 0.0.0.255
 permit ip 172.16.8.0 0.0.0.255 172.16.11.0 0.0.0.255
 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255
 permit tcp any 172.16.11.0 0.0.0.255 eq [URL unfurl="true"]www (OUTSIDE[/URL] WEB IN)
 
interface Vlan11
 ip address 172.16.11.1 255.255.255.0
 ip access-group whiskey out
 
Simpler method?
-------------
ip access-list extended whiskey
 deny tcp any 172.16.11.0 0.0.0.255 neq smtp [URL unfurl="true"]www 443[/URL] ftp
 deny udp any 172.16.11.0 0.0.0.255 neq ntp
 deny icmp any 172.16.11.0 0.0.0.255
 permit ip any 172.16.11.0 0.0.0.255
interface Vlan11
 ip address 172.16.11.1 255.255.255.0
 ip access-group whiskey out

Just note that the simpler method allows anyone from the outside FTP, SSL, SMTP, NTP access to your servers. You could lock down the ports from the outside further by using a deny tcp any eq <protocol> statement. Make sure the deny statement is above the 'permit ip any 172.16.11.0 0.0.0.255' of course.

Cisco gives you plenty of options to achive the same end-result, that's for sure. Let me know if you have any questions.

Rich
Network Engineer - CCNA

 

[NetRx]

One more thing I wanted to mention: Permit statements, as opposed to deny with neq, are much better for growth down the road.

Let's suppose that you want to add a new SQL server and open up port 1521 access between two subnets. With the 'deny neq' lines, you will need to remove the NEQ ACE, then re-add it back with a 1521 entry. But what if you only wanted to allow one host 1521 access to the server? With the NEQ statements, you are going to have to squish an entry at the top of everything else permitting access. You might be able to get away with this for a few entries but you will have difficulty when you start to encroach on the NEQ lines. Alternatively, you could enter a host entry above the 'permit ip <subnet>' statements (after you edited the NEQ) but another engineer may wonder why that line is there.

To keep this short, you can prevent headaches by simplifying your ACLs with permit statements that explicitly permit traffic and let the 'deny any any' at the bottom of the ACL do the bulk of the work. The 'deny neq' will work but is tough to decipher and even tougher when you need to expand.

 

[jlmdata]

Hi NetRx!

Thanks alot for your work!

The last "simpler method" seems good.

Ive tried the example but internet visitors can only access these specific ports "neq smtp

http://www 443

ftp". If I add 3389 I can RDP into the machine from the internet. Because I have allowed RDP on the asa 5510 to that inside network. But that means, all networks on the inside can rdp in aswell. And then the access-lists on the asa 5510 is useless.

Even if this line is below, permit ip any 172.16.11.0 0.0.0.255. I need to specify ports on the neq command.

Any workaround?

I want internet visitors (outside) to access all tcp ports on the Cisco 3560, ill limit the internet tcp ports on the asa 5510.

 

[NetRx]

ip access-list extended whiskey
 permit tcp host <your external IP address> 172.16.11.0 0.0.0.255 eq 3389
 permit tcp host <your internal IP address> 172.16.11.0 0.0.0.255 eq 3389
 deny tcp any 172.16.11.0 0.0.0.255 neq smtp [URL unfurl="true"]www 443[/URL] ftp
 deny udp any 172.16.11.0 0.0.0.255 neq ntp
 deny icmp any 172.16.11.0 0.0.0.255
 permit ip any 172.16.11.0 0.0.0.255
interface Vlan11
 ip address 172.16.11.1 255.255.255.0
 ip access-group whiskey out

You have to put the 3389 ports above everything else, so you might need to enter this to get it above:

ip access-list extended whiskey
 line 1 permit tcp host <your internal IP address> 172.16.11.0 0.0.0.255 eq 3389

Again, I would recommend switching to an ACL with standard permit statements instead of the NEQ specifically because of this reason.

 

[jlmdata]

Hi NetRx!

I would like to have a access-list as clean as possible.

ip access-list extended whiskey
permit tcp ?outside 172.16.0.0 0.0.255.255
permit udp ?outside 172.16.0.0 0.0.255.255
permit icmp ?outside 172.16.0.0 0.0.255.255
deny tcp any 172.16.0.0 0.0.255.255 neq smtp

http://www 443

ftp
deny udp any 172.16.0.0 0.0.255.255 neq ntp
deny icmp any 172.16.0.0 0.0.255.255

This is how I would like it to be, but the permit statement in the upperpart overrides the underpart.

The upperpart outside should reflect all other hosts like 0.0.0.0-171.0.0.0 and 172.0.0.0-172.15.0.0 and 172.17.0.0-192.167.0.0 and 192.169.0.0-255.255.255.255. Is there a permit command that allow traffic from NOT inside?

Thanks alot for your time!

 

[jlmdata]

I think Ive solved it!

This must work :


ip access-list extended whiskey
permit ip 172.16.11.0 0.0.0.255 172.16.0.0 0.0.255.255
deny tcp 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255 neq smtp

http://www 443

ftp
deny udp 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255 neq ntp
deny icmp 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny tcp 192.168.192.0 0.0.0.255 172.16.0.0 0.0.255.255 neq smtp

http://www 443

ftp
deny udp 192.168.192.0 0.0.0.255 172.16.0.0 0.0.255.255 neq ntp
deny icmp 192.168.192.0 0.0.0.255 172.16.0.0 0.0.255.255
permit ip any any


Now 192.168.192 cannot rdp 3389 to 172.16.11 for example
But 192.168.192 can reach the webserver port 80 on 172.16.11

And I can talk to the webserver 172.16.11 and rdp from outside any computer, seems right?

Thanks!

 

[NetRx]

Hey jlm,

You have to explicitly permit the RDP traffic first before it hits your NEQ statements. The example I'm posting below will work. Remember that if you want to allow any additional ports, you will need to place them above NEQ or add them to NEQ:

ip access-list extended whiskey
 permit tcp host <your external IP address> 172.16.11.0 0.0.0.255 eq 3389
 permit tcp host <your internal IP address> 172.16.11.0 0.0.0.255 eq 3389
 deny tcp any 172.16.11.0 0.0.0.255 neq smtp [URL unfurl="true"]www 443[/URL] ftp
 deny udp any 172.16.11.0 0.0.0.255 neq ntp
 deny icmp any 172.16.11.0 0.0.0.255
 permit ip any 172.16.11.0 0.0.0.255

Now where I have <your external/internal IP address>, simply enter your computer's public or private IP address. You are making a host entry in the ACL.

This is what I would prefer:

ip access-list extended whiskey
 permit tcp host <your external IP address> 172.16.11.0 0.0.0.255 eq 3389
 permit tcp host <your internal IP address> 172.16.11.0 0.0.0.255 eq 3389
 permit tcp 192.168.192.0 0.0.0.255 172.16.11.0 0.0.0.255 eq smtp [URL unfurl="true"]www 443[/URL] ftp
 permit udp 192.168.192.0 0.0.0.255 172.16.11.0 0.0.0.255 eq ntp
 permit tcp 172.16.8.0 0.0.0.255 172.16.11.0 0.0.0.255 eq smtp [URL unfurl="true"]www 443[/URL] ftp
 permit udp 172.16.8.0 0.0.0.255 172.16.11.0 0.0.0.255 eq ntp
 permit tcp 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255 eq smtp [URL unfurl="true"]www 443[/URL] ftp
 permit udp 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255 eq ntp
 permit tcp any 172.16.11.0 0.0.0.255 eq www

The implicit deny any any at the bottom will block all other traffic that isn't explicitly permitted.

Rich
Network Engineer - CCNA

 

[jlmdata]

As I was sure my problems where gone, a new problem appeard.

When creating the access-list for popcorn :

ip access-list extended popcorn
deny tcp 172.16.0.0 0.0.255.255 192.168.192.0 0.0.0.255 neq smtp

http://www 443

ftp 20
deny udp 172.16.0.0 0.0.255.255 192.168.192.0 0.0.0.255 neq ntp
deny icmp 172.16.0.0 0.0.255.255 192.168.192.0 0.0.255.255

permit ip any any

I can no longer access 172.16.11 webserver from 192.168.192.
And I was hoping for be able to reach 192.168.192 webserver from 172.16.11, but that doesnt work either ?? I believe this might have something to do with ports coming back is not port 80 when they are being translated???

I soon as I delete access-list extended popcorn, its back to the previous post i made.

 

[jlmdata]

Hi, by this line :
permit tcp host <your external IP address> 172.16.11.0 0.0.0.255 eq 3389

do you mean the external ip of the rdpserver? or a computer on the outside? (internet) ?

The problem is that I want everyone on the outside, any computer to reach the rdpserver. That would mean 100000 lines of permit ?

 

[jlmdata]

To make things easier I can explan how the flow and traffic should work.


On top, ASA 5510, 192.168.3.2
Under, Cisco 3560, 192.168.3.3

Asa 5510,

Here I set access-lists for public access like 3389 25 80 etc..and static (inside,outside) for each customer.

Creating Routes inside for each customer lan.

172.16.8.0 to Cisco 3560
172.16.10.0 to Cisco 3560
172.16.11.0 to Cisco 3560
192.168.192.0 to Cisco 3560



Cisco 3560

Here I create vlans for each customer and set access-list between them.
Because of a function error in the ASA, customers cannot communicate between their public ip adresses.
So I use dnsrewrite on asa, that means if a customer wants to talk to another customer email server
the ip is being translated to inside address instead of outside address. This way they can communicate without any problem.

Now comes the hard part, access-lists on the c3560.

Customers should be able to access standard ports like 80 21 443 20 25 between other customers (inside)
They should not be able to ping or access through windows share, or rdp......between other customers (inside)
There should be no restriction on their own vlan, fully open tcp ports.
From the outside (internet), there should be no access-list restrictions on the C3560, this is because Im setting outside rules on the ASA5510.

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
!
hostname C3560SW01
!
!
username
aaa new-model
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name inside.local
!
cluster enable C3560SW01 0
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3,8,192,10,11
switchport mode trunk
!
interface GigabitEthernet0/2
switchport access vlan 192
switchport mode access
spanning-tree bpdufilter enable
!
interface GigabitEthernet0/3
switchport access vlan 192
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/5
!
switchport access vlan 11
switchport mode access
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
no ip address
!
interface Vlan3
ip address 192.168.3.3 255.255.255.0
!
interface Vlan8
ip address 172.16.8.1 255.255.255.0
ip access-group whiskey out
!
interface Vlan192
ip address 192.168.192.1 255.255.255.0
ip access-group popcorn out
!
interface Vlan10
ip address 172.16.10.1 255.255.255.0
ip access-group cheddar out
!
interface Vlan11
ip address 172.16.11.1 255.255.255.0
ip access-group mario out
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.2
ip http server
ip http secure-server
!
ip access-list extended whiskey
permit ip 172.16.8.0 0.0.0.255 172.16.0.0 0.0.255.255
deny tcp 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255 neq smtp

http://www 443

ftp ftp-data
deny udp 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255 neq ntp
deny icmp 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny tcp 192.168.192.0 0.0.0.255 172.16.0.0 0.0.255.255 neq smtp

http://www 443

ftp ftp-data
deny udp 192.168.192.0 0.0.0.255 172.16.0.0 0.0.255.255 neq ntp
deny icmp 192.168.192.0 0.0.0.255 172.16.0.0 0.0.255.255
permit ip any any
!
snmp-server community public RO
snmp-server community public@es0 RO
radius-server source-ports 1645-1646
!
control-plane