I'm having a nightmare with extended ACLs on a 3750G. I'm trying to lock down a particular VLAN (230) to only have SMB access to two places (10.1.6.0/24 and 10.1.0.15), to have Windows updates from our WSUS server (10.1.0.21, TCP ports 8530/8531), and to be able to use the local DNS servers. There are a few more proprietary ports that are also required.
I also wanted ANY location on our LAN to be able to SMB to hosts on VLAN 230, RDP access to be able to come from 10.1.2.0/24, and again for the proprietary ports to be able to get to a specified host (10.2.3.12) on VLAN 230.
I assumed I would need an ACL for IN and an ACL for OUT, in order to achieve the amount of restriction that I wanted to put in place. And so far I have the following:
Code:
access-list 110 permit tcp any 10.2.3.12 0.0.0.0 eq 445
access-list 110 permit tcp 10.1.2.0 0.0.0.255 10.2.3.12 0.0.0.0 eq 3389
access-list 110 permit tcp any 10.2.3.12 0.0.0.0 eq 53
access-list 110 permit tcp any 10.2.3.12 0.0.0.0 eq 6400
access-list 110 permit udp any 10.2.3.12 0.0.0.0 eq 6400
access-list 110 permit tcp any 10.2.3.12 0.0.0.0 eq 5432
access-list 110 permit tcp any 10.2.3.12 0.0.0.0 eq 5100
access-list 110 permit udp any 10.2.3.12 0.0.0.0 eq 5100
access-list 110 permit tcp any 10.2.3.12 0.0.0.0 eq 5105
access-list 110 permit udp any 10.2.3.12 0.0.0.0 eq 5105
access-list 110 permit tcp 10.1.0.21 0.0.0.0 10.2.3.12 0.0.0.0 eq 8530
access-list 110 permit tcp 10.1.0.21 0.0.0.0 10.2.3.12 0.0.0.0 eq 8531
access-list 110 permit icmp any any
access-list 110 deny ip any any
Code:
access-list 111 permit tcp 10.2.3.0 0.0.0.255 10.1.6.0 0.0.0.255 eq 445
access-list 111 permit tcp 10.2.3.0 0.0.0.255 10.1.0.15 0.0.0.0 eq 445
access-list 111 permit tcp 10.2.3.12 0.0.0.0 10.1.2.0 0.0.0.255 eq 3389
access-list 111 permit tcp 10.2.3.12 0.0.0.0 any eq 53
access-list 111 permit tcp 10.2.3.12 0.0.0.0 any eq 6400
access-list 111 permit udp 10.2.3.12 0.0.0.0 any eq 6400
access-list 111 permit tcp 10.2.3.12 0.0.0.0 any eq 5432
access-list 111 permit tcp 10.2.3.12 0.0.0.0 any eq 5100
access-list 111 permit udp 10.2.3.12 0.0.0.0 any eq 5100
access-list 111 permit tcp 10.2.3.12 0.0.0.0 any eq 5105
access-list 111 permit udp 10.2.3.12 0.0.0.0 any eq 5105
access-list 111 permit tcp 10.2.3.12 0.0.0.0 10.1.0.21 0.0.0.0 eq 8530
access-list 111 permit tcp 10.2.3.12 0.0.0.0 10.1.0.21 0.0.0.0 eq 8531
access-list 111 permit icmp any any
access-list 111 deny ip any any
access-list 110 was applied to int Vlan230 as "ip access-group 110 in" and access-list 111 was applied to int Vlan230 as "ip access-group 111 out".
However, whilst I can still ping 10.2.3.12 from my machine (10.1.2.101), I can no longer RDP to it, which to me makes no sense. This shows that "access-list 110 permit icmp any any" is working fine, but yet "access-list 110 permit tcp 10.1.2.0 0.0.0.255 10.2.3.12 0.0.0.0 eq 3389" seems to be doing nothing?
Where am I going wrong?

halp!
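Added example, not part of the original post and not the poster's configuration: a small Cisco-style extended ACL evaluator that walks the ping and the RDP attempt from 10.1.2.101 through lists 110 and 111 the way the SVI would apply them. It assumes that VLAN 230 is 10.2.3.0/24, that on a VLAN interface `in` filters packets arriving from hosts on the VLAN and `out` filters packets routed toward them, and that the client's ephemeral port is 51234; the ACL text is a subset of the poster's lists (the SMB, RDP, ICMP and final-deny entries), since the remaining per-port lines follow the same pattern and do not affect the trace.

```python
"""Cisco-style extended ACL evaluator tracing the post's ICMP and RDP flows.

Added example, not code from the original post.  Assumptions (also marked in
the comments below): VLAN 230 is 10.2.3.0/24; on an SVI, 'in' filters packets
coming from VLAN hosts and 'out' filters packets routed toward VLAN hosts; the
client ephemeral port 51234 is made up.
"""
import ipaddress
from dataclasses import dataclass

# Subset of the poster's lists (SMB, RDP, ICMP and final-deny entries).  The
# remaining per-port lines follow the same pattern and do not affect this trace.
ACL_TEXT = """
access-list 110 permit tcp any 10.2.3.12 0.0.0.0 eq 445
access-list 110 permit tcp 10.1.2.0 0.0.0.255 10.2.3.12 0.0.0.0 eq 3389
access-list 110 permit icmp any any
access-list 110 deny ip any any
access-list 111 permit tcp 10.2.3.0 0.0.0.255 10.1.6.0 0.0.0.255 eq 445
access-list 111 permit tcp 10.2.3.0 0.0.0.255 10.1.0.15 0.0.0.0 eq 445
access-list 111 permit tcp 10.2.3.12 0.0.0.0 10.1.2.0 0.0.0.255 eq 3389
access-list 111 permit icmp any any
access-list 111 deny ip any any
"""

VLAN230 = ipaddress.IPv4Network("10.2.3.0/24")  # assumption, see docstring


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # 0 for icmp
    dport: int = 0


def _addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (address, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def _port(tokens, i):
    """Consume an optional 'eq N' following an address; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acls(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines into {N: [entries]}."""
    acls = {}
    for raw in text.strip().splitlines():
        t = raw.split()
        num, action, proto = t[1], t[2], t[3]
        src, swc, i = _addr(t, 4)
        sport, i = _port(t, i)      # 'eq' directly after the source = source port
        dst, dwc, i = _addr(t, i)
        dport, i = _port(t, i)      # 'eq' after the destination = destination port
        acls.setdefault(num, []).append(
            (action, proto, src, swc, sport, dst, dwc, dport, raw.strip()))
    return acls


def _addr_match(addr, wildcard, ip):
    """Wildcard-mask compare: bits set in the wildcard are 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(entries, pkt):
    """First matching entry wins; an implicit 'deny ip any any' ends every list."""
    for action, proto, src, swc, sport, dst, dwc, dport, line in entries:
        if proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(src, swc, pkt.src) and _addr_match(dst, dwc, pkt.dst)):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action, line
    return "deny", None


def trace(acls, pkt, in_acl="110", out_acl="111"):
    """Apply the list the SVI would apply (assumption above): packets routed toward
    VLAN 230 hit the 'out' list, packets sourced from VLAN 230 hosts hit the 'in' list."""
    if ipaddress.IPv4Address(pkt.dst) in VLAN230:
        return ("out", out_acl) + evaluate(acls[out_acl], pkt)
    return ("in", in_acl) + evaluate(acls[in_acl], pkt)


def demo():
    """Trace the ping and the RDP attempt from 10.1.2.101 described in the post."""
    acls = parse_acls(ACL_TEXT)
    flows = {
        "icmp echo":   Packet("icmp", "10.1.2.101", "10.2.3.12"),
        "icmp reply":  Packet("icmp", "10.2.3.12", "10.1.2.101"),
        "rdp syn":     Packet("tcp", "10.1.2.101", "10.2.3.12", 51234, 3389),
        "rdp syn-ack": Packet("tcp", "10.2.3.12", "10.1.2.101", 3389, 51234),
    }
    return {name: trace(acls, p) for name, p in flows.items()}


if __name__ == "__main__":
    for name, (direction, num, action, line) in demo().items():
        print(f"{name:12s} -> ACL {num} {direction:3s}: {action:6s} {line or '(implicit deny)'}")
```

Under the direction rule the example applies, both ICMP packets are permitted because each list has `permit icmp any any`, which matches the observed ping. The RDP SYN is routed toward VLAN 230 and is therefore checked by list 111, where every TCP entry has a source inside 10.2.3.0/24, so the packet falls through to `deny ip any any`; `evaluate(acls["110"], ...)` shows that list 110's RDP entry would have matched it had that list been on the `out` side. The SYN-ACK from 10.2.3.12 matches neither list, because both put `eq 3389` on the destination while the return packet carries 3389 as its source port; a stateless ACL needs either a source-port entry or the IOS `established` keyword to let the reply through.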