Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

RSAT cannot reach server in DMZ - new Cisco ACLs

Posted on 2011-09-08
2
Medium Priority
?
1,030 Views
Last Modified: 2012-08-13
So, I'm trying to remote administer a 2008 Core DNS server.  IT management subnet is 10.0.16.0/24 and the DMZ subnet is 10.0.98.0/24 for this example.

When I put the DNS server (which for this we'll call dns1.example.com) into a non-filtered subnet (ie, no ACLs) I can reach the server no problem with RSAT.

When I put it into the DMZ subnet, I can still do everything that I would expect to be able to do, but MMC cannot connect to the server.

Here's the kicker... I used the bazooka approach and added a generic allow for our IT dept subnet.  And it still doesn't work.

I've changed the subnets to be different from my actual network, but in the following code block you can see the ACLs applied to layer 3 (a cisco catalyst 2960)
 
config t
!
no access-list 2000
no access-list 2001
!
access-list 2000 permit udp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit udp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit tcp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255 
access-list 2000 permit tcp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
!
access-list 2001 permit udp 10.0.98.0 0.0.0.255 10.0.95.0 0.0.0.255
access-list 2001 permit udp 10.0.98.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 2001 permit tcp 10.0.98.0 0.0.0.255 10.0.95.0 0.0.0.255
access-list 2001 permit tcp 10.0.98.0 0.0.0.255 192.168.10.0 0.0.0.255 
access-list 2001 permit icmp 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
access-list 2001 permit icmp 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
!
int vlan 980
ip access-group 2000 out
ip access-group 2001 in
exit
!

Open in new window


The IT subnet is in this example, 10.0.16.0/24... as you can see, there is a permit IP for the entire subnet in each ACL for bidirectional traffic.

I'm obviously missing something, and it's probably painfully obvious, but I can't see it.

Edit:
nmap SYN and UDP scans both return results that I would expect to see, as well.
 
H:\>nmap -sS 10.0.98.29

Starting Nmap 5.51 ( http://nmap.org ) at 2011-09-08 11:02 Mountain Daylight Tim
e
Nmap scan report for dns1.example.com (10.0.98.29)
Host is up (0.00s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-term-serv
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49175/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.92 seconds

Open in new window

0
Comment
Question by:lunanat
2 Comments
 
LVL 33

Accepted Solution

by:
MikeKane earned 2000 total points
ID: 36506476
I see the allow all ip for IN:
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
ip access-group 2001 in

But NOT for the out:
access-list 2000 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
ip access-group 2000 out

If the out traffic from this vlan is sourced from 10.0.16.0, then I think you need to try:
access-list 2000 permit ip 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255
0
 
LVL 1

Author Closing Comment

by:lunanat
ID: 36511296
Second pair of eyes helps, thank you for noticing.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question