Solved

RSAT cannot reach server in DMZ - new Cisco ACLs

Posted on 2011-09-08
985 Views
Last Modified: 2012-08-13
So, I'm trying to remotely administer a 2008 Core DNS server. IT management subnet is 10.0.16.0/24 and the DMZ subnet is 10.0.98.0/24 for this example.

When I put the DNS server (which for this we'll call dns1.example.com) into a non-filtered subnet (i.e., no ACLs) I can reach the server no problem with RSAT.

When I put it into the DMZ subnet, I can still do everything that I would expect to be able to do, but MMC cannot connect to the server.

Here's the kicker... I used the bazooka approach and added a generic allow for our IT dept subnet.  And it still doesn't work.

I've changed the subnets to be different from my actual network, but in the following code block you can see the ACLs applied at layer 3 (a Cisco Catalyst 2960).

config t
!
no access-list 2000
no access-list 2001
!
access-list 2000 permit udp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit udp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit tcp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255 
access-list 2000 permit tcp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
!
access-list 2001 permit udp 10.0.98.0 0.0.0.255 10.0.95.0 0.0.0.255
access-list 2001 permit udp 10.0.98.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 2001 permit tcp 10.0.98.0 0.0.0.255 10.0.95.0 0.0.0.255
access-list 2001 permit tcp 10.0.98.0 0.0.0.255 192.168.10.0 0.0.0.255 
access-list 2001 permit icmp 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
access-list 2001 permit icmp 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
!
int vlan 980
ip access-group 2000 out
ip access-group 2001 in
exit
!

The IT subnet in this example is 10.0.16.0/24... as you can see, there is a permit IP for the entire subnet in each ACL for bidirectional traffic.

I'm obviously missing something, and it's probably painfully obvious, but I can't see it.

Edit:
nmap SYN and UDP scans both return results that I would expect to see, as well.
 
H:\>nmap -sS 10.0.98.29

Starting Nmap 5.51 ( http://nmap.org ) at 2011-09-08 11:02 Mountain Daylight Time
Nmap scan report for dns1.example.com (10.0.98.29)
Host is up (0.00s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-term-serv
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49175/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.92 seconds

Question by: lunanat

2 Comments

Accepted Solution by: MikeKane (LVL 33, earned 500 total points), ID: 36506476

I see the allow all ip for IN:
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
ip access-group 2001 in

But NOT for the out:
access-list 2000 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
ip access-group 2000 out

If the out traffic from this vlan is sourced from 10.0.16.0, then I think you need to try:
access-list 2000 permit ip 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255
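As an added example (not part of the question or of MikeKane's answer), a small Python evaluator that walks ACL 2000 from the question top to bottom with Cisco wildcard-mask matching and the implicit deny at the end, and reports which line a given flow hits before and after appending the line proposed above. It assumes the posted lines carry no port qualifiers (they don't), so only protocol, source and destination are compared; the sample flows are constructed.

```python
import ipaddress

# ACL 2000, applied "out" on int vlan 980, exactly as posted in the question.
# "out" on an SVI is traffic leaving the switch into VLAN 980, so the source
# is the IT host and the destination is the DMZ server.
ACL_2000 = """
access-list 2000 permit udp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit udp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit tcp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit tcp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
"""
# Line proposed in the accepted answer; a numbered ACL appends it at the end.
PROPOSED = "access-list 2000 permit ip 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255"

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, net, wild):
    """Cisco wildcard mask: a 0 bit must match the network, a 1 bit is don't-care."""
    care = 0xFFFFFFFF ^ _to_int(wild)
    return (_to_int(addr) & care) == (_to_int(net) & care)

def parse_acl(text):
    """Parse 'access-list N action proto src swild dst dwild' lines (no ports)."""
    rules = []
    for line in text.strip().splitlines():
        f = line.split()
        rules.append((f[2], f[3], f[4], f[5], f[6], f[7]))
    return rules

def evaluate(rules, proto, src, dst):
    """First match wins. Returns (action, 1-based line) or ('deny', None)
    for the implicit deny that ends every Cisco ACL. 'ip' matches any protocol."""
    for i, (action, rproto, net, sw, dnet, dw) in enumerate(rules, 1):
        if rproto not in ("ip", proto):
            continue
        if wildcard_match(src, net, sw) and wildcard_match(dst, dnet, dw):
            return action, i
    return "deny", None

if __name__ == "__main__":
    before = parse_acl(ACL_2000)
    after = before + parse_acl(PROPOSED)
    flows = [("tcp", "10.0.16.5", "10.0.98.29"),   # constructed: RPC from IT subnet
             ("icmp", "10.0.16.5", "10.0.98.29"),
             ("icmp", "10.0.20.5", "10.0.98.29"),  # another 10.x subnet, icmp not listed
             ("gre", "10.0.16.5", "10.0.98.29")]   # any protocol other than tcp/udp/icmp
    for proto, s, d in flows:
        print(f"{proto:5} {s} -> {d}: before={evaluate(before, proto, s, d)} "
              f"after={evaluate(after, proto, s, d)}")
```

Reading the per-line result for each flow shows exactly which ACL entry covers it, which is the check to run before and after any change to a filtered DMZ segment.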
 
Author Closing Comment by: lunanat (LVL 1), ID: 36511296

Second pair of eyes helps, thank you for noticing.