Solved

RSAT cannot reach server in DMZ - new Cisco ACLs

Posted on 2011-09-08
2
944 Views
Last Modified: 2012-08-13
So, I'm trying to remote administer a 2008 Core DNS server.  IT management subnet is 10.0.16.0/24 and the DMZ subnet is 10.0.98.0/24 for this example.

When I put the DNS server (which for this we'll call dns1.example.com) into a non-filtered subnet (ie, no ACLs) I can reach the server no problem with RSAT.

When I put it into the DMZ subnet, I can still do everything that I would expect to be able to do, but MMC cannot connect to the server.

Here's the kicker... I used the bazooka approach and added a generic allow for our IT dept subnet.  And it still doesn't work.

I've changed the subnets to be different from my actual network, but in the following code block you can see the ACLs applied to layer 3 (a cisco catalyst 2960)
 
config t
!
no access-list 2000
no access-list 2001
!
access-list 2000 permit udp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit udp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit tcp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255 
access-list 2000 permit tcp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
!
access-list 2001 permit udp 10.0.98.0 0.0.0.255 10.0.95.0 0.0.0.255
access-list 2001 permit udp 10.0.98.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 2001 permit tcp 10.0.98.0 0.0.0.255 10.0.95.0 0.0.0.255
access-list 2001 permit tcp 10.0.98.0 0.0.0.255 192.168.10.0 0.0.0.255 
access-list 2001 permit icmp 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
access-list 2001 permit icmp 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
!
int vlan 980
ip access-group 2000 out
ip access-group 2001 in
exit
!

Open in new window


The IT subnet is in this example, 10.0.16.0/24... as you can see, there is a permit IP for the entire subnet in each ACL for bidirectional traffic.

I'm obviously missing something, and it's probably painfully obvious, but I can't see it.

Edit:
nmap SYN and UDP scans both return results that I would expect to see, as well.
 
H:\>nmap -sS 10.0.98.29

Starting Nmap 5.51 ( http://nmap.org ) at 2011-09-08 11:02 Mountain Daylight Tim
e
Nmap scan report for dns1.example.com (10.0.98.29)
Host is up (0.00s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-term-serv
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49175/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.92 seconds

Open in new window

0
Comment
Question by:lunanat
2 Comments
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
Comment Utility
I see the allow all ip for IN:
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
ip access-group 2001 in

But NOT for the out:
access-list 2000 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
ip access-group 2000 out

If the out traffic from this vlan is sourced from 10.0.16.0, then I think you need to try:
access-list 2000 permit ip 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255
0
 
LVL 1

Author Closing Comment

by:lunanat
Comment Utility
Second pair of eyes helps, thank you for noticing.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now