RSAT cannot reach server in DMZ - new Cisco ACLs

Posted on 2011-09-08
Last Modified: 2012-08-13
So, I'm trying to remotely administer a 2008 Core DNS server.  The IT management subnet is 10.0.16.0/24 and the DMZ subnet is 10.0.98.0/24 for this example.

When I put the DNS server (which for this we'll call dns1.example.com) into a non-filtered subnet (i.e., no ACLs), I can reach the server no problem with RSAT.

When I put it into the DMZ subnet, I can still do everything that I would expect to be able to do, but MMC cannot connect to the server.

Here's the kicker... I used the bazooka approach and added a generic allow for our IT dept subnet.  And it still doesn't work.

I've changed the subnets to be different from my actual network, but in the following code block you can see the ACLs applied at layer 3 (a Cisco Catalyst 2960).
 
config t
!
no access-list 2000
no access-list 2001
!
access-list 2000 permit udp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit udp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit tcp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255 
access-list 2000 permit tcp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
!
access-list 2001 permit udp 10.0.98.0 0.0.0.255 10.0.95.0 0.0.0.255
access-list 2001 permit udp 10.0.98.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 2001 permit tcp 10.0.98.0 0.0.0.255 10.0.95.0 0.0.0.255
access-list 2001 permit tcp 10.0.98.0 0.0.0.255 192.168.10.0 0.0.0.255 
access-list 2001 permit icmp 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
access-list 2001 permit icmp 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
!
int vlan 980
ip access-group 2000 out
ip access-group 2001 in
exit
!


The IT subnet in this example is 10.0.16.0/24... as you can see, there is a permit IP for the entire subnet in each ACL for bidirectional traffic.

I'm obviously missing something, and it's probably painfully obvious, but I can't see it.

Edit:
nmap SYN and UDP scans both return results that I would expect to see, as well.
 
H:\>nmap -sS 10.0.98.29

Starting Nmap 5.51 ( http://nmap.org ) at 2011-09-08 11:02 Mountain Daylight Time
Nmap scan report for dns1.example.com (10.0.98.29)
Host is up (0.00s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-term-serv
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49175/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.92 seconds

Question by:lunanat
Accepted Solution

by:
MikeKane earned 2000 total points
ID: 36506476
I see the allow all ip for IN:
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
ip access-group 2001 in

But NOT for the out:
access-list 2000 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
ip access-group 2000 out

If the out traffic from this vlan is sourced from 10.0.16.0, then I think you need to try:
access-list 2000 permit ip 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255
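An added example, not code from either poster or from Cisco: a small first-match evaluator for the two numbered ACLs in the question, so you can see which access-list entry a request hits on the "out" side of VLAN 980 and which one its reply hits on the "in" side, and what the extra line from the accepted answer actually changes. It models only protocol and source/destination wildcard matching (no ports), and the IT-side address 10.0.16.50 is an assumed sample host.

```python
import ipaddress

# ACL text copied from the question. On "int vlan 980", 2000 is applied "out"
# (packets leaving the switch toward the DMZ hosts) and 2001 "in" (packets
# arriving from the DMZ hosts).
ACL_TEXT = """
access-list 2000 permit udp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit udp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit tcp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit tcp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit udp 10.0.98.0 0.0.0.255 10.0.95.0 0.0.0.255
access-list 2001 permit udp 10.0.98.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 2001 permit tcp 10.0.98.0 0.0.0.255 10.0.95.0 0.0.0.255
access-list 2001 permit tcp 10.0.98.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 2001 permit icmp 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
access-list 2001 permit icmp 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
"""
# The entry proposed in the accepted answer (appended to ACL 2000, the "out" list).
FIX_LINE = "access-list 2000 permit ip 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255"

def parse_acls(text):
    """Return {acl_number: [(action, proto, src, src_wc, dst, dst_wc), ...]} in config order."""
    acls = {}
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) == 8 and f[0] == "access-list":
            acls.setdefault(f[1], []).append(tuple(f[2:]))
    return acls

def wc_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl, proto, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny (index None)."""
    for i, (action, p, sb, sw, db, dw) in enumerate(acl):
        if p in ("ip", proto) and wc_match(src, sb, sw) and wc_match(dst, db, dw):
            return action, i
    return "deny", None

def check_flow(acls, proto, it_host, dmz_host):
    """Both directions of one flow: request through ACL 2000 (out), reply through 2001 (in)."""
    return {"request": evaluate(acls["2000"], proto, it_host, dmz_host),
            "reply": evaluate(acls["2001"], proto, dmz_host, it_host)}
```

Running check_flow for "tcp" shows that both directions already match an existing entry (index 3 out, index 7 in), while a protocol other than tcp/udp/icmp from the IT subnet only passes the "out" list once FIX_LINE is appended; a walk like this is a quick way to confirm exactly which entry a given flow is hitting before changing an ACL.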
Author Closing Comment

by:lunanat
ID: 36511296
Second pair of eyes helps, thank you for noticing.