Solved

RSAT cannot reach server in DMZ - new Cisco ACLs

Posted on 2011-09-08
Last Modified: 2012-08-13
So, I'm trying to remote administer a 2008 Core DNS server.  IT management subnet is 10.0.16.0/24 and the DMZ subnet is 10.0.98.0/24 for this example.

When I put the DNS server (which for this we'll call dns1.example.com) into a non-filtered subnet (i.e., no ACLs) I can reach the server no problem with RSAT.

When I put it into the DMZ subnet, I can still do everything that I would expect to be able to do, but MMC cannot connect to the server.

Here's the kicker... I used the bazooka approach and added a generic allow for our IT dept subnet.  And it still doesn't work.

I've changed the subnets to be different from my actual network, but in the following code block you can see the ACLs applied to layer 3 (a Cisco Catalyst 2960)
 
config t
!
! Rebuild both ACLs from scratch
no access-list 2000
no access-list 2001
!
! ACL 2000 is applied "out" on the SVI: packets forwarded out of the switch
! into VLAN 980, i.e. traffic whose destination is 10.0.98.0/24
access-list 2000 permit udp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit udp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit tcp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit tcp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
!
! ACL 2001 is applied "in" on the SVI: packets arriving from VLAN 980,
! i.e. traffic sourced from 10.0.98.0/24
access-list 2001 permit udp 10.0.98.0 0.0.0.255 10.0.95.0 0.0.0.255
access-list 2001 permit udp 10.0.98.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 2001 permit tcp 10.0.98.0 0.0.0.255 10.0.95.0 0.0.0.255
access-list 2001 permit tcp 10.0.98.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 2001 permit icmp 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
access-list 2001 permit icmp 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
!
! Both ACLs end with the implicit "deny ip any any" that every IOS ACL has;
! anything not matched above is dropped
int vlan 980
ip access-group 2000 out
ip access-group 2001 in
exit
!

The IT subnet is in this example, 10.0.16.0/24... as you can see, there is a permit IP for the entire subnet in each ACL for bidirectional traffic.

I'm obviously missing something, and it's probably painfully obvious, but I can't see it.

Edit:
nmap SYN and UDP scans both return results that I would expect to see, as well.
 
H:\>nmap -sS 10.0.98.29

Starting Nmap 5.51 ( http://nmap.org ) at 2011-09-08 11:02 Mountain Daylight Time
Nmap scan report for dns1.example.com (10.0.98.29)
Host is up (0.00s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-term-serv
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49175/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.92 seconds

Question by:lunanat
2 Comments

Accepted Solution by MikeKane, ID: 36506476
I see the allow all ip for IN:
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
ip access-group 2001 in

But NOT for the out:
access-list 2000 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
ip access-group 2000 out

If the out traffic from this vlan is sourced from 10.0.16.0, then I think you need to try:
access-list 2000 permit ip 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255
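A way to check which entry of the posted ACLs actually carries a given flow, added here as an example (it is not code from the question or from MikeKane's answer): a small first-match evaluator for IOS numbered extended ACLs with the page's ACL 2000 and 2001 entries embedded. It runs a flow through ACL 2000 in the "out" direction and the reply through ACL 2001 "in", before and after appending the `permit ip 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255` entry the answer suggests, and reports the 1-based index of the matching entry (or the implicit deny). The management client address 10.0.16.5 is constructed for the example; 10.0.98.29 is the host from the nmap output above. Port qualifiers are not modelled because the posted ACLs contain none.

```python
"""First-match evaluator for Cisco IOS numbered extended ACLs (added example)."""
import ipaddress
from dataclasses import dataclass

# Protocol keywords used in the posted ACLs. "ip" matches every protocol (None).
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}

@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip", "tcp", "udp" or "icmp"
    src: tuple   # (network, wildcard)
    dst: tuple   # (network, wildcard)

def _wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)

def _take_addr(tok, i):
    """Consume one address spec at tok[i]: 'any', 'host X', or 'network wildcard'."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_acls(text):
    """Return {acl_number: [Ace, ...]} in configuration order.
    Lines that are not 'access-list N permit|deny proto src dst' (comments,
    'no access-list', interface commands) are skipped; port qualifiers are ignored."""
    acls = {}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, action, proto = int(tok[1]), tok[2], tok[3]
        src, i = _take_addr(tok, 4)
        dst, _ = _take_addr(tok, i)
        acls.setdefault(number, []).append(Ace(action, proto, src, dst))
    return acls

def evaluate(acl, proto_num, src_ip, dst_ip):
    """Return (action, 1-based index) of the first matching entry.
    No match is the implicit deny at the end of every IOS ACL: ("deny", None)."""
    for idx, ace in enumerate(acl, 1):
        want = PROTO_NUM[ace.proto]
        if want is not None and want != proto_num:
            continue
        if _wildcard_match(src_ip, *ace.src) and _wildcard_match(dst_ip, *ace.dst):
            return ace.action, idx
    return "deny", None

def round_trip(acls, proto_num, mgmt_ip, dmz_ip):
    """Request into the DMZ VLAN hits ACL 2000 ('out' on the SVI); the reply
    from the DMZ host hits ACL 2001 ('in')."""
    return {"out": evaluate(acls[2000], proto_num, mgmt_ip, dmz_ip),
            "in": evaluate(acls[2001], proto_num, dmz_ip, mgmt_ip)}

# The entries exactly as posted in the question (addresses already sanitised).
ORIGINAL = """
access-list 2000 permit udp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit udp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit tcp 192.168.10.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit tcp 10.0.0.0 0.255.255.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2000 permit icmp 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit udp 10.0.98.0 0.0.0.255 10.0.95.0 0.0.0.255
access-list 2001 permit udp 10.0.98.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 2001 permit tcp 10.0.98.0 0.0.0.255 10.0.95.0 0.0.0.255
access-list 2001 permit tcp 10.0.98.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 2001 permit icmp 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
access-list 2001 permit icmp 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.98.0 0.0.0.255
access-list 2001 permit ip 10.0.98.0 0.0.0.255 10.0.16.0 0.0.0.255
"""
# The entry the accepted answer adds; IOS appends it to the end of ACL 2000.
FIX = "access-list 2000 permit ip 10.0.16.0 0.0.0.255 10.0.98.0 0.0.0.255\n"

def compare(proto_num, mgmt_ip="10.0.16.5", dmz_ip="10.0.98.29"):
    """One flow against the posted ACLs before and after the fix. 10.0.98.29 is
    the scanned host from the question; 10.0.16.5 is a constructed client (assumption)."""
    return {"before": round_trip(parse_acls(ORIGINAL), proto_num, mgmt_ip, dmz_ip),
            "after": round_trip(parse_acls(ORIGINAL + FIX), proto_num, mgmt_ip, dmz_ip)}

if __name__ == "__main__":
    for name, num in (("tcp", 6), ("icmp", 1), ("esp", 50)):
        print(f"{name:5} {compare(num)}")
```

The index it returns is the point of the exercise: it tells you which entry a flow is riding on, so a "generic allow" that seems not to help can be traced to the entry that really matched. On the switch itself the equivalent live check is `show ip access-lists 2000`, which prints per-entry match counters.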
Author Closing Comment by lunanat, ID: 36511296
Second pair of eyes helps, thank you for noticing.