Cisco SG300-28 ACL query

Hi everyone,

Hope you can help.

I have a parent/child domain test environment. I'm trying to block specific ports between the parent/child clients.

So parent domain clients are on 10.10.10.0/24, child on 10.10.11.0/24.

My ACL looks like below:

ip access-list extended DENY_FILE_AND_LDAP
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 139 ace-priority 20
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 389 ace-priority 40
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 445 ace-priority 60
permit ip any any ace-priority 80

This is bound to the child domain VLAN:

interface vlan 20
name CHILD.DOMAIN_TEST
ip address 10.10.11.254 255.255.255.0
service-acl input DENY_FILE_AND_LDAP

I'm trying to block those ports from being open on the child domain clients, but it doesn't seem to be working.

Port 389 is LDAP.

Ports 139 and 445 are Windows file share.

It's not working.

Any thoughts?

Thanks
Jason

Asked by Jason Murphy

Joseph Hornsey (President and Janitor) commented:
You have:


deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 139 ace-priority 20
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 389 ace-priority 40
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 445 ace-priority 60

Wouldn't you also need:

deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.0 139 ace-priority 20
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.0 389 ace-priority 40
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.0 445 ace-priority 60

So, just out of curiosity, why are you blocking that stuff?
Jason Murphy (author) commented:
Hi

Thanks

We're trying to replicate an issue with a client setup where clients in their child domain cannot get a license from a license dongle plugged into a server in the parent domain, and we're testing using LDAP and Windows file share.

I'll try and add the entry you mentioned.

Jason
Istvan Kalmar (Head of IT Security Division) commented:
Try this:

deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 139 ace-priority 20
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 389 ace-priority 40
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 445 ace-priority 60

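As an added illustration (not part of the thread, and not Cisco's own code), the following Python model shows why the ACL posted in the question never matches and why the version in the comment above does. It assumes the usual Cisco wildcard-mask semantics (a 0 bit must match, a 1 bit is don't-care), that entries are evaluated in ascending ace-priority order with first match winning and an implicit deny-all at the end, and that an ACL bound with `service-acl input` on VLAN 20 sees traffic entering the switch from the child clients, so the source address is 10.10.11.x and the destination is 10.10.10.x. The hosts 10.10.11.57 (child client) and 10.10.10.5 (parent server) are constructed sample addresses. Two defects show up: the destination wildcard `0.0.0.0` matches only the single address 10.10.11.0, which no client uses, and the source/destination pair is written for the opposite direction to the one the ACL is bound in.

```python
"""Model of SG300-style ingress ACL evaluation (added example, not the switch's code)."""
import ipaddress
from dataclasses import dataclass

# Copies of the two ACL bodies posted in this thread: the question's original
# and the corrected deny lines from Istvan's comment (with the same final permit).
ORIGINAL_ACL = [
    "deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 139 ace-priority 20",
    "deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 389 ace-priority 40",
    "deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 445 ace-priority 60",
    "permit ip any any ace-priority 80",
]
CORRECTED_ACL = [
    "deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 139 ace-priority 20",
    "deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 389 ace-priority 40",
    "deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 445 ace-priority 60",
    "permit ip any any ace-priority 80",
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bits in the mask must match, 1 bits are don't-care.
    Hence 0.0.0.0 matches exactly one address and 0.0.0.255 matches a whole /24."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    proto: str       # "ip", "tcp" or "udp"
    src: str
    src_wc: str
    src_port: str    # "any" or a port number as text
    dst: str
    dst_wc: str
    dst_port: str
    priority: int

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wc):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wc):
            return False
        if self.src_port != "any" and int(self.src_port) != pkt.sport:
            return False
        if self.dst_port != "any" and int(self.dst_port) != pkt.dport:
            return False
        return True


def parse_ace(line: str) -> Ace:
    """Parse one SG300-style ACE: action proto src [wc] [sport] dst [wc] [dport] [ace-priority N]."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    pos = 2

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"   # "any" == all bits don't-care
        addr, wc = tok[pos], tok[pos + 1]
        pos += 2
        return addr, wc

    def take_port():
        nonlocal pos
        if proto not in ("tcp", "udp"):        # only L4 protocols carry ports
            return "any"
        port = tok[pos]
        pos += 1
        return port

    src, src_wc = take_addr()
    src_port = take_port()
    dst, dst_wc = take_addr()
    dst_port = take_port()
    priority = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "ace-priority" else 0
    return Ace(action, proto, src, src_wc, src_port, dst, dst_wc, dst_port, priority)


def evaluate(acl_lines, pkt: Packet) -> str:
    """First matching ACE in ace-priority order wins; unmatched traffic hits the implicit deny."""
    for ace in sorted((parse_ace(line) for line in acl_lines), key=lambda a: a.priority):
        if ace.matches(pkt):
            return ace.action
    return "deny"


def child_to_parent(dport: int) -> Packet:
    # Constructed hosts: 10.10.11.57 is a child-domain client, 10.10.10.5 a parent-domain server.
    return Packet("tcp", "10.10.11.57", 49152, "10.10.10.5", dport)


def parent_to_child(dport: int) -> Packet:
    return Packet("tcp", "10.10.10.5", 49152, "10.10.11.57", dport)


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(f"{name}: child->parent SMB/445 is {evaluate(acl, child_to_parent(445))}")
    print("corrected: child->parent LDAPS/636 is", evaluate(CORRECTED_ACL, child_to_parent(636)))
```

Running it shows the original ACL permitting client-to-server SMB in both directions (the 0.0.0.0 destination mask never matches a real client even when the source range is right), and the corrected ACL denying 139, 389 and 445 from the child VLAN towards the parent subnet. It also shows what the corrected ACL still lets through: LDAP over TLS on 636 and the global catalog on 3268 are not listed, and neither is LDAP or NetBIOS over UDP, so a test that relies on "LDAP is blocked" needs those added or the client will simply fail over.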
Joseph Hornsey (President and Janitor) commented:
Oh... nice catch, Istvan. I messed up the wildcard masks on my destinations.

Jason Murphy (author) commented:
Hi

So what you're both saying is I need the same deny rule in both directions?

My VLAN 10 clients are on interface range 1-12
My VLAN 20 clients are on int range 13-24

Which interface range does the ACL need to be applied on?

Thanks

Joseph Hornsey (President and Janitor) commented:
Question answered satisfactorily