Hello ITPro! So I've got that CCNA and I am starting to put some of my knowledge into practice. Purchased an older layer 3 Cisco switch off eBay and reached out to my "go to" VAR to get a recent build of firmware. Enabled a couple of VLAN interfaces and set out to do some network segregation and lock down ports between VLANs.
I spent the better part of 2 hours just trying to configure ACLs to allow me to join a Windows workstation to a domain with the domain controller sitting on a different VLAN. Wow, that was a little tougher than I expected. At the bottom of this post is my current ACL config.
Question 1: Is there no way to get the switch to respect return traffic automatically? I have played with reflect NAT on a full router a few times, but it seems that is dedicated more for instances where you have a WAN/LAN setup to the public internet.
Question 2: I just saw a post on ITPro about switches only supporting inbound ACLs? Is that true? The CLI sure allows you to attach an "in" and an "out" ACL to an interface, I just wanted to confirm.
Question 3: Is there a better way!? Any way to create groups of ports or do ACLs just get massive?
Lab setup:
Server Network: 192.168.99.20/24 <----- This network is connected to a UTM firewall device and routed to the Cisco switch; this VLAN does not exist directly on the switch. There is no port blocking on the UTM, wide open. Routing works prior to implementing Cisco ACLs.
Workstation Network: 192.168.95.0/27
Domain controller(s): 192.168.99.20 and 192.168.99.22
interface vlan 5: 192.168.95.1 255.255.255.224
interface vlan 1: 192.168.98.1 255.255.255.0 <----- Connected to the network which routes between UTM and switch. GW address to UTM is 192.168.98.1
ACL config that allowed me to successfully join workstations to the domain and connect to SYSVOL folder via Windows Explorer.
ip access-list extended VLAN1inbound
permit ip host 192.168.99.21 host 192.168.95.2 log
permit ip host 192.168.95.2 host 192.168.98.21 log
permit tcp 192.168.98.0 0.0.0.255 192.168.95.0 0.0.0.31 eq 3389
permit ospf any any
permit icmp any 192.168.95.0 0.0.0.31
permit udp host 192.168.99.20 eq domain 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.20 eq domain 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.22 eq domain 192.168.95.0 0.0.0.31
permit udp host 192.168.99.22 eq domain 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.20 eq 389 192.168.95.0 0.0.0.31
permit udp host 192.168.99.20 eq 389 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.20 eq 636 192.168.95.0 0.0.0.31
permit udp host 192.168.99.20 eq ntp 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.20 eq 88 192.168.95.0 0.0.0.31
permit udp host 192.168.99.20 eq 88 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.20 eq 42 192.168.95.0 0.0.0.31
permit udp host 192.168.99.20 eq nameserver 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.20 eq 445 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.20 eq 139 192.168.95.0 0.0.0.31
permit udp host 192.168.99.20 eq netbios-ss 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.20 eq 135 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.20 eq 137 192.168.95.0 0.0.0.31
permit udp host 192.168.99.20 eq netbios-ns 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.22 eq 389 192.168.95.0 0.0.0.31
permit udp host 192.168.99.22 eq 389 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.22 eq 636 192.168.95.0 0.0.0.31
permit udp host 192.168.99.22 eq ntp 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.22 eq 88 192.168.95.0 0.0.0.31
permit udp host 192.168.99.22 eq 88 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.22 eq 42 192.168.95.0 0.0.0.31
permit udp host 192.168.99.22 eq nameserver 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.22 eq 445 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.22 eq 139 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.20 range 1025 5000 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.20 range 49152 65535 192.168.95.0 0.0.0.31
permit udp host 192.168.99.22 eq netbios-ss 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.22 eq 135 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.22 eq 137 192.168.95.0 0.0.0.31
permit udp host 192.168.99.22 eq netbios-ns 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.22 range 1025 5000 192.168.95.0 0.0.0.31
permit tcp host 192.168.99.22 range 49152 65535 192.168.95.0 0.0.0.31
deny ip 192.168.0.0 0.0.255.255 192.168.95.0 0.0.0.31 log
permit ip any any
ip access-list extended VLAN6inbound
permit ip host 192.168.99.21 host 192.168.95.2 log
permit ip host 192.168.95.2 host 192.168.98.21 log
permit tcp 192.168.95.0 0.0.0.31 eq 3389 192.168.98.0 0.0.0.255
permit udp any host 192.168.99.20 eq domain
permit tcp any host 192.168.99.20 eq domain
permit udp any host 192.168.99.22 eq domain
permit tcp any host 192.168.99.22 eq domain
permit tcp any host 192.168.99.20 eq 389
permit udp any host 192.168.99.20 eq 389
permit tcp any host 192.168.99.20 eq 636
permit udp any host 192.168.99.20 eq ntp
permit tcp any host 192.168.99.20 eq 88
permit udp any host 192.168.99.20 eq 88
permit tcp any host 192.168.99.20 eq 42
permit udp any host 192.168.99.20 eq nameserver
permit tcp any host 192.168.99.20 eq 445
permit tcp any host 192.168.99.20 eq 139
permit udp any host 192.168.99.20 eq netbios-ss
permit tcp any host 192.168.99.20 eq 135
permit tcp any host 192.168.99.20 eq 137
permit udp any host 192.168.99.20 eq netbios-ns
permit tcp any host 192.168.99.20 range 1025 5000
permit tcp any host 192.168.99.20 range 49152 65535
permit tcp any host 192.168.99.22 eq 389
permit udp any host 192.168.99.22 eq 389
permit tcp any host 192.168.99.22 eq 636
permit udp any host 192.168.99.22 eq ntp
permit tcp any host 192.168.99.22 eq 88
permit udp any host 192.168.99.22 eq 88
permit tcp any host 192.168.99.22 eq 42
permit udp any host 192.168.99.22 eq nameserver
permit tcp any host 192.168.99.22 eq 445
permit tcp any host 192.168.99.22 eq 139
permit udp any host 192.168.99.22 eq netbios-ss
permit tcp any host 192.168.99.22 eq 135
permit tcp any host 192.168.99.22 eq 137
permit udp any host 192.168.99.22 eq netbios-ns
permit tcp any host 192.168.99.22 range 1025 5000
permit tcp any host 192.168.99.22 range 49152 65535
deny ip any 192.168.0.0 0.0.255.255 log
permit ip any any
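An added example, not the poster's configuration, of how Questions 1 and 3 are usually handled on IOS: the `established` keyword lets TCP replies from the domain controllers back in without listing every ephemeral port range, and network and service object groups collapse the per-DC repetition. It assumes an IOS release with object-group ACL support (not every older Catalyst release has it; `established` alone works on any extended ACL) and that the workstation SVI is Vlan5 as in the lab description; the ACL and group names are invented.

```cisco
! Added example (not the poster's config); assumes object-group ACL support.
object-group network DOMAIN-CONTROLLERS
 host 192.168.99.20
 host 192.168.99.22
object-group network WORKSTATIONS
 192.168.95.0 255.255.255.224
! Destination ports the workstations open toward the DCs.
object-group service AD-TCP
 tcp eq domain
 tcp eq 88
 tcp eq 135
 tcp eq 139
 tcp eq 389
 tcp eq 445
 tcp eq 636
 tcp range 49152 65535
object-group service AD-UDP
 udp eq domain
 udp eq 88
 udp eq ntp
 udp eq 389
 udp eq netbios-ns
! Workstation -> DC: applied inbound on the workstation SVI.
ip access-list extended WS-TO-SERVERS
 permit object-group AD-TCP object-group WORKSTATIONS object-group DOMAIN-CONTROLLERS
 permit object-group AD-UDP object-group WORKSTATIONS object-group DOMAIN-CONTROLLERS
 deny   ip object-group WORKSTATIONS 192.168.0.0 0.0.255.255 log
 permit ip any any
! DC -> workstation: applied inbound on the VLAN facing the UTM.
! "established" matches TCP segments with ACK or RST set, so replies to
! workstation-initiated sessions pass while a fresh SYN from the server side
! is still denied. It is a flag check, not connection state (that needs a
! stateful device). UDP has no flags, so replies are matched on source port.
object-group service AD-UDP-REPLIES
 udp source eq domain
 udp source eq 88
 udp source eq ntp
 udp source eq 389
 udp source eq netbios-ns
ip access-list extended SERVERS-TO-WS
 permit tcp object-group DOMAIN-CONTROLLERS object-group WORKSTATIONS established
 permit object-group AD-UDP-REPLIES object-group DOMAIN-CONTROLLERS object-group WORKSTATIONS
 deny   ip 192.168.0.0 0.0.255.255 object-group WORKSTATIONS log
 permit ip any any
interface Vlan5
 ip access-group WS-TO-SERVERS in
interface Vlan1
 ip access-group SERVERS-TO-WS in
```

On Catalyst hardware the `log` keyword forces matching packets to be punted to the CPU, so keep it on the deny entries only while troubleshooting and remove it once the ACL is verified.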