We are trying not to move our Routing and DHCP to the firewall and to keep it at the switch level, but in doing so we need to free up ACLs for some additional functionality. So, what we have is our DMZ VLAN with allows / denies for all our internal VLANs, and NAT with allowable IPs from the Cloudflare IPs on ports 80/443. But when I add a deny all, it breaks external access to the web servers and I cannot determine why. Do the external allowable IPs in NAT have to be added as well, or?
FW / Core stack VLANs ----- ACL allows in place for VLAN 125
9300 stack feeding servers-----ACL allows in place for VLAN 10
VMWARE----ACL allows in place for VLAN 4
Public IPs------ACL allows in place
FW CORE 9300 VMWARE WEB SUBNET
VLAN 125 VLAN 125 VLAN 10 VLAN 4
Allows include that and are at the switch level due to routing and DHCP being at that level. I would rather do all controls at the Firewall, but with the routing and DHCP being done on the core stack and static routing in place on the FW, I have not been able to do that.
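As an added illustration (not the poster's ACLs, which are not shown on the page): a small model of the stateless, first-match interface ACLs a Catalyst 9300 applies per SVI, showing why an explicit deny all at the end breaks NAT'd web traffic unless both directions of the flow are permitted. All addresses are constructed: 203.0.113.0/24 stands in for the Cloudflare ranges, 10.4.0.10 for a web server reached through the firewall's destination NAT, and the ACL contents are assumptions, not the poster's configuration.

```python
# Added example: stateless first-match ACL model (constructed, not the poster's ACLs).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    dport: int = 0              # 0 = any destination port
    established: bool = False   # like IOS "established": match only ACK-set replies

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool = False           # False = new SYN, True = reply in an existing session

def evaluate(acl, pkt):
    """First matching rule wins; falling off the end is the implicit deny."""
    for r in acl:
        if ip_address(pkt.src) not in ip_network(r.src):
            continue
        if ip_address(pkt.dst) not in ip_network(r.dst):
            continue
        if r.dport and r.dport != pkt.dport:
            continue
        if r.established and not pkt.ack:
            continue
        return r.action
    return "deny"

CLOUDFLARE = "203.0.113.0/24"   # constructed stand-in for the Cloudflare ranges
WEB = "10.4.0.10/32"            # constructed web server address (post-DNAT target)

# Inbound ACL on the firewall-facing SVI (traffic arriving from the firewall).
# After destination NAT the source is still the Cloudflare address, not the firewall's.
FW_VLAN_IN = [Rule("permit", CLOUDFLARE, WEB, 80),
              Rule("permit", CLOUDFLARE, WEB, 443),
              Rule("deny", "0.0.0.0/0", "0.0.0.0/0")]
# Inbound ACL on the web-server SVI with internal allows and then a deny all:
# the server's reply toward Cloudflare matches nothing before the deny.
WEB_VLAN_BROKEN = [Rule("permit", WEB, "10.0.0.0/8"),
                   Rule("deny", "0.0.0.0/0", "0.0.0.0/0")]
# Same ACL with the return-path permit added ahead of the deny all.
WEB_VLAN_FIXED = [Rule("permit", WEB, "10.0.0.0/8"),
                  Rule("permit", WEB, CLOUDFLARE, established=True),
                  Rule("deny", "0.0.0.0/0", "0.0.0.0/0")]

def web_session_passes(fw_vlan_in, web_vlan_in):
    """True only if the client SYN and the server's reply are both permitted."""
    syn = Packet(src="203.0.113.7", dst="10.4.0.10", dport=443)
    reply = Packet(src="10.4.0.10", dst="203.0.113.7", dport=51000, ack=True)
    return evaluate(fw_vlan_in, syn) == "permit" and evaluate(web_vlan_in, reply) == "permit"
```

With the deny all in place, the forward SYN is permitted but the reply is dropped on the web VLAN, which matches the symptom of a server that can ping and resolve names yet cannot complete an HTTP session.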
Can you share a screenshot of the ACL configuration? You can omit the IPs if it is more comfortable for you.
I have 122 ACLs in place but am sending the last 30 or so for review. Please let me know if you need them all. This is all working as expected from internal VLANs; the only issue is from external, and only when I do a deny all at the end. Just curious about any missing logic as it applies to that. I think the DNS might be one of the issues, as we have Umbrella, but the IPs are not in the range at present for an allow.
Tested again this morning with an expanded subnet in one of the server ranges and still have the same issue. I did verify I can ping the web server by IP and name from a local subnet but cannot access the IIS content; I can remote to the server (from a server subnet) and can ping out from the web servers to 8.8.8.8 and google.com, BUT I cannot access them from a browser on the server.
Adding the allows/denies in place on the VLANs. I have to troubleshoot in the early AM so the deny alls are not in place at this time. With what I have below, it works. When I add the denies, it breaks.