This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Policy to deny access to internal networks but allow access externally not working

Policy to deny access to internal networks but allow access externally not working

Brian_Anderson
Contributor

‎05-21-2018 04:52 PM

Working with Exos, S-series router and Policy Manager.

Currently working with a customer, and I've setup a policy to deny 10.0.0.0/8 but allow 10.0.0.0/24. Precedence shows this should work. I also have allow DNS, DHCP and ARP. In the past with EOS, allow ARP allows the workstation to access the network via the gateway. I believe the workstation just arps up its gateway and uses the mac address for network access. I can't get that to work on EXOS. I've setup a rule to allow to the mac address of the s-series and that works, however I'm able to access everything on the 10 network that I've setup as a deny. Same result when I just allow the IP address of the gateway of the workstation (10.190.0.1). Has anybody setup this type of scenario with EXOS? I've got a case open, and they are looking at the switching side of things being the cause. I've upgraded to the latest code on the EXOS and still doesn't work. Just seeing if anybody else has run into this before and if there is a solution before I go down the ACL road. Thanks.
5 REPLIES 5

Brian_Anderson1
Contributor

‎10-26-2020 08:23 PM

Not sure. The customer never got back with me on the test switch we were working with. However GTAC had tested with the updated firmware successfully.  Sometimes the firmware bug fixes don’t make it across firmware forks immediately. I would try the 22.5.1.7 latest patch and see if that works for you.

On your policy I would block all internal network access and just allow ports such as DHCP and DNS, that should get you internet access without internal access. 

0 Kudos

TRC_Sysadmins
New Contributor

‎10-26-2020 06:05 AM

We are on v22.6.1.4-patch 1.  Trying to get the same sort of policy set up that allows PCs to get to the internet but not the internal networks (for some IoT types).  This thread looked promising but there is no solution posted.  Did you ever get this to work?  If so - please share b37f477866f245c89649f757905f45a1_1f601.png

 

0 Kudos

Brian_Anderson1
Contributor

‎07-12-2018 12:18 PM

FYI, received a response from GTAC, v22.5.1.7 is supposed to work. I haven't had a chance to test yet.
0 Kudos

Brian_Anderson
Contributor

‎05-29-2018 04:27 PM

I don't have ACLs currently in place. That is probably the solution I'll have to go with, unfortunately. Haven't heard any progress from GTAC side yet.
0 Kudos
GTM-P2G8KFN