Solved

ACL config for limited VLAN access on Cisco 2621 router

Posted on 2007-11-28
5
1,383 Views
Last Modified: 2010-04-21
Hello,
I need a little help with an ACL config on my router.  I have 2 VLans and need to setup access to two internal web servers(172.16.0.17, 172.16.0.21) and a DNS server(172.16.0.10) from the 2nd vlan.  Below is the config.  I can't get the web servers to show up, or access to the DNS lookup.  I can get everything if I allow all IP to the hosts, but I want to secure it to just the needed ports.  Any help is appreciated!

Vlan1 (FE0/0)   172.16.0.0    255.255.252.0
Vlan2 (FE0/0.2)  172.16.10.0    255.255.255.0

interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 172.16.0.1 255.255.252.0
 ip access-group 115 out
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 172.16.10.1 255.255.255.0

access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.21
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq 443 host 172.16.0.21
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq 443 host 172.16.0.17
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.17
access-list 115 permit udp 172.16.10.0 0.0.0.255 eq domain host 172.16.0.10
access-list 115 deny   ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.252.255
access-list 115 permit ip any any
0
Comment
Question by:jdavidsbs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 9

Accepted Solution

by:
predragpetrovic earned 125 total points
ID: 20368318
Hello,

You are implementing it wrong...
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 172.16.0.1 255.255.252.0
 ip access-group 115 in
 duplex auto
 speed auto

access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.21  eq www
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.21 eq 443
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.17 eq 443
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.17 eq www
access-list 115 permit udp 172.16.10.0 0.0.0.255 host 172.16.0.10 eq domain
access-list 115 deny   ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.252.255
access-list 115 permit ip any any


0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 125 total points
ID: 20368553
predraqpetrovic has the acl right, but I would apply that acl to the vlan2 interface 'in'

interface FastEthernet0/0
 no ip access-group 115 in

interface FastEthernet0/0.2
 ip access-group 115 in
0
 

Author Comment

by:jdavidsbs
ID: 20368999
I tried to reverse it to in, but that ends up allowing all traffic. I will try your suggestion, lrmoore.
0
 

Author Closing Comment

by:jdavidsbs
ID: 31411512
Thanks for the great help as always!  I split points for the help.
0
 

Author Comment

by:jdavidsbs
ID: 20369147
all good!  thanks!
0

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question