Solved

ACL config for limited VLAN access on Cisco 2621 router

Posted on 2007-11-28
5
1,381 Views
Last Modified: 2010-04-21
Hello,
I need a little help with an ACL config on my router.  I have 2 VLans and need to setup access to two internal web servers(172.16.0.17, 172.16.0.21) and a DNS server(172.16.0.10) from the 2nd vlan.  Below is the config.  I can't get the web servers to show up, or access to the DNS lookup.  I can get everything if I allow all IP to the hosts, but I want to secure it to just the needed ports.  Any help is appreciated!

Vlan1 (FE0/0)   172.16.0.0    255.255.252.0
Vlan2 (FE0/0.2)  172.16.10.0    255.255.255.0

interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 172.16.0.1 255.255.252.0
 ip access-group 115 out
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 172.16.10.1 255.255.255.0

access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.21
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq 443 host 172.16.0.21
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq 443 host 172.16.0.17
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.17
access-list 115 permit udp 172.16.10.0 0.0.0.255 eq domain host 172.16.0.10
access-list 115 deny   ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.252.255
access-list 115 permit ip any any
0
Comment
Question by:jdavidsbs
  • 3
5 Comments
 
LVL 9

Accepted Solution

by:
predragpetrovic earned 125 total points
ID: 20368318
Hello,

You are implementing it wrong...
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 172.16.0.1 255.255.252.0
 ip access-group 115 in
 duplex auto
 speed auto

access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.21  eq www
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.21 eq 443
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.17 eq 443
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.17 eq www
access-list 115 permit udp 172.16.10.0 0.0.0.255 host 172.16.0.10 eq domain
access-list 115 deny   ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.252.255
access-list 115 permit ip any any


0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 125 total points
ID: 20368553
predraqpetrovic has the acl right, but I would apply that acl to the vlan2 interface 'in'

interface FastEthernet0/0
 no ip access-group 115 in

interface FastEthernet0/0.2
 ip access-group 115 in
0
 

Author Comment

by:jdavidsbs
ID: 20368999
I tried to reverse it to in, but that ends up allowing all traffic. I will try your suggestion, lrmoore.
0
 

Author Closing Comment

by:jdavidsbs
ID: 31411512
Thanks for the great help as always!  I split points for the help.
0
 

Author Comment

by:jdavidsbs
ID: 20369147
all good!  thanks!
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question