jdavidsbs
asked on
ACL config for limited VLAN access on Cisco 2621 router
Hello,
I need a little help with an ACL config on my router. I have 2 VLANs and need to set up access to two internal web servers (172.16.0.17, 172.16.0.21) and a DNS server (172.16.0.10) from the 2nd VLAN. Below is the config. I can't get the web servers to show up, or access to the DNS lookup. I can get everything if I allow all IP to the hosts, but I want to secure it to just the needed ports. Any help is appreciated!
Vlan1 (FE0/0) 172.16.0.0 255.255.252.0
Vlan2 (FE0/0.2) 172.16.10.0 255.255.255.0
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.2.1 255.255.255.0 secondary
ip address 172.16.0.1 255.255.252.0
ip access-group 115 out
duplex auto
speed auto
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 172.16.10.1 255.255.255.0
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.21
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq 443 host 172.16.0.21
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq 443 host 172.16.0.17
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.17
access-list 115 permit udp 172.16.10.0 0.0.0.255 eq domain host 172.16.0.10
access-list 115 deny ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.252.255
access-list 115 permit ip any any
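Added example, not from the question or from the (not visible) accepted answer: a small Python evaluator for the extended-ACL syntax posted above. In IOS, `eq www` qualifies whichever address comes right before it, so the entries as posted match the client's source port 80 (which a browser's ephemeral port never is) and the request falls through to the `deny ip` line; moving `eq` after the destination fixes that, and the same applies to the `eq domain` entry. The wildcard for a /22 is 0.0.3.255, not 0.0.252.255; the client addresses and ports below are constructed.

```python
import ipaddress

def wildcard_match(addr, net, wildcard):  # a 1 bit in the wildcard means "don't care"
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def parse_endpoint(tokens):  # 'any' | 'host A' | 'A WILDCARD', then optional 'eq PORT'
    tok = tokens.pop(0)
    if tok == "any":
        net, wc = "0.0.0.0", "255.255.255.255"
    else:
        net, wc = (tokens.pop(0), "0.0.0.0") if tok == "host" else (tok, tokens.pop(0))
    port = None
    if tokens and tokens[0] == "eq":  # named ports as IOS prints them
        port = {"www": 80, "domain": 53}.get(tokens[1]) or int(tokens[1])
        del tokens[:2]
    return net, wc, port

def parse_ace(line):  # 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'
    t = line.split()
    rest = t[4:]
    return {"action": t[2], "proto": t[3], "src": parse_endpoint(rest), "dst": parse_endpoint(rest)}

def evaluate(acl, proto, src_ip, src_port, dst_ip, dst_port):
    # First matching entry wins; every Cisco ACL ends with an implicit deny.
    for ace in map(parse_ace, acl):
        (sn, sw, sp), (dn, dw, dp) = ace["src"], ace["dst"]
        if (ace["proto"] in ("ip", proto) and wildcard_match(src_ip, sn, sw)
                and wildcard_match(dst_ip, dn, dw) and sp in (None, src_port)
                and dp in (None, dst_port)):
            return ace["action"]
    return "deny"

# As posted: 'eq www' follows the SOURCE spec, so it is a source-port test.
AS_POSTED = [
    "access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.21",
    "access-list 115 deny ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.252.255",
    "access-list 115 permit ip any any",
]
# Corrected: 'eq' after the destination, and the /22 wildcard is 0.0.3.255.
CORRECTED = [
    "access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.21 eq www",
    "access-list 115 deny ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.3.255",
    "access-list 115 permit ip any any",
]

def decisions(acl):  # constructed VLAN2 client: a web request, and a stray SSH attempt into the /22
    return {"web": evaluate(acl, "tcp", "172.16.10.50", 51234, "172.16.0.21", 80),
            "stray": evaluate(acl, "tcp", "172.16.10.50", 51234, "172.16.1.5", 22)}
```

With the posted entries the web request is denied and the stray connection slips through the mis-masked deny to `permit ip any any`; with the corrected entries the outcomes are reversed.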
ASKER
Thanks for the great help as always! I split points for the help.
ASKER
all good! thanks!