Solved

ACL config for limited VLAN access on Cisco 2621 router

Posted on 2007-11-28
Last Modified: 2010-04-21
Hello,
I need a little help with an ACL config on my router.  I have 2 VLANs and need to set up access to two internal web servers (172.16.0.17, 172.16.0.21) and a DNS server (172.16.0.10) from the 2nd VLAN.  Below is the config.  I can't get the web servers to show up, or access to the DNS lookup.  I can get everything if I allow all IP to the hosts, but I want to secure it to just the needed ports.  Any help is appreciated!

Vlan1 (FE0/0)   172.16.0.0    255.255.252.0
Vlan2 (FE0/0.2)  172.16.10.0    255.255.255.0

interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 172.16.0.1 255.255.252.0
 ip access-group 115 out
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 172.16.10.1 255.255.255.0

access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.21
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq 443 host 172.16.0.21
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq 443 host 172.16.0.17
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.17
access-list 115 permit udp 172.16.10.0 0.0.0.255 eq domain host 172.16.0.10
access-list 115 deny   ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.252.255
access-list 115 permit ip any any
Question by: jdavidsbs

Accepted Solution by: predragpetrovic (earned 125 total points)
ID: 20368318
Hello,

You are implementing it wrong...
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 172.16.0.1 255.255.252.0
 ip access-group 115 in
 duplex auto
 speed auto

access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.21  eq www
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.21 eq 443
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.17 eq 443
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.17 eq www
access-list 115 permit udp 172.16.10.0 0.0.0.255 host 172.16.0.10 eq domain
access-list 115 deny   ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.252.255
access-list 115 permit ip any any


Assisted Solution by: lrmoore (earned 125 total points)
ID: 20368553
predragpetrovic has the ACL right, but I would apply that ACL to the VLAN2 interface 'in'

interface FastEthernet0/0
 no ip access-group 115 in

interface FastEthernet0/0.2
 ip access-group 115 in

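Why the question's ACL blocked everything, as an added illustration that is not code from the thread: in an IOS extended ACL an "eq" qualifier that follows the source address matches the source port, so "172.16.10.0 0.0.0.255 eq www host 172.16.0.21" only permits packets that leave a VLAN2 host FROM port 80, and an ordinary browser connection (random high source port, destination port 80) falls through to the deny line. The small evaluator below applies IOS wildcard and first-match semantics to the question's ACL and to the accepted answer's, and also checks the deny line's wildcard: 0.0.252.255 only matches third octets 0, 4, 8, ... 252, whereas 172.16.0.0/22 (the VLAN1 subnet given in the question) needs 0.0.3.255. The ACL strings, the host addresses, the tightened variant and the function names are assumptions made for this example.

```python
import ipaddress

# Constructed sample ACLs for this example. The first two mirror the thread's
# question and accepted answer; the third is an assumed variant whose deny
# wildcard covers all of 172.16.0.0/22 (the VLAN1 subnet from the question).
ORIGINAL_ACL = """
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.21
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq 443 host 172.16.0.21
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq 443 host 172.16.0.17
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.17
access-list 115 permit udp 172.16.10.0 0.0.0.255 eq domain host 172.16.0.10
access-list 115 deny   ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.252.255
access-list 115 permit ip any any
"""
ACCEPTED_ACL = """
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.21 eq www
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.21 eq 443
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.17 eq 443
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.17 eq www
access-list 115 permit udp 172.16.10.0 0.0.0.255 host 172.16.0.10 eq domain
access-list 115 deny   ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.252.255
access-list 115 permit ip any any
"""
# Assumed variant: same permits, deny wildcard widened to the whole /22.
TIGHTENED_ACL = ACCEPTED_ACL.replace("172.16.0.0 0.0.252.255", "172.16.0.0 0.0.3.255")

PORT_NAMES = {"www": 80, "domain": 53}  # the only port keywords these ACLs use


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard means that bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def _take_addr(tokens):
    """Consume 'any', 'host X' or 'X WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq PORT' qualifier; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tokens[2:]
    return None, tokens


def parse_ace(line):
    """access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]

    An 'eq' right after the source address is a SOURCE port match; only an
    'eq' after the destination address matches the destination port."""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = _take_addr(t[4:])
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, _ = _take_port(rest)
    return action, proto, src, sport, dst, dport


def evaluate(acl_text, proto, src_ip, src_port, dst_ip, dst_port):
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    for line in acl_text.strip().splitlines():
        action, ace_proto, src, sport, dst, dport = parse_ace(line)
        if ace_proto not in ("ip", proto):
            continue
        if not wildcard_match(src_ip, *src) or not wildcard_match(dst_ip, *dst):
            continue
        if sport is not None and sport != src_port:
            continue
        if dport is not None and dport != dst_port:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    # Constructed packets from an assumed VLAN2 host to the servers in the question.
    web = ("tcp", "172.16.10.50", 34567, "172.16.0.21", 80)
    dns = ("udp", "172.16.10.50", 5353, "172.16.0.10", 53)
    # An assumed VLAN1 host that the 0.0.252.255 wildcard does not actually cover.
    other = ("tcp", "172.16.10.50", 40000, "172.16.1.5", 22)
    for name, acl in (("original", ORIGINAL_ACL), ("accepted", ACCEPTED_ACL),
                      ("tightened", TIGHTENED_ACL)):
        print(name, "web:", evaluate(acl, *web), "dns:", evaluate(acl, *dns),
              "vlan1 ssh:", evaluate(acl, *other))
    print("0.0.252.255 covers 172.16.1.5?",
          wildcard_match("172.16.1.5", "172.16.0.0", "0.0.252.255"))
```

Run it with python3 and compare the three rows: the original ACL denies both the web and the DNS packet, the accepted ACL permits them, and only the tightened variant denies the VLAN2-to-172.16.1.5 packet, because with 0.0.252.255 that destination slips past the deny to "permit ip any any". The evaluator models ACE matching only; it does not model which interface or direction the list is applied in, which is the separate point lrmoore raises above.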
Author Comment by: jdavidsbs
ID: 20368999
I tried to reverse it to in, but that ends up allowing all traffic. I will try your suggestion, lrmoore.
Author Closing Comment by: jdavidsbs
ID: 31411512
Thanks for the great help as always!  I split points for the help.
Author Comment by: jdavidsbs
ID: 20369147
all good!  thanks!