Solved

ACL config for limited VLAN access on Cisco 2621 router

Posted on 2007-11-28
5
1,384 Views
Last Modified: 2010-04-21
Hello,
I need a little help with an ACL config on my router.  I have 2 VLans and need to setup access to two internal web servers(172.16.0.17, 172.16.0.21) and a DNS server(172.16.0.10) from the 2nd vlan.  Below is the config.  I can't get the web servers to show up, or access to the DNS lookup.  I can get everything if I allow all IP to the hosts, but I want to secure it to just the needed ports.  Any help is appreciated!

Vlan1 (FE0/0)   172.16.0.0    255.255.252.0
Vlan2 (FE0/0.2)  172.16.10.0    255.255.255.0

interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 172.16.0.1 255.255.252.0
 ip access-group 115 out
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 172.16.10.1 255.255.255.0

access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.21
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq 443 host 172.16.0.21
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq 443 host 172.16.0.17
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.17
access-list 115 permit udp 172.16.10.0 0.0.0.255 eq domain host 172.16.0.10
access-list 115 deny   ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.252.255
access-list 115 permit ip any any
0
Comment
Question by:jdavidsbs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 9

Accepted Solution

by:
predragpetrovic earned 125 total points
ID: 20368318
Hello,

You are implementing it wrong...
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 172.16.0.1 255.255.252.0
 ip access-group 115 in
 duplex auto
 speed auto

access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.21  eq www
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.21 eq 443
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.17 eq 443
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.17 eq www
access-list 115 permit udp 172.16.10.0 0.0.0.255 host 172.16.0.10 eq domain
access-list 115 deny   ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.252.255
access-list 115 permit ip any any


0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 125 total points
ID: 20368553
predraqpetrovic has the acl right, but I would apply that acl to the vlan2 interface 'in'

interface FastEthernet0/0
 no ip access-group 115 in

interface FastEthernet0/0.2
 ip access-group 115 in
0
 

Author Comment

by:jdavidsbs
ID: 20368999
I tried to reverse it to in, but that ends up allowing all traffic. I will try your suggestion, lrmoore.
0
 

Author Closing Comment

by:jdavidsbs
ID: 31411512
Thanks for the great help as always!  I split points for the help.
0
 

Author Comment

by:jdavidsbs
ID: 20369147
all good!  thanks!
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question