Solved

ACL config for limited VLAN access on Cisco 2621 router

Posted on 2007-11-28
Last Modified: 2010-04-21
Hello,
I need a little help with an ACL config on my router.  I have 2 VLANs and need to set up access to two internal web servers (172.16.0.17, 172.16.0.21) and a DNS server (172.16.0.10) from the 2nd VLAN.  Below is the config.  I can't get the web servers to show up, or access to the DNS lookup.  I can get everything if I allow all IP to the hosts, but I want to secure it to just the needed ports.  Any help is appreciated!

Vlan1 (FE0/0)   172.16.0.0    255.255.252.0
Vlan2 (FE0/0.2)  172.16.10.0    255.255.255.0

interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 172.16.0.1 255.255.252.0
 ip access-group 115 out
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 172.16.10.1 255.255.255.0

access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.21
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq 443 host 172.16.0.21
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq 443 host 172.16.0.17
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.17
access-list 115 permit udp 172.16.10.0 0.0.0.255 eq domain host 172.16.0.10
access-list 115 deny   ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.252.255
access-list 115 permit ip any any
Question by:jdavidsbs
5 Comments
Accepted Solution

by: predragpetrovic (earned 500 total points)
ID: 20368318
Hello,

You are implementing it wrong...
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 172.16.0.1 255.255.252.0
 ip access-group 115 in
 duplex auto
 speed auto

access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.21 eq www
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.21 eq 443
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.17 eq 443
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.17 eq www
access-list 115 permit udp 172.16.10.0 0.0.0.255 host 172.16.0.10 eq domain
! wildcard 0.0.3.255 is the inverse of 255.255.252.0 (the posted 0.0.252.255 is not contiguous and misses 172.16.1-3.x)
access-list 115 deny   ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.3.255
access-list 115 permit ip any any


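To see why moving `eq` matters, here is a small first-match evaluator for these extended ACL lines (added example, not code from the thread). It parses a subset of the `access-list` syntax (`any`, `host`, address/wildcard, `eq`) and runs constructed flows from VLAN2 through the poster's ordering and the accepted answer's ordering; it also contrasts the wildcard `0.0.252.255` with `0.0.3.255`, the inverse of 255.255.252.0, since a non-contiguous wildcard leaves hosts such as 172.16.2.x outside the deny.

```python
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53}  # IOS keywords used in this thread
# Constructed from the thread: the poster's ACL ("eq" before the destination, so it
# tests the client's ephemeral source port) and the accepted answer's ordering.
POSTED_ACL = """\
access-list 115 permit tcp 172.16.10.0 0.0.0.255 eq www host 172.16.0.21
access-list 115 deny   ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.252.255
access-list 115 permit ip any any"""
FIXED_ACL = """\
access-list 115 permit tcp 172.16.10.0 0.0.0.255 host 172.16.0.21 eq www
access-list 115 deny   ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.3.255
access-list 115 permit ip any any"""

_ip = lambda s: int(ipaddress.IPv4Address(s))

def _parse_addr(tok, i):
    """Return ((base, wildcard), next index) for 'any', 'host A' or 'A WILDCARD'."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _parse_port(tok, i):
    """Return (port or None, next index); only the 'eq' operator is handled."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(text):
    """Parse 'access-list N action proto SRC [eq P] DST [eq P]' lines in order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, _ = _parse_port(tok, i)
        rules.append((tok[2], tok[3], src, sport, dst, dport))
    return rules

def _match(addr, spec):
    base, wild = spec  # wildcard bit 1 = don't care, so compare only the 0 bits
    return (_ip(addr) ^ base) & (0xFFFFFFFF ^ wild) == 0

def evaluate(rules, proto, src, sport, dst, dport):
    """First match wins; a packet matching no line hits the implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto in ("ip", proto) and _match(src, rsrc) and _match(dst, rdst) \
                and rsport in (None, sport) and rdport in (None, dport):
            return action
    return "deny"
```

A browser on VLAN2 connects from an ephemeral port (here 40000) to port 80, so the posted line never matches and the flow falls through to the deny; the same flow is permitted by the corrected ordering.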
Assisted Solution

by:lrmoore
lrmoore earned 500 total points
ID: 20368553
predragpetrovic has the acl right, but I would apply that acl to the vlan2 interface 'in'

interface FastEthernet0/0
 no ip access-group 115 in

interface FastEthernet0/0.2
 ip access-group 115 in
Author Comment

by:jdavidsbs
ID: 20368999
I tried to reverse it to in, but that ends up allowing all traffic. I will try your suggestion, lrmoore.
Author Closing Comment

by:jdavidsbs
ID: 31411512
Thanks for the great help as always!  I split points for the help.
Author Comment

by:jdavidsbs
ID: 20369147
all good!  thanks!