how to drop all traffic except internet and specific local IP address

I would like to allow traffic to the Internet from one station, but not to the local network (LAN). I would like, if possible, to allow access from that station to 3 different servers on the local network: DHCP, proxy cache and UNTANGLE. Any idea?

1 Solution
For Internet access (assuming you have your NAT done)
create an access list:
  ip access-list extended (Insert name here)
   permit tcp host x.x.x.x any eq www
   permit tcp host x.x.x.x any eq 443
on your Internet-bound interface:
  ip access-group (Name from above) in
If that station is on the same subnet as the other 3 boxes, a router won't help you filter.
If it is not, more access control lists.
Where is the DHCP? A network diagram would help.
solohayuno (Author) commented:
CCI_IT: You mean an access list on the Cisco router?
vadirajj: DHCP and proxy are on the local network (LAN); switches connect all stations, including the DHCP server, proxy and Cisco router. Untangle is just after the proxy, and the Internet router is just after the Untangle server.

You can achieve this by using ACLs or PBR. If you give more information, that will give a clearer idea.

Yes, an access-list on the router. But again, it depends.
Scenario 1:
All servers are on the same subnet. The router will only filter Internet traffic, but won't prevent machines from talking to one another. A single ACL permitting only that host will implicitly deny all other hosts from getting out to the Internet.
Scenario 2:
Servers are on different subnets. The router will be able to filter who talks to whom as long as they are on different subnets (including the Internet) using ACLs. I can get more specific if you give a more detailed topology. In either case, Internet filtering will be done the same way (with or without a firewall).
solohayuno (Author) commented:
First: all have the same subnet, until now (bad design).
Second: I did it with a bridged firewall; all traffic that passed from side0 of the firewall to side1 was just allowed to access the non-local network, no matter what type of traffic: http, https, ftp, and so on.
Not sure what that means.
Can your router support access lists (what brand is it)?
How many interfaces are on the router?
Do you have a layer 2 switch that all of the computers connect to that connects to the router (what brand is that)?
What I am getting at is this. You can create 2 VLANs on the switch and (depending on the router) create subinterfaces on the router in order to provide routing between the 2 VLANs (subnets). That way, you can create access lists on the router to filter traffic between the 2 subnets and also between any domain machine and the Internet. Once I know what you are working with I can be a little more specific.
solohayuno (Author) commented:

What I was looking for in the original post was a port in a public location of my network to pass through the network to the Internet, without any other option than the Internet.

In this scenario, it will have to pass through:
1. various Cisco Catalyst 500 series switches, to get to my central Cisco 3800 series router,
2. then be redirected to an Untangle Linux (Debian Lenny based) gateway, which is preceded by a Debian Lenny transparent cache proxy,
3. then be redirected to a Cisco 878 router which connects to our ISP.

That is the path needed to get to the Internet from that public port, and the requirement is that the public port must not get access to anywhere other than the Internet.
I think I understand what you are saying. You will..
1) set up a VLAN for that box only.
2) span that VLAN all of the way to your 3800.
On the 3800 you will do 2 things.
   i) create an access list permitting access to the 3 machines you said that box has to communicate with
   ii) add to that access list a statement denying access to your LAN subnets.
   iii) create a policy route-map that will set the default gateway to be your 878 (assuming the cache proxy is L3 transparent) ~ this requires another access list to be created in order to define traffic that will match the policy
   iv) apply both the access list and the policy based route map to the inbound interface of the VLAN
This will isolate traffic from that box to the 878 and prevent access to your LAN (with the exception of the 3 machines you said it needs to see). I am not sure what networks are on your 878, but you can set up a policy route map on that as well should you need to isolate that traffic all of the way through to the Internet.
Just remember when creating the access-list in i) to restrict access to all of your subnets to ensure security.
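The following is an added worked example of the VLAN-plus-ACL-plus-PBR design described in the two answers above (the subinterface approach and steps i to iv); it is not configuration posted by anyone in this thread. Every address, ACL name, route-map name, VLAN number and interface number is an assumed placeholder: VLAN 200 (192.0.2.0/24) is the isolated VLAN for the public port, 192.0.2.10 the station, 10.1.1.10 / 10.1.1.20 / 10.1.1.30 the DHCP server, cache proxy and Untangle box, 10.0.0.0/8 the whole internal LAN, and 10.1.1.1 the LAN-side address of the 878, assumed to be the first layer-3 hop toward the ISP with the proxy and Untangle being transparent at layer 2.

```cisco
! Added example, not from the thread. All names and addresses are assumed.

! i) + ii) One extended ACL: permit the three servers, deny the rest of the
!    LAN, then permit everything else (Internet). Order matters: IOS stops at
!    the first matching line, and anything unmatched hits the implicit deny.
ip access-list extended PUBLIC-PORT-IN
 remark a client with no address yet sends DHCP as a broadcast, not from 192.0.2.10
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 remark the three servers the public station may reach
 permit ip host 192.0.2.10 host 10.1.1.10
 permit ip host 192.0.2.10 host 10.1.1.20
 permit ip host 192.0.2.10 host 10.1.1.30
 remark everything else internal is denied; log so probing from the port is visible
 deny   ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 remark whatever is left is Internet bound
 permit ip host 192.0.2.10 any

! iii) A second ACL only selects the traffic the policy applies to.
!      In a PBR ACL "deny" means "route normally", not "drop": without the
!      deny line, packets for the three servers would also be pushed to the
!      878 and never reach them. Packets already dropped by PUBLIC-PORT-IN
!      never get here, because the inbound access-group is evaluated first.
ip access-list extended PUBLIC-PORT-PBR
 deny   ip host 192.0.2.10 10.0.0.0 0.255.255.255
 permit ip host 192.0.2.10 any
!
route-map PUBLIC-TO-878 permit 10
 match ip address PUBLIC-PORT-PBR
 set ip next-hop 10.1.1.1

! iv) Apply both on the inbound side of the VLAN on the 3800. The helper
!     address relays the station's DHCP broadcasts to the DHCP server,
!     which now sits in a different subnet.
interface GigabitEthernet0/0.200
 encapsulation dot1Q 200
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 10.1.1.10
 ip access-group PUBLIC-PORT-IN in
 ip policy route-map PUBLIC-TO-878
```

To check it from the station: reach the proxy (should work and increment the matching permit counter), then try any other internal host (should fail, and the logged deny counter should increment). On the 3800, `show ip access-lists PUBLIC-PORT-IN` shows per-line hit counters and `show route-map PUBLIC-TO-878` shows how many packets were policy routed; if Internet traffic is not being counted by the route-map, the next-hop assumption for the 878 is the first thing to revisit.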