
Need to create an ACL on Cisco Catalyst Switch

mbarnesseo asked (Medium Priority, 686 Views)
Last Modified: 2012-05-07
Hello everyone,

We have a 3rd party PC that is required to be on our network so they can have internet access but we do not want them to have access to anything else.   This machine is at a remote site that is connected via 10meg metro-e circuit.  Here is the data path.
PC -> Default Gateway [local catalyst switch] -> Catalyst Switch [@main office]-> Cisco Router [main default gateway] -> Cisco ASA -> Internet.

I know how to create an ACL but I am unsure what I should add to only allow access from this PC to the internet.

Any ideas?

Thanks

Mike

Author

Commented:
Thanks everyone...

Can you explain why one of these answers is better than the others...?

Mike

Commented:
Well, you don't want "any any" because that will not specify traffic just for that user; it will be for any traffic it sees.
We weren't sure what other traffic the user would need, so we were adding the DHCP and other statements in there as a just-in-case precaution. If that one user is just going to go across the network to browse HTTP ONLY, then the permit statement from nasirsh will work. If you want that user to be able to do online banking and other things that require HTTPS traffic, you will also need to allow 443.
mbarnesseo,

Tell us exactly what kind of access you want them to have and to what sites. Will they be using your DHCP pool? Will they login using an Active Directory account?

Author

Commented:
Basically, I did in my original question. They need internet access, and I am assuming port 80 traffic. The company did not specify anything else.

The machine will not access dhcp pools nor is it on our domain.

I am going to add dameware port so I can remote into it but so far that is it.

Hope this helps...

btw - this is my first time configuring ACLs.  I do not want to keep the whole site from working correctly. [just a little gun shy here...]

Mike
In that case nasirsh is the one you wanna go with.
IP access-list extended Name_Here
 permit tcp (IP of client here. Can be a range too.) any eq 80
 permit tcp (IP of client here. Can be a range too.) any eq 443 <--- if you want them to access secure websites

Author

Commented:
Here is a followup question...

If they need to do dns, do I need to add the eq domain command?

Here is what I'm looking at so far...
ip access-list extended RX_PC
 remark ###### Allow HTTP & HTTPS
 permit tcp host <IP> any eq www log
 permit tcp host <IP> any eq 443 log
 permit tcp host <IP> any gt 1024
 permit tcp host <IP> 30 any eq 6129 log
 permit tcp host <IP> any eq echo log
 remark **** dns *****
 permit tcp host <IP> any eq domain log

Should I worry about the logging and space?

Thanks again

Mike
The logging situation is dependent on your current logging setup. Do you have a server where all the devices dump their logs? Do you even have logging enabled? If you don't, there's no use putting it there.

ip access-list extended RX_PC
 remark ###### Allow HTTP & HTTPS
 permit tcp host <IP> any eq www log
 permit tcp host <IP> any eq 443 log
 permit tcp host <IP> any gt 1024
 permit tcp host <IP> 30 (don't want to reveal? is that the last octet?) any eq 6129 log
 permit tcp host <IP> any eq echo log
 remark ###### Allow DNS
 permit tcp host <IP> any eq domain log
 permit udp host <IP> any eq domain log (DNS can be both TCP and UDP)
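One way to put the advice in this thread together so the PC reaches the internet but not the inside network, written as an added example rather than any poster's config. It assumes placeholder addresses (PC 192.0.2.10, resolver 198.51.100.53, admin workstation 192.168.30.200), RFC1918 ranges for the internal networks, VLAN 30 for the PC, and that the ACL is applied inbound on that VLAN's SVI on the local Catalyst switch.

```cisco
! Added example, not from the thread. All addresses and the VLAN number are assumptions.
ip access-list extended RX_PC
 remark ###### Things the PC must reach inside, listed BEFORE the internal deny
 remark DNS can be TCP or UDP; only the resolver the PC is configured with
 permit udp host 192.0.2.10 host 198.51.100.53 eq domain
 permit tcp host 192.0.2.10 host 198.51.100.53 eq domain
 remark Replies from a remote-control tool listening on the PC (port 6129 per thread)
 remark leave the PC with SOURCE port 6129, so match that, not "any eq 6129"
 permit tcp host 192.0.2.10 eq 6129 host 192.168.30.200
 remark ###### Block every internal range: a plain "permit ... any" would also
 remark match inside hosts, which is the access this PC is not supposed to have
 deny   ip host 192.0.2.10 10.0.0.0 0.255.255.255 log
 deny   ip host 192.0.2.10 172.16.0.0 0.15.255.255 log
 deny   ip host 192.0.2.10 192.168.0.0 0.0.255.255 log
 remark ###### Internet only: HTTP and HTTPS to whatever is left (non-RFC1918)
 permit tcp host 192.0.2.10 any eq www
 permit tcp host 192.0.2.10 any eq 443
 remark No "gt 1024" line is needed: an inbound ACL on the SVI only sees frames
 remark the PC sends; replies from the internet travel the other way.
 remark Everything else from the PC hits the implicit deny at the end.
!
! Apply in the PC-to-network direction. Other hosts on VLAN 30 are unaffected:
! every line above matches only the PC's address, and they fall to the implicit
! deny, so give this PC its own VLAN/port or add permits for the other hosts.
interface Vlan30
 ip access-group RX_PC in
```

"log" is kept only on the deny lines: on a Catalyst, logged hits are processed by the CPU, so logging every permitted packet costs more than it tells you, while logged denies show exactly what the PC tried to reach inside. `show ip access-lists RX_PC` shows per-line hit counts, which is the quickest way to confirm the PC still browses and the internal denies are what is catching anything else.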

Author

Commented:
Got me...

That is part of the last octet...

I know it will be very hard for someone to get into our PCs from the outside [not impossible but very unlikely - I liked the picture that compared firewalls to a bulletproof vest...]. Since I work at a medical facility, I don't like giving out IP addresses unless absolutely needed...

Of course I must have done something, because now I cannot contact that machine... [although I think it was a mistype on the gateway...] I really dislike fat-finger mistakes...

Thanks everyone...

Mike

Author

Commented:
Thank you everyone...

I hope the point spread works for you.  I used bits from everyone's response but astrochimp gave really good followup.

Thanks again
Mike