Solved

Need to create an ACL on Cisco Catalyst Switch

Posted on 2009-07-01
Last Modified: 2012-05-07
Hello everyone,

We have a 3rd-party PC that is required to be on our network so they can have internet access, but we do not want them to have access to anything else. This machine is at a remote site that is connected via a 10 meg Metro-E circuit. Here is the data path:

PC -> Default Gateway [local Catalyst switch] -> Catalyst Switch [@main office] -> Cisco Router [main default gateway] -> Cisco ASA -> Internet.

I know how to create an ACL but I am unsure what I should add to only allow access from this PC to the internet.

Any ideas?

Thanks

Mike
Question by: mbarnesseo

12 Comments

Accepted Solution

by: astrochimp (earned 300 total points), ID: 24754508
You can try something like this on the local Catalyst switch:

ip access-list extended Your_ACL_Name
 remark ##### Allow DHCP
 permit udp any any eq bootps log
 permit tcp any any eq bootps log
 permit udp any any eq bootpc log
 permit tcp any any eq bootpc log
 remark ##### Allow HTTP & HTTPS
 permit tcp any any eq 80 log
 permit tcp any any eq 443 log

Assisted Solution

by: danf0x (earned 100 total points), ID: 24755156
I would change that first "any" to "host <ip address>" so you don't invite unwanted guests.

Also you may need

permit tcp host <ip address> any gt 1024

if they are travelling through you and not to you for web connections.
Assisted Solution

by: nasirsh (earned 100 total points), ID: 24755768
Do the following:

ip access-list extended <ACL_NAME>
 permit tcp host PC_IP any eq 80

This will only allow HTTP traffic from the PC which you want to have access to the internet.
Author Comment

by: mbarnesseo, ID: 24764705
Thanks everyone...

Can you explain why one of these answers is better than the others...?

Mike
Expert Comment

by: danf0x, ID: 24765198
Well, you don't want "any any" because that will not specify traffic just for that user; it will be for any traffic it sees.

We weren't sure what other traffic the user would need, so we were adding the DHCP and other statements in there as a just-in-case precaution. If that one user is just going to go across the network to browse HTTP ONLY, then nasirsh's permit statement will work. If you want that user to be able to do online banking and other things that require HTTPS traffic, you will also need to allow 443.
Expert Comment

by: astrochimp, ID: 24765544
mbarnesseo,

Tell us exactly what kind of access you want them to have and to what sites. Will they be using your DHCP pool? Will they login using an Active Directory account?
Author Comment

by: mbarnesseo, ID: 24765591
Basically I did in my original question. They need internet access, and I am assuming port 80 traffic. The company did not specify anything else.

The machine will not access DHCP pools, nor is it on our domain.

I am going to add the DameWare port so I can remote into it, but so far that is it.

Hope this helps...

BTW - this is my first time configuring ACLs. I do not want to keep the whole site from working correctly. [just a little gun-shy here...]

Mike
Expert Comment

by: astrochimp, ID: 24765718
In that case, nasirsh's is the one you want to go with.

ip access-list extended Name_Here
 permit tcp (IP of client here. Can be a range too.) any eq 80
 permit tcp (IP of client here. Can be a range too.) any eq 443 <--- if you want them to access secure websites

Author Comment

by: mbarnesseo, ID: 24765738
Here is a followup question...

If they need to do DNS, do I need to add the eq domain command?

Here is what I'm looking at so far...


ip access-list extended RX_PC
 remark ###### Allow HTTP & HTTPS
 permit tcp host <IP> any eq www log
 permit tcp host <IP> any eq 443 log
 permit tcp host <IP> any gt 1024
 permit tcp host <IP> 30 any eq 6129 log
 permit tcp host <IP> any eq echo log
 remark **** dns *****
 permit tcp host <IP> any eq domain log

Should I worry about the logging and space?

Thanks again

Mike
Expert Comment

by: astrochimp, ID: 24765822
The logging situation is dependent on your current logging setup. Do you have a server where all the devices dump their logs? Do you even have logging enabled? If you don't, there's no use putting it there.

ip access-list extended RX_PC
 remark ###### Allow HTTP & HTTPS
 permit tcp host <IP> any eq www log
 permit tcp host <IP> any eq 443 log
 permit tcp host <IP> any gt 1024 
 permit tcp host <IP> 30 (don't want to reveal? is that the last octet?) any eq 6129 log
 permit tcp host <IP> any eq echo log
 remark ###### Allow DNS
 permit tcp host <IP> any eq domain log
 permit udp host <IP> any eq domain log (DNS can be both TCP and UDP)

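As an added example that is not from the thread, the Python below models an IOS extended ACL the way the switch evaluates it: first match wins, and anything that matches nothing falls to the implicit "deny ip any any" at the end. It assumes the list is applied inbound on the switch port facing the PC, so it only ever sees packets the PC sends (IOS ACLs are stateless; return traffic comes in on another interface and is never checked against this list), and the addresses are made-up TEST-NET values because Mike never posted his. Running the "any any" shape from the accepted answer and the host-scoped RX_PC list through it shows why the host scoping matters, that DNS needs the UDP entry, that "tcp ... eq echo" is TCP port 7 rather than ICMP echo, and what the "gt 1024" entry opens up towards the internal network.

```python
"""Minimal evaluator for IOS-style extended ACLs (added example, not from the thread)."""
import ipaddress

# Hypothetical addresses from the TEST-NET ranges; the poster never revealed his.
PC_IP = "192.0.2.30"
OTHER_IP = "192.0.2.31"
WEB_SERVER = "198.51.100.10"
DNS_SERVER = "198.51.100.53"
INTERNAL_HOST = "10.0.0.5"

# IOS port keywords used in the thread and their numeric values.
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68, "echo": 7}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard masks are inverted netmasks: 0 bits must match, 1 bits are don't-care.
    netmask = int(ipaddress.ip_address(tokens.pop(0))) ^ 0xFFFFFFFF
    return ipaddress.ip_network(f"{tok}/{ipaddress.ip_address(netmask)}", strict=False)


def _parse_ports(tokens):
    """Consume an optional port operator (eq/gt/lt/range) and return a match predicate."""
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "range"):
        return lambda p: True
    op = tokens.pop(0)
    a = _port(tokens.pop(0))
    if op == "eq":
        return lambda p: p == a
    if op == "gt":
        return lambda p: p > a
    if op == "lt":
        return lambda p: p < a
    b = _port(tokens.pop(0))
    return lambda p: a <= p <= b


def parse_acl(text):
    """Turn the lines of an 'ip access-list extended' block into ACE tuples, in order."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark"):
            continue  # blank line, the list header, or a remark
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _parse_addr(rest), _parse_ports(rest)   # left-to-right consumption
        dst, dport = _parse_addr(rest), _parse_ports(rest)   # a trailing 'log' is ignored
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def evaluate(acl_text, proto, src_ip, sport, dst_ip, dport):
    """First matching ACE wins; nothing matching falls to the implicit 'deny ip any any'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, s_net, s_ok, d_net, d_ok in parse_acl(acl_text):
        if p in ("ip", proto) and src in s_net and dst in d_net and s_ok(sport) and d_ok(dport):
            return action
    return "deny"


# The accepted answer's shape: every entry is 'any any' (DHCP is UDP; the tcp line never matches).
OPEN_ACL = """
ip access-list extended OPEN_ACL
 remark ##### Allow DHCP
 permit udp any any eq bootps log
 permit tcp any any eq bootps log
 remark ##### Allow HTTP & HTTPS
 permit tcp any any eq 80 log
 permit tcp any any eq 443 log
"""

# The host-scoped list the thread converged on, with the sample PC address filled in.
RX_PC = f"""
ip access-list extended RX_PC
 remark ###### Allow HTTP & HTTPS
 permit tcp host {PC_IP} any eq www log
 permit tcp host {PC_IP} any eq 443 log
 permit tcp host {PC_IP} any eq 6129 log
 permit tcp host {PC_IP} any eq echo log
 remark ###### Allow DNS
 permit tcp host {PC_IP} any eq domain log
 permit udp host {PC_IP} any eq domain log
"""

# The same list plus the 'gt 1024' entry suggested earlier in the thread.
RX_PC_HIGH_PORTS = RX_PC + f" permit tcp host {PC_IP} any gt 1024\n"


def demo():
    """Run the thread's scenarios through both lists and return the verdicts."""
    return {
        # 'any any' lets the neighbouring host out too; 'host' scoping does not.
        "other_host_https_open": evaluate(OPEN_ACL, "tcp", OTHER_IP, 50000, WEB_SERVER, 443),
        "other_host_https_rx": evaluate(RX_PC, "tcp", OTHER_IP, 50000, WEB_SERVER, 443),
        "pc_https_rx": evaluate(RX_PC, "tcp", PC_IP, 50000, WEB_SERVER, 443),
        # Ordinary DNS lookups are UDP/53; the TCP-only 'domain' entry alone would miss them.
        "pc_dns_udp_rx": evaluate(RX_PC, "udp", PC_IP, 50000, DNS_SERVER, 53),
        # 'tcp ... eq echo' is TCP port 7, not ICMP echo: ping from the PC still hits the implicit deny.
        "pc_ping_rx": evaluate(RX_PC, "icmp", PC_IP, 0, WEB_SERVER, 0),
        # The implicit deny is what keeps the PC off the internal network...
        "pc_smb_internal_rx": evaluate(RX_PC, "tcp", PC_IP, 50000, INTERNAL_HOST, 445),
        # ...and a 'gt 1024' entry punches a hole straight through it (RDP shown).
        "pc_rdp_internal_high": evaluate(RX_PC_HIGH_PORTS, "tcp", PC_IP, 50000, INTERNAL_HOST, 3389),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

The evaluator only answers "would this packet be permitted by this list"; it says nothing about where the list is applied, and that is the second half of the job on the real switch: the list has to be bound to the PC-facing interface with ip access-group, and a list bound on an interface the PC's traffic never enters filters nothing.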
Author Comment

by: mbarnesseo, ID: 24765884
got me...

that is part of the last octet...    

I know it will be very hard for someone to get into our PCs from the outside [not impossible but very unlikely - I liked the picture that compared firewalls to a bulletproof vest...]. Since I work at a medical facility, I don't like giving out IP addresses unless absolutely needed...

Of course I must have done something, because now I cannot contact that machine... [although I think it was a mistype on the gateway...] I really dislike fat-finger mistakes...

Thanks everyone...

Mike
Author Closing Comment

by: mbarnesseo, ID: 31598771
Thank you everyone...

I hope the point spread works for you.  I used bits from everyone's response but astrochimp gave really good followup.

Thanks again
Mike