Solved

Need to create an ACL on Cisco Catalyst Switch

Posted on 2009-07-01
670 Views
Last Modified: 2012-05-07
Hello everyone,

We have a third-party PC that is required to be on our network so they can have internet access, but we do not want them to have access to anything else. This machine is at a remote site that is connected via a 10 meg metro-E circuit. Here is the data path:
PC -> Default Gateway [local Catalyst switch] -> Catalyst Switch [@main office] -> Cisco Router [main default gateway] -> Cisco ASA -> Internet.

I know how to create an ACL but I am unsure what I should add to only allow access from this PC to the internet.

Any ideas?

Thanks

Mike
Question by: mbarnesseo
12 Comments
 
LVL 4

Accepted Solution

by: astrochimp (earned 300 total points)
ID: 24754508
You can try something like this on the local Catalyst switch:

ip access-list extended Your_ACL_Name
 remark ##### Allow DHCP
 permit udp any any eq bootps log
 permit tcp any any eq bootps log
 permit udp any any eq bootpc log
 permit tcp any any eq bootpc log
 remark ##### Allow HTTP & HTTPS
 permit tcp any any eq 80 log
 permit tcp any any eq 443 log

 
LVL 6

Assisted Solution

by: danf0x (earned 100 total points)
ID: 24755156
I would change that first "any" to "host ip address" so you don't invite unwanted guests.

Also you may need "permit tcp host ip address any gt 1024" if they are travelling through you and not to you for web connections.
 
LVL 4

Assisted Solution

by: nasirsh (earned 100 total points)
ID: 24755768
Do the following:

IP access-list extended
permit tcp host PC_IP any eq 80


This will only allow HTTP traffic from the PC which you want to have access to the internet.
 
LVL 1

Author Comment

by: mbarnesseo
ID: 24764705
Thanks everyone...

Can you explain why one of these answers is better than the others...?

Mike
 
LVL 6

Expert Comment

by: danf0x
ID: 24765198
Well, you don't want "any any" because that will not specify traffic just for that user; it will be for any traffic it sees.

We weren't sure what other traffic the user would need, so we added the DHCP and other statements as a just-in-case precaution. If that one user is just going to go across the network to browse HTTP ONLY, then the permit statement from nasirsh will work. If you want that user to be able to do online banking and other things that require HTTPS traffic, you will also need to allow 443.
 
LVL 4

Expert Comment

by: astrochimp
ID: 24765544
mbarnesseo,

Tell us exactly what kind of access you want them to have and to what sites. Will they be using your DHCP pool? Will they log in using an Active Directory account?
 
LVL 1

Author Comment

by: mbarnesseo
ID: 24765591
Basically, I did in my original question. They need internet access and I am assuming port 80 traffic. The company did not specify anything else.

The machine will not access DHCP pools, nor is it on our domain.

I am going to add the DameWare port so I can remote into it, but so far that is it.

Hope this helps...

BTW - this is my first time configuring ACLs. I do not want to keep the whole site from working correctly. [Just a little gun shy here...]

Mike
 
LVL 4

Expert Comment

by: astrochimp
ID: 24765718
In that case nasirsh's is the one you wanna go with:
IP access-list extended Name_Here
 permit tcp (IP of client here. Can be a range too.) any eq 80
 permit tcp (IP of client here. Can be a range too.) any eq 443 <--- if you want them to access secure websites

 
LVL 1

Author Comment

by: mbarnesseo
ID: 24765738
Here is a followup question...

If they need to do DNS, do I need to add the "eq domain" command?

Here is what I'm looking at so far...


ip access-list extended RX_PC
 remark ###### Allow HTTP & HTTPS
 permit tcp host <IP> any eq www log
 permit tcp host <IP> any eq 443 log
 permit tcp host <IP> any gt 1024
 permit tcp host <IP> 30 any eq 6129 log
 permit tcp host <IP> any eq echo log
 remark **** dns *****
 permit tcp host <IP> any eq domain log

Should I worry about the logging and space?

Thanks again

Mike
 
LVL 4

Expert Comment

by: astrochimp
ID: 24765822
The logging situation is dependent on your current logging setup. Do you have a server where all the devices dump their logs? Do you even have logging enabled? If you don't, there's no use putting it there.

ip access-list extended RX_PC
 remark ###### Allow HTTP & HTTPS
 permit tcp host <IP> any eq www log
 permit tcp host <IP> any eq 443 log
 permit tcp host <IP> any gt 1024 
 permit tcp host <IP> 30 (don't want to reveal? is that the last octet?) any eq 6129 log
 permit tcp host <IP> any eq echo log
 remark ###### Allow DNS
 permit tcp host <IP> any eq domain log
 permit udp host <IP> any eq domain log (DNS can be both TCP and UDP)

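Added example (not from the thread or any of its posters): a small Python first-match simulator for the extended ACL entries discussed above, comparing the original "permit tcp any any" version with the "host <IP>" version plus DNS. The PC address 192.0.2.30 and the destination addresses are constructed, and the ACL still has to be bound to the PC's switch port with "ip access-group RX_PC in", which the thread does not show.

```python
# Added example, not from the thread: a minimal first-match simulator for the
# Cisco IOS extended ACL lines discussed above. Addresses are constructed (RFC 5737).
import re
from collections import namedtuple
Packet = namedtuple("Packet", "proto src dst dport")  # proto: "tcp" or "udp"
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68, "echo": 7}
ACE_RE = re.compile(
    r"^(permit|deny)\s+(tcp|udp)\s+(host\s+\S+|any)\s+(host\s+\S+|any)"
    r"(?:\s+(eq|gt)\s+(\S+))?(?:\s+log)?$")

def parse_acl(text):
    """Return the permit/deny entries; header and remark lines are skipped."""
    aces = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.lower().startswith(("remark", "ip access-list")):
            continue
        m = ACE_RE.match(s)
        if not m:  # e.g. the thread's "host <IP> 30" line is not valid IOS syntax
            raise ValueError(f"unsupported ACE syntax: {s!r}")
        action, proto, src, dst, op, port = m.groups()
        port = PORT_NAMES.get(port, port)          # IOS keyword -> port number
        aces.append((action, proto, src, dst, op, int(port) if port else None))
    return aces

def _addr_ok(field, ip):
    return field == "any" or field.split()[1] == ip

def evaluate(aces, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, proto, src, dst, op, port in aces:
        if proto != pkt.proto or not (_addr_ok(src, pkt.src) and _addr_ok(dst, pkt.dst)):
            continue
        if op == "eq" and pkt.dport != port or op == "gt" and pkt.dport <= port:
            continue
        return action
    return "deny"  # implicit "deny ip any any"

PC = "192.0.2.30"   # constructed address of the third-party PC
# Both ACLs are meant to be applied inbound on the PC's port: ip access-group <name> in
LOOSE = parse_acl("""ip access-list extended LOOSE
 permit tcp any any eq 80 log
 permit tcp any any eq 443 log""")
STRICT = parse_acl(f"""ip access-list extended RX_PC
 remark ##### Allow HTTP, HTTPS and DNS
 permit tcp host {PC} any eq www log
 permit tcp host {PC} any eq 443 log
 permit tcp host {PC} any eq domain log
 permit udp host {PC} any eq domain log""")
```

Running evaluate() with a packet from a different source address shows why LOOSE permits any host on the segment while STRICT matches only the PC, and why STRICT needs the UDP line for ordinary DNS lookups.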
 
LVL 1

Author Comment

by: mbarnesseo
ID: 24765884
Got me...

That is part of the last octet...

I know it will be very hard for someone to get into our PCs from the outside [not impossible but very unlikely - I liked the picture that compared firewalls to bulletproof vests...]. Since I work at a medical facility, I don't like giving out IP addresses unless absolutely needed...

Of course I must have done something, because now I cannot contact that machine... [although I think it was a mistype on the gateway...] I really dislike fat-finger mistakes...

Thanks everyone...

Mike
 
LVL 1

Author Closing Comment

by: mbarnesseo
ID: 31598771
Thank you everyone...

I hope the point spread works for you.  I used bits from everyone's response but astrochimp gave really good followup.

Thanks again
Mike