Solved

Need to create an ACL on Cisco Catalyst Switch

Posted on 2009-07-01
Last Modified: 2012-05-07
Hello everyone,

We have a 3rd-party PC that is required to be on our network so they can have internet access, but we do not want them to have access to anything else. This machine is at a remote site that is connected via a 10meg metro-e circuit. Here is the data path:
PC -> Default Gateway [local catalyst switch] -> Catalyst Switch [@main office] -> Cisco Router [main default gateway] -> Cisco ASA -> Internet.

I know how to create an ACL but I am unsure what I should add to only allow access from this PC to the internet.

Any ideas?

Thanks

Mike
Question by:mbarnesseo
12 Comments
 
LVL 4

Accepted Solution

by:
astrochimp earned 300 total points
ID: 24754508
You can try something like this on the local Catalyst switch:

ip access-list extended Your_ACL_Name
 remark ##### Allow DHCP (UDP only; tcp bootps/bootpc is not valid IOS syntax)
 permit udp any any eq bootps log
 permit udp any any eq bootpc log
 remark ##### Allow HTTP & HTTPS
 permit tcp any any eq 80 log
 permit tcp any any eq 443 log

LVL 6

Assisted Solution

by:danf0x
danf0x earned 100 total points
ID: 24755156
I would change that first any to "host ip address" so you don't invite unwanted guests.
Also you may need "permit tcp host ip address any gt 1024" if they are travelling through you and not to you for web connections.

LVL 4

Assisted Solution

by:nasirsh
nasirsh earned 100 total points
ID: 24755768
Do the following:

ip access-list extended
 permit tcp host PC_IP any eq 80

This will only allow HTTP traffic from the PC that you want to have internet access.

LVL 1

Author Comment

by:mbarnesseo
ID: 24764705
Thanks everyone...

Can you explain why one of these answers is better than the others...?

Mike
LVL 6

Expert Comment

by:danf0x
ID: 24765198
Well, you don't want any any because that will not specify traffic just for that user; it will be for any traffic it sees.
We weren't sure what other traffic the user would need, so we were adding the DHCP and other statements in there as a just-in-case precaution. If that one user is just going to go across the network to browse HTTP ONLY, then the permit statement from nasirsh will work. If you want that user to be able to do online banking and other things that require HTTPS traffic, you will also need to allow 443.

LVL 4

Expert Comment

by:astrochimp
ID: 24765544
mbarnesseo,

Tell us exactly what kind of access you want them to have and to what sites. Will they be using your DHCP pool? Will they login using an Active Directory account?
LVL 1

Author Comment

by:mbarnesseo
ID: 24765591
Basically I did in my original question. They need internet access and I am assuming port 80 traffic. The company did not specify anything else.

The machine will not access DHCP pools, nor is it on our domain.

I am going to add the DameWare port so I can remote into it, but so far that is it.

Hope this helps...

btw - this is my first time configuring ACLs.  I do not want to keep the whole site from working correctly. [just a little gun shy here...]

Mike
LVL 4

Expert Comment

by:astrochimp
ID: 24765718
In that case nasirsh is the one you wanna go with.

ip access-list extended Name_Here
 permit tcp (IP of client here. Can be a range too.) any eq 80
 permit tcp (IP of client here. Can be a range too.) any eq 443 <--- if you want them to access secure websites

LVL 1

Author Comment

by:mbarnesseo
ID: 24765738
Here is a followup question...

If they need to do DNS, do I need to add the eq domain command?

Here is what I'm looking at so far...


ip access-list extended RX_PC
 remark ###### Allow HTTP & HTTPS
 permit tcp host <IP> any eq www log
 permit tcp host <IP> any eq 443 log
 permit tcp host <IP> any gt 1024
 permit tcp host <IP> 30 any eq 6129 log
 permit tcp host <IP> any eq echo log
 remark **** dns *****
 permit tcp host <IP> any eq domain log

Should I worry about the logging and space?

Thanks again

Mike
LVL 4

Expert Comment

by:astrochimp
ID: 24765822
The logging situation is dependent on your current logging setup. Do you have a server where all the devices dump their logs? Do you even have logging enabled? If you don't, there's no use putting it there.

ip access-list extended RX_PC
 remark ###### Allow HTTP & HTTPS
 permit tcp host <IP> any eq www log
 permit tcp host <IP> any eq 443 log
 permit tcp host <IP> any gt 1024
 permit tcp host <IP> 30 (don't want to reveal? is that the last octet?) any eq 6129 log
 permit tcp host <IP> any eq echo log
 remark ###### Allow DNS
 permit tcp host <IP> any eq domain log
 permit udp host <IP> any eq domain log (DNS can be both TCP and UDP)
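
Both danf0x's warning about "any any" and astrochimp's note that DNS needs a UDP line come down to how IOS walks an ACL: first match wins and an unwritten deny ends every list. The following is an added example, not code from the thread: a small Python evaluator for the ACL subset used above, run over constructed flows (the PC address 10.1.1.30, its neighbour 10.1.1.31 and the destination addresses are made up).

```python
# Added example, not from the thread: evaluates the IOS extended-ACL subset used
# above (permit/deny, ip/tcp/udp, any|host|wildcard, eq/gt, remark, log) with
# first-match semantics and the implicit "deny ip any any" every IOS ACL ends with.
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "domain": 53, "echo": 7, "bootps": 67, "bootpc": 68}
RX_PC = """ remark ###### Allow HTTP & HTTPS
 permit tcp host 10.1.1.30 any eq www log
 permit tcp host 10.1.1.30 any eq domain log
 permit udp host 10.1.1.30 any eq domain log"""
ANY_ANY = "permit tcp any any eq 80\npermit tcp any any eq 443"   # the first draft above

def _addr(tok):
    """Consume one address spec (any | host A | A WILDCARD) -> (network, rest)."""
    if tok[0] == "any":
        return ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ip_network(tok[1] + "/32"), tok[2:]
    mask = 0xFFFFFFFF ^ int(ip_address(tok[1]))            # IOS wildcard -> netmask
    return ip_network(f"{tok[0]}/{ip_address(mask)}", strict=False), tok[2:]

def parse_acl(text):
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny"):
            continue                                       # blank, header or remark
        src, rest = _addr(t[2:])
        dst, rest = _addr(rest)
        op = rest[0] if rest and rest[0] in ("eq", "gt") else None
        port = int(PORT_NAMES.get(rest[1], rest[1])) if op else None
        aces.append((t[0], t[1], src, dst, op, port))
    return aces

def evaluate(aces, proto, src, dst, dport):
    for action, aproto, asrc, adst, op, port in aces:
        if aproto in ("ip", proto) and ip_address(src) in asrc \
                and ip_address(dst) in adst and not (
                (op == "eq" and dport != port) or (op == "gt" and dport <= port)):
            return action                                  # first match wins
    return "deny(implicit)"                                # the unwritten last line

FLOWS = {  # constructed traffic: name -> (proto, src, dst, dport); .30 is the 3rd-party PC
    "pc_http": ("tcp", "10.1.1.30", "203.0.113.10", 80),
    "pc_dns_udp": ("udp", "10.1.1.30", "10.0.0.53", 53),
    "pc_smb": ("tcp", "10.1.1.30", "10.0.0.10", 445),
    "neighbour_http": ("tcp", "10.1.1.31", "203.0.113.10", 80),
}

def verdicts(acl_text):
    """Map each sample flow to the action the given ACL text produces."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, *flow) for name, flow in FLOWS.items()}
```

With RX_PC only the PC's web and DNS flows are permitted and everything else, including the neighbour, hits the implicit deny; with the "any any" draft the neighbour's web traffic is permitted too.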

LVL 1

Author Comment

by:mbarnesseo
ID: 24765884
got me...

that is part of the last octet...    

I know it will be very hard for someone to get into our PCs from the outside [not impossible but very unlikely - I liked the picture that compared firewalls to a bulletproof vest...]. Since I work at a medical facility, I don't like giving out IP addresses unless absolutely needed...

Of course I must have done something because now I cannot contact that machine... [although I think it was a mistype on the gateway...] I really dislike fat-finger mistakes...

Thanks everyone...

Mike
LVL 1

Author Closing Comment

by:mbarnesseo
ID: 31598771
Thank you everyone...

I hope the point spread works for you.  I used bits from everyone's response but astrochimp gave really good followup.

Thanks again
Mike