Need to create an ACL on Cisco Catalyst Switch

Hello everyone,

We have a 3rd party PC that is required to be on our network so they can have internet access, but we do not want them to have access to anything else. This machine is at a remote site that is connected via a 10 Mb metro-E circuit. Here is the data path:
PC -> Default Gateway [local catalyst switch] -> Catalyst Switch [@main office] -> Cisco Router [main default gateway] -> Cisco ASA -> Internet.

I know how to create an ACL but I am unsure what I should add to only allow access from this PC to the internet.

Any ideas?

Thanks

Mike
mbarnesseoAsked:

astrochimpCommented:
You can try something like this on the local Catalyst switch:
ip access-list extended Your_ACL_Name
 remark ##### Allow DHCP (DHCP is UDP only: bootps = 67, bootpc = 68)
 permit udp any any eq bootps log
 permit udp any any eq bootpc log
 remark ##### Allow HTTP & HTTPS
 permit tcp any any eq 80 log
 permit tcp any any eq 443 log



danf0xCommented:
I would change that first "any" to "host <ip address>" so you don't invite unwanted guests.
Also you may need "permit tcp host <ip address> any gt 1024" if they are travelling through you and not to you for web connections.
nasirshCommented:
Do the following:

ip access-list extended <ACL_NAME>
 permit tcp host PC_IP any eq 80

This will only allow HTTP traffic from the PC which you want to have access to the internet.
mbarnesseoAuthor Commented:
Thanks everyone...

Can you explain why one of these answers is better than the others...?

Mike
danf0xCommented:
Well, you don't want "any any" because that will not limit the traffic to just that user; it will apply to any traffic the switch sees.
We weren't sure what other traffic the user would need, so we added the DHCP and other statements as a just-in-case precaution. If that one user is just going to go across the network to browse HTTP ONLY, then the permit statement from nasirsh will work. If you want that user to be able to do online banking and other things that require HTTPS traffic, you will also need to allow 443.
astrochimpCommented:
mbarnesseo,

Tell us exactly what kind of access you want them to have and to what sites. Will they be using your DHCP pool? Will they login using an Active Directory account?
mbarnesseoAuthor Commented:
Basically, I did in my original question. They need internet access, and I am assuming port 80 traffic. The company did not specify anything else.

The machine will not access dhcp pools nor is it on our domain.

I am going to add dameware port so I can remote into it but so far that is it.

Hope this helps...

btw - this is my first time configuring ACLs.  I do not want to keep the whole site from working correctly. [just a little gun shy here...]

Mike
astrochimpCommented:
In that case nasirsh's is the one you wanna go with.
ip access-list extended Name_Here
 remark put the client IP after "host"; a range can be given as network + wildcard instead
 permit tcp host <client IP> any eq 80
 remark add this one if you want them to access secure websites
 permit tcp host <client IP> any eq 443

mbarnesseoAuthor Commented:
Here is a followup question...

If they need to do dns, do I need to add the eq domain command?

Here is what I'm looking at so far...


ip access-list extended RX_PC
 remark ###### Allow HTTP & HTTPS
 permit tcp host <IP> any eq www log
 permit tcp host <IP> any eq 443 log
 permit tcp host <IP> any gt 1024
 remark ###### Allow DameWare (TCP 6129)
 permit tcp host <IP> 30 any eq 6129 log
 remark TCP echo (port 7); ICMP ping would need a separate "permit icmp" line
 permit tcp host <IP> any eq echo log
 remark **** dns *****
 permit tcp host <IP> any eq domain log

Should I worry about the logging and space?

Thanks again

Mike
astrochimpCommented:
The logging situation depends on your current logging setup. Do you have a server where all the devices dump their logs? Do you even have logging enabled? If you don't, there's no use putting it there.

ip access-list extended RX_PC
 remark ###### Allow HTTP & HTTPS
 permit tcp host <IP> any eq www log
 permit tcp host <IP> any eq 443 log
 permit tcp host <IP> any gt 1024
 remark (the 30 below: don't want to reveal? is that the last octet?)
 permit tcp host <IP> 30 any eq 6129 log
 permit tcp host <IP> any eq echo log
 remark ###### Allow DNS (DNS can be both TCP and UDP)
 permit tcp host <IP> any eq domain log
 permit udp host <IP> any eq domain log

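Added example, not part of the thread and not Cisco code: a small Python model of how a Catalyst evaluates a named extended ACL once it is applied with "ip access-group RX_PC in" on the PC-facing SVI or routed port of the local switch (the PC's default gateway in the question). IOS ACLs are stateless and first-match-wins with an implicit deny at the end, and an inbound ACL only ever sees packets the PC sends; replies to the PC arrive on other interfaces and are not evaluated by it. The model runs the ACL the thread settled on next to a hardened variant over constructed flows. Every address (PC, DNS server, admin workstation, an internal RDP host), the assumption that the whole LAN lives in RFC1918 space, and the use of "established" for the DameWare replies are the example's own assumptions; IOS port names (www, domain) are written as numbers because the model does not map names.

```python
# Added example (not from the thread, not Cisco code). Toy model of how a
# Catalyst evaluates a named extended ACL applied inbound on the PC-facing
# interface ("ip access-group RX_PC in"): stateless, first match wins, implicit
# deny at the end, and only packets *sent by the PC* are ever evaluated.
import ipaddress
from dataclasses import dataclass

PC, DNS_SERVER, ADMIN_PC = "10.20.30.40", "10.1.1.53", "10.1.1.200"  # assumed addresses

# The ACL the thread converged on (port names as numbers: www=80, domain=53).
THREAD_ACL = f"""
 permit tcp host {PC} any eq 80
 permit tcp host {PC} any eq 443
 permit tcp host {PC} any gt 1024
 permit tcp host {PC} any eq 6129
 permit tcp host {PC} any eq 53
 permit udp host {PC} any eq 53
"""

# Hardened variant: name the internal services the PC needs, let it answer the
# admin's DameWare session with "established" instead of "gt 1024", deny the
# rest of RFC1918 space (assumed to be the whole LAN), then permit web ports.
HARDENED_ACL = f"""
 permit udp host {PC} host {DNS_SERVER} eq 53
 permit tcp host {PC} host {DNS_SERVER} eq 53
 permit tcp host {PC} eq 6129 host {ADMIN_PC} established
 deny ip host {PC} 10.0.0.0 0.255.255.255
 deny ip host {PC} 172.16.0.0 0.15.255.255
 deny ip host {PC} 192.168.0.0 0.0.255.255
 permit tcp host {PC} any eq 80
 permit tcp host {PC} any eq 443
"""

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK/RST set, which is what "established" matches

def _ip(s):
    return int(ipaddress.ip_address(s))

def _addr(tok):
    """Consume 'any' | 'host A' | 'A wildcard'; return (base, wildcard) as ints."""
    head = tok.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return _ip(tok.pop(0)), 0
    return _ip(head), _ip(tok.pop(0))

def _port(tok):
    """Consume an optional 'eq N' / 'gt N' / 'lt N'."""
    return (tok.pop(0), int(tok.pop(0))) if tok and tok[0] in ("eq", "gt", "lt") else None

def parse_acl(text):
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "remark"):
            continue                          # header or comment line
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        entries.append((action, proto, src, sport, dst, dport, "established" in rest))
    return entries

def _match_addr(spec, ip):
    base, wild = spec                         # wildcard bits are "don't care"
    return (_ip(ip) & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)

def _match_port(spec, port):
    return spec is None or {"eq": port == spec[1], "gt": port > spec[1], "lt": port < spec[1]}[spec[0]]

def evaluate(entries, pkt):
    """First matching entry decides; no match at all is the implicit deny."""
    for action, proto, src, sport, dst, dport, established in entries:
        if proto in ("ip", pkt.proto) and _match_addr(src, pkt.src) and _match_addr(dst, pkt.dst) \
                and _match_port(sport, pkt.sport) and _match_port(dport, pkt.dport) \
                and (pkt.ack or not established):
            return action
    return "deny"

# Constructed flows as seen on the PC-facing interface (the PC is the sender).
FLOWS = {
    "pc to internet https":    Packet("tcp", PC, 51000, "93.184.216.34", 443),
    "pc to internal rdp":      Packet("tcp", PC, 51001, "10.1.1.10", 3389),
    "pc to internal intranet": Packet("tcp", PC, 51002, "10.1.1.80", 80),
    "pc dns query":            Packet("udp", PC, 51003, DNS_SERVER, 53),
    "pc answers dameware":     Packet("tcp", PC, 6129, ADMIN_PC, 52000, ack=True),
    "other host to internet":  Packet("tcp", "10.20.30.41", 51004, "93.184.216.34", 443),
}

def compare():
    """Return {flow name: (thread ACL verdict, hardened ACL verdict)}."""
    thread, hardened = parse_acl(THREAD_ACL), parse_acl(HARDENED_ACL)
    return {n: (evaluate(thread, p), evaluate(hardened, p)) for n, p in FLOWS.items()}

if __name__ == "__main__":
    print(*(f"{n}: thread={a} hardened={b}" for n, (a, b) in compare().items()), sep="\n")
```

Running compare() shows the difference that matters: both ACLs let the PC reach an internet web server on 443 and query DNS, and both drop a second host on the same segment (nothing matches it, so the implicit deny applies). But the thread's ACL also permits the PC to open a session to an internal host on 3389, because "permit tcp host <IP> any gt 1024" matches any destination on any high port, and to an internal intranet server on 80, because "any" includes the LAN. The hardened version denies both by listing the RFC1918 ranges before the broad permits, and still lets the PC answer the admin's DameWare session (the admin connects in to TCP 6129, so only the PC's replies, source port 6129 with ACK set, cross the inbound ACL) through "established" rather than an open high-port rule. Neither ACL does anything until it is bound to an interface with "ip access-group RX_PC in", and on a Catalyst that is the SVI or routed port the PC sits behind.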
mbarnesseoAuthor Commented:
got me...

that is part of the last octet...    

I know it will be very hard for someone to get into our PCs from the outside [not impossible but very unlikely - I liked the picture that compared firewalls to a bulletproof vest...]. Since I work at a medical facility, I don't like giving out IP addresses unless absolutely needed...

Of course I must have done something, because now I cannot contact that machine... [although I think it was a mistype on the gateway...] I really dislike fat-finger mistakes...

Thanks everyone...

Mike
mbarnesseoAuthor Commented:
Thank you everyone...

I hope the point spread works for you.  I used bits from everyone's response but astrochimp gave really good followup.

Thanks again
Mike