netcmh
asked on
Easy Cisco 1841 ACL requirement
Good morning all,
I'm having a brain $#@!, probably because of lack of caffeine.
Typical HO and branch situation connected over MPLS.
I would like to restrict access to a device inside a branch only to workstations inside that branch. It shouldn't be accessible from anywhere else.
I know this is easy, but I can't get to it right away. HELP!!! :)
Thanks in advance.
ASKER
What was I thinking?
has to be an extended
access-list 102 permit ip 10.10.10.0 0.0.0.255 host 10.10.10.150
access-list 102 deny ip any any
Is this it?
On the branch router something like:
access-list 101 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.1
access-list 101 permit ip any any
192.168.1.0 being the HO range and 192.168.2.1 being the branch machine.
So the other way round, first block access to that specific machine and after that allow the rest.
ASKER
But, what about any other branch. Sorry, should have said typical HO and branches situation.
ASKER
I tried the:
access-list 101 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.1
But, I can still access the device from HO.
Well, if these use contiguous IP ranges, you could try to catch all of them in one or two ACL lines.
But can you get from one branch to another (like fully meshed), or can you only get from a branch to HO and vice versa?
I tried the:
access-list 101 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.1
You did use the correct IP ranges for your situation, did you?
And you did apply the ACL to the outside interface of the branch router?
ASKER
:)
Yes, fully meshed
Yes, my own ranges :) I'm not *that* out of it :)
No, I didn't apply it to the outside interface :)
so?
int outside
ip access-group 101 in or out?
Thanks
ASKER CERTIFIED SOLUTION
ASKER
Yup, that works :)
Is there an elegant way of doing the rest of the branches?
branch 3: 10.10.30.0 255.255.255.0
branch 4: 10.10.40.0 255.255.255.0
branch 5: 10.10.50.0 255.255.255.0
etc...
branch 21: 10.10.210.0 255.255.255.0
Let me see, I assume HO is 10.10.10.0 and branch 1 (where that machine is) is 10.10.20.0?
And the subnet ranges in between are not being used?
ASKER
correct
ASKER
there's also 4 branches at 10.10.6.0 - 10.10.9.0
ASKER
are you thinking wildcards? 0.0.1.255, 0.0.3.255, 0.0.7.255, 0.0.15.255 ?
Then
access-list 101 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.x
access-list 101 deny ip 10.10.30.0 0.0.1.255 host 10.10.20.x
access-list 101 deny ip 10.10.32.0 0.0.31.255 host 10.10.20.x
access-list 101 deny ip 10.10.64.0 0.0.63.255 host 10.10.20.x
access-list 101 deny ip 10.10.128.0 0.0.127.255 host 10.10.20.x
Should effectively block everything to that host.
there's also 4 branches at 10.10.6.0 - 10.10.9.0
Ok wait, let me adjust.
And again:
access-list 101 deny ip 10.10.10.0 0.0.15.255 host 10.10.20.x
access-list 101 deny ip 10.10.30.0 0.0.1.255 host 10.10.20.x
access-list 101 deny ip 10.10.32.0 0.0.31.255 host 10.10.20.x
access-list 101 deny ip 10.10.64.0 0.0.63.255 host 10.10.20.x
access-list 101 deny ip 10.10.128.0 0.0.127.255 host 10.10.20.x
The only range not being covered here is:
10.10.16.0-10.10.29.255
Of course if nothing else is going through that router (only branch and HO traffic), we could also say:
access-list 101 deny ip any host 10.10.20.x
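As an added example (not from the thread and not Cisco code), here is a small Python model of how IOS evaluates the wildcard ACL above: first match wins, an unmatched packet hits the implicit deny, and an address is compared only on the bits where the wildcard is 0. The ACL text is the thread's final five deny lines followed by the `permit ip any any` the earlier replies described; 10.10.20.50 is an assumed value standing in for the thread's `10.10.20.x`. Running it confirms both points made above: the 10.10.6.0-10.10.9.0 branches are caught because `10.10.10.0 0.0.15.255` is matched as `10.10.0.0 0.0.15.255` (IOS stores and shows it that way), and sources in 10.10.16.0-10.10.29.255 still reach the device.

```python
import ipaddress

# Constructed sample: the thread's final wildcard ACL plus the trailing permit that
# the earlier replies described. 10.10.20.50 stands in for the thread's "10.10.20.x".
ACL_TEXT = """
access-list 101 deny ip 10.10.10.0 0.0.15.255 host 10.10.20.50
access-list 101 deny ip 10.10.30.0 0.0.1.255 host 10.10.20.50
access-list 101 deny ip 10.10.32.0 0.0.31.255 host 10.10.20.50
access-list 101 deny ip 10.10.64.0 0.0.63.255 host 10.10.20.50
access-list 101 deny ip 10.10.128.0 0.0.127.255 host 10.10.20.50
access-list 101 permit ip any any
"""

ALL_ONES = 0xFFFFFFFF


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_spec(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i].
    Returns ((base, wildcard), index of the next unread token)."""
    if tokens[i] == "any":
        return (0, ALL_ONES), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)
    tuples in the order IOS evaluates them. Only the IP-only ACE form used in the
    thread is supported; anything else raises."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if (len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip"
                or tokens[2] not in ("permit", "deny")):
            raise ValueError("unsupported ACE: " + line)
        src, i = _parse_spec(tokens, 4)
        dst, i = _parse_spec(tokens, i)
        if i != len(tokens):
            raise ValueError("trailing tokens in ACE: " + line)
        entries.append((tokens[2], src, dst))
    return entries


def matches(spec, addr):
    """IOS wildcard match: compare only the bits where the wildcard is 0. The base
    is masked the same way, so 10.10.10.0 0.0.15.255 behaves as 10.10.0.0 0.0.15.255."""
    base, wildcard = spec
    care = ~wildcard & ALL_ONES
    return (addr & care) == (base & care)


def effective_range(spec):
    """First and last address a (base, wildcard) spec actually matches."""
    base, wildcard = spec
    lo = base & ~wildcard & ALL_ONES
    hi = lo | wildcard
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


def evaluate(entries, src, dst):
    """First matching entry wins; no match means the implicit deny applies."""
    s, d = _ip(src), _ip(dst)
    for action, src_spec, dst_spec in entries:
        if matches(src_spec, s) and matches(dst_spec, d):
            return action
    return "deny"


def uncovered_sources(entries, dst, space="10.10.0.0/16"):
    """Every /24 inside `space` from which the .1 host can still reach dst."""
    leaks = []
    for net in ipaddress.ip_network(space).subnets(new_prefix=24):
        probe = str(net.network_address + 1)
        if evaluate(entries, probe, dst) == "permit":
            leaks.append(str(net))
    return leaks


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for action, src_spec, dst_spec in ACL:
        print(action, effective_range(src_spec), "->", effective_range(dst_spec))
    print("still reachable from:", uncovered_sources(ACL, "10.10.20.50"))
```

The `uncovered_sources` check is the part worth keeping: run it against any summarized ACL before applying it, because a wildcard that is one bit too narrow silently leaves a whole /24 able to reach the host. On a router whose MPLS-facing interface only ever receives traffic from HO and the other branches, the single line `deny ip any host 10.10.20.x` applied inbound on that interface (`ip access-group 101 in`) closes the 16-29 gap as well, since branch-local workstations never arrive through that interface.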
ASKER
So, a wildcard approach.
I was wondering about object groups but I'm running 12.4(13). Object groups came out in 20.
Wonderful.
Thanks for all your help.
My pleasure. Make sure to get some coffee :)
Thx 4 the points.
ASKER
access-list 21 permit ip 10.10.10.0 0.0.0.255 host 10.10.10.150
access-list 21 deny any
?