Easy Cisco 1841 ACL requirement

Good morning all,

I'm having a brain $#@!, probably because of lack of caffeine.

Typical HO and branch situation connected over MPLS.

I would like to restrict access to a device inside a branch only to workstations inside that branch. It shouldn't be accessible from anywhere else.

I know this is easy, but I can't get to it right away. HELP!!! :)

Thanks in advance.
Asked by netcmh

1 Solution
 
netcmhAuthor Commented:
Is it as simple as:

access-list 21 permit ip 10.10.10.0 0.0.0.255 host 10.10.10.150
access-list 21 deny any

?
0
 
netcmhAuthor Commented:
What was I thinking?

has to be an extended

access-list 102 permit ip 10.10.10.0 0.0.0.255 host 10.10.10.150
access-list 102 deny ip any any

Is this it?
0
 
Ernie BeekCommented:
On the branch router something like:

access-list 101 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.1
access-list 101 permit ip any any

192.168.1.0 being the HO range and 192.168.2.1 being the branch machine.
0
 
Ernie BeekCommented:
So the other way round, first block access to that specific machine and after that allow the rest.
0
 
netcmhAuthor Commented:
But, what about any other branch. Sorry, should have said typical HO and branches situation.
0
 
netcmhAuthor Commented:
I tried the:

access-list 101 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.1

But, I can still access the device from HO.
0
 
Ernie BeekCommented:
Well if these use contiguous IP ranges you could try to catch all of them in one or two ACL lines.

But can you get from one branch to another (like fully meshed) or can you only get from a branch to HO and vice versa?
0
 
Ernie BeekCommented:
I tried the:

access-list 101 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.1


You did use the correct IP ranges for your situation did you?
0
 
Ernie BeekCommented:
And you did apply the ACL to the outside interface of the branch router?
0
 
netcmhAuthor Commented:
:)

Yes, fully meshed

Yes, my own ranges :) I'm not *that* out of it :)

No, I didn't apply it to the outside interface :)

so?

int outside
ip access-group 101 in or out?

Thanks
0
 
Ernie BeekCommented:
:) Have a coffee on me later on ;)

Try ip access-group 101 in
0
 
netcmhAuthor Commented:
Yup, that works :)

Is there an elegant way of doing the rest of the branches?

branch 3: 10.10.30.0 255.255.255.0
branch 4: 10.10.40.0 255.255.255.0
branch 5: 10.10.50.0 255.255.255.0

etc...

branch 21: 10.10.210.0 255.255.255.0
0
 
Ernie BeekCommented:
Let me see, I assume HO is 10.10.10.0 and branch 1 (where that machine is in) is 10.10.20.0?
And the subnet ranges in between are not being used?
0
 
netcmhAuthor Commented:
correct
0
 
netcmhAuthor Commented:
there's also 4 branches at 10.10.6.0 - 10.10.9.0
0
 
netcmhAuthor Commented:
are you thinking wildcards? 0.0.1.255, 0.0.3.255, 0.0.7.255, 0.0.15.255 ?
0
 
Ernie BeekCommented:
Then

access-list 101 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.x
access-list 101 deny ip 10.10.30.0 0.0.1.255 host 10.10.20.x
access-list 101 deny ip 10.10.32.0 0.0.31.255 host 10.10.20.x
access-list 101 deny ip 10.10.64.0 0.0.63.255 host 10.10.20.x
access-list 101 deny ip 10.10.128.0 0.0.127.255 host 10.10.20.x


Should effectively block everything to that host.
0
 
Ernie BeekCommented:
there's also 4 branches at 10.10.6.0 - 10.10.9.0

Ok wait, let me adjust.
0
 
Ernie BeekCommented:
And again:

access-list 101 deny ip 10.10.10.0 0.0.15.255 host 10.10.20.x
access-list 101 deny ip 10.10.30.0 0.0.1.255 host 10.10.20.x
access-list 101 deny ip 10.10.32.0 0.0.31.255 host 10.10.20.x
access-list 101 deny ip 10.10.64.0 0.0.63.255 host 10.10.20.x
access-list 101 deny ip 10.10.128.0 0.0.127.255 host 10.10.20.x


The only range not being covered here is:
10.10.16.0-10.10.29.255
0
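As an added example (not code from the thread), a small Python check of the wildcard ACL above: it evaluates the deny lines with Cisco wildcard semantics (a 0 bit must match, a 1 bit is "don't care", so 10.10.10.0 0.0.15.255 really means 10.10.0.0-10.10.15.255) and lists which 10.10.X.0/24 ranges are left open, so the gap mentioned above, and the fact that branch 1's own subnet falls inside it, can be confirmed before the ACL is applied. The address 10.10.20.50 is a placeholder for 10.10.20.x.

```python
import ipaddress

# Constructed sample values mirroring the thread: HO is 10.10.10.0/24, branch 1
# (where the protected device sits) is 10.10.20.0/24, the other branches are
# 10.10.6.0-10.10.9.0 and 10.10.30.0 .. 10.10.210.0 (/24 each).
PROTECTED_HOST = "10.10.20.50"  # placeholder for the thread's "10.10.20.x"

# Source network / wildcard pairs from the final ACL in the thread; each stands
# for one "access-list 101 deny ip <net> <wildcard> host <device>" line, with
# "permit ip any any" at the end of the list as in the first version of the ACL.
DENY_SOURCES = [
    ("10.10.10.0", "0.0.15.255"),
    ("10.10.30.0", "0.0.1.255"),
    ("10.10.32.0", "0.0.31.255"),
    ("10.10.64.0", "0.0.63.255"),
    ("10.10.128.0", "0.0.127.255"),
]

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: compare only the bits that are 0 in the
    wildcard. IOS ignores the host bits of the network you type, so
    10.10.10.0 0.0.15.255 matches 10.10.0.0-10.10.15.255."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_denies(src, dst):
    """True when one of the deny lines matches src -> dst. Everything else
    falls through to the trailing 'permit ip any any'."""
    if dst != PROTECTED_HOST:
        return False
    return any(wildcard_match(src, net, wc) for net, wc in DENY_SOURCES)

def uncovered_third_octets():
    """Third-octet values X for which 10.10.X.0/24 can still reach the device,
    i.e. the gap the ACL leaves open. Only branch 1's own /24 should be here."""
    return [x for x in range(256)
            if not any(wildcard_match(f"10.10.{x}.1", n, w)
                       for n, w in DENY_SOURCES)]

if __name__ == "__main__":
    print("HO -> device denied:", acl_denies("10.10.10.5", PROTECTED_HOST))
    print("branch 1 LAN -> device denied:", acl_denies("10.10.20.7", PROTECTED_HOST))
    print("open /24s (third octet):", uncovered_third_octets())
```

The open list should come back as 16 through 29, matching the uncovered range stated above, while the branch's own workstations in 10.10.20.0/24 are the only ones not denied.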
 
Ernie BeekCommented:
Of course if nothing else is going through that router (only branch and HO traffic), we could also say:
access-list 101 deny ip any host 10.10.20.x
0
 
netcmhAuthor Commented:
So, a wildcard approach.

I was wondering about object groups but I'm running 12.4(13). Object groups came out in 20.

Wonderful.

Thanks for all your help.
0
 
Ernie BeekCommented:
My pleasure. Make sure to get some coffee :)
Thx 4 the points.
0
