Solved

Cisco ACLs - Guest Network to Internet Only

Posted on 2013-01-23
9
2,582 Views
Last Modified: 2013-01-23
Hey All,

Just wondering if someone could help me with my ACL.

I have 4 VLANS

1 = Switch Management
2 = SERVERS
4 = Admin
6 = Curric
8 = Guest

10.1.0.1 is our Internet

255.255.254.0 is the subnet Mask

10.0.2.2 is our DHCP Server

This ACL is just for allowing connection to the Internet only.

Now I have other servers which I do not want them getting access to, but for some reason they can, and I am not sure why. The rest of my servers are 10.0.2.3 - 10.0.2.20.

Is there a way I can block that range 10.0.2.3 - 10.0.2.20?



remark GUEST NETWORK ACCESS, ONLY TO INTERNET
permit udp any eq bootpc any eq bootps
permit udp 10.0.8.0 0.0.0.255 10.0.2.2 0.0.0.0 eq domain
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
deny ip 10.0.8.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.4.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.5.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.6.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.7.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 any
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.3
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.4
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.5
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.6
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.7
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.8
0
Comment
Question by:dan4132
9 Comments
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38809627
In your internet ACL, put:

deny ip 10.0.2.3 0.0.0.17 host 10.1.0.1
permit ip any host 10.1.0.1
0
 
LVL 3

Author Comment

by:dan4132
ID: 38809701
Heya,

I put that last line in and they can still access 10.0.2.3 - 20.
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38809746
Show me your current internet ACL and tell me from where (host) you want to reach where (dest).
0
 
LVL 3

Author Comment

by:dan4132
ID: 38809842
This is my current ACL (I added your bit at the bottom as well):

remark GUEST NETWORK ACCESS, ONLY TO INTERNET
permit udp any eq bootpc any eq bootps
permit udp 10.0.8.0 0.0.0.255 10.0.2.2 0.0.0.0 eq domain
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
deny ip 10.0.8.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.4.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.5.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.6.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.7.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 any
deny ip 10.0.8.0 0.0.0.255 10.0.2.3 0.0.0.17
deny ip 10.0.2.3 0.0.0.17 host 10.1.0.1
permit ip any host 10.1.0.1


The Guest Vlan is 8 (10.0.8.0 - 10.0.9.254 / 255.255.254.0)

I want to be able to get a DHCP address from 10.0.2.2

I don't want vlan 8 talking to Vlan 4 or 6 (10.0.4.0 - 10.0.7.254)

I don't want vlan 8 to talk to anything else on the Server Vlan 2 apart from the one DHCP host on 10.0.2.2.

I want Vlan 8 to be able to talk to 10.1.0.1
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38809876
Okay, let's start with DHCP. I guess you put "ip helper-address 10.0.2.2".

Are you using any ACLs on the LAN side?

And we are talking about the internet ACL: are you using it on the WAN interface, which has the IP address 10.1.0.1?

If my Q&A doesn't match, then I think I am missing something, so please send the complete config of your router.
0
 
LVL 3

Author Comment

by:dan4132
ID: 38809968
Sorry I think I have confused you.

I have done all the router configs and switch configs and they are all working fine, so yes, my ip helper-address 10.0.2.2 is on Vlan 8.

At the moment every VLAN can talk to each other, and I do not want this to happen as some VLANs are private.

So that is why I would like to use ACLs to control this.

Vlan 8 is what I am going to use for Guest Access on the network, and I do not want it to talk to anything else but 10.0.2.2 and 10.1.0.1. So I need to stop 10.0.8.0 talking to:

10.0.2.3-20
&
10.0.4.0 - 10.0.7.254



Current Config:

Current configuration : 3562 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname CORESW
!
no logging console
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 description to DC2
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 description to HYPER-V
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/4
 description to FINANCE
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/5
 description to DC1
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/6
 description to XSERVE
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/7
 description to ESPRESSO
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 description to SONICWALL
 no switchport
 ip address 10.1.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/24
 description to KS1SW
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
 description to ICTSW
 switchport trunk allowed vlan 1-2,4,6,8
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description to KS2SW
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 description MANAGEMENT
 ip address 10.0.0.1 255.255.254.0
!
interface Vlan2
 description SERVERS/DEVICES/PRINTERS
 ip address 10.0.2.1 255.255.254.0
!
interface Vlan4
 description Admin Staff Vlan
 ip address 10.0.4.1 255.255.254.0
 ip helper-address 10.0.2.2
!
interface Vlan6
 description Curric Vlan
 ip address 10.0.6.1 255.255.254.0
 ip helper-address 10.0.2.2
!
interface Vlan8
 description Guest Vlan
 ip address 10.0.8.1 255.255.254.0
 ip helper-address 10.0.2.2
 ip access-group 100 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.0.2
!
!
access-list 100 remark GUEST NETWORK ACCESS, ONLY TO INTERNET
access-list 100 permit udp any eq bootpc any eq bootps
access-list 100 permit udp 10.0.8.0 0.0.0.255 host 10.0.2.2 eq domain
access-list 100 permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
access-list 100 permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.4.0 0.0.0.255
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.6.0 0.0.0.255
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.7.0 0.0.0.255
access-list 100 permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 permit ip 10.0.8.0 0.0.0.255 any
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.2.2 0.0.0.17
!
!
!
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
ntp server 10.0.2.2 key 0
!
end
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38810057
OK, I got it. I have your config ready; just one more clarification:

"Is there a way I can block that range 10.0.2.3 - 10.0.2.20?"

Where do you want to block it?
0
 
LVL 9

Accepted Solution

by:
Sandeep Gupta earned 500 total points
ID: 38810093
Never mind, try this:

access-list 100 remark GUEST NETWORK ACCESS, ONLY TO INTERNET
access-list 100 permit udp any eq bootpc any eq bootps
access-list 100 permit udp 10.0.8.0 0.0.0.255 host 10.0.2.2 eq domain
access-list 100 permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
access-list 100 permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
access-list 100 permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 deny ip any any
0
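As an added illustration (not part of the thread, the asker's configuration, or anything Cisco ships), the Python script below evaluates access lists the way IOS does: top to bottom, first match wins, and an implicit "deny ip any any" catches whatever is left. It loads the asker's original list from the question (trimmed to two of the host denies), the accepted solution from this comment, and the "0.0.0.17" wildcard suggested earlier in the thread, then runs constructed packets through them. It shows why the original list let guests reach 10.0.2.3 (the "permit ip 10.0.8.0 0.0.0.255 any" entry is hit before the host denies below it, so those denies are dead), what hosts a wildcard of 0.0.0.17 really covers (a wildcard is a bit mask, not a count, so 10.0.2.3 0.0.0.17 matches .2, .3, .18 and .19, which includes the DHCP server and misses most of the range), and how to express 10.0.2.3-10.0.2.20 exactly as aligned blocks. Two checks against the accepted list are also included: the guest VLAN is a /23 (10.0.8.0-10.0.9.255, per the "interface Vlan8" address) while every entry uses the /24 wildcard 0.0.0.255, so a guest in 10.0.9.x matches nothing but the final deny, even for DNS; and the only permitted non-DHCP destination is 10.1.0.0/24, so a packet to a public address (203.0.113.10, a documentation address used here as a constructed sample) is denied as well unless guests reach the internet through a proxy or similar device on that subnet. All packet and host addresses in the checks are constructed for the demonstration.

```python
"""Added example: evaluate Cisco numbered ACLs as IOS does (first match wins,
implicit 'deny ip any any' at the end). Not code from the original thread."""
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}  # port keywords used in the thread

# The asker's original list (question), trimmed to two of the trailing host denies.
ORIGINAL_ACL = """
permit udp any eq bootpc any eq bootps
permit udp 10.0.8.0 0.0.0.255 10.0.2.2 0.0.0.0 eq domain
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
deny ip 10.0.8.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.4.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.5.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.6.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.7.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 any
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.3
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.4
"""

# The accepted solution, as posted.
ACCEPTED_ACL = """
access-list 100 remark GUEST NETWORK ACCESS, ONLY TO INTERNET
access-list 100 permit udp any eq bootpc any eq bootps
access-list 100 permit udp 10.0.8.0 0.0.0.255 host 10.0.2.2 eq domain
access-list 100 permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
access-list 100 permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
access-list 100 permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 deny ip any any
"""


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _addr(toks):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]


def _port(toks):
    """Consume an optional 'eq PORT' qualifier."""
    if toks and toks[0] == "eq":
        p = toks[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), toks[2:]
    return None, toks


def parse_acl(text):
    """Parse 'access-list N ...' or bare ACE lines; remarks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[:1] == ["access-list"]:
            toks = toks[2:]
        if not toks or toks[0] == "remark":
            continue
        action, proto, rest = toks[0], toks[1], toks[2:]
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        aces.append((action, proto, src, sport, dst, dport, line.strip()))
    return aces


def evaluate(aces, proto, src, dst, sport=None, dport=None):
    """Return (action, matching entry text); unmatched packets hit the implicit deny."""
    for action, p, s, sp, d, dp, text in aces:
        if p != "ip" and p != proto:          # 'ip' entries match every protocol
            continue
        if not wildcard_match(src, *s) or not wildcard_match(dst, *d):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action, text
    return "deny", "<implicit deny ip any any>"


def wildcard_hosts(base, wildcard, network="10.0.2.0/24"):
    """Last octets inside `network` that a base/wildcard pair actually matches."""
    return [h.packed[-1] for h in ipaddress.ip_network(network).hosts()
            if wildcard_match(str(h), base, wildcard)]


def range_to_aces(first, last, src="10.0.8.0 0.0.1.255"):
    """Smallest set of deny entries covering a contiguous host range exactly.
    The default source wildcard covers the whole /23 guest VLAN (assumption)."""
    nets = ipaddress.summarize_address_range(ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"deny ip {src} " + (f"host {n.network_address}" if n.prefixlen == 32
                                 else f"{n.network_address} {n.hostmask}") for n in nets]


if __name__ == "__main__":
    orig, acc = parse_acl(ORIGINAL_ACL), parse_acl(ACCEPTED_ACL)
    print("original, guest -> 10.0.2.3 tcp/445:", evaluate(orig, "tcp", "10.0.8.50", "10.0.2.3", 50000, 445))
    print("10.0.2.3 0.0.0.17 really matches last octets:", wildcard_hosts("10.0.2.3", "0.0.0.17"))
    print("exact entries for .3-.20:", *range_to_aces("10.0.2.3", "10.0.2.20"), sep="\n  ")
    print("accepted, guest -> 10.0.2.3 tcp/445:", evaluate(acc, "tcp", "10.0.8.50", "10.0.2.3", 50000, 445))
    print("accepted, 10.0.9.50 DNS -> 10.0.2.2:", evaluate(acc, "udp", "10.0.9.50", "10.0.2.2", 50000, 53))
    print("accepted, guest -> 203.0.113.10 tcp/443:", evaluate(acc, "tcp", "10.0.8.50", "203.0.113.10", 50000, 443))
```

The range_to_aces output is what a practitioner would paste in place of a single "0.0.0.17" entry if the host denies were to stay; with the accepted list's final "deny ip any any" they are not needed, but the 0.0.0.255 source wildcard still leaves the 10.0.9.x half of the guest VLAN without DNS or gateway access, so widening those entries to 0.0.1.255 is the check worth making before rolling the list out.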
 
LVL 3

Author Closing Comment

by:dan4132
ID: 38810115
Perfect!! Thanks so much for your help
0
