Solved

Cisco ACLs - Guest Network to Internet Only

Posted on 2013-01-23
Last Modified: 2013-01-23
Hey All,

Just wondering if someone could help me with my ACL.

I have 4 VLANs:

1 = Switch Management
2 = SERVERS
4 = Admin
6 = Curric
8 = Guest

10.1.0.1 is our Internet

255.255.254.0 is the subnet Mask

10.0.2.2 is our DHCP Server

This ACL is just for allowing connection to the Internet only.

Now I have other servers which I do not want them getting access to, but for some reason they can and I am not sure why. The rest of my servers are 10.0.2.3 - 10.0.2.20.

Is there a way I can block that range 10.0.2.3 - 10.0.2.20?



remark GUEST NETWORK ACCESS, ONLY TO INTERNET
permit udp any eq bootpc any eq bootps
permit udp 10.0.8.0 0.0.0.255 10.0.2.2 0.0.0.0 eq domain
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
deny ip 10.0.8.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.4.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.5.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.6.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.7.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 any
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.3
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.4
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.5
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.6
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.7
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.8
Question by: dan4132

9 Comments

Expert Comment by: Sandeep Gupta
In your internet ACL, put:

deny ip 10.0.2.3 0.0.0.17 host 10.1.0.1
permit ip any host 10.1.0.1
Author Comment by: dan4132
Heya,

I put that last line in and they can still access 10.0.2.3 - 20.
Expert Comment by: Sandeep Gupta
Show me your current internet ACL and mention from where (host) you want to reach (dest).
Author Comment by: dan4132
This is my current ACL: (I added your bit at the bottom as well)

remark GUEST NETWORK ACCESS, ONLY TO INTERNET
permit udp any eq bootpc any eq bootps
permit udp 10.0.8.0 0.0.0.255 10.0.2.2 0.0.0.0 eq domain
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
deny ip 10.0.8.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.4.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.5.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.6.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.7.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 any
deny ip 10.0.8.0 0.0.0.255 10.0.2.3 0.0.0.17
deny ip 10.0.2.3 0.0.0.17 host 10.1.0.1
permit ip any host 10.1.0.1


The Guest Vlan is 8 (10.0.8.0 - 10.0.9.254 / 255.255.254.0)

I want to be able to get a DHCP address from 10.0.2.2

I don't want vlan 8 talking to Vlan 4 or 6 (10.0.4.0 - 10.0.7.254)

I don't want vlan 8 to talk to anything else on the Server Vlan 2 apart from the one DHCP host on 10.0.2.2.

I want Vlan 8 to be able to talk to 10.1.0.1
Expert Comment by: Sandeep Gupta
Okay, let's start with DHCP. I guess you put "ip helper-address 10.0.2.2".

Are you using any ACLs at the LAN side?

And we are talking about the internet ACL; are you using it at the WAN interface which has IP address 10.1.0.1?

If my Q&A doesn't match, then I think I am missing something, so please send the complete config of your router.
Author Comment by: dan4132
Sorry I think I have confused you.

I have done all the router configs and switch configs and they are all working fine, so yes, my ip helper-address 10.0.2.2 is on Vlan 8.

At the moment every Vlan can talk to each other and I do not want this to happen as some VLANS are private.

So that is why I would like to use ACLs to control this.

Vlan 8 is what I am going to use for Guest Access on the Network and I do not want it to talk to anything else but 10.0.2.2 and 10.1.0.1. So I need to stop 10.0.8.0 talking to:

10.0.2.3-20
&
10.0.4.0 - 10.0.7.254



Current Config:

Current configuration : 3562 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname CORESW
!
no logging console
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 description to DC2
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 description to HYPER-V
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/4
 description to FINANCE
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/5
 description to DC1
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/6
 description to XSERVE
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/7
 description to ESPRESSO
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 description to SONICWALL
 no switchport
 ip address 10.1.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/24
 description to KS1SW
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
 description to ICTSW
 switchport trunk allowed vlan 1-2,4,6,8
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description to KS2SW
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 description MANAGEMENT
 ip address 10.0.0.1 255.255.254.0
!
interface Vlan2
 description SERVERS/DEVICES/PRINTERS
 ip address 10.0.2.1 255.255.254.0
!
interface Vlan4
 description Admin Staff Vlan
 ip address 10.0.4.1 255.255.254.0
 ip helper-address 10.0.2.2
!
interface Vlan6
 description Curric Vlan
 ip address 10.0.6.1 255.255.254.0
 ip helper-address 10.0.2.2
!
interface Vlan8
 description Guest Vlan
 ip address 10.0.8.1 255.255.254.0
 ip helper-address 10.0.2.2
 ip access-group 100 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.0.2
!
!
access-list 100 remark GUEST NETWORK ACCESS, ONLY TO INTERNET
access-list 100 permit udp any eq bootpc any eq bootps
access-list 100 permit udp 10.0.8.0 0.0.0.255 host 10.0.2.2 eq domain
access-list 100 permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
access-list 100 permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.4.0 0.0.0.255
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.6.0 0.0.0.255
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.7.0 0.0.0.255
access-list 100 permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 permit ip 10.0.8.0 0.0.0.255 any
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.2.2 0.0.0.17
!
!
!
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
ntp server 10.0.2.2 key 0
!
end
Expert Comment by: Sandeep Gupta
OK, I got it. I have your config ready, just one more clarification:

"Is there away I can block that range 10.0.2.3 - 10.0.2.20?"

Where do you want to block it?
Accepted Solution by: Sandeep Gupta (earned 500 total points)

Never mind. Try this:

access-list 100 remark GUEST NETWORK ACCESS, ONLY TO INTERNET
access-list 100 permit udp any eq bootpc any eq bootps
access-list 100 permit udp 10.0.8.0 0.0.0.255 host 10.0.2.2 eq domain
access-list 100 permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
access-list 100 permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
access-list 100 permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 deny ip any any
Author Closing Comment by: dan4132
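The thread never says why the original list leaked, and the accepted list is worth checking before it goes on a production SVI. The following is an added example written for this page (editor's own code, not anything posted in the thread): a small simulator for the numbered-ACL subset used above, run against the list from the posted config, the accepted answer, and a third list labelled PROPOSED that is my own suggestion and not from the thread. The sample packets are constructed; 198.51.100.10 is a documentation address standing in for any Internet host, and 10.0.9.20 is there because Vlan8 is 10.0.8.0/23, so guests get addresses in 10.0.9.x too.

```python
# Added example (editor's own code, not from the thread): a small simulator for
# the IOS numbered-ACL subset used above, to show first-match order, wildcard
# masks and the implicit deny at the end of every access-list.
import ipaddress
from collections import namedtuple

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53}
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return a & ~w & 0xFFFFFFFF == b & ~w & 0xFFFFFFFF

def parse_acl(text):
    """Entries of the form: permit|deny ip|udp|tcp SRC [eq PORT] DST [eq PORT]."""
    def addr(tok):
        t = tok.pop(0)
        if t == "any":
            return "0.0.0.0", "255.255.255.255"
        return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

    def port(tok):
        if tok[:1] != ["eq"]:
            return None
        name = tok[1]
        del tok[:2]
        return PORT_NAMES.get(name) or int(name)

    rules = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, sport = addr(rest), port(rest)
        dst, dport = addr(rest), port(rest)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, pkt):
    """First matching entry wins: (action, 1-based entry). None = implicit deny."""
    for n, (action, proto, (sb, sw), sport, (db, dw), dport) in enumerate(rules, 1):
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, sb, sw) and wildcard_match(pkt.dst, db, dw)):
            continue
        if sport not in (None, pkt.sport) or dport not in (None, pkt.dport):
            continue
        return action, n
    return "deny", None

# access-list 100 as it stood in the posted config (entries only, remark dropped)
ORIGINAL = """
permit udp any eq bootpc any eq bootps
permit udp 10.0.8.0 0.0.0.255 host 10.0.2.2 eq domain
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
deny ip 10.0.8.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.4.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.5.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.6.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.7.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 any
deny ip 10.0.8.0 0.0.0.255 10.0.2.2 0.0.0.17
"""
# the accepted answer
ACCEPTED = """
permit udp any eq bootpc any eq bootps
permit udp 10.0.8.0 0.0.0.255 host 10.0.2.2 eq domain
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
deny ip any any
"""
# editor's proposal (assumption, not from the thread): wildcard 0.0.1.255 covers
# Vlan8's whole /23, one deny covers every 10.0.x.x VLAN, then permit the rest
PROPOSED = """
permit udp any eq bootpc any eq bootps
permit udp 10.0.8.0 0.0.1.255 host 10.0.2.2 eq domain
deny ip 10.0.8.0 0.0.1.255 10.0.0.0 0.0.255.255
permit ip 10.0.8.0 0.0.1.255 any
deny ip any any
"""

SAMPLE = {   # constructed packets; 10.0.9.20 is also inside Vlan8's 10.0.8.0/23
    "smb_to_server": Packet("tcp", "10.0.8.50", "10.0.2.5", 40000, 445),
    "dns_to_dc": Packet("udp", "10.0.8.50", "10.0.2.2", 40001, 53),
    "internet": Packet("tcp", "10.0.8.50", "198.51.100.10", 40002, 443),
    "internet_upper_half": Packet("tcp", "10.0.9.20", "198.51.100.10", 40003, 443),
}

def verdicts(acl_text):
    """Map each sample packet name to 'permit' or 'deny' under the given list."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLE.items()}

if __name__ == "__main__":
    for label, acl in ("original", ORIGINAL), ("accepted", ACCEPTED), ("proposed", PROPOSED):
        print(label, verdicts(acl))
```

What the run shows: under ORIGINAL the guest-to-10.0.2.5 SMB packet is permitted by entry 11 (`permit ip 10.0.8.0 0.0.0.255 any`), so entry 12 below it can never match, which is the leak the question describes; a wildcard of 0.0.0.17 is not a range either, it matches exactly 10.0.2.2, .3, .18 and .19. Under ACCEPTED the server is blocked, but a packet to a public address also falls through to `deny ip any any`, because the only broad permit is to 10.1.0.0/24, the transit subnet, while routed Internet traffic still carries the real destination address. Both lists also use 0.0.0.255 for a /23 guest VLAN, so hosts in 10.0.9.x match nothing and are denied outright. PROPOSED keeps the DHCP and DNS holes (the relayed DHCP is sourced by the switch itself and is not seen by the inbound ACL, so no full-IP permit to the DC is needed), denies the internal /16 once, then permits everything else; adding `log` to the final deny gives hit counts in the switch log. One caveat the ACL cannot address: it only sees routed traffic, so guest-to-guest traffic inside Vlan8 needs port isolation or a private VLAN.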
Perfect!! Thanks so much for your help.