• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3045

Cisco ACLs - Guest Network to Internet Only

Hey All,

Just wondering if someone could help me with my ACL.

I have 4 VLANS

1 = Switch Management
2 = SERVERS
4 = Admin
6 = Curric
8 = Guest

10.1.0.1 is our Internet

255.255.254.0 is the subnet Mask

10.0.2.2 is our DHCP Server

This ACL is just for allowing connection to the Internet only.

Now I have other servers which I do not want them to get access to, but for some reason they can, and I am not sure why. The rest of my servers are 10.0.2.3 - 10.0.2.20

Is there a way I can block that range 10.0.2.3 - 10.0.2.20?



remark GUEST NETWORK ACCESS, ONLY TO INTERNET
permit udp any eq bootpc any eq bootps
permit udp 10.0.8.0 0.0.0.255 10.0.2.2 0.0.0.0 eq domain
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
deny ip 10.0.8.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.4.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.5.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.6.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.7.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 any
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.3
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.4
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.5
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.6
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.7
deny ip 10.0.8.0 0.0.0.255 host 10.0.2.8
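To see why the ACL as posted does not block the server range, here is an added example (my own code, not part of the thread) that models Cisco's first-match evaluation and wildcard masks in Python over the `ip` entries of the posted ACL. It shows that the `permit ip ... any` entry matches before the denies placed after it, that the wildcard `0.0.0.17` does not describe 10.0.2.3-20, and that hosts in 10.0.9.x never match the `0.0.0.255` source at all; the reordered ACL at the end is my own suggested ordering, an assumption rather than something the thread proposes.

```python
import ipaddress
_ip = lambda s: int(ipaddress.IPv4Address(s))  # dotted quad -> 32-bit int

# Constructed copy of the "ip" entries of the ACL posted in the question (remark and
# UDP/DHCP lines left out); "host X" and "any" are handled by _spec below.
ACL_AS_POSTED = """
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
deny ip 10.0.8.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.4.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.5.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.6.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.7.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 any
deny ip 10.0.8.0 0.0.0.255 10.0.2.3 0.0.0.17
"""
# My own reordering (an assumption, not from the thread): one specific permit, one deny
# for all internal 10.0.x.x space, then the rest; source widened to VLAN 8's real /23.
ACL_REORDERED = """
permit ip 10.0.8.0 0.0.1.255 host 10.0.2.2
deny ip 10.0.8.0 0.0.1.255 10.0.0.0 0.0.255.255
permit ip 10.0.8.0 0.0.1.255 any
"""

def _spec(t, i):  # one address spec at t[i]: 'any', 'host A' or 'A WILDCARD'
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _matches(spec, addr):
    base, wild = spec  # Cisco wildcard: 1 bits are "don't care", so only the 0 bits are compared
    return (_ip(addr) & ~wild) == (base & ~wild)

def evaluate(acl_text, src, dst):
    """First match wins; no match falls through to the implicit 'deny ip any any' (line None)."""
    for n, line in enumerate(acl_text.strip().splitlines(), 1):
        t = line.split()  # action, "ip", src spec..., dst spec...
        s, i = _spec(t, 2)
        d, _ = _spec(t, i)
        if _matches(s, src) and _matches(d, dst):
            return t[0], n
    return "deny", None

def wildcard_hosts(addr, wildcard):
    """Addresses the addr/wildcard pair really matches (fine for small wildcards)."""
    base, w = _ip(addr), _ip(wildcard)
    return [str(ipaddress.IPv4Address(a)) for a in range(base & ~w, (base | w) + 1) if (a & ~w) == (base & ~w)]
```

With the posted order, a guest at 10.0.8.50 reaching 10.0.2.5 is permitted by entry 9 before entry 10 is ever consulted, and `wildcard_hosts("10.0.2.3", "0.0.0.17")` covers only .2, .3, .18 and .19, so a contiguous range like .3-.20 needs several entries rather than one wildcard.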
1 Solution
 
Sandeep Gupta (Consultant) commented:
in your internet acl

put

deny ip 10.0.2.3 0.0.0.17 host 10.1.0.1
permit ip any host 10.1.0.1
 
dan4132 (Author) commented:
Heya,

I put that last line in and they can still access 10.0.2.3 - 20
 
Sandeep Gupta (Consultant) commented:
show me your current internet ACL and mention from where (host) you want to reach (dest)?
 
dan4132 (Author) commented:
This is my current ACL: (I added your bit at the bottom as well)

remark GUEST NETWORK ACCESS, ONLY TO INTERNET
permit udp any eq bootpc any eq bootps
permit udp 10.0.8.0 0.0.0.255 10.0.2.2 0.0.0.0 eq domain
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
deny ip 10.0.8.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.4.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.5.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.6.0 0.0.0.255
deny ip 10.0.8.0 0.0.0.255 10.0.7.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
permit ip 10.0.8.0 0.0.0.255 any
deny ip 10.0.8.0 0.0.0.255 10.0.2.3 0.0.0.17
deny ip 10.0.2.3 0.0.0.17 host 10.1.0.1
permit ip any host 10.1.0.1


The Guest Vlan is 8 (10.0.8.0 - 10.0.9.254 / 255.255.254.0)

I want to be able to get a DHCP address from 10.0.2.2

I don't want vlan 8 talking to Vlan 4 or 6 (10.0.4.0 - 10.0.7.254)

I don't want vlan 8 to talk to anything else on the Server Vlan 2 apart from the one DHCP host on 10.0.2.2.

I want Vlan 8 to be able to talk to 10.1.0.1
 
Sandeep Gupta (Consultant) commented:
okay let's start with DHCP..I guess you put "ip helper-address 10.0.2.2"

are you using any ACLs at the LAN side?

and we are talking about the internet ACL; are you using it at the WAN interface which has the IP address 10.1.0.1?

If my Q&A doesn't match then I think I am missing something, so please send the complete config of your router?
 
dan4132 (Author) commented:
Sorry I think I have confused you.

I have done all the Router Configs and Switch configs and they are all working fine.. so yes my ip helper-address 10.0.2.2 is on Vlan 8.

At the moment every Vlan can talk to each other and I do not want this to happen as some VLANS are private.

So that is why I would like to use ACLs to control this.

Vlan 8 is what I am going to use for Guest Access on the Network and I do not want it to talk to anything else but 10.0.2.2 and 10.1.0.1. So I need to stop 10.0.8.0 talking to:

10.0.2.3-20
&
10.0.4.0 - 10.0.7.254



Current Config:

Current configuration : 3562 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname CORESW
!
no logging console
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 description to DC2
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 description to HYPER-V
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/4
 description to FINANCE
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/5
 description to DC1
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/6
 description to XSERVE
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/7
 description to ESPRESSO
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 description to SONICWALL
 no switchport
 ip address 10.1.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/24
 description to KS1SW
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
 description to ICTSW
 switchport trunk allowed vlan 1-2,4,6,8
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description to KS2SW
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 description MANAGEMENT
 ip address 10.0.0.1 255.255.254.0
!
interface Vlan2
 description SERVERS/DEVICES/PRINTERS
 ip address 10.0.2.1 255.255.254.0
!
interface Vlan4
 description Admin Staff Vlan
 ip address 10.0.4.1 255.255.254.0
 ip helper-address 10.0.2.2
!
interface Vlan6
 description Curric Vlan
 ip address 10.0.6.1 255.255.254.0
 ip helper-address 10.0.2.2
!
interface Vlan8
 description Guest Vlan
 ip address 10.0.8.1 255.255.254.0
 ip helper-address 10.0.2.2
 ip access-group 100 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.0.2
!
!
access-list 100 remark GUEST NETWORK ACCESS, ONLY TO INTERNET
access-list 100 permit udp any eq bootpc any eq bootps
access-list 100 permit udp 10.0.8.0 0.0.0.255 host 10.0.2.2 eq domain
access-list 100 permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
access-list 100 permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.4.0 0.0.0.255
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.6.0 0.0.0.255
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.7.0 0.0.0.255
access-list 100 permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 permit ip 10.0.8.0 0.0.0.255 any
access-list 100 deny ip 10.0.8.0 0.0.0.255 10.0.2.2 0.0.0.17
!
!
!
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
ntp server 10.0.2.2 key 0
!
end
 
Sandeep Gupta (Consultant) commented:
Ok..I got it..I have your config ready..just one more clarification

"Is there a way I can block that range 10.0.2.3 - 10.0.2.20?"

Where do you want to block it?
 
Sandeep Gupta (Consultant) commented:
nevermind

try this

access-list 100 remark GUEST NETWORK ACCESS, ONLY TO INTERNET
access-list 100 permit udp any eq bootpc any eq bootps
access-list 100 permit udp 10.0.8.0 0.0.0.255 host 10.0.2.2 eq domain
access-list 100 permit ip 10.0.8.0 0.0.0.255 host 10.0.2.2
access-list 100 permit ip 10.0.8.0 0.0.0.255 host 10.0.2.1
access-list 100 permit ip 10.0.8.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 deny ip any any
 
dan4132 (Author) commented:
Perfect!! Thanks so much for your help
