We are in the process of adding a wireless network to the existing LAN. The requirement is that wireless clients have access to the internet, and occasionally access to the internal webserver. But, at no time should wireless clients be able to access anything on the internal LAN.
So any ACL that blocks out the LAN network would of course block out the gateway; at least that is what seems to have happened. Here is how the networks are configured:
PIX506 (1) (63.xx.xx.xxx - 192.168.2.1) Primary business LAN
PIX506 (2) (192.168.2.30 - 192.168.3.1) Wireless Network
To date, every ACL I have tried either blocks ALL access, meaning I cannot access the 2.0 network or the internet, or it gives full access to both the internet and the 2.0 network.
What I want is for people on the 3.0/24 network to access the internet and one webserver on the 2.0/24 network.
Here are the last two ACLs I tried:
access-list 101 permit tcp 192.168.3.0 255.255.255.0 host 192.168.2.1 255.255.255.255
access-list 101 deny tcp 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
This is the original one I tried, which was given to me by some Cisco engineers, yet when this did not work they had no answers on what to do next, unfortunately:
access-list 101 permit ip 192.168.3.0 0.0.0.255 host 192.168.2.4
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
Am I incorrect in thinking the PIX can do what I want it to? It seems that it should; I just need to get the ACL right.
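One way to express the requirement stated in the post in PIX 6.x syntax. This is an added example, not the poster's configuration and not anything the Cisco engineers supplied. It assumes the wireless firewall (PIX(2)) calls its 192.168.3.1 interface "inside", that the webserver is 192.168.2.4 listening on TCP port 80 (the host that appears in the second ACL in the post), and that nat/global for outbound traffic are already configured. Two PIX details matter here: the PIX takes ordinary subnet masks in access-list entries, not IOS-style wildcard masks such as 0.0.0.255, and the host keyword takes no mask at all, so "host 192.168.2.1 255.255.255.255" is not valid PIX syntax. An ACL also only takes effect once it is bound to an interface with access-group.

```cisco
! Added example, not the poster's configuration. Assumes PIX 6.x on the
! wireless firewall (PIX(2)): inside = 192.168.3.1, outside = 192.168.2.30.
! Entries are evaluated top-down, first match wins, and anything that
! matches no entry is dropped by the implicit deny at the end.

! 1. Wireless clients may reach only the web service on the internal webserver.
!    192.168.2.4 and port 80 are assumptions taken from the ACL in the post.
access-list wireless_in permit tcp 192.168.3.0 255.255.255.0 host 192.168.2.4 eq www

! 2. Everything else on the business LAN (192.168.2.0/24) is off limits.
access-list wireless_in deny ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

! 3. Any destination not on the business LAN, i.e. the Internet, is allowed out.
access-list wireless_in permit ip 192.168.3.0 255.255.255.0 any

! Bind the list to traffic entering from the wireless side. "inside" is the
! assumed interface name; use whatever nameif was given to the 192.168.3.1 side.
access-group wireless_in in interface inside
```

The deny in entry 2 does not block Internet-bound traffic, because the ACL matches the packet's destination address, not the next-hop router: packets for the Internet are addressed to hosts outside 192.168.2.0/24 and are forwarded via 192.168.2.1 without needing a permit to 192.168.2.1 itself. One common reason a setup like this still appears to "block everything" is DNS: if the wireless clients are handed a DNS server on the 2.0/24 network, entry 2 cuts off name resolution, so add a permit for udp port 53 to that server ahead of the deny (the PIX appends entries in the order they are typed). `show access-list wireless_in` shows a hit count per entry, which tells you which line the traffic is actually matching.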