need help with acl's

Jun 9th, 2008
Here is what I have built:


ip access-list extended QA2
 10 permit ip any 10.98.6.0 0.0.1.255
 20 deny ip any 192.168.0.0 0.0.7.255 log
 30 deny ip any 10.98.0.0 0.0.255.255 log
 40 permit tcp any any eq www
 50 permit tcp any any eq smtp
 60 permit tcp any any eq 443
 70 permit tcp any any eq ssh


Basically, I want to allow the hosts on QA2 (172.16.0.0/20) access to net 10.98.6.0/23 for all protocols, and only 22, 25, 80 and 443 to the internet...


One side question to the above:

I have this QA2 VLAN span across 2 core switches (6513's) and have set up HSRP on the 2 VLAN interfaces (172.16.0.2 and .3) as 172.16.0.1.

The switch does not have a default gateway. Not sure what I should put it as...

pipsadmin Mon, 06/09/2008 - 09:42

Also, this should be on the VLAN interface as an access-class QA2 in ... correct? Closest to the source?

Richard Burts Mon, 06/09/2008 - 10:01

Nelson


Here are some comments about your access list:

- Yes, it should be applied inbound on the VLAN interface where that VLAN is located.

- it should be applied as access-group and not as access-class.

- If it is on the interface where that subnet is located, I would suggest changing the source specification from "any" to the subnet of that VLAN.

- You are permitting tcp access for SMTP, web, and ssh, but you are not permitting any DNS traffic. So users will have to specify everything by address and not browse by name. I doubt that is what you had in mind.


HTH


Rick

pipsadmin Mon, 06/09/2008 - 11:21

OOPS... forgot about the DNS, so how do I resolve that?


Also, the access group should be applied on the VLAN interface as:

interface vlan 172
 ip access-group QA2 out


Correct?

Richard Burts Mon, 06/09/2008 - 11:42

Nelson


Resolve the DNS by: permit udp any eq 53 any


Apply as:

interface vlan 172
 ip access-group QA2 in


HTH


Rick
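As an added illustration (not code from the thread or from Cisco), here is a small Python evaluator with IOS first-match and wildcard-mask semantics, run over the QA2 list exactly as posted. It shows that a DNS query from a QA2 host falls through to the implicit deny, and is permitted once a DNS entry is appended. The appended entry assumes the query's destination port is 53; the sample host and resolver addresses are constructed.

```python
import ipaddress
# The QA2 list as posted in the thread (IOS first-match order); no match means implicit deny.
QA2 = """
10 permit ip any 10.98.6.0 0.0.1.255
20 deny ip any 192.168.0.0 0.0.7.255 log
30 deny ip any 10.98.0.0 0.0.255.255 log
40 permit tcp any any eq www
50 permit tcp any any eq smtp
60 permit tcp any any eq 443
70 permit tcp any any eq ssh
"""
# Assumption for the DNS fix: a client query leaves the VLAN with destination port 53.
QA2_WITH_DNS = QA2 + "80 permit udp any any eq 53\n"
PORT_NAMES = {"www": 80, "smtp": 25, "ssh": 22, "domain": 53}

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return a & ~w == n & ~w

def parse_endpoint(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' [eq PORT]; return (net, wc, port, next_i)."""
    if tok[i] == "any":
        net, wc, i = "0.0.0.0", "255.255.255.255", i + 1
    elif tok[i] == "host":
        net, wc, i = tok[i + 1], "0.0.0.0", i + 2
    else:
        net, wc, i = tok[i], tok[i + 1], i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        i += 2
    return net, wc, port, i

def evaluate(acl_text, proto, src, sport, dst, dport):
    """Return (action, sequence) of the first matching entry, or ('deny', None)."""
    for line in acl_text.strip().splitlines():
        tok = line.split()
        seq, action, p = int(tok[0]), tok[1], tok[2]
        snet, swc, sp, i = parse_endpoint(tok, 3)
        dnet, dwc, dp, _ = parse_endpoint(tok, i)
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc)):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action, seq
    return "deny", None  # implicit deny at the end of every IOS ACL
```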

pipsadmin Mon, 06/09/2008 - 11:46

Shouldn't it be out? As it's leaving the VLAN 172 out to the MSFC, no?

Richard Burts Mon, 06/09/2008 - 11:51

Nelson


The access list is applied in or out from the perspective of the router/switch interface. Traffic from VLAN 172 into the switch interface is applied in. Traffic from the switch interface out to VLAN 172 is applied out.


So apply your access-group in.


HTH


Rick
