CISCO 3750 12.2(25) SEE2
Cisco 2950 12.1.(22) EA2
We codevelop software with teams from other companies and they come to our site to do this. With these companies we have setup Lan to Lan tunnels. So when they come we allow them to connect to our Guest network. Then they VPN into their companies and connect to a particular host on our end. It does not seem the best way to me for them to loop around like that because of our security restrictions when they are in our site.
I was thinking about letting them connect to our company LAN then configure ACLs in a switch, apply them to specific ports and allow them access only to an specific host on port 80 and 443.
If it makes any difference I will throw these 2 scenarios in:
1- destination host and guest users connected physically to ports in the same switch
2- destination host and guest users connected in different switches uplinked with switches in between . I wonder it if is needed one set of ACLs on both switches or does it matter?
Is this possible, please provide an example of how it would like in the configuration
Thanks for your help
the 2950 will not allow acl's
The way we do this here is we created a VLAN specific for vendors and contractors. Then we configured certain ports on the switch with this vlan for them to connect to. In the Layer 3 switch we created acl's to not allow access to internal resources and allow all internet traffic. We created PBR's for this and send their traffic through the firewall for inspection.
ip address 10.1.249.1 255.255.255.0
ip policy route-map VLAN249-VENDER_POLICY
ip access-list extended VLAN249-VENDOR
remark Vendor Access
deny ip 10.1.249.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.1.249.0 0.0.0.255 any
route-map VLAN249-VENDOR_POLICY permit 10
match ip address VLAN249-VENDOR
set ip default next-hop 10.254.1.10