Access restriction via vlan

Answered Question

Hi All,


Can someone tell me the easiest way to restrict a vlan to only be able to access the internet. Basically I would like to an area for vendors to plug in and be able to access the internet, but not my internal network.


TIA,


R


Thanks for your reply. I figured this was the case, but wanted to make sure.


i am new to ACL, can I do this?


access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq www
access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq telnet
access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq smtp
access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq pop3
access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq 21
access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq 20


To allow all hosts on the 192.168.70.0/24 network access to HTTP, Telnet, Mail, POP3, and FTP destined for the host IP 192.168.40.254 (this being the default gateway IP).


Is there also an implicit deny all at the end without a need for me to put this?


TIA,


R

Correct Answer
pkhatri Wed, 03/15/2006 - 17:45

Hi,


That will not quite work. The destination address of the traffic will not be the default gateway address - the traffic is sent to the default gateway but the actual destination IP address is that of wherever it is going.


One way of restricting this traffic is to deny all traffic from this network to your internal network and then open up a few ports to the Internet:


access-list 102 deny ip 192.168.70.0 0.0.0.255 <internal-network-1> <wildcard-mask>
access-list 102 deny ip 192.168.70.0 0.0.0.255 <internal-network-2> <wildcard-mask>
access-list 102 deny ip 192.168.70.0 0.0.0.255 <internal-network-3> <wildcard-mask>
access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq www
access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq telnet
access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq smtp
access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq pop3
access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq 21
access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq 20


However, FTP will not work too well with the above because of the way FTP uses dynamic ports. An alternative is to block all traffic from this subnet to your internal networks and permit everything else:


access-list 102 deny ip 192.168.70.0 0.0.0.255 <internal-network-1> <wildcard-mask>
access-list 102 deny ip 192.168.70.0 0.0.0.255 <internal-network-2> <wildcard-mask>
access-list 102 deny ip 192.168.70.0 0.0.0.255 <internal-network-3> <wildcard-mask>
access-list 102 permit ip 192.168.70.0 0.0.0.255 any



Hope that helps - pls rate the post if it does.


Paresh
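The two points the answer above rests on, that an ACL matches on the packet's real destination address (not on the gateway the packet is forwarded to) and that the list is read top-down with an implicit deny at the end, can be checked offline with a small simulator of IOS extended ACL matching. This is an added example, not code from the thread or from Cisco: the three internal networks 192.168.10.0/24, 192.168.20.0/24 and 192.168.40.0/24 are assumed stand-ins for the destinations missing from the quoted deny lines, and 192.168.70.10, 192.168.40.50 and 203.0.113.10 are constructed vendor, internal and Internet hosts.

```python
"""First-match simulation of the Cisco IOS extended ACLs discussed in this thread.

Added example, not code from the thread or from Cisco. ASSUMPTIONS: the three
internal networks 192.168.10.0/24, 192.168.20.0/24 and 192.168.40.0/24 stand in
for the destinations missing from the quoted 'deny' lines; 203.0.113.10 is a
constructed Internet address (RFC 5737 documentation range); wildcard masks are
contiguous, as in every ACE on the page.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS accepts after "eq" that appear on the page (plus ftp-data for port 20).
PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110, "ftp": 21, "ftp-data": 20}


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol; otherwise "tcp" / "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # An IOS wildcard is the bitwise inverse of a subnet mask: 0.0.0.255 -> 255.255.255.0
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((tok[i], str(netmask)), strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N permit|deny PROTO SRC DST [eq PORT]' line."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok):
        if tok[i] != "eq":        # IOS rejects 'any pop3'; the operator keyword is required
            raise ValueError(f"expected 'eq' before the port in: {line!r}")
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(tok[2], tok[3], src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[Ace]]:
    """Walk the list top-down; the first matching entry decides. No match -> implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace
    return "deny", None          # the implicit 'deny ip any any' at the end of every IOS ACL


# The follow-up post's idea: permit only traffic whose *destination* is the gateway address.
GATEWAY_ACL = parse_acl("""
access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq www
access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq telnet
""")

# The answer, first variant: deny the internal networks (ASSUMED values), then a few ports to anywhere.
PORT_ACL = parse_acl("""
access-list 102 deny ip 192.168.70.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny ip 192.168.70.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 deny ip 192.168.70.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq www
access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq 21
access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq 20
""")

# The answer, second variant: the same denies, then permit everything else.
OPEN_ACL = PORT_ACL[:3] + parse_acl("access-list 102 permit ip 192.168.70.0 0.0.0.255 any")

VENDOR, INTERNET, INTERNAL = "192.168.70.10", "203.0.113.10", "192.168.40.50"   # constructed hosts

if __name__ == "__main__":
    # A web request is addressed to the web server, not to the gateway, so the gateway
    # ACL never matches it and the implicit deny drops it.
    print("gateway ACL, vendor -> Internet:80   ", evaluate(GATEWAY_ACL, "tcp", VENDOR, INTERNET, 80)[0])  # deny
    print("port ACL,    vendor -> Internet:80   ", evaluate(PORT_ACL, "tcp", VENDOR, INTERNET, 80)[0])     # permit
    # A passive-mode FTP data connection uses a high port the port list never permits.
    print("port ACL,    vendor -> Internet:50000", evaluate(PORT_ACL, "tcp", VENDOR, INTERNET, 50000)[0])  # deny
    print("open ACL,    vendor -> Internet:50000", evaluate(OPEN_ACL, "tcp", VENDOR, INTERNET, 50000)[0])  # permit
    # Anything to an internal host hits an explicit deny before the permit is reached.
    print("open ACL,    vendor -> internal:53   ", evaluate(OPEN_ACL, "udp", VENDOR, INTERNAL, 53)[0])     # deny
```

Two practical notes on the real device. The list only takes effect once it is applied inbound on the vendor VLAN's interface (`ip access-group 102 in` under that SVI), and because the deny entries are stateless they also stop the vendors from reaching the router's own addresses inside those internal networks, which is what you want. A VLAN ACL does nothing against a vendor who plugs into a port in another VLAN, so the vendor ports themselves still need port security or 802.1X where the switch supports it.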
