
Access restriction via VLAN

rhltechie
Level 1

Hi All,

Can someone tell me the easiest way to restrict a VLAN to only be able to access the internet? Basically I would like to have an area for vendors to plug in and be able to access the internet, but not my internal network.

TIA,

R

Thanks for your reply. I figured this was the case, but wanted to make sure.

I am new to ACLs; can I do this?

access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq www

access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq telnet

access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq smtp

access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq pop3

access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq 21

access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq 20

To allow all hosts on the 192.168.70.0/24 network access to HTTP, Telnet, Mail, POP3, and FTP destined for the host ip of 192.168.40.254 (with this being the default gateway ip)

Is there also an implicit deny all at the end without a need for me to put this?

TIA,

R

Hi,

That will not quite work. The destination address of the traffic will not be the default gateway address - the traffic is sent to the default gateway but the actual destination IP address is that of wherever it is going.

One way of restricting this traffic is to deny all traffic from this network to your internal network and then open up a few ports to the Internet:

access-list 102 deny ip 192.168.70.0 0.0.0.255 <internal-network-1> <wildcard-mask>

access-list 102 deny ip 192.168.70.0 0.0.0.255 <internal-network-2> <wildcard-mask>

access-list 102 deny ip 192.168.70.0 0.0.0.255 <internal-network-3> <wildcard-mask>

access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq www

access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq telnet

access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq smtp

access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq pop3

access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq 21

access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq 20

However, FTP will not work too well with the above because of the way FTP uses dynamic ports. An alternative is to block all traffic from this subnet to your internal networks and permit everything else:

access-list 102 deny ip 192.168.70.0 0.0.0.255 <internal-network-1> <wildcard-mask>

access-list 102 deny ip 192.168.70.0 0.0.0.255 <internal-network-2> <wildcard-mask>

access-list 102 deny ip 192.168.70.0 0.0.0.255 <internal-network-3> <wildcard-mask>

access-list 102 permit ip 192.168.70.0 0.0.0.255 any

Hope that helps - please rate the post if it does.

Paresh
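
To make the difference between the two approaches concrete, here is an added example (not code from either poster) that evaluates Cisco IOS-style extended ACLs the way the router does: first matching entry wins, and anything that matches nothing hits the implicit deny at the end. It parses the asker's gateway-destination ACL and Paresh's deny-internal-then-permit-any ACL and runs both against a few constructed flows from a vendor host. The internal prefixes (192.168.40.0/24, 10.0.0.0/8, 172.16.0.0/12), the vendor host 192.168.70.10 and the Internet address 203.0.113.5 are assumptions made for this example; only the subset of syntax used in the thread is implemented.

```python
"""Cisco IOS-style extended ACL evaluator: first match wins, implicit deny at the end."""
import ipaddress
from dataclasses import dataclass

# IOS port keywords used in the thread, mapped to their IANA numbers.
PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110, "ftp": 21, "ftp-data": 20}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # "tcp", "udp", "icmp", ...
    dport: int = 0


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (net, wildcard) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _parse_port(tokens):
    """Consume an optional 'eq <port>'; the port may be a number or an IOS keyword."""
    if tokens[:1] != ["eq"]:
        return None
    tokens.pop(0)
    name = tokens.pop(0)
    return PORT_NAMES[name] if name in PORT_NAMES else int(name)


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq P]' lines, keeping their order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        _, _number, action, proto = tokens[:4]
        rest = tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport = _parse_port(rest)
        if rest:  # e.g. 'any pop3' without 'eq' leaves 'pop3' behind
            raise ValueError(f"unparsed tokens {rest} in: {line}")
        entries.append((action, proto, src, dst, dport))
    return entries


def syntax_ok(text):
    """True when every line parses; a missing 'eq' or a missing destination does not."""
    try:
        parse_acl(text)
        return True
    except (ValueError, IndexError):
        return False


def _match_addr(addr, spec):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    net, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (net | wildcard)


def evaluate(entries, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, proto, src, dst, dport in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_match_addr(pkt.src, src) and _match_addr(pkt.dst, dst)):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


# The asker's attempt: only packets whose destination *address* is the gateway match.
# Internet-bound packets carry their real destination, so they hit the implicit deny.
GATEWAY_ACL = """
access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq www
access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq telnet
"""

# Paresh's second variant: deny the internal networks, then permit everything else.
# The internal prefixes below are assumptions made for this example.
INTERNAL_NETS = ["192.168.40.0 0.0.0.255", "10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255"]
ISOLATE_ACL = "\n".join(
    f"access-list 102 deny ip 192.168.70.0 0.0.0.255 {net}" for net in INTERNAL_NETS
) + "\naccess-list 102 permit ip 192.168.70.0 0.0.0.255 any\n"

# Constructed sample flows from one vendor host (203.0.113.5 is a documentation address).
TRAFFIC = {
    "web to Internet": Packet("192.168.70.10", "203.0.113.5", "tcp", 80),
    "SMB to internal host": Packet("192.168.70.10", "192.168.40.20", "tcp", 445),
    "web to gateway itself": Packet("192.168.70.10", "192.168.40.254", "tcp", 80),
    "ping to Internet": Packet("192.168.70.10", "203.0.113.5", "icmp"),
}


def decisions(acl_text):
    """Map each sample flow to 'permit' or 'deny' under the given ACL."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, pkt) for name, pkt in TRAFFIC.items()}
```

Running `decisions(GATEWAY_ACL)` denies the web-to-Internet flow (its destination is 203.0.113.5, not the gateway) and permits only web/telnet to 192.168.40.254 itself, while `decisions(ISOLATE_ACL)` permits the Internet flows and denies everything into 192.168.40.0/24, which is the behaviour Paresh describes. `syntax_ok` rejects the thread's `any pop3` line (the `eq` keyword is missing) and a deny line with no destination. On the router the list is applied inbound on the vendor VLAN's interface, for instance `interface Vlan70` followed by `ip access-group 102 in` (the interface number is an assumption). One caveat: the router's own address inside 192.168.70.0/24 is not covered by the deny lines, so management access to it (telnet/SSH on `line vty`) should be limited separately with `access-class`.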

Ah! Many thanks to you! Again!