03-15-2006 08:50 AM - edited 03-03-2019 02:18 AM
Hi All,
Can someone tell me the easiest way to restrict a VLAN to only be able to access the internet? Basically I would like to have an area for vendors to plug in and be able to access the internet, but not my internal network.
TIA,
R
03-15-2006 08:58 AM
That would be done by creating an access list that only allows traffic from this vendor network to the internet.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
03-15-2006 09:58 AM
Thanks for your reply. I figured this was the case, but wanted to make sure.
I am new to ACLs; can I do this?
access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq www
access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq telnet
access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq smtp
access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq pop3
access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq 21
access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq 20
To allow all hosts on the 192.168.70.0/24 network access to HTTP, Telnet, mail, POP3, and FTP destined for the host IP 192.168.40.254 (this being the default gateway IP).
Is there also an implicit deny all at the end without a need for me to put this?
TIA,
R
03-15-2006 05:45 PM
Hi,
That will not quite work. The destination address of the traffic will not be the default gateway address - the traffic is sent to the default gateway but the actual destination IP address is that of wherever it is going.
One way of restricting this traffic is to deny all traffic from this network to your internal network and then open up a few ports to the Internet:
access-list 102 deny ip 192.168.70.0 0.0.0.255
access-list 102 deny ip 192.168.70.0 0.0.0.255
access-list 102 deny ip 192.168.70.0 0.0.0.255
access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq www
access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq telnet
access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq smtp
access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq pop3
access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq 21
access-list 102 permit tcp 192.168.70.0 0.0.0.255 any eq 20
However, FTP will not work too well with the above because of the way FTP uses dynamic ports. An alternative is to block all traffic from this subnet to your internal networks and permit everything else:
access-list 102 deny ip 192.168.70.0 0.0.0.255
access-list 102 deny ip 192.168.70.0 0.0.0.255
access-list 102 deny ip 192.168.70.0 0.0.0.255
access-list 102 permit ip 192.168.70.0 0.0.0.255 any
Hope that helps - pls rate the post if it does.
Paresh
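The two points Paresh makes, that the ACL matches on the real destination address rather than on the gateway, and that every IOS ACL ends in an implicit deny, can be checked without a router. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS extended-ACL evaluation (first matching entry wins, implicit deny at the end) that parses the thread's own "access-list 102 ..." syntax, including wildcard masks, and runs sample packets through the asker's gateway-as-destination list and Paresh's deny-internal-then-permit-any list. The internal prefixes 192.168.40.0/24, 192.168.10.0/24 and 192.168.20.0/24 are assumptions (the post's deny lines do not show their destinations), and 198.51.100.10 is a documentation-range stand-in for an internet host. On the router itself the list still has to be applied inbound on the vendor VLAN's interface with ip access-group 102 in.

```python
"""Model of Cisco IOS extended-ACL evaluation: first match wins, then implicit deny.
Added example (not from the forum post or Cisco); all addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Well-known port names that appear in the thread's ACL lines.
PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110, "ftp": 21, "ftp-data": 20}


@dataclass(frozen=True)
class Ace:
    """One access-list entry (an ACE)."""
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol; otherwise e.g. "tcp"
    src: str              # CIDR network, or "any"
    dst: str
    dport: Optional[int]  # None = any destination port


def wildcard_to_network(addr: str, wildcard: str) -> str:
    """IOS wildcard mask -> CIDR. In a wildcard, 0 bits must match and 1 bits are ignored,
    so it is the bitwise inverse of a subnet mask (0.0.0.255 -> 255.255.255.0)."""
    wild = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(~wild & 0xFFFFFFFF)
    # strict=False tolerates host bits set in addr; a non-contiguous mask raises ValueError.
    return str(ipaddress.IPv4Network((addr, str(netmask)), strict=False))


def _take_addr(tokens: List[str], i: int):
    """Consume one IOS address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1] + "/32", i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into an Ace."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not a numbered extended ACL entry: " + line)
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    dport = None
    if i < len(t):
        if t[i] != "eq" or i + 1 >= len(t):  # e.g. 'any pop3' without 'eq' is a syntax error
            raise ValueError("unsupported port operator in: " + line)
        dport = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
    return Ace(t[2], t[3], src, dst, dport)


def _in(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def evaluate(acl: List[Ace], src: str, dst: str, proto: str = "tcp",
             dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one packet. IOS walks the list top-down and the
    first matching ACE decides; a packet that matches nothing hits the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_in(ace.src, src) and _in(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit 'deny ip any any' at the end of every IOS ACL


VENDOR = "192.168.70.0 0.0.0.255"  # the thread's vendor VLAN
# Assumed internal prefixes (constructed; the post's deny lines omit their destinations).
INTERNAL = ["192.168.40.0 0.0.0.255", "192.168.10.0 0.0.0.255", "192.168.20.0 0.0.0.255"]
# Tighter alternative: deny every RFC 1918 range instead of a hand-maintained list.
RFC1918 = ["10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255", "192.168.0.0 0.0.255.255"]


def build_deny_then_permit(deny_nets: List[str]) -> List[Ace]:
    """Paresh's second approach: deny vendor -> each internal net, then permit vendor -> any."""
    lines = ["access-list 102 deny ip %s %s" % (VENDOR, n) for n in deny_nets]
    lines.append("access-list 102 permit ip %s any" % VENDOR)
    return [parse_ace(l) for l in lines]


# The original poster's attempt: only matches traffic whose destination *is* the gateway.
GATEWAY_ACL = [parse_ace(l) for l in (
    "access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq www",
    "access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq telnet",
    "access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq smtp",
    "access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq pop3",
    "access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq 21",
    "access-list 102 permit tcp 192.168.70.0 0.0.0.255 host 192.168.40.254 eq 20",
)]
DENY_INTERNAL_ACL = build_deny_then_permit(INTERNAL)
DENY_RFC1918_ACL = build_deny_then_permit(RFC1918)

if __name__ == "__main__":
    vendor_host, internet_host = "192.168.70.10", "198.51.100.10"  # 198.51.100.0/24 is TEST-NET-2
    for name, acl in (("gateway-as-destination", GATEWAY_ACL),
                      ("deny-listed-internal", DENY_INTERNAL_ACL),
                      ("deny-rfc1918", DENY_RFC1918_ACL)):
        for dst, port in ((internet_host, 80), ("192.168.40.25", 445), ("192.168.50.9", 22)):
            verdict = evaluate(acl, vendor_host, dst, "tcp", port)
            print(f"{name:24s} {vendor_host} -> {dst}:{port:<4d} {verdict}")
```

Running it shows why the gateway-as-destination list fails: a web request to 198.51.100.10 never matches "host 192.168.40.254", so it falls through to the implicit deny, while the deny-internal-then-permit list passes it. The same run also shows the check to make before trusting the second approach: a destination in an internal prefix that is not on the deny list (192.168.50.9 in the constructed data) is permitted, because "permit ip ... any" catches everything the deny lines missed. Denying the whole RFC 1918 space, as the third list does, closes that gap without having to enumerate every internal subnet.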
03-15-2006 06:01 PM
Ah! Many thanks to you, again!