Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

access list to permit connection to remote site based on communication type.

Hello expert,

I have a member server in my remote branch (ip 10.40.10.10)

The branch is connected to central office via two links:-

  • •(1) 100 (mb ) wireless line and (2) 1 (mb) ip-dsl line.

The default (primary connection) is the wireless and the backup (failover) is the ip-dsl.

I would be appreciate if anyone can provide guidance how to create an access list

to allow a group of users (sec_group) stationed at central office to access files on the remote server only

when the communication is on wireless, if the wireless fails and ip_dsl is active the group of users(sec_group)

should not be allow to connect to the member server.

To summaries, if connection is wireless allow sec_group to connect.

If connection is ip_dsl disallow sec_group to connect if connected drop connection.

Regards

Jomo

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

access list to permit connection to remote site based on communi

Jomo

I think that this access list is fine, assuming that 10.40.10.10 is the correct address for the single server for which you want to control access and that sec_group does accurately include the correct members of the security group. This access list would be applied outbound on the dsl interface at the central site.

HTH

Rick

8 REPLIES

access list to permit connection to remote site based on communi

Jomo,

To clarify, you're wanting users at the central location to only access the member server at the branch site when the wireless is up? How is your routing set up between the 2 sites?

You could set up an eem script to apply an acl to the dsl site to deny those users inbound when the wireless link goes down.

John

HTH, John *** Please rate all useful posts ***

access list to permit connection to remote site based on communi

An IP-SLA and track condition can be used in this case.  

What is the central office, user's ip segment?

thanks

Hall of Fame Super Silver

access list to permit connection to remote site based on communi

It seems to me that EEM scripts and IP SLA are very nice very sophisticated possible solutions. But it seems to me that there is perhaps a more simple solution. I would assume that traffic that is over wireless is on one layer 3 interface and traffic over the dsl is over a different layer 3 interface. In this case it would seem that an access list placed on the dsl interface could deny traffic from the sec group to the server and permit other traffic and would accomplish the objective.

HTH

Rick

Re: access list to permit connection to remote site based on com

Hehe.. And then there's that I over think sometimes...

HTH, John *** Please rate all useful posts ***
New Member

access list to permit connection to remote site based on communi

Hello Richard,

I like your suggestion i have enclose the two interface, I would be very grateful if you can provide an example of the access list using the info provided in the post.

interface GigabitEthernet0/0

description Wireless Interface

ip address 10.xxx.xxx.113 255.255.255.0

duplex auto

speed auto

interface GigabitEthernet0/1

description IP_DSL Interface

ip address 10.xx.xx.13 255.255.255.0

duplex auto

speed auto

Regards

New Member

access list to permit connection to remote site based on communi

hello Richard,

 

Below is an access list i created to be applied to the ip_dsl interface

In the object-group i include the list of users, Since the group of user reside at the central site i will apply same the

central site ip_dsl interface.

ip access-list extended No_Ip_Dsl_ACC

deny   ip object-group sec_group host 10.40.10.10

permit ip any any

Could you please  vet this access-list and see if it is okay.

Regards.

Jomo

New Member

access list to permit connection to remote site based on communi

Hello Richard,

Could you please vet same(previous post) and provide a feedback

Regards

Hall of Fame Super Silver

access list to permit connection to remote site based on communi

Jomo

I think that this access list is fine, assuming that 10.40.10.10 is the correct address for the single server for which you want to control access and that sec_group does accurately include the correct members of the security group. This access list would be applied outbound on the dsl interface at the central site.

HTH

Rick

346
Views
0
Helpful
8
Replies
CreatePlease login to create content