07-11-2009 06:57 AM - edited 03-06-2019 06:42 AM
CISCO 3750 12.2(25) SEE2
Cisco 2950 12.1.(22) EA2
We codevelop software with teams from other companies and they come to our site to do this. With these companies we have setup Lan to Lan tunnels. So when they come we allow them to connect to our Guest network. Then they VPN into their companies and connect to a particular host on our end. It does not seem the best way to me for them to loop around like that because of our security restrictions when they are in our site.
I was thinking about letting them connect to our company LAN then configure ACLs in a switch, apply them to specific ports and allow them access only to an specific host on port 80 and 443.
If it makes any difference I will throw these 2 scenarios in:
1- destination host and guest users connected physically to ports in the same switch
2- destination host and guest users connected in different switches uplinked with switches in between . I wonder it if is needed one set of ACLs on both switches or does it matter?
Is this possible, please provide an example of how it would like in the configuration
Thanks for your help
John
Solved! Go to Solution.
07-12-2009 04:23 AM
the 2950 will not allow acl's
The way we do this here is we created a VLAN specific for vendors and contractors. Then we configured certain ports on the switch with this vlan for them to connect to. In the Layer 3 switch we created acl's to not allow access to internal resources and allow all internet traffic. We created PBR's for this and send their traffic through the firewall for inspection.
interface Vlan249
description VLAN249-VENDOR
ip address 10.1.249.1 255.255.255.0
ip policy route-map VLAN249-VENDER_POLICY
!
ip access-list extended VLAN249-VENDOR
remark Vendor Access
deny ip 10.1.249.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.1.249.0 0.0.0.255 any
!
route-map VLAN249-VENDOR_POLICY permit 10
match ip address VLAN249-VENDOR
set ip default next-hop 10.254.1.10
07-11-2009 04:44 PM
Hi John,
Firstly, the 2950 is a very simple switch and won't probably support ACLs.
Secondly, I don't know if your company is going to be interested, but have you considered implementing Wireless LAN technology?
Some of the features with Cisco's extensive Wireless suites are:
1. Time "bomb" guest access;
2. Each Wireless Access Point can advertise specific SSID (or VLANs);
3. Plug-n-Play (if you use the Wireless LAN Controllers);
4. And a whole lot more!
Hope this helps.
07-12-2009 04:23 AM
the 2950 will not allow acl's
The way we do this here is we created a VLAN specific for vendors and contractors. Then we configured certain ports on the switch with this vlan for them to connect to. In the Layer 3 switch we created acl's to not allow access to internal resources and allow all internet traffic. We created PBR's for this and send their traffic through the firewall for inspection.
interface Vlan249
description VLAN249-VENDOR
ip address 10.1.249.1 255.255.255.0
ip policy route-map VLAN249-VENDER_POLICY
!
ip access-list extended VLAN249-VENDOR
remark Vendor Access
deny ip 10.1.249.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.1.249.0 0.0.0.255 any
!
route-map VLAN249-VENDOR_POLICY permit 10
match ip address VLAN249-VENDOR
set ip default next-hop 10.254.1.10
07-12-2009 12:44 PM
engagerocks,
Thank you very much for your reply. Now following your example if I want those vendors to access an internal web server: 10.30.111.111 on port 443.
ip access-list extended VLAN249-VENDOR
remark Vendor Access
permit tcp 10.1.249.0 0.0.0.255 host 10.30.111.111 eq 443
deny ip 10.1.249.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.1.249.0 0.0.0.255 any
Does the above line I added accomplish it? ALso, is the PBR the route-map statement? is it really needed when the only way to go out to the Internet is thru the firewall?
Thanks for your input
07-12-2009 02:19 PM
yes you are correct.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: