Interface access-list on Cisco 4506

thornick
Level 1

I have one computer connected to the 4506. Management does not want this PC to have access to anything on our network except our DHCP server and the one printer that resides on our network. I created an extended access list as follows. Our network is 10.10.x.x and the external addresses the PC needs to access are 11.1.x.x. Once this PC is rebooted, it is unable to access DHCP to get the needed IP address; it bounces back to a 169.x.x.x address and stops working.

Extended IP access list 2000
    permit tcp host 10.10.200.242 host 11.1.200.1              (gateway)
    permit tcp host 10.10.200.242 host 11.1.2.151 eq smtp      (access from the PC to external server for SMTP)
    permit tcp host 10.10.200.242 host 11.1.2.149 eq 5721      (access from the PC to external server for remote access)
    permit tcp host 10.10.200.242 host 11.1.2.149 eq www       (access from the PC to the web)
    permit tcp host 10.10.200.242 host 10.10.200.243           (gives the PC access to the printer on our network)
    permit udp host 10.10.200.242 host 10.10.201.2 eq 67       (gives the PC access to our internal DHCP server)
    permit udp host 10.10.200.242 host 10.10.201.2 eq 68       (gives the PC access to our internal DHCP server)

Then I applied the access-group 2000 on the interface the PC is connected to.

What am I missing for DHCP to work and for this PC to always get the IP address that is reserved for it?

3 Replies

Richard Burts
Hall of Fame

The biggest problem in your access list is that each of the entries specifies that the source is host 10.10.200.242. But when the PC boots and attempts to access the DHCP server it has no IP address (that is why it is trying to access the DHCP server, is it not?). So the source address of the DHCP request would be 0.0.0.0.

HTH

Rick


Rick,

Thank you, that makes sense. So 0.0.0.0 is only for the permits to the DHCP server; otherwise I would use the IP address 10.10.200.242 to access the outside network only. I just need to verify: do I need a deny statement at the end of the ACL?

Also for the interface I have

ip access-group 2000 in (name for the extended access list)

Is this all I need on the interface, and do I need to also add the IP Relay Trusted statement?

This is actually a huge project that will be going out to many sites so I need to get it working correctly here at my central office.

Thank you

There is an implicit deny at the end of an access list. So technically you do not need to put a deny at the end of the access list. Some people (frequently including me) do like to put the deny at the end. For one thing it makes it explicit that traffic that gets to the bottom of the access list will be denied. And with the deny configured you get a counter of how many packets have been denied. So you may configure the deny at the end or not as you choose.

There are some permit statements here that allow this host to access certain resources within your network. But I do not see anything that would allow this host to access the Internet. Probably what you should do in the access list is to permit the host access to some resources within your network, deny the host access to any other resources within your network, and then permit any.

How the address is reserved in the DHCP server so that the host always gets the same address will depend on what kind of DHCP server you are using and how it is configured. There is not anything on the 4506 that impacts this.

HTH

Rick

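To make Rick's two points concrete (the 0.0.0.0 source of the boot-time DHCP request, and the permit-specific / deny-rest-of-internal / permit-any structure), here is an added example that is not code from this thread or from Cisco: a small Python model of IOS extended-ACL evaluation (entries tried in order, first match wins, implicit deny at the end) run over the questioner's ACL and over a revised ACL built the way Rick describes. The revised entries, the 10.10.0.0 0.0.255.255 wildcard for "the rest of the internal network", and the constructed DHCP DISCOVER packet (source 0.0.0.0, destination 255.255.255.255, UDP 68 to 67) are my assumptions, not anything the thread states.

```python
import ipaddress

PORT_NAMES = {"smtp": 25, "www": 80, "bootps": 67, "bootpc": 68}  # IOS keywords used below
def _addr(tok):
    # One IOS address spec: 'any' | 'host A' | 'A WILDCARD' (contiguous wildcard assumed)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    prefix = 32 - bin(int(ipaddress.ip_address(tok[1]))).count("1")
    return ipaddress.ip_network((tok[0], prefix), strict=False), tok[2:]

def _port(tok):
    # Optional 'eq PORT' qualifier; None means any port
    if tok and tok[0] == "eq":
        return int(PORT_NAMES.get(tok[1], tok[1])), tok[2:]
    return None, tok

def evaluate(acl, pkt):
    """IOS semantics: entries are tried in order, first match wins, implicit deny at the end."""
    for line in acl:
        action, proto, *rest = line.split()
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, _ = _port(rest)
        if proto not in ("ip", pkt["proto"]) or sport not in (None, pkt["sport"]) or dport not in (None, pkt["dport"]):
            continue
        if ipaddress.ip_address(pkt["src"]) in src and ipaddress.ip_address(pkt["dst"]) in dst:
            return action
    return "deny"  # fell off the end: the implicit deny every IOS ACL carries

ORIGINAL_ACL = [  # the seven entries from the question, verbatim
    "permit tcp host 10.10.200.242 host 11.1.200.1",
    "permit tcp host 10.10.200.242 host 11.1.2.151 eq smtp",
    "permit tcp host 10.10.200.242 host 11.1.2.149 eq 5721",
    "permit tcp host 10.10.200.242 host 11.1.2.149 eq www",
    "permit tcp host 10.10.200.242 host 10.10.200.243",
    "permit udp host 10.10.200.242 host 10.10.201.2 eq 67",
    "permit udp host 10.10.200.242 host 10.10.201.2 eq 68",
]
REVISED_ACL = [  # assumed rewrite following Rick's structure, applied 'in' on the PC's port
    "permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps",  # DISCOVER/REQUEST: no address yet
    "permit udp host 10.10.200.242 eq bootpc any eq bootps",             # renewals once the lease exists
    "permit tcp host 10.10.200.242 host 10.10.200.243",                  # the printer
    "deny ip host 10.10.200.242 10.10.0.0 0.0.255.255",                  # everything else inside
    "permit ip host 10.10.200.242 any",                                  # the outside 11.1.x.x resources
]
# Constructed packet: what the port ACL sees when the PC boots and asks for a lease
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "sport": 68, "dst": "255.255.255.255", "dport": 67}
```

`evaluate(ORIGINAL_ACL, DHCP_DISCOVER)` returns "deny" (no entry matches a 0.0.0.0 source, so the implicit deny applies), while `evaluate(REVISED_ACL, DHCP_DISCOVER)` returns "permit"; the same function shows the revised list still blocking other 10.10.x.x hosts and still passing the 11.1.x.x traffic.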