1136 Views, 0 Helpful, 15 Replies

VLAN pool need to deny access to LAN

wrathyimp
Level 1

Hi,

I am creating a VLAN pool for guest users to access the Internet only.

How can I deny access to all the local LAN VLANs?

My guest VLAN subnet is 192.168.9.0.

So I need to deny access to all these VLANs:

192.168.1.0
192.168.2.0
192.168.3.0
192.168.4.0
192.168.5.0
192.168.6.0
192.168.7.0
192.168.8.0

I have tried the following access-list configuration:

access-list 127 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.7
access-list 127 permit ip 192.168.9.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 127 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 127 permit ip any any

But it didn't work, as I couldn't ping any local LAN IPs, nor browse any website.

Thanks

15 Replies

JohnTylerPearce
Level 7

Well, if you have an SVI created for this VLAN you can do the following. I'm assuming all unknown routes go out your Internet default gateway?

int vlan x
 ip address 192.168.9.1 255.255.255.0
 ip access-group 111 in

(I'm just using .1 as an example, I don't know what your gateway is numbered.)

access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.0.7 log
access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 extended permit ip any any

EDIT:

---------

Is this an ASA by any chance? Also, what direction and interface do you have this associated with?

hahaha, sorry, I had a brain fart with my config... Freakin' Monday mornings.

access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255 log

The poster below is correct as well.

Thanks John,

My Internet gateway is 192.168.1.6 (my firewall).

This is a 4503 switch.

I will update you after trying these rules.

It's only denying access to the 192.168.8.0 subnet, but I can access all the other subnets.

So should I repeat the second command for all the other subnets?

Hi,

You need to deny all the required subnets and at the end give permit any any, like below...


ip access-list exte Guest_access
deny ip any 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.7.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
permit ip any any

As above, if you need to add any other subnets that should not be accessible from the guest VLAN, you can do it by adding another deny ip any xxxxx command. But make sure you keep that permit ip any any last.


int vlan Guest
ip access-group Guest_access in

Please rate the helpful posts.
Regards,
Naidu.

Can't we reduce the list?

Like deny any, and give access to the Internet gateway and to the same subnet (192.168.9.0)?

access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255 log
access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 extended permit ip any any

Try again, I messed up my earlier config.

Hi,

Yeah, you can use subnet...

deny ip any 192.168.9.0 0.0.0.255 192.168.1.0 0.0.15.255
permit ip any any


Please rate the helpful posts.
Regards,
Naidu.

So I just need to add the following rules:

deny ip any 192.168.9.0 0.0.0.255 192.168.1.0 0.0.8.255
permit ip any any

But it's giving an error at 192.168.9.0 after any.

And if I give the following rules, there is no change to my VLAN access:

Extended IP access list 127
    10 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.0.7 log
    20 deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.8.255 (14 matches)
    30 permit ip any any (1 match)

Hi,

Sorry, it was a typo.
The rule should be like below...

deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.15.255
permit ip any any

Please rate the helpful posts.
Regards,
Naidu.

It's totally blocked all access.

I can't get Internet access.

Are you putting this ACL in the inbound direction on that VLAN?

FE

-----

int vlan 200
 ip access-group 10 in

Can you ping the default gateway for 192.168.9.0/24 network?

deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.15.255

This statement will block access for the 192.168.9.0/24 network to 192.168.1.0 up to 192.168.15.254.

Yes, it's blocking 192.168.9.1 (the default gateway).

But previously I tried:

Extended IP access list 127
    10 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.0.7 log
    20 deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.8.255 (14 matches)
    30 permit ip any any (1 match)

It didn't block anything.

Yeah, that was incorrect on my part. Try the following.

access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 extended permit ip any any

That should block everything from 192.168.0.0 - 192.168.8.255.

Everything else is permitted.

So it will block the 192.168.0.0/24 network (I don't know if that's a problem for you or not).

ip access-list exte Guest_access
deny ip any 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.7.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
permit ip any any

What Latchum said will work as well, but I know you want to cut down on the list size.

Hi,


When you only want a few of the networks blocked, then you have to follow what I suggested, because if you cut it down by using a summary subnet, then the main network (192.168.9.0) will fall under that subnet.

Please rate the helpful posts.
Regards,
Naidu.
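The thread turns on what each wildcard mask actually covers: FE's explanation of the 0.0.15.255 line, John's two-line version, and Naidu's point that a summary block swallows the guest subnet itself. Below is an added example (not code from the thread or from any poster) that evaluates the posted ACL lines the way IOS compares addresses, i.e. only on the bits where the wildcard bit is 0, so you can check which guest-VLAN destinations each variant denies before putting it on the 4503's SVI. The subnets and ACL lines come from the thread; the guest host address, the destination list and the RFC 5737 Internet address are constructed for the test.

```python
# Added example, not part of the thread: evaluate IOS wildcard-mask ACL lines
# offline to see which destinations each version of the guest ACL denies.
import ipaddress


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def is_contiguous(wildcard):
    """True if the wildcard is a run of 0 bits then a run of 1 bits (e.g. 0.0.7.255)."""
    w = _int(wildcard)
    return (w & (w + 1)) == 0


def wildcard_range(base, wildcard):
    """First and last address covered by 'base wildcard' (contiguous wildcards only).

    IOS ignores base bits under a 1 in the wildcard, so an unaligned base is
    silently widened: 192.168.1.0 0.0.15.255 behaves as 192.168.0.0 0.0.15.255.
    """
    b, w = _int(base), _int(wildcard)
    first = b & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | w))


def _match(addr, base, wildcard):
    w = _int(wildcard)
    return (_int(addr) & ~w) == (_int(base) & ~w)


def parse_ace(line):
    """Parse '<permit|deny> ip <src> <dst> [log]' into (action, src, dst).

    <src>/<dst> are 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. A stray token,
    such as the extra 'any' in 'deny ip any 192.168.9.0 0.0.0.255 ...', is
    rejected, as the switch CLI rejected it in the thread.
    """
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError("unsupported ACE: " + line)
    i, ends = 2, []
    try:
        while len(ends) < 2:
            if tok[i] == "any":
                ends.append(("0.0.0.0", "255.255.255.255")); i += 1
            elif tok[i] == "host":
                ends.append((tok[i + 1], "0.0.0.0")); i += 2
            else:
                ends.append((tok[i], tok[i + 1])); i += 2
    except IndexError:
        raise ValueError("incomplete ACE: " + line)
    if tok[i:] not in ([], ["log"]):
        raise ValueError("unexpected tokens %s in: %s" % (tok[i:], line))
    return tok[0], ends[0], ends[1]


def evaluate(acl, src, dst):
    """'permit' or 'deny' for a packet src -> dst; IOS ends every ACL with an implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if _match(src, sb, sw) and _match(dst, db, dw):
            return action
    return "deny"


def denied_destinations(acl, src, dsts):
    return [d for d in dsts if evaluate(acl, src, d) == "deny"]


# ACL variants from the thread (one-line summary, two-line version, per-subnet list),
# without the ACL number/name.
NAIDU_ONE_LINE = ["deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.15.255",
                  "permit ip any any"]
JOHN_TWO_LINE = ["deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255",
                 "deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255",
                 "permit ip any any"]
PER_SUBNET = ["deny ip 192.168.9.0 0.0.0.255 192.168.%d.0 0.0.0.255" % n
              for n in range(1, 9)] + ["permit ip any any"]

# Constructed test packets from a guest host: its own gateway, the firewall,
# a LAN host, a host in 192.168.0.0/24 and an Internet address (RFC 5737 range).
GUEST = "192.168.9.50"
DESTS = ["192.168.9.1", "192.168.1.6", "192.168.8.20", "192.168.0.5", "203.0.113.10"]

if __name__ == "__main__":
    print("192.168.1.0 0.0.15.255 really covers", wildcard_range("192.168.1.0", "0.0.15.255"))
    print("0.0.8.255 contiguous?", is_contiguous("0.0.8.255"))  # False: not a range at all
    for name, acl in [("one-line", NAIDU_ONE_LINE), ("two-line", JOHN_TWO_LINE),
                      ("per-subnet", PER_SUBNET)]:
        print("%-10s denies %s" % (name, denied_destinations(acl, GUEST, DESTS)))
```

Running it shows the three outcomes the thread reports: the one-line summary widens to 192.168.0.0 to 192.168.15.255 and so denies the guest gateway 192.168.9.1; the two-line version denies 192.168.0.0/24 through 192.168.8.0/24 and leaves the gateway and Internet addresses reachable; the per-subnet list leaves 192.168.0.0/24 reachable. Since an inbound SVI ACL matches on the packet's destination address, denying 192.168.1.0/24 does not stop Internet-bound traffic from being routed via the 192.168.1.6 firewall. The 0.0.8.255 wildcard from ACL 127 fails the contiguity check, which is the kind of line worth catching before it is applied.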
