Community Member

Wireless ACL - Block internal access

I need to block all access from the guest wireless to our internal network. 

The following is the ACL I've come up with so far for the guest SSID. I thought seq 1 and 2 would work: 1 allows clients to communicate with DHCP and 2 blocks access to all internal IP addresses. I had to add seq 3 for clients to access the internet as a workaround for now. Unfortunately, because of seq 3, clients can also access everything else on our internal network. I believe the descriptions are correct. Not 100% sure. It's what I want them to do anyway.

  • Our DHCP Windows server hands our guest wireless clients an IP address and sets their DNS to the DNS of our ISP, not our internal DNS server.
  • The guest VLAN DHCP range is 10.55.12.50-10.55.13.254.
  • Our internal network is any IP in the 10.55 range.
  • Our controller is a Cisco 4402.

How do I accomplish this? 

ACL: GuestWiFi

| Seq | Action | Source IP/Mask | Destination IP/Mask | Protocol | Source Port | Dest Port | DSCP | Direction | NoH | Desc |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Permit | 10.55.12.0 / 255.255.255.255 | 10.55.1.1 / 255.255.255.255 | UDP | DHCP Client | DHCP Server | Any | Inbound | 0 | DHCP Server. Allow clients to respond to DHCP requests. |
| 2 | Deny | 10.55.12.0 / 255.255.255.0 | 10.55.0.0 / 255.255.0.0 | Any | Any | Any | Any | Any | 0 | Block access to internal network - all 10.55 addresses |
| 3 | Permit | 0.0.0.0 / 0.0.0.0 | 0.0.0.0 / 0.0.0.0 | Any | Any | Any | Any | Any | 0 | |
9 REPLIES
Community Member

Thoroughly check the wildcard mask which you are using on the 1st and 2nd sequence, which may be creating the problem.

 

But the concept is right. :)

Community Member

Seq 1: The guest VLAN DHCP range is 10.55.12.50-10.55.13.254.

Seq 2: Our internal network is any IP in the 10.55 range.

Knowing these two things does it look like I would have any problems with the wildcard mask? I'm not very confident in answering this. Hoping someone can help. 

Hi Andy,

 

There are some things I would recommend. The first is to keep in mind that when the clients in the guest VLAN boot up, they boot without any IP address, so if you apply an access list based on the guest VLAN IP addresses that you assume will be assigned by the DHCP server, it will not work, and your guest VLAN clients would never be able to get an IP address from the DHCP server. The second thing is that in order to allow the guest VLAN to access the internet, you don't necessarily have to allow that traffic towards your internal network; it is enough to allow it towards the gateway router. The last thing is that you don't need to apply any deny statement at the end of the access list, since there is an implicit deny by default.

Here is how your access list should look:

! DHCP discover/request from an unaddressed client to the broadcast address
! (IOS keywords: bootpc = UDP/68 client, bootps = UDP/67 server)
access-list 100 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
! Guest range towards the gateway only, assuming 10.55.0.1 is the gateway IP address
access-list 100 permit ip 10.55.12.0 0.0.1.255 host 10.55.0.1
 

Regards,

Aref

Community Member

Hey Aref,

Thank you for your suggestion. Yes, the gateway is 10.55.0.1. I'd hate to make you spell it out, but it would be easiest for me to get this up and running if you could write the access list out somewhat similar to the table above.

Thank you

Community Member

I believe I have the issue resolved. I cannot find any issues with the solution yet. If anyone sees any issues with this setup, let me know. The problem was solved through an ACL on the wireless controller.

Problem description: Want to deny access to internal network from guest network.
Resolution summary:
>> Configured ACL for denying access to all internal network.
>> Applied one rule for permitting access to any network.
>> Cannot ping internal network as per our requirement.
>> But Able to go on the internet.
>> Everything is working as expected.

Community Member

Hi Andy,

Do you mind sharing the access list you configured on the WLC? I am looking to do the same on my guest WLAN.

Community Member

Not a problem. The order is very important.

First allow access to all of your network; this ends up being last in the sequence. Then start denying access. For our network I permitted all and then added VLANs to deny. At the very beginning of the sequence is where I allowed access to specific devices/services on VLANs that are blocked. Here is an example. There could be a better way of doing this; if there is, please chime in.

ACL: GuestWiFi

| Seq | Action | Source IP/Mask | Destination IP/Mask | Protocol | Source Port | Dest Port | DSCP | Direction | NoH | Desc |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Permit | 0.0.0.0 / 0.0.0.0 | 10.55.1.117 / 255.255.255.255 | UDP | DHCP Client | DHCP Server | Any | Inbound | 0 | Allow printer |
| 2 | Deny | 10.55.12.0 / 255.255.252.0 | 10.55.8.0 / 255.255.252.0 | Any | Any | Any | Any | Any | 0 | Internal Wireless Vlan |
| 3 | Deny | 10.55.12.0 / 255.255.252.0 | 10.55.5.0 / 255.255.252.0 | Any | Any | Any | Any | Any | 0 | Management Vlan |
| 4 | Permit | 0.0.0.0 / 0.0.0.0 | 0.0.0.0 / 0.0.0.0 | Any | Any | Any | Any | Any | 0 | Everything |
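The two tables in this thread (the original attempt at the top and the working list above) differ mainly in their masks and ordering, and the first reply's advice to "check the mask" is easiest to follow by simulating first-match evaluation. The script below is an added example, not the thread's own code or a Cisco tool: it assumes WLC rules are checked top-down, the first match wins, an unmatched packet is denied, and it ignores ports and direction (so seq 1 is matched on addresses and protocol only).

```python
# Added example: first-match evaluation of the WLC-style ACLs posted in this
# thread. Assumptions (not from the thread): top-down evaluation, first match
# wins, implicit deny when nothing matches, ports and direction ignored.
from ipaddress import IPv4Address, IPv4Network
from typing import NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    seq: int
    action: str           # "Permit" or "Deny"
    src: str              # "ip / mask" exactly as shown in the WLC table
    dst: str
    proto: str = "Any"    # "Any", "UDP", "TCP", ...

def _net(ip_mask: str) -> IPv4Network:
    ip, mask = [p.strip() for p in ip_mask.split("/")]
    # strict=False so entries like 10.55.5.0 / 255.255.252.0 (host bits set)
    # are interpreted the way the controller does: as the 10.55.4.0/22 block.
    return IPv4Network(f"{ip}/{mask}", strict=False)

def match(acl, src_ip: str, dst_ip: str, proto: str = "TCP") -> Tuple[Optional[int], str]:
    """Return (seq, action) of the first matching rule, or (None, 'Deny')."""
    s, d = IPv4Address(src_ip), IPv4Address(dst_ip)
    for r in acl:
        if s in _net(r.src) and d in _net(r.dst) and r.proto in ("Any", proto):
            return r.seq, r.action
    return None, "Deny"   # implicit deny at the end of the list

# The original post's ACL: seq 1 has a /32 source mask (only host 10.55.12.0)
# and seq 2 a /24 source mask, which does not cover the 10.55.13.x clients.
ORIGINAL = [
    Rule(1, "Permit", "10.55.12.0 / 255.255.255.255", "10.55.1.1 / 255.255.255.255", "UDP"),
    Rule(2, "Deny",   "10.55.12.0 / 255.255.255.0",   "10.55.0.0 / 255.255.0.0"),
    Rule(3, "Permit", "0.0.0.0 / 0.0.0.0",            "0.0.0.0 / 0.0.0.0"),
]
# The working ACL posted later: /22 masks cover 10.55.12.0-10.55.15.255.
FINAL = [
    Rule(1, "Permit", "0.0.0.0 / 0.0.0.0",          "10.55.1.117 / 255.255.255.255", "UDP"),
    Rule(2, "Deny",   "10.55.12.0 / 255.255.252.0", "10.55.8.0 / 255.255.252.0"),
    Rule(3, "Deny",   "10.55.12.0 / 255.255.252.0", "10.55.5.0 / 255.255.252.0"),
    Rule(4, "Permit", "0.0.0.0 / 0.0.0.0",          "0.0.0.0 / 0.0.0.0"),
]

if __name__ == "__main__":
    # Constructed test packets: guests from both halves of the DHCP range
    # towards an internal host, a blocked VLAN, and the internet.
    for name, acl in (("original", ORIGINAL), ("final", FINAL)):
        for src, dst in (("10.55.12.60", "10.55.1.5"), ("10.55.13.100", "10.55.1.5"),
                         ("10.55.13.100", "10.55.8.5"), ("10.55.13.100", "8.8.8.8")):
            print(f"{name}: {src} -> {dst}: {match(acl, src, dst)}")
```

Running it shows that a 10.55.13.x guest falls through the original seq 2 and is permitted by seq 3, which is the leak described in the first post; swap in your own ranges and hosts to check a list before applying it to the WLAN.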
Community Member

Thanks, will give it a try!

Community Member

Dear Sir,

I have two WiFi VLANs. One is VLAN 102, the employee WiFi SSID, whose IP range is 10.15.85.1 to 10.15.85.128; the second is VLAN 103, the guest SSID, whose IP address range is 10.15.85.128-10.15.85.254; the subnet mask is the same, 255.255.255.128. I also have an intranet server with IP address 10.15.64.142. I want to block VLAN 103 from accessing the web server at 10.15.64.142. Please help me; I have tried many times, but all network access gets blocked.

Regards,

Gopal Bhatt
