04-25-2006 01:55 PM - edited 03-03-2019 02:57 AM
I am trying to set up a home network for myself, for practice basically, that has two VLANs. One will be a secure VLAN with servers, domain access, etc. The other will just be an internet access VLAN.
I have an internet gateway, but only one, that needs to be shared by both VLANs. Currently I have everything set up fine so that I can access the internet from either VLAN. The only problem is I think by opening a link between them to share the internet connection I am also opening a security risk. I need an ACL to allow only internet traffic from the second VLAN to be passed through.
My problem has been that anything I have tried either allows nothing to pass, or everything to pass. I was trying to do just a permit from any host to any host on http, and deny everything else.
Thanks for any help.
04-26-2006 06:18 PM
Did you try an extended ACL using the source IP?
I mean something like:
ip access-list ext my_acl
permit ip 192.168.2.0 0.0.0.255 host 192.168.1.5
permit ip host 192.168.1.5 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip any 192.168.1.0 0.0.0.255
deny ip any any
I'm not very good with ACLs,
but let me know!
Vlad
04-25-2006 08:21 PM
Hi Erik,
If you want to limit the traffic to just HTTP, you can try something like the following:
interface Ethernet0.10
encapsulation dot1q 10
ip address 10.1.1.1 255.255.255.0
ip access-group 101 in
!
access-list 101 permit tcp any any eq http
access-list 101 permit tcp any any eq https
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
Try that out and see how you go.
Hope that helps - pls do remember to rate posts that help.
Paresh
04-26-2006 06:05 PM
No, that still leaves me with the same problem. I am able to connect through the native VLAN, but not the secondary one. Here is my setup, in case it helps.
192.168.1.1 - internet gateway
192.168.1.5 - native VLAN (1) router IP
192.168.2.5 - secondary VLAN router IP (same physical router)
What I want is to be able to have full access on the 192.168.1.x VLAN, telnet to control my routers and switches, remote desktop to control servers, etc. Then I just want the router to pass any requests from the 192.168.2.x VLAN for internet access off to the gateway.
With that access list I am able to resolve an IP address, but still not see a website load in the browser.
Thanks again.
04-26-2006 06:57 PM
Erik,
Would you be able to post your config ?
Paresh
04-27-2006 04:58 AM
Current configuration : 854 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname InterVLAN
!
enable secret
!
ip subnet-zero
!
!
!
!
interface FastEthernet0
no ip address
speed auto
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
ip address 192.168.1.5 255.255.255.0
!
interface FastEthernet0.2
encapsulation dot1Q 2
ip address 192.168.2.5 255.255.255.0
!
interface Serial0
no ip address
shutdown
!
router rip
network 192.168.1.0
network 192.168.2.0
!
ip default-gateway 192.168.1.1
ip classless
ip default-network 192.168.1.0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
!
!
line con 0
password
logging synchronous
login
line aux 0
password
login
line vty 0 4
password
login
!
end
04-28-2006 05:58 PM
I have another question for you:
You said that you need to access the server on 192.168.1.0/24; from which subnet? Are you connected on the same VLAN, or coming from the internet?
Somewhere in this network you are doing NAT, right? So to get in, you would need a static NAT or outside NAT.
So, if you are coming from the internet I think you'd need to set an ACL to permit only the IP you have.
But I guess you're inside VLAN 1, 192.168.1.0/24, so basically you need to restrict traffic from 192.168.2.0/24 from reaching 192.168.1.0/24.
You need an ACL on the fa0.2 blocking traffic like this:
ip access-list extended sec-traffic-out
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
int fa0.2
ip access-group sec-traffic-out in
I guess what could be confusing you is that your INTERNET gateway is on 192.168.1.0/24, but outgoing internet traffic will have layer-3 destination addresses on a different subnet, like 200.0.0.0/8, so it won't be blocked by the ACL.
HTH,
if it does, please rate this post,
Vlad
BTW, I think you don't need:
ip default-gateway, as it's used when you don't have routing configured (no ip routing).
Also ip default-network has a specific use; I'm not sure you'd need it here either.
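The following is an added example, not posted in this thread and not Cisco code: a small Python model of how IOS evaluates an extended ACL (wildcard masks, first match wins, implicit deny at the end). It runs two of the lists from this thread against constructed packets arriving inbound on fa0.2: Paresh's port-based list 101 and Vlad's sec-traffic-out list, written with `permit ip any any`. The host 192.168.1.20 (an assumed VLAN 1 server) and the 203.0.113.0/24 addresses (standing in for internet hosts) are assumptions, as are the port numbers. It shows why the subnet-based deny lets web traffic out while the internet gateway sits on the blocked subnet, and it also shows a caveat worth knowing: a port-based list like 101 still permits HTTP from VLAN 2 to a server on VLAN 1, because it filters on ports, not on where the traffic is going.

```python
"""Model of Cisco IOS extended-ACL evaluation (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"http": 80, "https": 443, "domain": 53, "telnet": 23}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str            # "ip" matches any protocol
    src: str
    src_wc: str
    sport: Optional[int]
    dst: str
    dst_wc: str
    dport: Optional[int]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_addr(tok):
    """Consume 'any' | 'host A' | 'NET WILDCARD' and return (network, wildcard, rest)."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]


def _take_port(tok):
    """Consume an optional 'eq <port>' qualifier."""
    if tok and tok[0] == "eq":
        p = tok[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tok[2:]
    return None, tok


def parse_acl(text: str):
    """Parse named ('ip access-list extended ...') or numbered ('access-list 101 ...') ACEs."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("!", "ip"):   # skip blank lines, comments and the header
            continue
        if tok[0] == "access-list":            # numbered form: drop 'access-list 101'
            tok = tok[2:]
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, src_wc, tok = _take_addr(tok)
        sport, tok = _take_port(tok)
        dst, dst_wc, tok = _take_addr(tok)
        dport, tok = _take_port(tok)
        aces.append(Ace(action, proto, src, src_wc, sport, dst, dst_wc, dport))
    return aces


def evaluate(aces, pkt: Packet) -> str:
    """First matching entry decides; an IOS ACL ends with an implicit 'deny ip any any'."""
    for e in aces:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# Vlad's list, as applied inbound on fa0.2 (written with the full 'permit ip any any').
SUBNET_ACL = """
ip access-list extended sec-traffic-out
 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
"""

# Paresh's port-based list 101.
PORT_ACL = """
access-list 101 permit tcp any any eq http
access-list 101 permit tcp any any eq https
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
"""

# Constructed packets as seen arriving from VLAN 2 on fa0.2 (addresses are assumptions).
SAMPLES = {
    "rdp_to_vlan1_server":  Packet("tcp", "192.168.2.10", "192.168.1.20", 40001, 3389),
    "http_to_vlan1_server": Packet("tcp", "192.168.2.10", "192.168.1.20", 40002, 80),
    "telnet_to_router":     Packet("tcp", "192.168.2.10", "192.168.1.5", 40003, 23),
    "ping_gateway":         Packet("icmp", "192.168.2.10", "192.168.1.1"),
    "http_to_internet":     Packet("tcp", "192.168.2.10", "203.0.113.10", 40004, 80),
    "dns_to_internet":      Packet("udp", "192.168.2.10", "203.0.113.53", 40005, 53),
    "ping_internet":        Packet("icmp", "192.168.2.10", "203.0.113.10"),
}


def decisions(acl_text: str) -> dict:
    """Return {sample name: 'permit' | 'deny'} for every constructed packet."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("sec-traffic-out (subnet)", SUBNET_ACL), ("list 101 (ports)", PORT_ACL)):
        print(label)
        for name, verdict in decisions(acl).items():
            print(f"  {name:22s} {verdict}")
```

The model is stateless, like a plain IOS extended ACL: it checks only the layer-3 destination of each forwarded packet, not the next hop, which is exactly why traffic to 203.0.113.10 passes even though the router forwards it to 192.168.1.1. The same rule means VLAN 2 hosts cannot ping 192.168.1.1 itself, which does no harm to forwarding. NAT, routing and return traffic on the other subinterface are outside what this example covers.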
04-28-2006 06:58 PM
Yeah, I am doing NAT. The servers are on VLAN1, and only need to be accessed by PCs on VLAN1. I want to prevent PCs from VLAN2 from connecting to VLAN1, but allow internet traffic.
I think you are on the money with the IP address range thing. I had been trying to block everything from 192.168.2.0 to 192.168.1.0, except to 192.168.1.1, but as mentioned the final destination isn't in my network so it shouldn't make a difference.
I will try it out and see how it works.
04-28-2006 07:29 PM
Worked like a charm, as far as I can tell I can no longer reach the secure VLAN from the insecure one, but can get from the insecure VLAN to the internet.
04-29-2006 03:07 AM
Good job Vladrac... you were accurate enough to understand the problem and EQUALLY accurate in solving the issue... gr888... I'll remember your id for any help... hahahah... don't worry, I won't harass you for everything... :-)
04-29-2006 07:42 AM
Hey,
thanks. Glad to help!
Vlad