
ACL on inter-VLAN router

ComputerErik (Level 1)

I am trying to set up a home network for myself, for practice basically, that has two VLANs. One will be a secure VLAN with servers, domain access, etc. The other will just be an internet access VLAN.

I have an internet gateway, but only one, that needs to be shared by both VLANs. Currently I have everything set up fine so that I can access the internet from either VLAN. The only problem is I think by opening a link between them to share the internet connection I am also opening a security risk. I need an ACL to allow only internet traffic from the second VLAN to be passed through.

My problem has been that anything I have tried either allows nothing to pass, or everything to pass. I was trying to do just a permit from any host to any host on http, and deny everything else.

Thanks for any help.

Accepted Solution

Did you try an extended ACL using source IP?

I mean something like:

ip access-list ext my_acl
 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.5
 permit ip host 192.168.1.5 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip any 192.168.1.0 0.0.0.255
 deny ip any any

I'm not very good in ACL, but let me know!

Vlad

10 Replies

pkhatri (Level 11)

Hi Erik,

If you want to limit the traffic to just HTTP, you can try something like the following:

interface Ethernet0.10
 encapsulation dot1q 10
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 permit tcp any any eq http
access-list 101 permit tcp any any eq https
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any

Try that out and see how you go.

Hope that helps - please do remember to rate posts that help.

Paresh

No, that still leaves me with the same problem. I am able to connect through the native VLAN, but not the secondary one. Here is my setup, in case it helps.

192.168.1.1 - internet gateway

192.168.1.5 - native VLAN (1) router IP

192.168.2.5 - secondary VLAN router IP (same physical router)

What I want is to be able to have full access on the 192.168.1.x VLAN, telnet to control my routers and switches, remote desktop to control servers, etc. Then I just want the router to pass any requests from the 192.168.2.x VLAN for internet access off to the gateway.

With that access list I am able to resolve an IP address, but still not see a website load in the browser.

Thanks again.


Erik,

Would you be able to post your config?

Paresh

Current configuration : 854 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname InterVLAN
!
enable secret
!
ip subnet-zero
!
interface FastEthernet0
 no ip address
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.5 255.255.255.0
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 192.168.2.5 255.255.255.0
!
interface Serial0
 no ip address
 shutdown
!
router rip
 network 192.168.1.0
 network 192.168.2.0
!
ip default-gateway 192.168.1.1
ip classless
ip default-network 192.168.1.0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
line con 0
 password
 logging synchronous
 login
line aux 0
 password
 login
line vty 0 4
 password
 login
!
end

I have another question for you:

You said that you need to access a server on 192.168.1.0/24; from which subnet? Are you connected on the same VLAN, or coming from the internet?

Somewhere in this network you are doing NAT, right? So to get in, you would need a static NAT or outside NAT.

So, if you are coming from the internet I think you'd need to set an ACL to permit only the IP you have.

But I guess you're inside VLAN 1, 192.168.1.0/24, so basically you need to restrict traffic from 192.168.2.0/24 to reach 192.168.1.0/24.

You need an ACL on the fa0.2 blocking traffic like this:

ip access-list extended sec-traffic-out
 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
!
int fa0.2
 ip access-group sec-traffic-out in

I guess what could be confusing you is that your INTERNET gateway is on 192.168.1.0/24, but outgoing internet traffic will have layer 3 destination addresses on a different subnet, like 200.0.0.0/8, so it won't be blocked by the ACL.

HTH,

if it does, please rate this post,

Vlad

BTW, I think you don't need:

ip default-gateway, as it's used when you don't have routing configured (no ip routing).

Also ip default-network has a specific use; I'm not sure you'd need it here either.
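As an added illustration (not code from the thread or from Cisco IOS), the following Python models Cisco extended-ACL matching, wildcard masks plus first-match semantics with the implicit deny, and runs both ACLs posted above, Paresh's port-based access-list 101 and Vlad's sec-traffic-out, against constructed packets. The hosts 192.168.2.10 and 192.168.1.20, the internet destination 203.0.113.7 and the ephemeral source port are constructed sample values.

```python
import ipaddress

# Added model of Cisco IOS extended-ACL matching (not the router's own code):
# entries are checked top to bottom, the first match wins, and every ACL ends
# with an implicit "deny ip any any". A wildcard mask is the inverse of a subnet
# mask: 0 bits must match, 1 bits are "don't care"; "any" is 0.0.0.0/255.255.255.255.

ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return 'permit' or 'deny' for one packet, first match wins.
    Entry layout: (action, protocol, src, src_port, dst, dst_port);
    a port of None means "any port", protocol 'ip' matches tcp and udp."""
    for action, aproto, asrc, asport, adst, adport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if asport is not None and asport != sport:
            continue
        if adport is not None and adport != dport:
            continue
        if wildcard_match(src, *asrc) and wildcard_match(dst, *adst):
            return action
    return "deny"  # implicit deny at the end of every Cisco ACL

# Vlad's sec-traffic-out, applied inbound on fa0.2 (the VLAN 2 sub-interface).
SEC_TRAFFIC_OUT = [
    ("deny", "ip", ("192.168.2.0", "0.0.0.255"), None, ("192.168.1.0", "0.0.0.255"), None),
    ("permit", "ip", ANY, None, ANY, None),
]

# Paresh's port-based access-list 101 (http, https, domain in both directions).
ACL_101 = [
    ("permit", "tcp", ANY, None, ANY, 80),
    ("permit", "tcp", ANY, None, ANY, 443),
    ("permit", "udp", ANY, None, ANY, 53),
    ("permit", "udp", ANY, 53, ANY, None),
]

if __name__ == "__main__":
    # Internet-bound: 203.0.113.7 (constructed) is outside 192.168.1.0/24, so the
    # deny entry never matches even though the next hop is 192.168.1.1.
    print(evaluate(SEC_TRAFFIC_OUT, "tcp", "192.168.2.10", "203.0.113.7", 40000, 80))    # permit
    print(evaluate(SEC_TRAFFIC_OUT, "tcp", "192.168.2.10", "192.168.1.20", 40000, 3389))  # deny
    print(evaluate(ACL_101, "tcp", "192.168.2.10", "192.168.1.20", 40000, 80))            # permit
```

The last line shows why the port-based list alone did not solve Erik's problem: it still lets a VLAN 2 host reach HTTP on a VLAN 1 server, whereas the source/destination-based list isolates the subnets while passing internet-bound traffic.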

Yeah, I am doing NAT. The servers are on VLAN1, and only need to be accessed by PCs on VLAN1. I want to prevent PCs from VLAN2 from connecting to VLAN1, but allow internet traffic.

I think you are on the money with the IP address range thing. I had been trying to block everything from 192.168.2.0 to 192.168.1.0, except to 192.168.1.1, but as mentioned the final destination isn't in my network so it shouldn't make a difference.

I will try it out and see how it works.

Worked like a charm, as far as I can tell I can no longer reach the secure VLAN from the insecure one, but can get from the insecure VLAN to the internet.

Good Job Vladrac....you were accurate enough to understand the problem and EQUALLY accurate in Solving the issue..gr888...i'll remember your id for any help....hahahah....dont worry..i wont harass u for everything...:-)

Hey,

thanks. Glad to help!

Vlad
