guest vlan access dilemma

Situation: I created a 'guest vlan' on our network that will be used by NON-employees. This VLAN hands the user a DNS server and through a standard ACL allows all web browsing (to the internet) and all DNS lookups to that supplied DNS server.

Problem: What happens if a GUEST USER wants to VPN to his/her corporate network? How do I allow that without opening my network up any more than it is? When a guest VPNs to their corporate net they will get DNS and may need to connect to resources on their net that I do not allow access to in my ACL.

Any ideas are much appreciated. Thanks in advance.

1 REPLY
Re: guest vlan access dilemma

You will need to change your standard ACL to an extended ACL. Here is a guideline:

access-list 101 permit udp (guest-VLAN-network) host (DNS server) eq domain

access-list 101 deny ip (guest-VLAN-network) (internal-network)

access-list 101 permit ip (guest-VLAN-network) any

This will give specific access to the DNS server, deny all other access to your internal network, and permit any access, including VPN tunnels, to the Internet.

If your internal network cannot be summarized with a single IP address, repeat the second command as many times as you need to in order to block access to all of your network space.

HTH

Mark
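A concrete version of that ACL, added here as an example and not Mark's own configuration. It assumes a guest VLAN of 10.250.0.0/24 on SVI Vlan250, a DNS server at 10.0.0.53, three internal ranges that cannot be summarized into one line, and that guests get their address from DHCP relayed by this router (so the DHCP permit is needed before the implicit deny at the end of the list).

```cisco
! Constructed addresses: guest VLAN 10.250.0.0/24, DNS server 10.0.0.53,
! internal space 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
! Wildcard masks are the inverse of the subnet mask (/24 -> 0.0.0.255).
! Entries are evaluated top to bottom, first match wins, so the DNS permit
! must come before the deny that covers the same 10.0.0.0/8 range.
access-list 101 remark Guests must be able to obtain a DHCP lease through the relay
access-list 101 permit udp any eq bootpc any eq bootps
access-list 101 remark Only DNS lookups to the server handed out by DHCP
access-list 101 permit udp 10.250.0.0 0.0.0.255 host 10.0.0.53 eq domain
access-list 101 remark One deny per internal block; log hits to spot guests probing inside
access-list 101 deny   ip 10.250.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
access-list 101 deny   ip 10.250.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log
access-list 101 deny   ip 10.250.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log
access-list 101 remark Everything else goes to the Internet: web browsing and a guest's own
access-list 101 remark VPN to their employer (IKE udp/500, NAT-T udp/4500, ESP, SSL VPN tcp/443)
access-list 101 permit ip 10.250.0.0 0.0.0.255 any
!
interface Vlan250
 description Guest VLAN
 ip address 10.250.0.1 255.255.255.0
 ip access-group 101 in
```

Because the list ends with `permit ip ... any`, the guest's VPN tunnel is carried to the Internet unchanged; what the remote VPN pushes (DNS, routes) lives inside that tunnel and never touches your internal ranges, which the deny lines (and their log entries) still cover.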
