Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

guest vlan and vpn

Situation: I created a 'guest vlan' on our network that will be used by NON-employees. This VLAN hands the user a DNS server and through a standard ACL allows all web browsing (to the internet) and all DNS lookups to that supplied DNS server.

Problem: What happens if a GUEST USER wants to VPN to his/her corporate network? How do I allow that without opening my network up any more than it is? When a guest VPN's to their corporate net they will get DNS and may need to connect to resources on their net that I am not allow access to in my ACL.

Any ideas are much appreciated. Thanks in advance.

2 ACCEPTED SOLUTIONS

Accepted Solutions
Bronze

Re: guest vlan and vpn

I'll post again my response to your same question in Remote Access:

You will need to change your standard ACL to an extended ACL. Here is a guideline:

access-list 101 permit udp (guest-VLAN-network) host (DNS server) eq domain

acess-list 101 deny ip (guest-VLAN-network) (internal-network)

access-list 101 per ip (guest-VLAN-network) any

This will give specific access to the DNS server, deny all other access to your internal network, and permit any access, including VPN tunnels, to the Internet.

If your internal network can not be summarized with a single IP address, repeat the second command as many times as you need to in order to block access to all of your network space.

HTH

Mark

Bronze

Re: guest vlan and vpn

Yes, inbound on the guest VLAN interface will do it.

Good luck.

Mark

3 REPLIES
Bronze

Re: guest vlan and vpn

I'll post again my response to your same question in Remote Access:

You will need to change your standard ACL to an extended ACL. Here is a guideline:

access-list 101 permit udp (guest-VLAN-network) host (DNS server) eq domain

acess-list 101 deny ip (guest-VLAN-network) (internal-network)

access-list 101 per ip (guest-VLAN-network) any

This will give specific access to the DNS server, deny all other access to your internal network, and permit any access, including VPN tunnels, to the Internet.

If your internal network can not be summarized with a single IP address, repeat the second command as many times as you need to in order to block access to all of your network space.

HTH

Mark

New Member

Re: guest vlan and vpn

Thank you for your reply. I mistakenly said Standard when I meant to say Extended. I am already using an extended ACL, but your response answers my question. I was trying to make things more difficult than they need to be. Instead of denying specific nets and allowing everything else, I was allowing specific things and denying everything else.

Also, I have architected the acl in the format you descibe, and I've applied it to the interface "IN". Is that the best way to do it?

Bronze

Re: guest vlan and vpn

Yes, inbound on the guest VLAN interface will do it.

Good luck.

Mark

111
Views
0
Helpful
3
Replies
CreatePlease to create content