Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Access Lists - Protected and the UnProtected

Greetings,

I have a scenario in which a user has a gaming console and tends to open a lot of ports or ends up disabling the firewall entirely to play online. I looked into DMZ solutions but I don't see a howto that really fits my needs (dhcp addressed wan with one ip, internal dmz ip space, and nat). Perhaps Im not googling the correct key words. I made new acls to see if I can essentailly create an unprotected network and a protected one. It doesnt seem best practice though and Im afraid to go with it without consulting those who are more Cisco savvy. Any insight or direction would be greatly appreciated!

Here are the ACLs I created to see if I can create an unprotected network that would not be affected by a WAN acl

WAN: DHCP
vlan100 (protected):      172.16.107.224/27

vlan101 (unprotected):  172.16.106.192/27

!

ip access-list extended wan-inbound

remark deny management services

deny tcp any any eq 22

deny tcp any any eq 23

deny tcp any any eq 80

deny tcp any any eq 443

deny udp any any eq snmp

remark deny spoofing-and-invalids

deny ip 10.0.0.0 0.255.255.255 any

deny ip 172.16.0.0 0.15.255.255 any

deny ip 192.168.0.0 0.0.255.255 any

deny ip 127.0.0.0 0.255.255.255 any

deny ip host 255.255.255.255 any

remark allow everything else

permit ip any any

!

ip access-list extended vlan100-protected-inbound

remark define wan-inbound and other-lan-networks-inbound rules

remark permit anything initiated from the lan

permit tcp any any established

remark permit DNS requests

permit udp any eq domain any

remark deny spoofing-mylan

deny ip 172.16.107.0 0.0.0.255 any

remark allow isp-dhcp-requests

permit udp any eq bootps any eq bootpc

remark allow icmp

permit icmp any any echo-reply

permit icmp any any time-exceeded

permit icmp any any unreachable

deny ip 172.16.107.224 0.0.0.31 any

deny ip host 255.255.255.255 any

deny ip 127.0.0.0 0.255.255.255 any

deny ip any any log

!

ip access-list extended vlan101-unprotected-inbound

remark define wan-inbound and other-lan-networks-inbound rules

remark this is for devices like wireless router and gaming console

deny ip 172.16.107.192 0.0.0.31 any

deny ip host 255.255.255.255 any

deny ip 127.0.0.0 0.255.255.255 any

permit ip any any

!

ip access-list extended nat-overload-acl

remark nat these networks

permit ip 172.16.107.0 0.0.0.255 any

!

interface Vlan100

description internal-network

ip access-group vlan100-internal-inbound in

exit

interface Vlan101

description unprotected-network

ip access-group  vlan101-unprotected-inbound in

exit

interface FastEthernet0

description INET

ip access-group wan-inbound in

exit

!

Everyone's tags (2)
2 REPLIES
Hall of Fame Super Blue

Access Lists - Protected and the UnProtected

Ron

What is the main concern ie. is it you have to allow a lot of traffic back in via the WAN interface because of the gaming session ?

If so a solution may be reflexive acls which can dynamically allows ports back in depending on what you allow out.

Whether you device supports them or not i don't know as you haven't specified the model you are using.

Can you clarify what your main concern is ?

Jon

New Member

Access Lists - Protected and the UnProtected

Jon,

Thanks so much for the reply! I'll have to look into relfexive acls and see if that's what I'm looking for. Under my

vlan100-protected-inbound acl I have 'permit tcp any any established' which I believe accomplishes any initiated sessions from the that lan. My main concern is the wan acl. I dont really like having 'permit any any' on the wan, but felt that is what I had to do to have a vlan that wouldn't be restricted by any acl statements for his gaming needs. Granted, I need to see an example of what game and what he claims is being affected by the current acl that I currently have on the wan, which right now is esentially what I have on vlan 100. I was looking for a solution in which he could plug into a port that is a member of 101, and wouldn't possibly have an issue with his games by an acl.  Thanks so much again for your time!


148
Views
0
Helpful
2
Replies
CreatePlease to create content