
ACL's 851

tmcmurray51
Level 1

Any help someone can provide would be much appreciated.

Here are the issues I am having: we have an 851 connected to the net as well as a VPN tunnel to our head office. We need to restrict a group of computers from the Internet, but these computers still need to have and be accessed through the VPN.

6 Replies

Jon Marshall
Hall of Fame

Tristan

When you say connected to the net, do you mean the local network in the remote office or the Internet? Is the Internet access via your head office?

Jon

the internet

Okay, let's say the group of computers is a small subnet, 192.168.5.0 255.255.255.240. If they are not a summarisable subnet then you may need to have individual host entries.

Let's also say that the HQ networks are

192.168.6.0/24

192.168.7.0/24

192.168.8.0/24

access-list 101 permit ip 192.168.5.0 0.0.0.15 192.168.6.0 0.0.0.255

access-list 101 permit ip 192.168.5.0 0.0.0.15 192.168.7.0 0.0.0.255

access-list 101 permit ip 192.168.5.0 0.0.0.15 192.168.8.0 0.0.0.255

access-list 101 deny ip 192.168.5.0 0.0.0.15 any

access-list 101 permit ip any any

Then on the LAN interface of your 851:

int fa0/1

ip access-group 101 in

You need to allow ip from any to any at the end of the ACL if you have other computers in your LAN that should have access to the HQ and the net.

Jon
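
Added example, not part of Jon's reply: a small Python model of how ACL 101 is evaluated top-down with wildcard masks and first match wins, so the intended policy can be checked before it is applied. The function names are hypothetical, the parser handles only the `ip` entries shown in this thread, and the ACL is written as network plus wildcard without the `host` keyword.

```python
import ipaddress

# ACL 101 from the thread, source given as network + wildcard mask
# (the `host` keyword takes one address and no wildcard).
ACL_101 = """
access-list 101 permit ip 192.168.5.0 0.0.0.15 192.168.6.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.15 192.168.7.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.15 192.168.8.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.15 any
access-list 101 permit ip any any
"""

def _take_spec(tokens):
    """Consume one address spec from tokens; return (base, wildcard) as ints."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(word)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N <action> ip <src> <dst>' lines into ordered entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, rest = tokens[2], tokens[4:]
        src = _take_spec(rest)
        dst = _take_spec(rest)
        entries.append((action, src, dst))
    return entries

def _matches(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(entries, src, dst):
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, src_spec, dst_spec in entries:
        if _matches(s, src_spec) and _matches(d, dst_spec):
            return action  # first matching entry decides
    return "deny"          # implicit deny at the end of every ACL

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    # Constructed flows; 203.0.113.10 stands in for an Internet host.
    for src, dst in [("192.168.5.3", "192.168.7.20"), ("192.168.5.3", "203.0.113.10"),
                     ("192.168.5.20", "203.0.113.10")]:
        print(src, "->", dst, evaluate(acl, src, dst))
```

Moving the deny entry above the three permits blocks the restricted hosts from HQ as well, which is why the order in the reply matters.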

The 851 is the external router on our Internet connection to that build. The head office does not have any Internet access forwarded through the tunnel, only intranet services.

