1526 Views, 0 Helpful, 5 Replies

Cisco extended ACL

denverelway
Level 1

Hi, I need some help! On a specific VLAN I want to give my wifi users access only to the Internet and to specific resources on the LAN. I created an extended ACL on my Cisco 3750 and applied it to my VLAN interface. It looks like this:

10 permit ip any 10.4.197.0 0.0.0.255      --> my subnet for wifi users
20 permit ip any host 10.4.134.2
30 permit ip any host 10.4.134.3
40 permit ip any host 10.4.134.16
50 permit ip any host 10.4.134.117
60 permit ip any 192.168.0.0 0.0.0.255     --> my DMZ
100 permit ip any 192.168.133.0 0.0.0.255  --> my firewall subnet

On my VLAN interface the command is: ip access-group ACCESS in

My problem is: I can access only the hosts on my LAN that I specified (that's perfect), but when I try to go to the Internet I can't!

Does anybody have an idea to solve my problem? I tried to add another ACL:

Extended IP access list ACCESSWEB
    10 permit tcp 10.4.197.0 0.0.0.255 any eq www

and applied it to my VLAN interface (ip access-group ACCESSWEB out) together with the other one (ip access-group CSDDSF in), but the result is the same (no Internet). If I only apply this one (ip access-group CSDDSF in), the Internet works fine.

Thanks!

Accepted Solution

Bernard

Collin did well to identify the problem that DNS is needed. I am surprised that he did not see the other part of the problem. Your access list permits certain specific host destinations and 2 subnets. Remember that in every access list there is an implicit deny any any at the bottom of the access list. So when you attempt to go to the Internet the access list checks your packet against the access list. It does not match any of the permits and so it is denied.

To achieve the results that you want the access list should follow the permits that you have created with deny statements that deny all of the network destinations that are inside your network and then should have a permit ip any any so that traffic can get to the Internet.

HTH

Rick


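As an added illustration (not code from this thread), here is a small Python model of how IOS walks an extended ACL: first match wins, and anything unmatched hits the implicit deny. It is run over the ACL as posted and over a copy extended the way the accepted answer describes; the 10.4.0.0/16 and 192.168.0.0/16 "internal" summaries in the extended list are assumptions made for this example, and tcp/udp port matching (the `eq www` entry) is not modelled.

```python
import ipaddress

# Minimal model of IOS extended-ACL evaluation: entries are tried in sequence
# order, the first match wins, and a packet matching nothing hits the implicit
# "deny ip any any" at the bottom. Only the "ip" src/dst forms are modelled.
def wildcard_match(addr, network, wildcard):
    """True if addr matches network/wildcard (a 1 bit in the wildcard means 'don't care')."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_entry(line):
    """Parse 'seq action proto src dst' where src/dst use the any/host/wildcard forms."""
    tokens = line.split()
    seq, action, proto, rest = int(tokens[0]), tokens[1], tokens[2], tokens[3:]

    def take_addr(tok):
        if tok[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), tok[1:]
        if tok[0] == "host":
            return (tok[1], "0.0.0.0"), tok[2:]
        return (tok[0], tok[1]), tok[2:]

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    return seq, action, proto, src, dst

def evaluate(acl, src, dst):
    """Return (action, matching sequence number); seq None means the implicit deny fired."""
    for seq, action, _proto, (sn, sw), (dn, dw) in sorted(parse_entry(l) for l in acl):
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action, seq
    return "deny", None

# The ACL exactly as posted in the question (its "ip" entries).
ORIGINAL_ACL = [
    "10 permit ip any 10.4.197.0 0.0.0.255", "20 permit ip any host 10.4.134.2",
    "30 permit ip any host 10.4.134.3", "40 permit ip any host 10.4.134.16",
    "50 permit ip any host 10.4.134.117", "60 permit ip any 192.168.0.0 0.0.0.255",
    "100 permit ip any 192.168.133.0 0.0.0.255",
]
# The accepted answer's fix: keep the specific permits, then deny the rest of the
# internal address space, then "permit ip any any" so Internet-bound traffic passes.
# Treating 10.4.0.0/16 and 192.168.0.0/16 as "internal" is an assumption for this example.
FIXED_ACL = ORIGINAL_ACL + [
    "110 deny ip any 10.4.0.0 0.0.255.255", "120 deny ip any 192.168.0.0 0.0.255.255",
    "130 permit ip any any",
]
```

Because the deny entries sit after the specific permits, the DMZ and firewall subnets stay reachable while the rest of 192.168.0.0/16 and 10.4.0.0/16 is blocked and an Internet destination falls through to entry 130.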

5 Replies

Collin Clark
VIP Alumni

You'll also need to open DNS.

It's done!

Thanks it works great!

Bernard

I am glad that my response guided you to a solution for your problem. Access lists can get tricky and I sometimes need to remind myself that unless there is a specific permit for it then traffic will not go through.

Thank you for using the rating system to mark this question as answered - and thanks for the rating. It makes the forum more useful when people can read a problem and can know that a solution was found. Your marking this question has contributed to that process.

HTH

Rick
