Question about implicit rule to less secure networks

gbromleyclc
Level 1

Okay, I had a long question written out, and that triggered something in my head and I fixed my issue.  But that leaves me with a question: why did it work?

So I was having problems with accessing an internal camera from our wireless network, which are on different subnets.  The wireless network has a security level of 10, so has access to pretty much just the internet. I was able to get access from the wireless network to the internal camera with the acl: access-list CLC_Wireless_access_in line 1 extended permit ip 192.168.x.0 255.255.255.128 host 192.168.xx.51.

Originally I tried this, but it removed the implicit access to less secure networks, and I lost connection to the internet. Then I tried an 'any any' rule for the wireless, but that allowed access to the entire internal network, which I didn't want.  So then I tried both, sort of. I used the  acl to the camera (above) and then this one, 'wireless to any': access-list CLC_Wireless_access_in line 2 extended permit ip 192.168.x.0 255.255.255.128 any

And now I have what I want, access from the wireless to the camera (not the rest of the internal network) and access to the internet.  My question is: why does the 'wireless to any' acl not grant access to the rest of the internal network?  I figured it was because that implicit rule only to less secure networks is still there, behind the scenes blocking traffic to a higher security level. So does an 'any any' on the wireless allow all traffic, and a 'wireless to any' allow all traffic to less secure networks?

Thanks in advance,

- Greg

3 Replies

Maykol Rojas
Cisco Employee

Hi Greg,

Short answer: it does grant access to everything. Having that is the same as doing the any any you did before.

The reason it does not have access to the rest of the internal network might be routing, NAT or even an ACL on the internal interface, but I would bet it is not on the wireless side.

You can try running a "packet-tracer" to other internal resources, and it would probably result in an allow.

Again, the reason it does not let other assets be accessed may require a look at the rest of the config.

Mike.

Mike

Thanks for the quick response Mike!

So what would be the correct way to accomplish access from the wireless network to the camera and outbound to the internet?

Is there any way to have the acl for the camera in place and put the implicit 'allow access to less secure networks' back in before the implicit 'deny' blocks everything?

 

Thanks again,

Greg

permit the wireless subnet to the specific host
deny the wireless subnet to the rest of the internal network
permit the wireless subnet to any

Note: if there are any other higher-security interfaces connected to networks, you would need to deny those as well before the permit to any at the end.

Jon
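To show why the order in Jon's list matters, here is an added example (not code from the thread or from Cisco) that models the ASA's first-match evaluation of an interface ACL in Python; the subnets, hosts and the "internal" range are constructed stand-ins for the masked addresses in Greg's post.

```python
# Added example: a minimal model of how an ASA walks an interface ACL
# top-down, first match wins, implicit deny at the end. Once an ACL is
# applied to an interface, the security-level default no longer applies,
# so a "permit wireless any" line really does reach the internal network.
import ipaddress

class Ace:
    """One access-control entry: action, source network, destination network."""
    def __init__(self, action, src, dst):
        self.action = action
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)

def evaluate(acl, src_ip, dst_ip):
    """First matching entry decides; nothing matched means the implicit deny."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action
    return "deny"

# Constructed placeholders (assumptions, not the poster's real addressing).
WIRELESS = "192.168.1.0/25"     # stands in for 192.168.x.0 255.255.255.128
CAMERA   = "192.168.20.51/32"   # stands in for host 192.168.xx.51
INTERNAL = "192.168.0.0/16"     # stands in for "the rest of the internal network"

# Greg's ACL: line 1 permits the camera, line 2 permits the wireless subnet to any.
greg_acl = [Ace("permit", WIRELESS, CAMERA),
            Ace("permit", WIRELESS, "0.0.0.0/0")]

# Jon's ordering: specific permit, deny the rest of internal, then permit to any.
jon_acl = [Ace("permit", WIRELESS, CAMERA),
           Ace("deny",   WIRELESS, INTERNAL),
           Ace("permit", WIRELESS, "0.0.0.0/0")]

# Constructed test flows: the camera, some other internal host, and the internet.
FLOWS = {
    "wireless->camera":     ("192.168.1.10", "192.168.20.51"),
    "wireless->fileserver": ("192.168.1.10", "192.168.30.7"),
    "wireless->internet":   ("192.168.1.10", "203.0.113.9"),
}

def results(acl):
    return {name: evaluate(acl, s, d) for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("greg", greg_acl), ("jon", jon_acl)):
        print(label, results(acl))
```

Running it shows Greg's two-line ACL permitting the fileserver flow, which is Mike's point, while Jon's ordering permits only the camera and the internet; swapping Jon's deny below the permit-to-any would make it dead code, since the earlier line already matched.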
