
4506, ACL problem

kltaylor1
Level 1

I have a 4506 that is used in a lab environment. We utilize the 192.168.X.X range split up into vlans:

vlan 2 assigned ip address 192.168.0.1

vlan 3 assigned ip address 192.168.1.1

vlan 4 assigned ip address 192.168.2.1

vlan 5 assigned ip address 192.168.3.1

and so on.

here is the problem:

I need the people using 192.168.3.X on vlan 5 to only be able to access outside their vlan on PING (ICMP), DNS (udp 53), Proxy server on port 8080, LDAP (tcp 369), and SSL (tcp 443); this applies to all vlans.

And only host 192.168.0.180 on vlan 2

and host 192.168.2.181 on vlan 4

to be able to access all IPs on vlan 5.

Everything I have tried with extended ACLs has failed to allow this to happen.

Ken Taylor

5 Replies

srue
Level 7

Where are you applying the ACLs? Are you using ACLs in both directions on each interface? Are they reflexive ACLs?

Post your config.

How about something like this, applied inbound on interface vlan5:

access-list 101 remark --- Allow Pings in and out
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 remark --- Allow DNS
access-list 101 permit udp any eq domain any
access-list 101 permit udp any any eq domain
access-list 101 remark --- Allow access to proxy
access-list 101 permit tcp any eq 8080 any
access-list 101 permit tcp any any eq 8080
access-list 101 remark --- Allow LDAP
access-list 101 permit tcp any eq 369 any
access-list 101 permit tcp any any eq 369
access-list 101 remark --- Allow access to 192.168.0.180
access-list 101 permit ip any host 192.168.0.180
access-list 101 remark --- Allow access to 192.168.2.181
access-list 101 permit ip any host 192.168.2.181
access-list 101 remark --- Allow access to all hosts in VLAN 5
access-list 101 permit ip any 192.168.3.0 0.0.0.255
access-list 101 deny ip any any

Hope that helps - pls rate posts that help.

Regards,

Paresh

Sorry for the delay in responding.

I tried to apply the ACL to the vlan, one in and one out. That did not work.

I was not using reflexive ACLs.

I will work on getting a copy of my config off the test network so that I can send it out.

Basically I applied it as follows:

interface Vlan5
 ip address 192.168.3.1 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out

and the following access lists:

access-list 101 permit tcp any any established
access-list 101 permit tcp 192.168.3.0 0.0.0.255 any eq 8080
access-list 101 permit tcp 192.168.3.0 0.0.0.255 any eq 389
access-list 101 permit tcp 192.168.3.0 0.0.0.255 any eq 443
access-list 101 permit udp 192.168.3.0 0.0.0.255 any eq domain
access-list 101 permit icmp 192.168.3.0 0.0.0.255 any
access-list 102 permit tcp any any established
access-list 102 permit tcp host 192.168.0.180 192.168.3.0 0.0.0.255
access-list 102 permit tcp host 192.168.2.181 192.168.3.0 0.0.0.255
access-list 102 permit icmp host 192.168.0.180 192.168.3.0 0.0.0.255
access-list 102 permit icmp host 192.168.2.181 192.168.3.0 0.0.0.255

Here's a small excerpt of something similar I set up on a 6509 using reflexive ACLs (adjust IPs and ports to your liking)...

ip access-list extended vlan232_acl_inbound
 evaluate intraffic232
 permit tcp any host 192.168.232.20 eq www reflect outtraffic232
 permit tcp any host 192.168.232.20 eq 443 reflect outtraffic232
 permit tcp any host 192.168.232.20 eq ftp reflect outtraffic232
 permit tcp any host 192.168.232.20 range 1024 5000 reflect outtraffic232
 permit tcp any host 192.168.232.42 eq ftp reflect outtraffic232
 permit tcp any host 192.168.232.42 range 1024 5000 reflect outtraffic232
 permit ip host 192.168.51.5 192.168.232.0 0.0.0.255
 permit ip 192.168.231.0 0.0.0.255 192.168.232.0 0.0.0.255
 permit ip host 206.195.31.0 192.168.232.0 0.0.0.255
 deny ip 192.168.0.0 0.0.255.255 192.168.232.0 0.0.0.255
!
ip access-list extended vlan232_acl_outbound
 evaluate outtraffic232
 permit ip 192.168.232.0 0.0.0.255 host 192.168.151.33 reflect intraffic232
 permit ip 192.168.232.0 0.0.0.255 192.168.2.0 0.0.0.255 reflect intraffic232
 permit ip 192.168.232.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect intraffic232
 permit ip 192.168.232.0 0.0.0.255 host 192.168.51.5
 permit ip 192.168.232.0 0.0.0.255 192.168.231.0 0.0.0.255
 deny ip 192.168.232.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.232.0 0.0.0.255 any reflect intraffic232
!
interface Vlan232
 ip access-group vlan232_acl_outbound in
 ip access-group vlan232_acl_inbound out

...One more note: another poster suggests ACLs using the 'established' keyword. This only works for TCP traffic.
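As an added illustration (my own code, not from the thread and not Cisco's), here is a small Python evaluator for the numbered extended-ACL syntax used in the replies above: first-match semantics, wildcard masks, `host`/`any`, `eq`/`range` ports, the `established` keyword, and the implicit `deny ip any any`. It runs the ACL 101 from the earlier reply against flows of the kind the original post asked for, and also checks the last reply's point that `established` matches only TCP. All flow addresses and ports are constructed for the example; the ACL itself is copied verbatim, so the LDAP entries keep the thread's port 369 (the registered LDAP port is 389). Running it shows that the posted ACL 101 has no entry for tcp 443, so an SSL flow from VLAN 5 falls through to the final deny.

```python
"""Cisco-style extended ACL evaluator (added example, not code from the thread).

Supports: permit/deny, protocol (ip/tcp/udp/icmp), 'any' / 'host X' / 'X WILDCARD'
addresses, optional 'eq PORT' or 'range LO HI' on either side, and 'established'.
ICMP type keywords such as 'echo' are accepted but not filtered on.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable

PORT_NAMES = {"domain": 53, "www": 80, "ftp": 21}   # names that appear in the thread


@dataclass
class Packet:
    proto: str          # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK/RST set: the only thing 'established' looks at


@dataclass
class Entry:
    action: str
    proto: str
    src: Callable[[int], bool]
    sport: Callable[[int], bool]
    dst: Callable[[int], bool]
    dport: Callable[[int], bool]
    established: bool
    text: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _addr(toks, i):
    """Parse 'any', 'host X' or 'X WILDCARD' at toks[i]; return (matcher, next index)."""
    if toks[i] == "any":
        return (lambda a: True), i + 1
    if toks[i] == "host":
        h = _ip(toks[i + 1])
        return (lambda a: a == h), i + 2
    base, wild = _ip(toks[i]), _ip(toks[i + 1])
    care = ~wild & 0xFFFFFFFF            # wildcard bit 0 means "must match"
    return (lambda a: (a & care) == (base & care)), i + 2


def _port(toks, i):
    """Parse an optional 'eq PORT' or 'range LO HI' at toks[i]."""
    if i < len(toks) and toks[i] == "eq":
        p = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        return (lambda x: x == p), i + 2
    if i < len(toks) and toks[i] == "range":
        lo, hi = int(toks[i + 1]), int(toks[i + 2])
        return (lambda x: lo <= x <= hi), i + 3
    return (lambda x: True), i


def parse_entry(line: str):
    """Turn one 'access-list N ...' line into an Entry; remark lines give None."""
    toks = line.split()
    if toks[:1] == ["access-list"]:
        toks = toks[2:]                  # drop 'access-list 101'
    if not toks or toks[0] == "remark":
        return None
    action, proto = toks[0], toks[1]
    src, i = _addr(toks, 2)
    sport, i = _port(toks, i)
    dst, i = _addr(toks, i)
    dport, i = _port(toks, i)
    return Entry(action, proto, src, sport, dst, dport, "established" in toks[i:], line.strip())


def evaluate(acl, pkt: Packet):
    """First matching entry wins; the implicit 'deny ip any any' ends every ACL."""
    s, d = _ip(pkt.src), _ip(pkt.dst)
    for e in filter(None, map(parse_entry, acl)):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue                     # a tcp entry never matches udp, even with 'established'
        if e.established and not pkt.ack:
            continue
        if e.src(s) and e.sport(pkt.sport) and e.dst(d) and e.dport(pkt.dport):
            return e.action, e.text
    return "deny", "implicit deny ip any any"


# ACL 101 as suggested earlier in the thread (remarks omitted), copied verbatim.
ACL_101 = [
    "access-list 101 permit icmp any any echo",
    "access-list 101 permit icmp any any echo-reply",
    "access-list 101 permit udp any eq domain any",
    "access-list 101 permit udp any any eq domain",
    "access-list 101 permit tcp any eq 8080 any",
    "access-list 101 permit tcp any any eq 8080",
    "access-list 101 permit tcp any eq 369 any",
    "access-list 101 permit tcp any any eq 369",
    "access-list 101 permit ip any host 192.168.0.180",
    "access-list 101 permit ip any host 192.168.2.181",
    "access-list 101 permit ip any 192.168.3.0 0.0.0.255",
    "access-list 101 deny ip any any",
]

# Constructed sample flows from a VLAN 5 host, as seen inbound on interface Vlan5.
FLOWS = {
    "ping":   Packet("icmp", "192.168.3.10", "192.168.0.20"),
    "dns":    Packet("udp", "192.168.3.10", "192.168.0.53", 5353, 53),
    "proxy":  Packet("tcp", "192.168.3.10", "192.168.1.8", 40000, 8080),
    "ldap":   Packet("tcp", "192.168.3.10", "192.168.0.10", 40001, 369),
    "https":  Packet("tcp", "192.168.3.10", "192.168.1.50", 40002, 443),
    "smb":    Packet("tcp", "192.168.3.10", "192.168.0.50", 40003, 445),
    "to_180": Packet("tcp", "192.168.3.10", "192.168.0.180", 40004, 445),
}


def check_requirements():
    """Map each sample flow to the action ACL 101 takes on it."""
    return {name: evaluate(ACL_101, pkt)[0] for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for name, pkt in FLOWS.items():
        print(f"{name:7} -> {evaluate(ACL_101, pkt)}")
```

The evaluator is deliberately direction-agnostic: you feed it the packet as it appears at the point where the ACL is applied, so to check the return path of ACL 102 you construct the reply packet (server as source, VLAN 5 host as destination) and set `ack=True` only for TCP segments that actually carry ACK or RST.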