01-25-2006 10:59 AM - edited 03-03-2019 01:35 AM
I have a 4506 that is used in a lab environment. We utilize the 192.168.X.X range split up into vlans:
vlan 2 assigned ip address 192.168.0.1
vlan 3 assigned ip address 192.168.1.1
vlan 4 assigned ip address 192.168.2.1
vlan 5 assigned ip address 192.168.3.1
and so on.
Here is the problem:
I need the people using 192.168.3.X on vlan 5 to only be able to access outside their vlan on PING (ICMP), DNS (udp 53), the proxy server on port 8080, LDAP (tcp 369), and SSL (tcp 443); this applies to all vlans.
And only host 192.168.0.180 on vlan 2
and host 192.168.2.181 on vlan 4
should be able to access all IPs on vlan 5.
Everything I have tried with extended ACLs has failed to allow this to happen.
Ken Taylor
01-25-2006 06:24 PM
Where are you applying the ACLs? Are you using ACLs in both directions on each interface? Are they reflexive ACLs?
Post your config.
01-25-2006 09:56 PM
How about something like this, applied inbound on interface vlan5:
access-list 101 remark --- Allow Pings in and out
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 remark --- Allow DNS
access-list 101 permit udp any eq domain any
access-list 101 permit udp any any eq domain
access-list 101 remark --- Allow access to proxy
access-list 101 permit tcp any eq 8080 any
access-list 101 permit tcp any any eq 8080
access-list 101 remark --- Allow LDAP
access-list 101 permit tcp any eq 369 any
access-list 101 permit tcp any any eq 369
access-list 101 remark --- Allow access to 192.168.0.180
access-list 101 permit ip any host 192.168.0.180
access-list 101 remark --- Allow access to 192.168.2.181
access-list 101 permit ip any host 192.168.2.181
access-list 101 remark --- Allow access to all hosts in VLAN 5
access-list 101 permit ip any 192.168.3.0 0.0.0.255
access-list 101 deny ip any any
Hope that helps - pls rate posts that help.
Regards,
Paresh
01-26-2006 11:13 AM
Sorry for the delay in responding.
I tried to apply the ACL to the vlan, one in and one out. That did not work.
I was not using the reflexive ACLs.
I will work on getting a copy of my config off the test network so that I can send it out.
Basically I applied it as follows:
interface Vlan5
ip address 192.168.3.1
ip access-group 101 in
ip access-group 102 out
and the following access lists:
access-list 101 permit tcp any any established
access-list 101 permit tcp 192.168.3.1 0.0.0.255 any eq 8080
access-list 101 permit tcp 192.168.3.1 0.0.0.255 any eq 389
access-list 101 permit tcp 192.168.3.1 0.0.0.255 any eq 443
access-list 101 permit udp 192.168.3.1 0.0.0.255 any eq domain
access-list 101 permit icmp 192.168.3.1 0.0.0.255 any
access-list 102 permit tcp any any established
access-list 102 permit tcp host 192.168.0.180 192.168.3.1 0.0.0.255
access-list 102 permit tcp host 192.168.2.181 192.168.3.1 0.0.0.255
access-list 102 permit icmp host 192.168.0.180 192.168.3.1 0.0.0.255
access-list 102 permit icmp host 192.168.2.181 192.168.3.1 0.0.0.255
01-26-2006 01:34 PM
Here's a small excerpt of something similar I set up on a 6509 using reflexive ACLs (adjust IPs and ports to your liking)...
ip access-list extended vlan232_acl_inbound
evaluate intraffic232
permit tcp any host 192.168.232.20 eq www reflect outtraffic232
permit tcp any host 192.168.232.20 eq 443 reflect outtraffic232
permit tcp any host 192.168.232.20 eq ftp reflect outtraffic232
permit tcp any host 192.168.232.20 range 1024 5000 reflect outtraffic232
permit tcp any host 192.168.232.42 eq ftp reflect outtraffic232
permit tcp any host 192.168.232.42 range 1024 5000 reflect outtraffic232
permit ip host 192.168.51.5 192.168.232.0 0.0.0.255
permit ip 192.168.231.0 0.0.0.255 192.168.232.0 0.0.0.255
permit ip host 206.195.31.0 192.168.232.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 192.168.232.0 0.0.0.255
ip access-list extended vlan232_acl_outbound
evaluate outtraffic232
permit ip 192.168.232.0 0.0.0.255 host 192.168.151.33 reflect intraffic232
permit ip 192.168.232.0 0.0.0.255 192.168.2.0 0.0.0.255 reflect intraffic232
permit ip 192.168.232.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect intraffic232
permit ip 192.168.232.0 0.0.0.255 host 192.168.51.5
permit ip 192.168.232.0 0.0.0.255 192.168.231.0 0.0.0.255
deny ip 192.168.232.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.232.0 0.0.0.255 any reflect intraffic232
!
!
interface Vlan232
ip access-group vlan232_acl_outbound in
ip access-group vlan232_acl_inbound out
01-27-2006 06:39 AM
...one more note. Another poster suggested ACLs using the 'established' keyword. This only works for TCP traffic.
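To make the last note concrete, here is an added example (my own code, not something posted in this thread or shipped by Cisco): a small simulator for the subset of IOS extended ACL syntax used in the poster's ACLs 101 and 102. It walks each service's request and reply through the ACL that would actually see it on the Vlan5 SVI and shows that `established` carries the TCP replies (proxy, and the management host's sessions) but the UDP DNS reply and the ICMP echo-reply hit the implicit deny of ACL 102. `ACL_102_FIXED` adds the two explicit reply lines that close that gap. Addresses such as 192.168.3.10 and 192.168.1.5 and the port numbers of the flows are constructed for the demonstration; the parser only understands the keywords that appear in the posted ACLs.

```python
"""Added example: simulate the IOS extended ACLs 101/102 from the post above."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"domain": 53, "www": 80}   # IOS port keywords used in the ACLs
# ack: TCP ACK/RST bit set, which is all that the 'established' keyword checks
Packet = namedtuple("Packet", "proto src dst sport dport ack icmp_type",
                    defaults=(0, 0, False, ""))
Rule = namedtuple("Rule", "action proto src dst sport dport established icmp_type")


def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0))
    # ipaddress accepts a dotted hostmask (wildcard); strict=False mirrors IOS,
    # which reads '192.168.3.1 0.0.0.255' as the whole of 192.168.3.0/24
    return ipaddress.IPv4Network(f"{t}/{tokens.pop(0)}", strict=False)


def _port(tokens):
    """Consume an optional 'eq PORT' (number or IOS keyword such as 'domain')."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None


def parse_rule(line):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P] [established|ICMP-TYPE]'."""
    action, proto, *rest = line.split()
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    icmp_type = rest[0] if proto == "icmp" and rest else None
    return Rule(action, proto, src, dst, sport, dport, "established" in rest, icmp_type)


def parse_acl(text):
    return [parse_rule(line) for line in text.strip().splitlines()]


def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in rule.src
            and ipaddress.IPv4Address(pkt.dst) in rule.dst
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport)
            and (pkt.ack or not rule.established)
            and rule.icmp_type in (None, pkt.icmp_type))


def evaluate(acl, pkt):
    """First match wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    return next((r.action for r in acl if matches(r, pkt)), "deny")


# ACL 101, applied 'in' on interface Vlan5: packets sent by VLAN 5 hosts
ACL_101 = parse_acl("""
permit tcp any any established
permit tcp 192.168.3.0 0.0.0.255 any eq 8080
permit tcp 192.168.3.0 0.0.0.255 any eq 389
permit tcp 192.168.3.0 0.0.0.255 any eq 443
permit udp 192.168.3.0 0.0.0.255 any eq domain
permit icmp 192.168.3.0 0.0.0.255 any
""")
# ACL 102, applied 'out' on interface Vlan5: packets delivered to VLAN 5 hosts
ACL_102 = parse_acl("""
permit tcp any any established
permit tcp host 192.168.0.180 192.168.3.0 0.0.0.255
permit tcp host 192.168.2.181 192.168.3.0 0.0.0.255
permit icmp host 192.168.0.180 192.168.3.0 0.0.0.255
permit icmp host 192.168.2.181 192.168.3.0 0.0.0.255
""")
# ACL 102 plus explicit reply lines for the two services 'established' cannot cover
ACL_102_FIXED = ACL_102 + parse_acl("""
permit udp any eq domain 192.168.3.0 0.0.0.255
permit icmp any 192.168.3.0 0.0.0.255 echo-reply
""")


def check_flows(acl_out):
    """Walk each flow through the ACL that sees it; returns {name: (action, ...)}.
    Constructed hosts: c = VLAN 5 client, s = server elsewhere, m = mgmt host."""
    c, s, m = "192.168.3.10", "192.168.1.5", "192.168.0.180"
    flows = {
        "dns": [(ACL_101, Packet("udp", c, s, 40000, 53)),
                (acl_out, Packet("udp", s, c, 53, 40000))],
        "ping": [(ACL_101, Packet("icmp", c, s, icmp_type="echo")),
                 (acl_out, Packet("icmp", s, c, icmp_type="echo-reply"))],
        "proxy": [(ACL_101, Packet("tcp", c, s, 40001, 8080)),
                  (acl_out, Packet("tcp", s, c, 8080, 40001, ack=True))],  # SYN-ACK
        "mgmt": [(acl_out, Packet("tcp", m, c, 50000, 22)),
                 (ACL_101, Packet("tcp", c, m, 22, 50000, ack=True))],
        "other-host": [(acl_out, Packet("tcp", s, c, 50001, 22))],
    }
    return {n: tuple(evaluate(acl, p) for acl, p in steps) for n, steps in flows.items()}
```

Calling `check_flows(ACL_102)` gives `('permit', 'deny')` for both `dns` and `ping` while `proxy` and `mgmt` come back `('permit', 'permit')`: the requests leave VLAN 5 fine, but only the TCP replies get back in, because `established` is just a check on the ACK/RST bit and matches nothing in a UDP or ICMP packet. With `ACL_102_FIXED` the same flows all pass, and a host that is not on the list (`other-host`) is still denied. The same reasoning is why the reflexive ACL approach in the earlier post works for every protocol: it creates the mirrored reply entry dynamically instead of relying on a TCP flag.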