985 Views | 0 Helpful | 3 Replies

Configuring a VLAN for Internet access only

randyclark (Level 1)

If I want to configure a VLAN to have access to the Internet only, would I write an ACL to permit only access to the internal IP of the firewall, or to the network address of the Internet VLAN?

2 Accepted Solutions

tsettle (Level 3)

What you configure depends on where you apply the ACL. In general, if it's Internet only (i.e., not your internal net), then your ACL would deny your internal subnets and permit all else (i.e., the Internet). An ACL for just the firewall will limit access to the firewall IP only (i.e., nowhere else).

For example:

PC----rtr---fw---Internet
        |
   other vlans

PC is 172.16.1.2/24 (on a VLAN by itself); the other VLAN is subnet 172.16.2.0/24.

To permit the PC to access the Internet only:

access-list 101 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 permit ip any any

Apply 101 inbound on the router interface to the PC VLAN; apply 102 outbound on the router interface to the PC VLAN.

The other VLAN won't be able to reach the PC and vice versa. The PC can reach the Internet.


3 Replies


Shouldn't that be the following, to permit only that PC?

access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip any any
access-list 102 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 deny ip any any

I think you are right
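An added example, not part of the thread and not anyone's posted configuration: a small Python evaluator that applies the semantics a Cisco numbered ACL uses (entries checked top to bottom, first match wins, implicit deny at the end, wildcard bits set to 1 meaning "don't care") to both ACL variants posted above, so a reader can check which flows each one actually permits for the PC VLAN. The addresses 172.16.1.2 and 172.16.2.0/24 and the ACL text come from the thread; 172.16.2.5 is a constructed host in the other VLAN, 203.0.113.10 is a constructed documentation-range address standing in for an Internet host, and the function names are my own.

```python
import ipaddress

# ACL text as posted in the accepted answer (deny internal subnet, permit the rest)
ORIGINAL_ACLS = """
access-list 101 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 permit ip any any
"""

# ACL text from the follow-up reply (permit inter-VLAN traffic, deny the rest)
REVERSED_ACLS = """
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip any any
access-list 102 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 deny ip any any
"""

PC_IP = "172.16.1.2"            # from the thread
OTHER_VLAN_HOST = "172.16.2.5"  # constructed host inside the thread's 172.16.2.0/24
INTERNET_HOST = "203.0.113.10"  # constructed: documentation range stands in for an Internet host


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco address/wildcard pair into a network. The wildcard is an
    inverse mask: 0.0.0.255 means 'first 24 bits must match'."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    # Only contiguous masks map to a prefix length; reject anything else explicitly.
    if ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF) != mask:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported here")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _endpoint(tokens):
    """Consume one source/destination spec: 'any', 'host A.B.C.D', or 'addr wildcard'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(config: str) -> dict:
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [entries]}."""
    acls = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        if proto != "ip":
            raise ValueError("this evaluator only understands 'ip' entries")
        src, rest = _endpoint(tokens[4:])
        dst, _ = _endpoint(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def evaluate(entries, src_ip: str, dst_ip: str) -> bool:
    """First matching entry decides; no match means the implicit deny applies."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False


def flows(config: str) -> dict:
    """Check the four flows the thread cares about against ACL 101 (inbound on the
    PC VLAN interface) and ACL 102 (outbound toward the PC VLAN)."""
    acls = parse_acls(config)
    inbound, outbound = acls["101"], acls["102"]
    return {
        "pc_to_internet": evaluate(inbound, PC_IP, INTERNET_HOST),
        "pc_to_other_vlan": evaluate(inbound, PC_IP, OTHER_VLAN_HOST),
        "internet_to_pc": evaluate(outbound, INTERNET_HOST, PC_IP),
        "other_vlan_to_pc": evaluate(outbound, OTHER_VLAN_HOST, PC_IP),
    }


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_ACLS), ("reversed", REVERSED_ACLS)):
        print(name, flows(cfg))
```

Two things the evaluator makes visible that the bare config lines do not: these ACLs are stateless, so the outbound ACL 102 is what lets Internet replies back to the PC, and with the "deny internal subnets, permit the rest" pattern every internal subnet that should stay unreachable has to be listed as its own deny entry before the `permit ip any any`, which is easy to re-check here by adding subnets to the ACL text and rerunning `flows()`.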