01-07-2004 07:56 AM - edited 03-02-2019 12:43 PM
Situation: I created a 'guest vlan' on our network that will be used by NON-employees. This VLAN hands the user a DNS server and through a standard ACL allows all web browsing (to the internet) and all DNS lookups to that supplied DNS server.
Problem: What happens if a GUEST USER wants to VPN to his/her corporate network? How do I allow that without opening my network up any more than it is? When a guest VPNs to their corporate net they will get DNS and may need to connect to resources on their net that I am not allowing access to in my ACL.
Any ideas are much appreciated. Thanks in advance.
01-07-2004 10:32 AM
I'll post again my response to your same question in Remote Access:
You will need to change your standard ACL to an extended ACL. Here is a guideline:
access-list 101 permit udp (guest-VLAN-network) host (DNS server) eq domain
access-list 101 deny ip (guest-VLAN-network) (internal-network)
access-list 101 permit ip (guest-VLAN-network) any
This will give specific access to the DNS server, deny all other access to your internal network, and permit any access, including VPN tunnels, to the Internet.
If your internal network cannot be summarized with a single IP address, repeat the second command as many times as you need to in order to block access to all of your network space.
HTH
Mark
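The following is an added example, not part of the thread or the poster's configuration: a small first-match evaluator for the extended ACL Mark outlines, with constructed placeholder addresses filled in (192.0.2.0/24 as the guest VLAN, 10.0.0.0/8 and 172.16.0.0/12 as two internal blocks so the deny line is repeated, 10.1.1.53 as the DNS server handed to guests, 203.0.113.7 as a guest's corporate VPN gateway). It shows why the order "permit DNS, deny internal, permit everything else" works, that IKE (UDP 500) and ESP to an outside VPN gateway fall through to the final permit, and what happens if the `permit ip ... any` line is placed above the denies.

```python
import ipaddress

# Constructed example ACL (not the poster's): Mark's three-line pattern with
# placeholder addresses. The internal space needs two summaries here, so the
# deny line is repeated once per block, as the reply suggests.
GUEST_ACL = """
access-list 101 permit udp 192.0.2.0 0.0.0.255 host 10.1.1.53 eq domain
access-list 101 deny ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 192.0.2.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
"""

# Same lines with the catch-all permit moved to the top (constructed, to show
# the first-match pitfall).
MISORDERED_ACL = """
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
access-list 101 permit udp 192.0.2.0 0.0.0.255 host 10.1.1.53 eq domain
access-list 101 deny ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 192.0.2.0 0.0.0.255 172.16.0.0 0.15.255.255
"""

# Port keywords the toy parser understands.
PORT_NAMES = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500, "www": 80}


def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the inverse of a subnet mask; contiguous bits assumed.
    subnet_mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix_len = bin(subnet_mask).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False), tokens[2:]


def parse_acl(text):
    """Turn 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines into entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        src, rest = _parse_addr(tokens[4:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, dport))
    return entries


def evaluate(entries, proto, src, dst, dport=None):
    """First-match evaluation, ending in the implicit deny every IOS ACL has."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, e_proto, e_src, e_dst, e_dport in entries:
        if e_proto != "ip" and e_proto != proto:
            continue
        if src_ip not in e_src or dst_ip not in e_dst:
            continue
        if e_dport is not None and e_dport != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of the list


def guest_probe(acl_text):
    """Evaluate representative guest traffic; returns {name: 'permit'|'deny'}."""
    acl = parse_acl(acl_text)
    g = "192.0.2.10"  # a constructed guest host
    return {
        "dns_to_supplied_server": evaluate(acl, "udp", g, "10.1.1.53", 53),
        "http_to_dns_server": evaluate(acl, "tcp", g, "10.1.1.53", 80),
        "smb_to_internal": evaluate(acl, "tcp", g, "10.20.30.40", 445),
        "ssh_to_second_internal_block": evaluate(acl, "tcp", g, "172.20.1.1", 22),
        "ike_to_corporate_vpn": evaluate(acl, "udp", g, "203.0.113.7", 500),
        "esp_to_corporate_vpn": evaluate(acl, "esp", g, "203.0.113.7"),
        "web_browsing": evaluate(acl, "tcp", g, "198.51.100.80", 80),
    }


if __name__ == "__main__":
    for label, acl_text in (("ordered", GUEST_ACL), ("misordered", MISORDERED_ACL)):
        print(f"--- {label} ---")
        for name, verdict in guest_probe(acl_text).items():
            print(f"{name:32} {verdict}")
```

With the lines in Mark's order, only UDP/53 reaches the DNS server, anything else aimed at the two internal blocks is dropped, and IKE/ESP to the outside VPN gateway passes on the final permit. With the catch-all permit first, the guest's SMB probe at an internal host is permitted because evaluation stops at the first match. On the router the list is then bound inbound on the guest VLAN interface with `ip access-group 101 in`, as confirmed later in the thread.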
01-07-2004 11:15 AM
Thank you for your reply. I mistakenly said Standard when I meant to say Extended. I am already using an extended ACL, but your response answers my question. I was trying to make things more difficult than they need to be. Instead of denying specific nets and allowing everything else, I was allowing specific things and denying everything else.
Also, I have architected the ACL in the format you describe, and I've applied it to the interface "IN". Is that the best way to do it?
01-07-2004 12:57 PM
Yes, inbound on the guest VLAN interface will do it.
Good luck.
Mark