Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
354
Views
0
Helpful
3
Replies

guest vlan and vpn

Go to solution
b.withrow
Level 1
Level 1

‎01-07-2004 07:56 AM - edited ‎03-02-2019 12:43 PM

Situation: I created a 'guest vlan' on our network that will be used by NON-employees. This VLAN hands the user a DNS server and through a standard ACL allows all web browsing (to the internet) and all DNS lookups to that supplied DNS server.

Problem: What happens if a GUEST USER wants to VPN to his/her corporate network? How do I allow that without opening my network up any more than it is? When a guest VPN's to their corporate net they will get DNS and may need to connect to resources on their net that I am not allow access to in my ACL.

Any ideas are much appreciated. Thanks in advance.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
mark-obrien
Level 4
Level 4

‎01-07-2004 10:32 AM

I'll post again my response to your same question in Remote Access:

You will need to change your standard ACL to an extended ACL. Here is a guideline:

access-list 101 permit udp (guest-VLAN-network) host (DNS server) eq domain

acess-list 101 deny ip (guest-VLAN-network) (internal-network)

access-list 101 per ip (guest-VLAN-network) any

This will give specific access to the DNS server, deny all other access to your internal network, and permit any access, including VPN tunnels, to the Internet.

If your internal network can not be summarized with a single IP address, repeat the second command as many times as you need to in order to block access to all of your network space.

HTH

Mark

View solution in original post

0 Helpful

Go to solution
mark-obrien
Level 4
Level 4
In response to b.withrow

‎01-07-2004 12:57 PM

Yes, inbound on the guest VLAN interface will do it.

Good luck.

Mark

View solution in original post

0 Helpful
3 Replies 3

Go to solution
mark-obrien
Level 4
Level 4

‎01-07-2004 10:32 AM

I'll post again my response to your same question in Remote Access:

You will need to change your standard ACL to an extended ACL. Here is a guideline:

access-list 101 permit udp (guest-VLAN-network) host (DNS server) eq domain

acess-list 101 deny ip (guest-VLAN-network) (internal-network)

access-list 101 per ip (guest-VLAN-network) any

This will give specific access to the DNS server, deny all other access to your internal network, and permit any access, including VPN tunnels, to the Internet.

If your internal network can not be summarized with a single IP address, repeat the second command as many times as you need to in order to block access to all of your network space.

HTH

Mark

0 Helpful

Go to solution
b.withrow
Level 1
Level 1
In response to mark-obrien

‎01-07-2004 11:15 AM

Thank you for your reply. I mistakenly said Standard when I meant to say Extended. I am already using an extended ACL, but your response answers my question. I was trying to make things more difficult than they need to be. Instead of denying specific nets and allowing everything else, I was allowing specific things and denying everything else.

Also, I have architected the acl in the format you descibe, and I've applied it to the interface "IN". Is that the best way to do it?

0 Helpful

Go to solution
mark-obrien
Level 4
Level 4
In response to b.withrow

‎01-07-2004 12:57 PM

Yes, inbound on the guest VLAN interface will do it.

Good luck.

Mark

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card