ACL to deny any LAN activity from Aironet 1131AG

joshgrisham
Level 1

Can anyone tell me what I'm missing here? I'm trying to set up an ACL that will prohibit any LAN activity while allowing users to do anything they want out on the internet when they connect through the wireless access point.

Here's what I have right now. The internal network is 192.168.1.0 and the gateway/router/etc. is at address 192.168.1.254.

The good thing about it is that I can't get to anything internal. I can also get to anything external as long as I know the IP address... so really the only thing I'm missing is DNS resolution. I've tried a few things and nothing seems to work! Any ideas??

Building configuration...

Current configuration : 1802 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 ....
!
led display alternate
ip subnet-zero
!
!
no aaa new-model
!
dot11 ssid PMIWifi
 authentication open
 guest-mode
!
power inline negotiation prestandard source
!
!
username ....
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 ip access-group wifi in
 no ip route-cache
 !
 ssid PMIWifi
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 ip access-group wifi in
 no ip route-cache
 !
 ssid PMIWifi
 !
 dfs band 3 block
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address dhcp client-id FastEthernet0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
ip access-list extended wifi
 deny   ip any 192.168.1.0 0.0.0.255
 permit ip any any
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

5 Replies

acomiskey
Level 10

Is the DNS server on 192.168.1.0? This would explain why you couldn't access it. Try an external DNS; do you have the same problems?

No, it is 192.168.1.254 also. I did try a few things in addition to the config I posted but none of them worked... rather than posting the wrong thing I wanted to see if anyone could tell me the right thing! ;)

The things I had tried...

permit ip host 192.168.1.254 any
permit ip any host 192.168.1.254
permit udp any any eq 53
permit tcp any any eq 53

Still none of these worked...

Is it because I'm doing a deny then an allow?

For instance, if you had

deny ip any 192.168.1.254 0.0.0.0
permit ip any 192.168.1.254 0.0.0.0

what would happen? Would the deny override the permit, or vice versa? I thought by default in an access list there was a "deny ip any any" unless you specified something else, so to me it sounds like a permit is overriding the deny in that case. What about this one?

In your first post you have...

deny ip any 192.168.1.0 0.0.0.255
permit ip any any

If your DNS server is 192.168.1.254 this will obviously be denied. That's what I was trying to say before. How about this... this should permit DNS to the DNS server, deny anything else to 192.168.1.0, and permit anything else.

permit udp any 192.168.1.254 0.0.0.0 eq 53
deny ip any 192.168.1.0 0.0.0.255
permit ip any any

Yes, in that case the permit line would never be matched, as the ACL is evaluated from the top down and all traffic to 192.168.1.0 would match the first line and be denied. There is an implicit deny ip any any at the end of the ACL.
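To make the ordering point concrete, here is a small simulator of IOS extended-ACL evaluation (first match wins, implicit deny at the end) run over the three ACLs discussed above: the original one from the question, a mis-ordered variant where the host permit sits below the subnet deny, and the corrected one from the reply. This is an added example written for this page, not Cisco code or anything posted in the thread; the client and destination addresses in the sample packets are constructed, and the parser only understands the subset of ACE syntax that appears in the thread (`any`, `host X`, `X wildcard`, and `eq <port>`).

```python
"""Simulate Cisco IOS extended-ACL evaluation: top-down, first match wins,
implicit 'deny ip any any' if nothing matches. Added example, not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every IP protocol
    src: str              # "any", "host X", or "X wildcard"
    dst: str
    dport: Optional[int] = None


def _addr_matches(spec: str, addr: str) -> bool:
    """Match an address against an IOS address spec (wildcard bits = don't care)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    base = int(ipaddress.IPv4Address(parts[0]))
    wild = int(ipaddress.IPv4Address(parts[1]))
    a = int(ipaddress.IPv4Address(addr))
    care = ~wild & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (base & care)


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text: str) -> List[Entry]:
    """Parse one ACE per line; blank lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching ACE); (deny, None) is the implicit deny."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_matches(e.src, pkt.src) and _addr_matches(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, i
    return "deny", None


# The ACLs from the thread (the mis-ordered one is the case the last reply explains).
ORIGINAL_ACL = "deny ip any 192.168.1.0 0.0.0.255\npermit ip any any"
MISORDERED_ACL = ("deny ip any 192.168.1.0 0.0.0.255\n"
                  "permit udp any host 192.168.1.254 eq 53\npermit ip any any")
FIXED_ACL = ("permit udp any 192.168.1.254 0.0.0.0 eq 53\n"
             "deny ip any 192.168.1.0 0.0.0.255\npermit ip any any")

# Constructed sample traffic from a wireless client (addresses are made up).
DNS_QUERY = Packet("udp", "192.168.1.77", "192.168.1.254", 53)
DNS_TCP = Packet("tcp", "192.168.1.77", "192.168.1.254", 53)
WEB_OUT = Packet("tcp", "192.168.1.77", "203.0.113.10", 80)
LAN_SHARE = Packet("tcp", "192.168.1.77", "192.168.1.20", 445)


def run_demo() -> dict:
    """Evaluate every sample packet against every ACL; keyed by (acl, packet) names."""
    acls = {"original": ORIGINAL_ACL, "misordered": MISORDERED_ACL, "fixed": FIXED_ACL}
    pkts = {"dns_udp": DNS_QUERY, "dns_tcp": DNS_TCP, "web": WEB_OUT, "lan": LAN_SHARE}
    return {(an, pn): evaluate(parse_acl(acl), pkt)
            for an, acl in acls.items() for pn, pkt in pkts.items()}


if __name__ == "__main__":
    for (acl_name, pkt_name), (action, idx) in run_demo().items():
        where = "implicit deny" if idx is None else f"ACE {idx}"
        print(f"{acl_name:10} {pkt_name:8} -> {action:6} ({where})")
```

Running it shows the DNS query hitting the subnet deny at ACE 0 under both the original and the mis-ordered ACL, and hitting the UDP/53 permit at ACE 0 under the corrected one, while the LAN share stays denied and outbound web stays permitted. One caveat the simulation also makes visible: the corrected ACL permits DNS over UDP only, so a resolver that retries over TCP (large responses, truncation) would still be denied by the subnet line; if that matters, a matching `permit tcp` line for port 53 belongs above the deny as well.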