03-03-2014 01:14 PM - edited 03-04-2019 10:29 PM
Greetings,
I have a scenario in which a user has a gaming console and tends to open a lot of ports or ends up disabling the firewall entirely to play online. I looked into DMZ solutions but I don't see a howto that really fits my needs (DHCP-addressed WAN with one IP, internal DMZ IP space, and NAT). Perhaps I'm not googling the correct keywords. I made new ACLs to see if I can essentially create an unprotected network and a protected one. It doesn't seem best practice though, and I'm afraid to go with it without consulting those who are more Cisco savvy. Any insight or direction would be greatly appreciated!
Here are the ACLs I created to see if I can create an unprotected network that would not be affected by a WAN ACL:
WAN: DHCP
vlan100 (protected): 172.16.107.224/27
vlan101 (unprotected): 172.16.106.192/27
!
ip access-list extended wan-inbound
 remark deny management services
 deny tcp any any eq 22
 deny tcp any any eq 23
 deny tcp any any eq 80
 deny tcp any any eq 443
 deny udp any any eq snmp
 remark deny spoofing-and-invalids
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 remark allow everything else
 permit ip any any
!
! Rules for traffic entering vlan100 from the WAN or other LANs. For the ACL to
! see that traffic it must be applied OUT on interface Vlan100 (router -> hosts).
! Applied IN it would filter the LAN's own packets, and "established" would then
! block every connection the LAN tries to open.
ip access-list extended vlan100-protected-inbound
 remark define wan-inbound and other-lan-networks-inbound rules
 remark permit return traffic of anything initiated from the lan
 permit tcp any any established
 remark permit DNS replies (source port 53)
 permit udp any eq domain any
 remark deny spoofing-mylan (this /24 already covers the /27 denied below)
 deny ip 172.16.107.0 0.0.0.255 any
 remark allow isp-dhcp-requests
 permit udp any eq bootps any eq bootpc
 remark allow icmp
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip 172.16.107.224 0.0.0.31 any
 deny ip host 255.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip any any log
!
! Same direction note: apply OUT on Vlan101. The range denied here
! (172.16.107.192/27) differs from the 172.16.106.192/27 listed above, and
! nat-overload-acl only covers 172.16.107.0/24; whichever range is right, all
! three must agree or the unprotected VLAN is never translated.
ip access-list extended vlan101-unprotected-inbound
 remark define wan-inbound and other-lan-networks-inbound rules
 remark this is for devices like wireless router and gaming console
 deny ip 172.16.107.192 0.0.0.31 any
 deny ip host 255.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
ip access-list extended nat-overload-acl
 remark nat these networks
 permit ip 172.16.107.0 0.0.0.255 any
!
interface Vlan100
 description internal-network
 ! the ACL defined above is vlan100-protected-inbound, not vlan100-internal-inbound
 ip access-group vlan100-protected-inbound out
 exit
interface Vlan101
 description unprotected-network
 ip access-group vlan101-unprotected-inbound out
 exit
interface FastEthernet0
 description INET
 ip access-group wan-inbound in
 exit
!
03-04-2014 09:44 AM
Ron
What is the main concern, i.e. is it that you have to allow a lot of traffic back in via the WAN interface because of the gaming session?
If so, a solution may be reflexive ACLs, which can dynamically allow ports back in depending on what you allow out.
Whether your device supports them or not I don't know, as you haven't specified the model you are using.
Can you clarify what your main concern is?
Jon
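One way to put Jon's reflexive-ACL suggestion together with the two-VLAN layout from the first post, as an added example that is not part of either post and that the thread does not confirm works on this router (the model is not given, and the reflect/evaluate keywords need an IOS image that includes reflexive ACLs). The reflect/evaluate pair sits on the WAN interface, the console keeps its own VLAN with no per-VLAN ACL, and one NAT overload covers both VLANs. Assumptions beyond the thread: Vlan101 is 172.16.107.192/27 (the range in the posted ACL, not the 172.16.106.192/27 in the text), the console address 172.16.107.200 and game port 3074 are constructed placeholders, and the SVI addresses are made up.

```cisco
! Added example, not the original poster's or Jon's config. Assumptions:
! IOS with reflexive ACL support, FastEthernet0 = WAN on DHCP, Vlan100 =
! protected LAN 172.16.107.224/27, Vlan101 = console VLAN 172.16.107.192/27,
! console at 172.16.107.200 and game port 3074 (both constructed placeholders;
! substitute the real values).
!
! Outbound on the WAN: each session an inside host opens is mirrored into the
! temporary list "lan-sessions". The source is "any" on purpose: this ACL is
! checked after NAT, so the packet already carries the DHCP-assigned WAN
! address and a 172.16.107.x source would never match here.
ip access-list extended wan-outbound
 remark reflect inside-initiated sessions so only their replies get back in
 permit tcp any any reflect lan-sessions timeout 300
 permit udp any any reflect lan-sessions timeout 120
 permit icmp any any reflect lan-sessions timeout 60
 deny   ip any any log
!
! Inbound on the WAN: anti-spoof first, then the reflected sessions, then the
! one console port that has to accept unsolicited connections, then deny-all.
! This replaces the "permit ip any any" the poster was unhappy with.
ip access-list extended wan-inbound
 remark deny spoofed and invalid sources
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 remark DHCP lease traffic from the ISP to this router
 permit udp any eq bootps any eq bootpc
 remark ICMP replies and errors we still want after a reflexive entry expires
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark return traffic for sessions the LANs opened (temporary entries)
 evaluate lan-sessions
 remark unsolicited inbound for the console only, forwarded by the static NAT
 permit tcp any any eq 3074
 permit udp any any eq 3074
 deny   ip any any log
!
! NAT: one DHCP WAN address shared by both VLANs, plus a static port map so
! the console (and nothing else) is reachable from outside on its game port.
ip access-list extended nat-overload-acl
 permit ip 172.16.107.0 0.0.0.255 any
ip nat inside source list nat-overload-acl interface FastEthernet0 overload
ip nat inside source static tcp 172.16.107.200 3074 interface FastEthernet0 3074
ip nat inside source static udp 172.16.107.200 3074 interface FastEthernet0 3074
!
interface FastEthernet0
 description INET
 ip address dhcp
 ip nat outside
 ip access-group wan-inbound in
 ip access-group wan-outbound out
!
interface Vlan100
 description protected LAN
 ip address 172.16.107.225 255.255.255.224
 ip nat inside
!
interface Vlan101
 description console VLAN; no per-VLAN ACL, the WAN edge does the filtering
 ip address 172.16.107.193 255.255.255.224
 ip nat inside
```

With the state tracked at the WAN edge, the per-VLAN `permit tcp any any established` rules become unnecessary, and `show access-list lan-sessions` shows the live reflected entries with their remaining timeouts. Two limits to keep in mind: reflexive entries only mirror flows the inside started, so a game that expects peers to connect in unprompted still needs the static NAT lines for its port (and any other ports its documentation names), and UDP "sessions" are purely timeout-based, so a too-short UDP timeout shows up as dropped game traffic rather than a clear error. Protocols other than TCP, UDP and ICMP (GRE, ESP) are not reflected and would be dropped by the outbound deny-all unless permitted explicitly.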
03-04-2014 02:49 PM
Jon,
Thanks so much for the reply! I'll have to look into reflexive ACLs and see if that's what I'm looking for. Under my vlan100-protected-inbound ACL I have 'permit tcp any any established', which I believe accomplishes any initiated sessions from that LAN. My main concern is the WAN ACL. I don't really like having 'permit any any' on the WAN, but felt that is what I had to do to have a VLAN that wouldn't be restricted by any ACL statements for his gaming needs. Granted, I need to see an example of what game and what he claims is being affected by the ACL that I currently have on the WAN, which right now is essentially what I have on vlan 100. I was looking for a solution in which he could plug into a port that is a member of 101 and wouldn't possibly have an issue with his games by an ACL. Thanks so much again for your time!