ACL to only allow Internet

Swaydan
Level 1

Hello,

 

Could someone please help me create an ACL to allow only Internet traffic on the GUEST VLAN?

DHCP/DNS Server IP: 192.168.1.247

Firewall IP: 192.168.1.1

GUEST VLAN: 192.168.12.0/24

 

This is what I am doing:

 

ip access-list extended GUEST
permit udp any host 192.168.1.247 eq 67
permit udp host 192.168.1.247 any eq 68
permit udp 192.168.12.0 0.0.0.255 host 192.168.1.247 eq 53
permit tcp 192.168.12.0 0.0.0.255 host 192.168.1.247 eq 53
permit tcp 192.168.12.0 0.0.0.255 host 192.168.1.1 eq 80
permit tcp 192.168.12.0 0.0.0.255 host 192.168.1.1 eq 443
deny ip any any

 

Interface VLAN 12

IP Access-group GUEST in

 

 

What am I doing wrong?

 

Thank you in advance

 

Swaydan

9 Replies

Hello,

 

I made some changes/additions to your access list:

 

ip access-list extended GUEST
permit udp any host 192.168.1.247 eq 67
permit udp host 192.168.1.247 any eq 68
permit udp 192.168.12.0 0.0.0.255 host 192.168.1.247 eq 53
permit tcp 192.168.12.0 0.0.0.255 host 192.168.1.247 eq 53
permit tcp 192.168.12.0 0.0.0.255 host 192.168.1.1 eq 80
permit tcp 192.168.12.0 0.0.0.255 host 192.168.1.1 eq 443
remark block the RFC 1918 ranges so the permit below only reaches the Internet
deny ip 192.168.12.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.12.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.12.0 0.0.0.255 any

Hello Georg,

 

Thank you for your reply

However, with this configuration ("permit ip 192.168.12.0 0.0.0.255 any"), VLAN 12 will have full access to the firewall; I want to grant it only web traffic.

 

Thank you

Hello,

 

use:

 

permit tcp 192.168.12.0 0.0.0.255 any eq www

 

as the last line instead.

Rip that line out, so the implicit deny any falls out the bottom of your ACL,

 

add

 

permit tcp 192.168.12.0 0.0.0.255 any eq 443 / 80 on top of your denies

 

 

Please remember to rate useful posts, by clicking on the stars below.

I ended up using the below, but it is not secure, as VLAN 12 is able to access any internal web server through the following line: "permit tcp any any eq 80 / 443" :(

 

ip access-list extended GUEST
permit udp any any eq 67
permit udp any any eq 68
permit udp any host 192.168.1.247 eq 53
permit tcp any host 192.168.1.247 eq 53
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

 

Thank you

 

Hello,

 

What are the IP addresses of the internal web servers? Put a deny statement specifying these addresses above the permit any any...
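As an added check that is not from the thread or from Cisco: a small Python model of how an extended ACL is evaluated top to bottom (first match wins, implicit deny at the end), replayed against the "permit tcp any any eq 80/443" list and a list with RFC 1918 denies above the Internet permit. The ACL text, the guest host 192.168.12.50, the internal web server 192.168.1.100 and the Internet host 203.0.113.10 are constructed for the example; the 172.16/12 line uses the corrected 0.15.255.255 wildcard.

```python
import ipaddress

# Constructed copies of the two GUEST lists from the thread (172.16/12 mask corrected).
ACL_ANY_WEB = """permit udp any any eq 67
permit udp any any eq 68
permit udp any host 192.168.1.247 eq 53
permit tcp any host 192.168.1.247 eq 53
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any"""
ACL_RFC1918 = """permit udp any host 192.168.1.247 eq 67
permit udp 192.168.12.0 0.0.0.255 host 192.168.1.247 eq 53
permit tcp 192.168.12.0 0.0.0.255 host 192.168.1.1 eq 443
deny ip 192.168.12.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.12.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
permit tcp 192.168.12.0 0.0.0.255 any eq 443"""
NAMED_PORTS = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i] -> ((base, mask), next index)."""
    if t[i] == "any":
        return (0, 0), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0xFFFFFFFF), i + 2
    base, wild = (int(ipaddress.IPv4Address(x)) for x in t[i:i + 2])
    return (base, 0xFFFFFFFF ^ wild), i + 2  # wildcard 1-bits are "don't care"

def _port(t, i):
    if i < len(t) and t[i] == "eq":  # optional 'eq PORT'; None means any port
        return int(NAMED_PORTS.get(t[i + 1], t[i + 1])), i + 2
    return None, i

def parse_acl(text):
    """Extended-ACL lines -> list of (action, proto, src, sport, dst, dport)."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        aces.append((t[0], t[1], src, sport, dst, dport))
    return aces

def evaluate(acl_text, proto, src, sport, dst, dport):
    """Action of the first matching ACE, else the implicit 'deny ip any any'."""
    hit = lambda spec, ip: (int(ipaddress.IPv4Address(ip)) & spec[1]) == (spec[0] & spec[1])
    for action, p, s, sp, d, dp in parse_acl(acl_text):
        if p in ("ip", proto) and hit(s, src) and hit(d, dst) \
                and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"
```

Running a DHCP DISCOVER (source 0.0.0.0, destination 255.255.255.255, UDP 67) through both lists shows why the "host 192.168.1.247" DHCP line breaks lease acquisition: the broadcast never matches it and falls to the implicit deny.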

OK, I can live with this :)

 

However, I am still facing a DHCP issue when I remove "any any" from "permit udp any any eq 67 / 68"!

 

Is there any security issue if I keep it with "any any"?

 

Thank you

Hello,

 

Basically, you only allow DHCP traffic from hosts on the subnet, so there is no security risk.

 

Instead of:

 

permit udp any any eq 67
permit udp any any eq 68

 

you could also use:

 

permit udp any eq bootpc any eq bootps

Hello Georg,

 

Sorry for the late feedback.

 

We can consider the DHCP/DNS issue fixed, but I am facing an issue with Internet access: the below two lines only allow HTTP and HTTPS access through browsers, but all other applications, such as WhatsApp, are not working!

 

permit tcp any any eq 80
permit tcp any any eq 443

 

Any suggestions?

 

Thanks a lot

 

Ali