06-27-2021 09:25 PM
Hello,
I am new to making ACLs and I have been trying to apply one on a VLAN for the purpose of learning. This ACL should only allow access to the internet, DHCP, and DNS. So far, when plugging a PC into the correct switchport for the VLAN I get an IP address, but cannot access the internet. This ACL is on VLAN 30.
My router is 10.0.1.101 and my switch is 10.0.1.102 for reference.
Here is my running configuration on the switch with my attempt of creating the ACL for the Guest VLAN:
MLS#show run
Building configuration...

Current configuration : 5726 bytes
!
! Last configuration change at 09:18:55 UTC Sat Mar 6 1993
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MLS
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
switch 1 provision ws-c3750x-48p
system mtu routing 1500
ip routing
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool VLAN_30
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 dns-server 8.8.8.8 8.8.4.4
!
!
ip dhcp pool VLAN_20
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 8.8.8.8 8.8.4.4
!
!
!
!
crypto pki trustpoint TP-self-signed-2834786944
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2834786944
 revocation-check none
 rsakeypair TP-self-signed-2834786944
!
!
crypto pki certificate chain TP-self-signed-2834786944
 certificate self-signed 01
  3082023B 308201A4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32383334 37383639 3434301E 170D3933 30333031 30303031
  32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38333437
  38363934 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C16F E0E8F6C1 322F21E8 C7FD1C6B 79E08438 AE791B61 04264B89 4524E9E2
  73652C5B 2FC17133 9D99A4AC 49F6A8A0 66894FAD 86869C33 163C4690 FD805683
  D8E0652B AB439065 15873875 C440DD9B 685413FC C375C0D9 0B906DD7 2F8C73DF
  3A3964A5 B3693B84 853A8DB5 792F52CD A38CC91A 56E697D2 DB741276 095C74DC
  BF690203 010001A3 63306130 0F060355 1D130101 FF040530 030101FF 300E0603
  551D1104 07300582 034D4C53 301F0603 551D2304 18301680 14580F20 DF95EB79
  1537B233 8B369735 6BBACCE2 A2301D06 03551D0E 04160414 580F20DF 95EB7915
  37B2338B 3697356B BACCE2A2 300D0609 2A864886 F70D0101 04050003 81810005
  75E856D3 20536E65 C2527DBD 68AE39FC 9F6D73E7 4391F488 E194B646 6D20D31E
  9CCC3A73 80DCA199 AAB62476 044672F0 2AA9BAB3 EEB9EFFF 87F8A7E4 565A05E9
  3333AEEC CF3AC750 DFF9D648 BC08CCA1 93BFE0E0 469F2C00 DFAC79BE FFD9D58D
  8AEBD78C ECCA178C 5D31AC79 5A667679 59D270CA 2BABBBA7 3F51EE2E E8F5BA
  quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.0.1.102 255.255.255.252
 ip ospf network point-to-point
 speed 100
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
 description Guest_Access
 switchport access vlan 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan20
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan30
 ip address 192.168.3.1 255.255.255.0
 ip access-group Inbound-Guest in
!
router ospf 1
 network 10.0.1.100 0.0.0.3 area 0
 network 192.168.2.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 0
!
ip http server
ip http secure-server
!
!
ip access-list extended Inbound-Guest
 permit icmp any any
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit udp 192.168.3.0 0.0.0.255 host 10.0.1.102 range bootps bootpc
 permit tcp 192.168.3.0 0.0.0.255 host 10.0.1.102 eq domain
 permit udp 192.168.3.0 0.0.0.255 host 10.0.1.102 eq domain
 permit tcp 192.168.3.0 0.0.0.255 any eq www
 permit tcp 192.168.3.0 0.0.0.255 any eq 443
 deny ip any any log
!
logging esm config
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end
Please let me know what I need to change to get this working.
Additionally, what would I need to do to allow access to a game server on a custom port if I ever wanted to add one? Is it as simple as 'permit tcp 192.168.3.0 0.0.0.255 host ServerIP eq customport' ?
Thanks!
06-28-2021 12:07 AM - edited 06-28-2021 12:30 AM
Hello @dtzips,
The issue is not in the ACL; you are missing the configuration of NAT.
The VLAN 30 subnet 192.168.3.0/24 is a private IP address and it cannot be routed over the internet.
Edit: I see you have reported the switch configuration, given the high number of ports.
>>>> You need to configure NAT in the external router, the one with IP address 10.0.1.101; a switch does not support NAT, so consider the following just an example:
int gix/y
desc to switch
ip nat inside
int gix/z
desc to ISP
ip nat outside
access-list 130 deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 130 permit ip 192.168.3.0 0.0.0.255 any
route-map NAT permit 10
match address 130
ip nat inside source route-map NAT interface gix/z overload
As I have explained, these IP addresses need to be translated to have internet connectivity; this can happen only on the external router if the local device is a switch.
Hope to help
Giuseppe
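An added example, not posted by either participant in this thread: a small Python model of the two pieces of policy quoted above, the Inbound-Guest ACL from the question (first-match, with the trailing deny) and the access-list 130 / route-map NAT selection from the reply, so that a sample flow from the guest VLAN can be traced through both. The outside address 203.0.113.1 for the router's ISP-facing interface and the sample flows are constructed for the example; everything else is taken from the ACL and NAT lines in the thread.

```python
# Added example (not from the thread): first-match ACL evaluation plus the
# route-map NAT decision, applied to constructed flows from the guest VLAN.
import ipaddress
from dataclasses import dataclass

# Port keywords that appear in the ACLs quoted in the thread.
PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}

@dataclass(frozen=True)
class Flow:
    proto: str          # "icmp", "udp" or "tcp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip", "icmp", "udp" or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: tuple       # inclusive (low, high) destination port range, or None for any

def _port(tok):
    return PORTS.get(tok) or int(tok)

def parse_ace(line):
    """Parse one extended ACE: 'permit|deny <proto> <src> <dst> [eq P | range A B] [log]'.
    Address forms: 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>' (contiguous wildcards only)."""
    toks = line.split()
    action, proto, pos = toks[0], toks[1], 2

    def addr():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if toks[pos] == "host":
            pos += 2
            return ipaddress.ip_network(toks[pos - 1] + "/32")
        ip, wild = toks[pos], toks[pos + 1]
        pos += 2
        # An IOS wildcard is the bitwise inverse of a subnet mask.
        mask = ipaddress.ip_address(~int(ipaddress.ip_address(wild)) & 0xFFFFFFFF)
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

    src, dst = addr(), addr()
    dports = None
    if pos < len(toks) and toks[pos] == "eq":
        dports = (_port(toks[pos + 1]), _port(toks[pos + 1]))
    elif pos < len(toks) and toks[pos] == "range":
        dports = (_port(toks[pos + 1]), _port(toks[pos + 2]))
    return Ace(action, proto, src, dst, dports)

def matches(ace, flow):
    proto_ok = ace.proto in ("ip", flow.proto)
    addr_ok = ipaddress.ip_address(flow.src) in ace.src and ipaddress.ip_address(flow.dst) in ace.dst
    port_ok = ace.dports is None or ace.dports[0] <= flow.dport <= ace.dports[1]
    return proto_ok and addr_ok and port_ok

def evaluate(acl, flow):
    """First matching entry wins; a flow that matches nothing hits the implicit deny."""
    for number, ace in enumerate(acl, 1):
        if matches(ace, flow):
            return ace.action, number
    return "deny", None

# The Inbound-Guest ACL exactly as applied inbound on interface Vlan30 in the question.
INBOUND_GUEST = [parse_ace(l) for l in """
permit icmp any any
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp 192.168.3.0 0.0.0.255 host 10.0.1.102 range bootps bootpc
permit tcp 192.168.3.0 0.0.0.255 host 10.0.1.102 eq domain
permit udp 192.168.3.0 0.0.0.255 host 10.0.1.102 eq domain
permit tcp 192.168.3.0 0.0.0.255 any eq www
permit tcp 192.168.3.0 0.0.0.255 any eq 443
deny ip any any log
""".strip().splitlines()]

# access-list 130 from the reply; route-map NAT matches on it to choose what gets translated.
NAT_SELECT = [parse_ace(l) for l in """
deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.3.0 0.0.0.255 any
""".strip().splitlines()]

OUTSIDE_IP = "203.0.113.1"   # constructed: the router's ISP-facing address (gix/z in the reply)

def nat_overload(flow, outside_ip=OUTSIDE_IP):
    """Model 'ip nat inside source route-map NAT interface gix/z overload':
    only flows the route-map's ACL permits have their source rewritten."""
    action, _ = evaluate(NAT_SELECT, flow)
    if action == "permit":
        return Flow(flow.proto, outside_ip, flow.dst, flow.sport, flow.dport)
    return flow

def guest_path(flow):
    """Trace a guest flow: the SVI ACL on the switch first, then the NAT decision on the router."""
    action, number = evaluate(INBOUND_GUEST, flow)
    if action == "deny":
        return ("dropped-by-acl", number)
    out = nat_overload(flow)
    return ("natted" if out.src != flow.src else "routed-untranslated", out.src)

if __name__ == "__main__":
    # Constructed sample flows from a guest host 192.168.3.50.
    for f in (Flow("udp", "0.0.0.0", "255.255.255.255", 68, 67),        # DHCP discover
              Flow("udp", "192.168.3.50", "8.8.8.8", 51000, 53),        # DNS to the pool's dns-server
              Flow("tcp", "192.168.3.50", "198.51.100.20", 51001, 443), # HTTPS to an internet host
              Flow("tcp", "192.168.3.50", "192.168.2.10", 51002, 80)):  # HTTP to a host on VLAN 20
        print(f, "->", guest_path(f))
```

Tracing the constructed flows makes two properties of the posted ACL visible without touching hardware. DNS is permitted only toward host 10.0.1.102, while the VLAN_30 pool hands clients 8.8.8.8 and 8.8.4.4 as dns-server, so a query to 8.8.8.8 falls through to entry 9, the `deny ip any any log` line; that `log` keyword is the right place to confirm such drops on the switch itself. Secondly, `permit tcp 192.168.3.0 0.0.0.255 any eq www` matches a guest connecting to a VLAN 20 host on port 80, and the reply's access-list 130 deliberately excludes that RFC 1918 destination from translation, so the two lists have to be read together when deciding what the guest VLAN may reach. The parser also accepts the `permit tcp 192.168.3.0 0.0.0.255 host ServerIP eq customport` form asked about in the question, so a proposed game-server entry can be checked against sample flows the same way.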