04-15-2013 11:00 AM - edited 03-04-2019 07:36 PM
Hello,
I am trying to move a DMZ wireless guest VLAN back inside our network so I can control web access with our content filter better. I seem to be missing something in the ACL I built. I am trying to limit what the VLAN can get to, mostly just a couple of internal servers and out to the internet. When I apply the ACL everything seems to work except the internet; not sure what I am missing. I can ping the firewall 10.200.0.2 and nslookup DNS correctly at 10.200.9.1, but I cannot browse the internet. If I turn the ACL off I can browse the internet just fine, so I think I missed something in my ACL but I am not sure what. Any ideas?
Example of ACL
ip access-list extended in-wifi
permit ip 10.200.0.0 0.0.255.255 10.84.0.0 0.0.255.255
permit ip 10.100.0.0 0.0.255.255 10.84.0.0 0.0.255.255
permit ip host 10.84.0.1 10.84.0.0 0.0.255.255
permit udp any host 10.200.9.1 eq bootps ## DHCP
permit udp any host 10.200.9.1 eq bootpc ## DHCP
permit udp any host 10.200.9.1 eq domain ## DNS
permit ip any host 10.200.0.2 ## Firewall
permit ip any host 10.84.0.1 ## VLAN 84 Gateway
permit ip any host 10.200.15.254 ## VLAN 200 Gateway
permit tcp any host 10.100.9.51 eq 80 ## Internal Web Server
permit tcp any host 10.100.9.51 eq 443 ## Internal Web Server
permit tcp any host 10.200.5.120 eq 80 ## Internal Web Server
permit tcp any host 10.200.5.120 eq 443 ## Internal Web Server
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
Thanks in advance for any advice.
04-16-2013 10:47 AM
Hello Burkmajo,
I think that your solution is a little bit unfortunate. VLAN ACLs are typically used for filtering traffic inside the same L2 domain (VLAN). I think that you should apply your ACL to the VLAN 84 interface; it would be more compendious.
interface Vlan 84
ip access-group in-wifi in
Now the problem with internet access. Your Vlan84 subnet is 10.84.0.0/22 and one line of your ACL in-wifi says ->
deny ip any 10.0.0.0 0.255.255.255
which means that any traffic [internet traffic] will be denied if it is destined to 10.0.0.0/8 [10.84.0.0/22 is part of it].
Best Regards
Please rate all helpful posts and close solved questions
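To make the accepted answer's point concrete, here is an added example (not code from the thread or from Cisco): a small first-match simulator for the in-wifi ACL posted above. It evaluates the same flows twice, once as a VLAN access map (no direction, so the reply packet from the internet is checked too) and once as an interface ACL applied with "in" on the SVI (only packets arriving from VLAN 84 hosts are checked). The client 10.84.0.50, the public address 93.184.216.34 and the lateral target 10.200.5.10 are constructed sample values, and the simulator ignores TCP state and intra-VLAN L2 details.

```python
# Added example: first-match simulator for the in-wifi ACL from the post.
# Sample hosts (10.84.0.50, 93.184.216.34, 10.200.5.10) are constructed values.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL copied from the original post; text after ## is the poster's annotation and is ignored.
IN_WIFI = """
permit ip 10.200.0.0 0.0.255.255 10.84.0.0 0.0.255.255
permit ip 10.100.0.0 0.0.255.255 10.84.0.0 0.0.255.255
permit ip host 10.84.0.1 10.84.0.0 0.0.255.255
permit udp any host 10.200.9.1 eq bootps ## DHCP
permit udp any host 10.200.9.1 eq bootpc ## DHCP
permit udp any host 10.200.9.1 eq domain ## DNS
permit ip any host 10.200.0.2 ## Firewall
permit ip any host 10.84.0.1 ## VLAN 84 Gateway
permit ip any host 10.200.15.254 ## VLAN 200 Gateway
permit tcp any host 10.100.9.51 eq 80
permit tcp any host 10.100.9.51 eq 443
permit tcp any host 10.200.5.120 eq 80
permit tcp any host 10.200.5.120 eq 443
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
EPHEMERAL = 51000  # constructed client source port, seen as the dst port of reply packets

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"; an ACE with "ip" matches any of them
    src: str
    dst: str
    dport: Optional[int] = None

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard: 0 bits must match, 1 bits are don't-care (an inverted subnet mask)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def _take_addr(tokens):
    """Consume one address spec (any | host X | X WILDCARD); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_acl(text: str):
    """Parse extended-ACL lines into (action, proto, src_net, dst_net, dst_port) tuples."""
    acl = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        src, rest = _take_addr(tokens[2:])
        dst, rest = _take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        acl.append((action, proto, src, dst, dport))
    return acl

def evaluate(acl, pkt: Packet) -> str:
    """First matching ACE wins; every Cisco ACL ends with an implicit deny."""
    for action, proto, src, dst, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.IPv4Address(pkt.src) not in src or ipaddress.IPv4Address(pkt.dst) not in dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"

def flow(proto: str, client: str, server: str, dport: Optional[int] = None):
    """A request and its reply as a (forward, return) packet pair."""
    return Packet(proto, client, server, dport), Packet(proto, server, client, EPHEMERAL)

def vacl_allows(acl, fl) -> bool:
    """VLAN access map: no direction, so request and reply are both checked."""
    fwd, ret = fl
    return evaluate(acl, fwd) == "permit" and evaluate(acl, ret) == "permit"

def interface_in_allows(acl, fl) -> bool:
    """'ip access-group in-wifi in' on the SVI: only packets arriving from VLAN 84 hosts are checked."""
    fwd, _ = fl
    return evaluate(acl, fwd) == "permit"

ACL = parse_acl(IN_WIFI)
FLOWS = {
    "web to internet": flow("tcp", "10.84.0.50", "93.184.216.34", 80),
    "ping firewall": flow("icmp", "10.84.0.50", "10.200.0.2"),
    "dns": flow("udp", "10.84.0.50", "10.200.9.1", 53),
    "internal web": flow("tcp", "10.84.0.50", "10.100.9.51", 443),
    "lateral smb": flow("tcp", "10.84.0.50", "10.200.5.10", 445),
}

def compare():
    """Verdict per flow under both placements: {name: (vacl_allows, interface_in_allows)}."""
    return {n: (vacl_allows(ACL, f), interface_in_allows(ACL, f)) for n, f in FLOWS.items()}

if __name__ == "__main__":
    for name, (v, i) in compare().items():
        print(f"{name:16} VACL={'pass' if v else 'DROP'}  interface-in={'pass' if i else 'DROP'}")
```

Running it shows the symptom from the first post: ping to the firewall, DNS and the internal web servers pass under both placements because their replies come from 10.200.0.0/16 or 10.100.0.0/16 and hit the first two permit lines, while the reply from the internet to 10.84.0.50 matches `deny ip any 10.0.0.0 0.255.255.255` and is dropped by the VACL only. Lateral traffic to another RFC 1918 host is dropped either way, which is the policy the poster wanted. Note that with the ACL applied only "in" on the SVI, replies are not inspected at all, so the deny lines for private space do their work on the request direction alone.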
04-15-2013 11:30 AM
Hi,
Can you post how the ACL is applied and tell us what the DMZ network is?
Regards
Alain
Don't forget to rate helpful posts.
04-15-2013 12:57 PM
Hi Alain,
Thanks for your response, I applied the above ACL to VLAN 84 like so:
vlan access-map map84 10
match ip address in-wifi
action forward
vlan filter map84 vlan-list 84
I am not sure what you meant by what the DMZ network is, because I created VLAN 84 (10.84.0.1/255.255.252.0), which will be replacing the current working DMZ VLAN 999 (not represented above, 172.16.0.1/255.255.252.0), in an effort to move the VLAN from an outside VLAN to an inside VLAN.
The other VLAN represented above is VLAN 200 (10.200.15.254/255.255.240.0).
Hope that clarifies the question better.
04-17-2013 09:07 AM
Hello Blau grana,
That was exactly what I was missing. Also, explaining a better way to apply the ACL was helpful.
Thank you