Solved: VLAN ACL Wireless Guest Help

burkmajo10 · ‎04-15-2013

Hello,

I am trying to move a DMZ wireless guest VLAN back inside our network so I control web access with our content filter better. I seem to be missing something in the ACL I built. I am trying to limit what the VLAN can get too mostly just a couple of internal servers and out to the internet. When I apply the ACL everything seems to work except the internet not sure what I am missing. I can ping the firewall 10.200.0.2, nslookup dns correctly 10.200.9.1 but I cannot browse the internet. If I turn the ACL off I can browse the internet just fine so I think I missed something in my ACL but I am not sure what. Any ideas?

Example of ACL

ip access-list extended in-wifi

permit ip 10.200.0.0 0.0.255.255 10.84.0.0 0.0.255.255

permit ip 10.100.0.0 0.0.255.255 10.84.0.0 0.0.255.255

permit ip host 10.84.0.1 10.84.0.0 0.0.255.255

permit udp any host 10.200.9.1 eq bootps ##DHCP

permit udp any host 10.200.9.1 eq bootpc ##DHCP

permit udp any host 10.200.9.1 eq domain ##DHCP

permit ip any host 10.200.0.2 ##Firewall

permit ip any host 10.84.0.1 ##VLAN 84 Gateway

permit ip any host 10.200.15.254 ##VLAN 200 Gateway

permit tcp any host 10.100.9.51 eq 80 ## Internal Web Server

permit tcp any host 10.100.9.51 eq 443 ## Internal Web Server

permit tcp any host 10.200.5.120 eq 80 ## Internal Web Server

permit tcp any host 10.200.5.120 eq 443## Internal Web Server

deny ip any 10.0.0.0 0.255.255.255

deny ip any 172.16.0.0 0.15.255.255

deny ip any 192.168.0.0 0.0.255.255

permit ip any any

Thanks in advance for any advice.

blau grana · ‎04-16-2013

Hello Burkmajo,

I think that your solution is little bit unfortunate. Vlan ACLs are typically used for filtering traffic inside same L2 domain (VLAN). I think that you should apply your ACL to VLAN 84 interface, it would be morecompendious.

interface Vlan 84

ip access-group in-wifi in

Now the problem with internet access. Your Vlan84 subnet is 10.84.0.0/22 and one line of your ACL in-wifi says ->

deny ip any 10.0.0.0 0.255.255.255

which means that any traffic [internet traffic] will be denied if it is destined to 10.0.0.0/8 [10.84.0.0/22 is part of it].

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions

View solution in original post

cadet alain · ‎04-15-2013

Hi,

can you post how the ACL is applied and tell us what is the DMZ network.

Regards

Alain

Don't forget to rate helpful posts.

burkmajo10 · ‎04-15-2013

Hi Alain,

Thanks for your response, I applied the above ACL to VLAN 84 like so:

vlan access-map map84 10

match ip address in-wifi

action forward

vlan filter map84 vlan-list 84

I am not sure what you meant by what is the DMZ network because I created VLAN 84 10.84.0.1/255.255.252.0 which will be replacing the current working DMZ VLAN 999 (which is not represented above 172.16.0.1/255.255.252.0) in an effort to move the VLAN from an outside VLAN to an inside VLAN.

The other VLAN represented above is VLAN 200 10.200.15.254/255.255.240.0

Hope that clarifies the question better.

blau grana · ‎04-16-2013