07-11-2013 12:44 PM - edited 03-07-2019 02:21 PM
I am trying to create an extended access list based on the scenario in the diagram.
I have a wireless LAN on 10.xxx.xxx.xx. I do not want these clients to access my LAN on 128.1.xxx.xxx, 172.18.xxx.xxx or 172.19.xxx.xxx.
However, I want them to access the core switch and also the UTM firewall in order to have access to the Internet.
I also want the network admin on the LAN to be able to access the DHCP server for the WLAN.
Any client that tries to connect to the access point should also be able to receive a lease from the DHCP server 10.0.0.1.
The WLAN is connected to interface 4/1 on the core switch, to which the command "ip access-group wireless in" was applied.
Access list:
ip access-list extended wireless
permit ip host 10.0.0.1 host 172.19.aaa.bbb
permit ip 10.0.0.0 0.0.0.255 host ipofUTM
permit ip 10.0.0.0 0.0.0.255 host ipofCORE
I am not able to receive any lease after this.
07-11-2013 01:12 PM
I'm going to assume you have a WLAN controller connected to the core switch, so the example below is related to that. If you have a different setup, please elaborate:
OK, so on the core you'll need a VLAN for your WLAN. Let's say it's VLAN 10. So under that VLAN you'll do
"ip helper-address 10.0.0.1"
Then the ACL can be something like this.
ip access-list extended wireless
permit ip host 10.0.0.1 host 172.19.aaa.bbb
deny ip 10.0.0.0 0.0.0.255 172.18.0.0 0.0.0.255
deny ip 10.0.0.0 0.0.0.255 172.19.0.0 0.0.0.255
permit ip any any
07-11-2013 02:11 PM
Mohammad Ali wrote:
I'm going to assume you have a WLAN controller connected to the core switch, so the example below is related to that. If you have a different setup, please elaborate:
OK, so on the core you'll need a VLAN for your WLAN. Let's say it's VLAN 10. So under that VLAN you'll do
"ip helper-address 10.0.0.1"
Then the ACL can be something like this.
ip access-list extended wireless
permit ip host 10.0.0.1 host 172.19.aaa.bbb
deny ip 10.0.0.0 0.0.0.255 172.18.0.0 0.0.0.255
deny ip 10.0.0.0 0.0.0.255 172.19.0.0 0.0.0.255
permit ip any any
I do not have a WLAN controller as of now.
I have specified a VLAN and an IP helper address for the same in the core too.
I tried out what you said:
interface GigabitEthernet4/1
switchport access vlan 200
switchport mode access
ip access-group wireless in
ip access-list extended wireless
permit ip host 10.0.0.1 host 172.19.aaa.bbb
permit ip 10.0.0.0 0.255.255.255 host 128.1.xxx.yyy [where 128.1.xxx.yyy is my firewall]
permit ip 10.0.0.0 0.255.255.255 host 128.1.aaa.bbb [where 128.1.aaa.bbb is my core]
deny ip 10.0.0.0 0.255.255.255 172.18.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 172.19.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 128.1.0.0 0.0.248.255
permit ip any any
!
But any client with a lease on my WLAN is still able to ping my LAN.
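The two ACLs above (the one in the opening post and the revised one in this post) can be checked offline with the following Python evaluator. It is an added example written for this page, not code from the thread or from Cisco; it models only the IOS behaviour the thread turns on (entries tested top to bottom, first match wins, a 1 bit in the wildcard means "don't care", no match means the implicit deny) and says nothing about where the ACL is applied. The 128.1.x and 172.19.x addresses are constructed stand-ins for the thread's xxx/aaa/bbb placeholders, and the third ACL, TIGHTENED_ACL, is this editor's assumed variant, not something anyone in the thread proposed.

```python
import ipaddress

# Constructed addresses standing in for the thread's xxx/aaa/bbb placeholders.
FIREWALL = "128.1.10.1"     # 128.1.xxx.yyy, the UTM firewall
CORE = "128.1.10.2"         # 128.1.aaa.bbb, the core switch
DHCP_SERVER = "10.0.0.1"
LAN_ADMIN = "172.19.5.20"   # 172.19.aaa.bbb, the admin's workstation
WLAN_CLIENT = "10.0.0.50"   # a wireless client that already holds a lease
PORTS = {"bootps": 67, "bootpc": 68}

def _addr(tokens):
    """Consume 'host X', 'any' or 'X WILDCARD'; return ((net, wildcard), leftover tokens)."""
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (net, wild), tokens[2:]

def _matches(spec, addr):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == net & care

def parse_acl(text):
    """Parse permit/deny lines into (action, proto, src, dst, dst_port); other lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, rest = _addr(tok[2:])
        if rest[:1] == ["eq"]:      # source port: accepted but not evaluated here
            rest = rest[2:]
        dst, rest = _addr(rest)
        dport = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        entries.append((tok[0], tok[1], src, dst, dport))
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    """Verdict for one packet: top to bottom, first match wins, otherwise the implicit deny."""
    for action, e_proto, e_src, e_dst, e_dport in entries:
        if e_proto not in ("ip", proto):
            continue
        if e_dport is not None and e_dport != dport:
            continue
        if _matches(e_src, src) and _matches(e_dst, dst):
            return action
    return "deny"

# The opening post's ACL and the revised one from this post (placeholders filled in).
ORIGINAL_ACL = f"""
permit ip host {DHCP_SERVER} host {LAN_ADMIN}
permit ip 10.0.0.0 0.0.0.255 host {FIREWALL}
permit ip 10.0.0.0 0.0.0.255 host {CORE}
"""
REVISED_ACL = f"""
permit ip host {DHCP_SERVER} host {LAN_ADMIN}
permit ip 10.0.0.0 0.255.255.255 host {FIREWALL}
permit ip 10.0.0.0 0.255.255.255 host {CORE}
deny ip 10.0.0.0 0.255.255.255 172.18.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 172.19.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 128.1.0.0 0.0.248.255
permit ip any any
"""
# Editor's assumed tightened version (not from the thread): DHCP permitted explicitly,
# LAN ranges denied with contiguous wildcards, then the rest permitted. Internet-bound
# packets carry the remote address, not the firewall's, so they need that last line.
TIGHTENED_ACL = f"""
permit udp any eq bootpc any eq bootps
permit ip host {DHCP_SERVER} host {LAN_ADMIN}
permit ip 10.0.0.0 0.0.0.255 host {FIREWALL}
permit ip 10.0.0.0 0.0.0.255 host {CORE}
deny ip 10.0.0.0 0.0.0.255 128.1.0.0 0.0.255.255
deny ip 10.0.0.0 0.0.0.255 172.18.0.0 0.0.255.255
deny ip 10.0.0.0 0.0.0.255 172.19.0.0 0.0.255.255
permit ip 10.0.0.0 0.0.0.255 any
"""
DHCP_DISCOVER = ("udp", "0.0.0.0", "255.255.255.255", 67)  # client has no address yet

def verdicts(acl_text):
    """Push the same sample packets through one ACL; keys name the case."""
    acl = parse_acl(acl_text)
    return {
        "dhcp_discover": evaluate(acl, *DHCP_DISCOVER),
        "to_firewall": evaluate(acl, "ip", WLAN_CLIENT, FIREWALL),
        "to_172_18": evaluate(acl, "ip", WLAN_CLIENT, "172.18.1.1"),
        "to_128_1_16": evaluate(acl, "ip", WLAN_CLIENT, "128.1.16.5"),  # third octet 16 = 0b00010000
        "to_128_1_20": evaluate(acl, "ip", WLAN_CLIENT, "128.1.20.5"),  # third octet 20 = 0b00010100
        "to_internet": evaluate(acl, "ip", WLAN_CLIENT, "203.0.113.9"),
    }

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL), ("tightened", TIGHTENED_ACL)):
        print(name, verdicts(text))
```

Running it shows three things. With the opening post's ACL a DHCP Discover, which is sent from 0.0.0.0 to 255.255.255.255 before the client has an address, matches none of the 10.x source entries and falls to the implicit deny; the revised ACL lets it through only because of the closing permit ip any any. The deny with wildcard 0.0.248.255 matches only third octets whose low three bits are zero (0, 8, 16, ... 248), so a packet to 128.1.20.5 is not denied and reaches permit ip any any. The tightened variant permits DHCP explicitly and denies the LAN ranges with contiguous wildcards before permitting anything else, so leftover traffic ends in the implicit deny rather than a blanket permit.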
07-11-2013 02:18 PM
You need this command under the VLAN SVI:
ip access-group wireless in
07-13-2013 02:28 AM
Mohammad Ali wrote:
You need this command under the VLAN SVI:
ip access-group wireless in
Thank you, Mohammed. That seems to do what is required. But I do face a slight issue.
There is an issue with pings to my LAN being shown as "Destination net unreachable" rather than "Request timed out".
Update:
After a few checks I have a serious issue because of this access list. The phones look for Exchange and other services locally rather than taking the route to the firewall and accessing them over the Internet.
07-15-2013 01:21 PM
Any help? I'm totally lost.
07-15-2013 05:19 PM
Hi Jobin,
Where did you apply your wireless ACL? Interface VLAN 200 or interface GigabitEthernet4/1? You should apply your ACL on VLAN 200.
BTW, I see you are trying to ping, while I can't see an ACL entry for ICMP in your access list (e.g. permit icmp any any).
In your update, you said your phones look for Exchange locally, then over the Internet? Which VLAN are your phones in? Do you mean you changed the wireless ACL and it affects other services in other VLANs?
07-18-2013 02:15 AM
Thomas Fan wrote:
Hi Jobin,
Where did you apply your wireless ACL? Interface VLAN 200 or interface GigabitEthernet4/1? You should apply your ACL on VLAN 200.
BTW, I see you are trying to ping, while I can't see an ACL entry for ICMP in your access list (e.g. permit icmp any any).
In your update, you said your phones look for Exchange locally, then over the Internet? Which VLAN are your phones in? Do you mean you changed the wireless ACL and it affects other services in other VLANs?
I applied it on Interface VLAN 200.
Regarding the phones, what I meant is that the phones that are using VLAN 200, rather than going through the firewall and taking the external route, are not getting the local Exchange and Lync services because of the destination unreachable issue shown in the ping.
The devices on VLAN 200 now recognize that there is a local route, rather than trying through the firewall over the Internet for the same.
07-24-2013 10:32 AM
OK, so VLAN 200 is the wireless VLAN and you don't want users to be able to reach your other VLANs. You were able to accomplish this via the ACL, but now you have an issue with the VoIP phones that are sitting on VLAN 200. So they need to be able to reach their phone switch etc. You'll need to update the access list to allow VLAN 200 access to the devices that are handling all that.
07-24-2013 01:44 PM
Mohammed, thanks for the reply. The real requirement is an isolated network within the present network to handle wireless connections.
But the devices also need to access the firewall via the same core.
Though it is a partial success, I still have the wireless devices recognizing the other VLANs.
07-24-2013 02:14 PM
Hello
You could also try removing the WLAN VLAN from the trunks of the other switches.
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
07-26-2013 07:59 AM
I am confused: you do not want the traffic from the wireless VLAN to reach the internal networks such as 172.x.x.x, but you are also trying to ping one of the IPs on the 172.x.x.x network and saying that you can't ping it. Secondly, you are also saying that the phones that are on wireless VLAN 200 are not working, which most likely is because the back-end infrastructure for the phones is residing on the 172.x.x.x network. So can you elaborate on what exactly you are trying to accomplish? Do you want to be able to access the 172.x.x.x network from wireless VLAN 200 or not?
08-06-2013 01:45 AM
Thank you for the reply.
The reason for trying to ping 172.x.x.x was just to make sure that there is no sort of communication. But what I am receiving, rather than a timeout, is "destination unreachable".
The real requirement is that WLAN 200 should not know of or reach the internal network, but have all its resources reached through the firewall over the Internet.