Access list to permit connection to a remote site based on communication type

jomo frank
Level 1

Hello expert,

I have a member server in my remote branch (IP 10.40.10.10).

The branch is connected to the central office via two links:

(1) a 100 Mb wireless line and (2) a 1 Mb IP-DSL line.

The default (primary) connection is the wireless and the backup (failover) is the IP-DSL.

I would appreciate it if anyone can provide guidance on how to create an access list to allow a group of users (sec_group) stationed at the central office to access files on the remote server only when the communication is on wireless. If the wireless fails and IP-DSL is active, the group of users (sec_group) should not be allowed to connect to the member server.

To summarise: if the connection is wireless, allow sec_group to connect. If the connection is IP-DSL, disallow sec_group from connecting and, if already connected, drop the connection.

Regards

Jomo

Accepted Solution

Jomo

I think that this access list is fine, assuming that 10.40.10.10 is the correct address for the single server for which you want to control access and that sec_group does accurately include the correct members of the security group. This access list would be applied outbound on the dsl interface at the central site.

HTH

Rick


8 Replies 8

John Blakley
VIP Alumni

Jomo,

To clarify, you're wanting users at the central location to only access the member server at the branch site when the wireless is up? How is your routing set up between the 2 sites?

You could set up an EEM script to apply an ACL on the DSL side to deny those users inbound when the wireless link goes down.

John

HTH, John *** Please rate all useful posts ***

rizwanr74
Level 7

An IP-SLA and track condition can be used in this case.  

What is the central office users' IP segment?

thanks

It seems to me that EEM scripts and IP SLA are very nice very sophisticated possible solutions. But it seems to me that there is perhaps a more simple solution. I would assume that traffic that is over wireless is on one layer 3 interface and traffic over the dsl is over a different layer 3 interface. In this case it would seem that an access list placed on the dsl interface could deny traffic from the sec group to the server and permit other traffic and would accomplish the objective.

HTH

Rick


Hehe... And then there's the fact that I overthink sometimes...

HTH, John *** Please rate all useful posts ***

Hello Richard,

I like your suggestion. I have enclosed the two interfaces; I would be very grateful if you could provide an example of the access list using the info provided in the post.

interface GigabitEthernet0/0
 description Wireless Interface
 ip address 10.xxx.xxx.113 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description IP_DSL Interface
 ip address 10.xx.xx.13 255.255.255.0
 duplex auto
 speed auto

Regards

Hello Richard,

Below is an access list I created to be applied to the IP_DSL interface.

In the object-group I include the list of users. Since the group of users resides at the central site, I will apply the same to the central site IP_DSL interface.

ip access-list extended No_Ip_Dsl_ACC
 remark Deny sec_group to the branch member server over the DSL path
 deny   ip object-group sec_group host 10.40.10.10
 remark Everything else may use the DSL backup
 permit ip any any

Could you please vet this access list and see if it is okay?

Regards.

Jomo

Hello Richard,

Could you please vet the same (previous post) and provide feedback?

Regards

Jomo

I think that this access list is fine, assuming that 10.40.10.10 is the correct address for the single server for which you want to control access and that sec_group does accurately include the correct members of the security group. This access list would be applied outbound on the dsl interface at the central site.

HTH

Rick

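The complete configuration that Rick's answer implies, as an added example that is not part of the original thread. It assumes the central-site router, the Gi0/1 IP_DSL interface from Jomo's post, an IOS release that supports object-group ACLs, and constructed addresses (10.10.1.21, 10.10.1.22, 10.10.2.0/24) for the sec_group members, which the thread never gives:

```cisco
! Added example, not from the thread. Central-site router.
! Assumption: sec_group members live at the constructed addresses below;
! replace them with the real user segment before applying.
object-group network sec_group
 description Users allowed to reach 10.40.10.10 only over the wireless path
 host 10.10.1.21
 host 10.10.1.22
 10.10.2.0 255.255.255.0
!
ip access-list extended No_Ip_Dsl_ACC
 remark Deny sec_group -> branch member server when traffic is on the DSL path
 deny   ip object-group sec_group host 10.40.10.10
 remark Everything else may use the DSL backup
 permit ip any any
!
! Gi0/1 is the IP_DSL interface from the original post. Traffic only reaches
! this interface once routing has failed over from the wireless link, so the
! deny line only ever matches during a wireless outage.
interface GigabitEthernet0/1
 description IP_DSL Interface
 ip access-group No_Ip_Dsl_ACC out
!
! Verification: hit counts on the deny line should stay at zero while the
! wireless path is up, and the interface should report the outbound ACL.
show ip access-lists No_Ip_Dsl_ACC
show ip interface GigabitEthernet0/1 | include access list
```

Two caveats a practitioner would want. First, the "drop the connection" requirement is met only indirectly: when routing fails over, packets from sec_group to 10.40.10.10 start leaving via Gi0/1 and are silently dropped, so an established file-share session stalls until its TCP timers expire rather than being reset. Second, this is an address-based control, not an identity-based one: it is only as good as the static assignment of the listed addresses to the intended users, and a sec_group member who obtains a different address (or a non-member who obtains one of the listed ones) is treated according to the address, not the person.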