04-21-2022 12:15 PM
I am standing up 3 subnets on our core router. These will be routed through our core to our firewall and out to the internet. They will not be able to access any of our other internal networks or data. I am pretty new with ACLs and want to know if what I have makes sense and will work.
In our current network, we have a DMZ 192.168.0.xxx/24 network, a production 172.16.xxx.xxx network and a PLC 10.100.xxx.xxx network. The 3 subnets I am standing up are 10.10.0.0/23, 10.10.2.0/23 and 10.10.4.0/23. I have rules in my firewall and will be utilizing the following ACL. Does this make sense and will it work, or is there a better way to do this?
ip access-list extended WG
remark DHCP and DNS are matched first, so they still reach internal servers despite the deny lines below
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
remark keep each new /23 out of the existing internal address space (the three RFC 1918 ranges)
deny ip 10.10.0.0 0.0.1.255 10.0.0.0 0.255.255.255
deny ip 10.10.0.0 0.0.1.255 172.16.0.0 0.15.255.255
deny ip 10.10.0.0 0.0.1.255 192.168.0.0 0.0.255.255
deny ip 10.10.2.0 0.0.1.255 10.0.0.0 0.255.255.255
deny ip 10.10.2.0 0.0.1.255 172.16.0.0 0.15.255.255
deny ip 10.10.2.0 0.0.1.255 192.168.0.0 0.0.255.255
deny ip 10.10.4.0 0.0.1.255 10.0.0.0 0.255.255.255
deny ip 10.10.4.0 0.0.1.255 172.16.0.0 0.15.255.255
deny ip 10.10.4.0 0.0.1.255 192.168.0.0 0.0.255.255
remark everything else is routed on to the firewall and out to the internet
permit ip any any
permit tcp any any
!
04-21-2022 01:01 PM - edited 04-21-2022 01:02 PM
Couple of things to note.
You don't need "permit tcp any any" at the end, as "permit ip any any" covers TCP, UDP, ICMP etc.
Also, I assume you have L3 interfaces on the core switch for the new subnets, so I would do separate ACLs per subnet. You would end up with three ACLs, although you can do it all in one and then apply the same ACL to all three L3 interfaces.
The ACL(s) would be applied inbound on the L3 interfaces.
Jon
04-21-2022 01:30 PM
Based on what you stated, I've made the permit statement change and separated these out into 3 different ACLs for simplification, with a different one applying to each interface.
ip access-list extended WG1
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
deny ip 10.10.0.0 0.0.1.255 10.0.0.0 0.255.255.255
deny ip 10.10.0.0 0.0.1.255 172.16.0.0 0.15.255.255
deny ip 10.10.0.0 0.0.1.255 192.168.0.0 0.0.255.255
permit ip any any
!
ip access-list extended WG2
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
deny ip 10.10.2.0 0.0.1.255 10.0.0.0 0.255.255.255
deny ip 10.10.2.0 0.0.1.255 172.16.0.0 0.15.255.255
deny ip 10.10.2.0 0.0.1.255 192.168.0.0 0.0.255.255
permit ip any any
!
ip access-list extended WG3
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
deny ip 10.10.4.0 0.0.1.255 10.0.0.0 0.255.255.255
deny ip 10.10.4.0 0.0.1.255 172.16.0.0 0.15.255.255
deny ip 10.10.4.0 0.0.1.255 192.168.0.0 0.0.255.255
permit ip any any
!
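To see how these lists actually behave once they are applied inbound on the L3 interfaces, here is an added example (not part of the thread, not Cisco code): a small evaluator that parses the WG1 and WG2 lists exactly as posted, together with an interface config that binds them with `ip access-group ... in`, and runs constructed packets through them with IOS first-match semantics and the implicit `deny ip any any` at the end. The interface names Vlan10/Vlan12 and their addresses are an assumption; the thread never names the interfaces. The test packets and the 203.0.113.10 "internet" address are constructed.

```python
"""Evaluate Cisco IOS extended ACLs against constructed test packets.

Added example, not from the thread. The ACL text is WG1 and WG2 as posted;
the interface stanzas binding them inbound are an ASSUMPTION (the thread
never names the L3 interfaces or their addresses).
"""
import ipaddress

# Constructed config: the posted ACLs plus assumed interfaces applying them inbound.
IOS_CONFIG = """
ip access-list extended WG1
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any any eq domain
 deny ip 10.10.0.0 0.0.1.255 10.0.0.0 0.255.255.255
 deny ip 10.10.0.0 0.0.1.255 172.16.0.0 0.15.255.255
 deny ip 10.10.0.0 0.0.1.255 192.168.0.0 0.0.255.255
 permit ip any any
!
ip access-list extended WG2
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any any eq domain
 deny ip 10.10.2.0 0.0.1.255 10.0.0.0 0.255.255.255
 deny ip 10.10.2.0 0.0.1.255 172.16.0.0 0.15.255.255
 deny ip 10.10.2.0 0.0.1.255 192.168.0.0 0.0.255.255
 permit ip any any
!
interface Vlan10
 ip address 10.10.0.1 255.255.254.0
 ip access-group WG1 in
!
interface Vlan12
 ip address 10.10.2.1 255.255.254.0
 ip access-group WG2 in
!
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}  # IOS keywords used in the thread


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (base, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(tok), _ip(tokens.pop(0)))


def _parse_port(tokens):
    """Optional 'eq PORT' following an address (the only port operator the thread uses)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def _parse_entry(line):
    tokens = line.split()
    entry = {"text": line, "action": tokens.pop(0), "proto": tokens.pop(0)}
    entry["src"] = _parse_addr(tokens)
    entry["sport"] = _parse_port(tokens)
    entry["dst"] = _parse_addr(tokens)
    entry["dport"] = _parse_port(tokens)
    return entry


def parse_config(text):
    """Return ({acl_name: [entries]}, {interface: (acl_name, direction)})."""
    acls, bindings = {}, {}
    acl = iface = None
    for raw in text.splitlines():
        line = raw.strip()
        words = line.split()
        if not words or line == "!":
            acl = iface = None          # '!' or a blank line ends the current block
        elif line.startswith("ip access-list extended "):
            acl, iface = words[-1], None
            acls[acl] = []
        elif line.startswith("interface "):
            iface, acl = words[-1], None
        elif line.startswith("ip access-group ") and iface:
            bindings[iface] = (words[2], words[3])
        elif acl and words[0] in ("permit", "deny"):
            acls[acl].append(_parse_entry(line))
    return acls, bindings


def _addr_match(spec, ip):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the base address.
    return ((_ip(ip) ^ base) & ~wild & 0xFFFFFFFF) == 0


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """IOS semantics: first matching entry wins; an implicit 'deny ip any any' ends every ACL."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (_addr_match(e["src"], src) and _addr_match(e["dst"], dst)):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["text"]
    return "deny", "implicit deny ip any any"


def check_inbound(config_text, iface, proto, src, dst, sport=None, dport=None):
    """Decide whether a packet entering `iface` passes the ACL bound there inbound."""
    acls, bindings = parse_config(config_text)
    name, direction = bindings[iface]
    if direction != "in":
        raise ValueError(f"{iface}: ACL {name} is bound {direction}, not inbound")
    return evaluate(acls[name], proto, src, dst, sport, dport)[0]


if __name__ == "__main__":
    cases = [  # constructed packets: (ingress interface, proto, src, dst, dport)
        ("Vlan10", "udp", "10.10.0.50", "10.100.1.10", 53),    # DNS to an internal server: permit
        ("Vlan10", "tcp", "10.10.0.50", "10.100.1.10", 53),    # same query over TCP: deny
        ("Vlan10", "tcp", "10.10.0.50", "172.16.10.5", 445),   # production network: deny
        ("Vlan10", "tcp", "10.10.0.50", "10.10.2.20", 80),     # sibling /23, inside 10/8: deny
        ("Vlan10", "tcp", "10.10.0.50", "203.0.113.10", 443),  # internet via the firewall: permit
        ("Vlan10", "tcp", "10.10.2.20", "172.16.10.5", 445),   # spoofed source on Vlan10: permit
    ]
    for iface, proto, src, dst, dport in cases:
        print(iface, proto, src, "->", dst, dport, check_inbound(IOS_CONFIG, iface, proto, src, dst, dport=dport))
```

Two of the constructed cases are worth a second look. The `permit udp any any eq domain` line only matches UDP 53, so a DNS query from the new subnets to an internal resolver over TCP (large responses, zone transfers) falls through to the deny lines; if that matters, a matching `permit tcp any any eq domain` belongs next to it. The last case shows that the deny entries key on the source /23: a packet entering Vlan10 with a source address outside 10.10.0.0/23 is not caught by WG1's deny lines and reaches `permit ip any any`. Since each ACL is bound to its own interface anyway, writing those three denies with a source of `any` (or enabling unicast RPF on the interface with `ip verify unicast source reachable-via rx`) closes that gap without changing anything for legitimate hosts on the subnet.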
04-21-2022 01:38 PM
Yep, that is the way I would do it, and then just apply each ACL inbound on its L3 interface.
Jon
04-21-2022 01:39 PM
Thank you