After Applying ACL, Not Able to Hit Internal Web Server

FoxtrotRomeo
Level 1

This isn't a big deal as the rest of the ACL works fine, but this is an annoyance since the web auth redirects to our company website (internal for now) after successful login.

We have a Cisco WLC that provides access to our production and guest wireless environments.  The guest environment of course is in a separate vlan (10.10.50.0/24).  So I created this ACL:

access-list 107 permit udp any host 10.10.2.13 eq bootpc <----internal DHCP server
access-list 107 permit udp any host 10.10.2.13 eq bootps
access-list 107 deny ip any 10.10.0.0 0.0.255.255 <---all internal networks
access-list 107 deny ip any 172.28.16.0 0.0.0.255 <----DR Network
access-list 107 permit ip any any

int vlan 50
Desc "Guest wireless network"
ip access-group 107 in

This ACL basically gives the wireless guests access to an internal DHCP server and full access to the internet.  For the 10.10.50.0/24 scope, the DHCP server assigns Internet DNS servers and my rationale is that wireless clients would access it via the external IP address but I suppose it doesn't work quite like that with the website being behind the same router as the client machines.  What's the best way to get this working? 


Accepted Solution

FoxtrotRomeo
Level 1

Okay I fixed it.  Had a mental freeze.  If I want them to access an internal website on the internal LAN the machines need to use the internal DNS server.  I added the internal DNS servers to the DHCP scope for the guest network and then added them to the ACL along with the web server IP and it works.

Somehow I thought it was more secure to have the guests use an external DNS server.
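The fix the accepted answer describes, written out as an added example rather than the poster's own final config: it uses a named extended ACL where the original used numbered list 107, permits only DNS to the internal resolvers and only HTTP/HTTPS to the web server, and keeps those permits ahead of the internal-network denies. The resolver addresses (10.10.2.20, 10.10.2.21) and web server address (10.10.2.30) are placeholders, since the thread does not give them.

```cisco
! Added example, not the poster's configuration.
! 10.10.2.20 / 10.10.2.21 (internal DNS) and 10.10.2.30 (web server) are placeholders.
ip access-list extended GUEST-WIFI-IN
 remark -- DHCP: client renewals are unicast to the server's bootps (67) port.
 remark -- Initial broadcasts go to 255.255.255.255 and fall through to the final permit,
 remark -- so no bootpc (68) line toward the server is needed.
 permit udp any host 10.10.2.13 eq bootps
 remark -- DNS: guests must resolve the internal name, so allow port 53 (udp and tcp)
 remark -- only to the resolvers handed out by the guest DHCP scope.
 permit udp any host 10.10.2.20 eq domain
 permit tcp any host 10.10.2.20 eq domain
 permit udp any host 10.10.2.21 eq domain
 permit tcp any host 10.10.2.21 eq domain
 remark -- Web: only HTTP/HTTPS to the web server, nothing else on that host.
 permit tcp any host 10.10.2.30 eq www
 permit tcp any host 10.10.2.30 eq 443
 remark -- Everything else internal stays blocked. ACLs are evaluated top-down,
 remark -- so these denies must sit AFTER the permits above. 'log' records hits
 remark -- from guests probing the internal ranges.
 deny   ip any 10.10.0.0 0.0.255.255 log
 deny   ip any 172.28.16.0 0.0.0.255 log
 permit ip any any
!
interface Vlan50
 description Guest wireless network
 ip access-group GUEST-WIFI-IN in
```

After applying it, `show ip access-lists GUEST-WIFI-IN` shows per-line match counters, which confirms the DNS and web permits are being hit and that the denies are not absorbing the traffic.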
