02-08-2015 12:32 PM - edited 03-07-2019 10:33 PM
Hello,
I have a VLAN (Let's say it's a guest wireless VLAN). I would like to have the following rules:
I have been able to accomplish this with a temporary workaround using these rules:
access-list wireless-guest_access_in extended permit ip any host 172.20.20.25
access-list wireless-guest_access_in extended deny ip any 172.20.20.0 255.255.254.0
access-list wireless-guest_access_in extended deny ip any 172.21.20.0 255.255.255.0
access-list wireless-guest_access_in extended permit ip any any
But the problem here is that if I ever add a new VLAN I have to remember to put it in the DENY rule above.
The real thing that I would like to do is this:
Alas, I cannot do #2... I tried without success:
access-list wireless-guest_access_in extended permit ip any interface outside
P.S. I have NATs set up also for all this, which are:
object network network:all-traffic-wireless-outside
 subnet 0.0.0.0 0.0.0.0
object network network:all-traffic-wireless-outside
 nat (wireless-guest,outside) dynamic interface
object network network:all-traffic-wireless-inside
 nat (wireless-guest,inside) dynamic interface
Thanks for any input you may have.
02-09-2015 01:24 PM
You have to do the deny lines first because the internet IPs could be any.
There are a couple of approaches you could use -
1) depending on your devices you could use a VRF and just leak the specific host you want to allow.
But it could get a bit complicated depending on your setup.
2) An easier solution is, because your LAN is using private addressing, you can just summarise all 172.x.x.x private IPs with one line.
So your acl would be
permit ip any host 172.20.20.25
deny ip any 172.16.0.0 255.240.0.0
permit ip any any
so if you add another internal vlan using 172.x.x.x private addressing your acl will already cover it.
Note the vlans already in use are using private addressing as I said, but for some reason you have used 172.20.x.x and 172.21.x.x.
You may be better to pick a common second octet.
If you did standardise on a second octet you could just summarise that.
Edit - the summarisation assumes that there are no remote 172.16.0.0/12 networks you want the wireless to access through the firewall.
They would only be via VPNs because these IPs are not routable on the internet.
Jon
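To see why the ordering and the summary line matter, here is an added example (not code from the thread or from either poster): a small first-match simulator for ASA-style extended ACLs that evaluates the poster's per-VLAN workaround and Jon's summarised version side by side. The ACL lines are the ones quoted above; the guest client source address, the hypothetical new 172.22.0.0/24 VLAN and the other test destinations are constructed for the example.

```python
import ipaddress

# Added example, not from the original thread: a first-match simulator for
# ASA-style extended ACLs, used to compare the poster's per-VLAN deny list
# with the single summary line for 172.16.0.0/12 that Jon suggests.

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens):
    """Consume one ASA address spec (any | host A.B.C.D | NET MASK)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA ACLs take a subnet mask (255.240.0.0), not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny ip SRC DST' into (action, src, dst)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended" or tokens[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = tokens[3]
    src, rest = _parse_addr(tokens[5:])
    dst, rest = _parse_addr(rest)
    return action, src, dst


def evaluate(acl, src, dst):
    """Return the action of the first matching ACE; ASA denies if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit deny at the end of every ASA ACL


# The poster's workaround, as written in the question.
ORIGINAL_ACL = [parse_ace(l) for l in [
    "access-list wireless-guest_access_in extended permit ip any host 172.20.20.25",
    "access-list wireless-guest_access_in extended deny ip any 172.20.20.0 255.255.254.0",
    "access-list wireless-guest_access_in extended deny ip any 172.21.20.0 255.255.255.0",
    "access-list wireless-guest_access_in extended permit ip any any",
]]

# Jon's version: one summary line for 172.16.0.0/12 replaces the per-VLAN denies.
SUMMARY_ACL = [parse_ace(l) for l in [
    "access-list wireless-guest_access_in extended permit ip any host 172.20.20.25",
    "access-list wireless-guest_access_in extended deny ip any 172.16.0.0 255.240.0.0",
    "access-list wireless-guest_access_in extended permit ip any any",
]]


def compare(destinations, src="192.168.200.50"):
    """Map each destination to (original_action, summary_action) for one guest client.
    The default source is a constructed guest-VLAN client address, not from the thread."""
    return {dst: (evaluate(ORIGINAL_ACL, src, dst), evaluate(SUMMARY_ACL, src, dst))
            for dst in destinations}


if __name__ == "__main__":
    # Constructed destinations: the allowed host, the two listed VLANs, a hypothetical
    # new 172.22.0.0/24 VLAN, a 172.16.x network of the kind Jon's edit warns about,
    # and an internet address.
    for dst, (orig, summ) in compare([
        "172.20.20.25", "172.20.21.9", "172.21.20.7",
        "172.22.0.10", "172.16.50.1", "203.0.113.10",
    ]).items():
        flag = "" if orig == summ else "   <-- differs"
        print(f"{dst:>15}: original={orig:6} summary={summ:6}{flag}")
```

Running it shows the two gaps in one table: a new 172.22.0.0/24 VLAN is permitted by the original list (the "I have to remember" problem) but denied by the summary, while any 172.16.0.0/12 network reached through the firewall, for example over a VPN, is also denied by the summary, which is exactly the caveat in Jon's edit.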