Allow traffic from a vlan to the outside, with exceptions

Brendan Wood
Level 1

Hello,


I have a VLAN (let's say it's a guest wireless VLAN). I would like to have the following rules:

  1. Allow traffic to one server on the inside (172.20.20.25).
  2. Allow traffic to the internet without restriction.
  3. Do not allow any other traffic to the inside (172.20.20.0) or the DMZ (172.21.20.0) at all, apart from #1.


I have been able to accomplish this with a temporary workaround using these rules:

access-list wireless-guest_access_in extended permit ip any host 172.20.20.25 
access-list wireless-guest_access_in extended deny ip any 172.20.20.0 255.255.254.0 
access-list wireless-guest_access_in extended deny ip any 172.21.20.0 255.255.255.0 
access-list wireless-guest_access_in extended permit ip any any 


But the problem here is that if I ever add a new VLAN I have to remember to put it in the DENY rule above.


The real thing that I would like to do is this:

  1. Permit server inside (.25)
  2. Permit stuff to the outside.
  3. Deny everything else.


Alas, I cannot do #2... I tried without success:

access-list wireless-guest_access_in extended permit ip any interface outside 


P.S. I have NATs set up for all this as well, which are:

object network network:all-traffic-wireless-outside
 subnet 0.0.0.0 0.0.0.0
object network network:all-traffic-wireless-outside
 nat (wireless-guest,outside) dynamic interface
object network network:all-traffic-wireless-inside
 nat (wireless-guest,inside) dynamic interface


Thanks for any input you may have.

1 Reply

Jon Marshall
Hall of Fame

You have to do the deny lines first because the internet IPs could be any.

There are a couple of approaches you could use -

1) Depending on your devices you could use a VRF and just leak the specific host you want to allow.

But it could get a bit complicated depending on your setup.

2) An easier solution is, because your LAN is using private addressing, you can just summarise all 172.x.x.x private IPs with one line.

So your ACL would be:

permit ip any host 172.20.20.25
deny ip any 172.16.0.0 255.240.0.0
permit ip any any

So if you add another internal VLAN using 172.x.x.x private addressing, your ACL will already cover it.

Note the VLANs already in use are using private addressing as I said, but for some reason you have used 172.20.x.x and 172.21.x.x.

You may be better to pick a common second octet.

If you did standardise on a second octet you could just summarise that.

Edit - the summarisation assumes that there are no remote 172.16.0.0/12 networks you want the wireless to access through the firewall.

They would only be via VPNs because these IPs are not routable on the internet.

Jon
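The following is an added example, not code from either post in this thread. It models the ASA's first-match ACL evaluation (with the implicit deny at the end) in Python so you can check a candidate ACL against the three requirements before you push it to the firewall. The two ACLs, the sample destinations and the "new VLAN" address 172.30.1.1 are constructed for this example; the ACL name and the server 172.20.20.25 come from the thread. It also renders the CIDR entries back into ASA `access-list ... extended` syntax, which is where the 255.240.0.0 mask for 172.16.0.0/12 comes from.

```python
import ipaddress

ACL_NAME = "wireless-guest_access_in"   # ACL name from the thread
ALLOWED_HOST = "172.20.20.25"           # the one inside server guests may reach

# Each entry is (action, destination CIDR); the source is "any" throughout,
# exactly as in the thread's ACL. Both lists are constructed for this example.
ORIGINAL_ACL = [
    ("permit", "172.20.20.25/32"),
    ("deny",   "172.20.20.0/23"),
    ("deny",   "172.21.20.0/24"),
    ("permit", "0.0.0.0/0"),
]

# Jon's version: one line covers the whole 172.16.0.0/12 private block.
SUMMARISED_ACL = [
    ("permit", "172.20.20.25/32"),
    ("deny",   "172.16.0.0/12"),
    ("permit", "0.0.0.0/0"),
]


def evaluate(acl, dst):
    """First-match evaluation like an ASA ACL; unmatched traffic hits the implicit deny."""
    addr = ipaddress.ip_address(dst)
    for action, net in acl:
        if addr in ipaddress.ip_network(net):
            return action
    return "deny"


def private_leaks(acl, samples):
    """Private (RFC 1918) destinations other than ALLOWED_HOST that the ACL permits.

    An empty list means requirement #3 holds for every sampled address."""
    return [
        d for d in samples
        if ipaddress.ip_address(d).is_private
        and d != ALLOWED_HOST
        and evaluate(acl, d) == "permit"
    ]


def to_asa(acl, name=ACL_NAME):
    """Render (action, CIDR) entries as ASA 'access-list ... extended' lines."""
    lines = []
    for action, net in acl:
        n = ipaddress.ip_network(net)
        if n.prefixlen == 32:
            dst = f"host {n.network_address}"
        elif n.prefixlen == 0:
            dst = "any"
        else:
            # ASA uses a dotted subnet mask, not a prefix length
            dst = f"{n.network_address} {n.netmask}"
        lines.append(f"access-list {name} extended {action} ip any {dst}")
    return lines


# Constructed sample destinations: the permitted server, a sibling host on the
# inside VLAN, a DMZ host, a hypothetical future VLAN (172.30.1.1), a public
# resolver, and 172.32.0.1, which sits just outside 172.16.0.0/12 and is public.
SAMPLES = ["172.20.20.25", "172.20.20.40", "172.21.20.5",
           "172.30.1.1", "8.8.8.8", "172.32.0.1"]

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("summarised", SUMMARISED_ACL)):
        print(f"{label}: leaks to private space -> {private_leaks(acl, SAMPLES)}")
        for line in to_asa(acl):
            print("  " + line)
```

Run as a script, the original ACL reports 172.30.1.1 as a leak (a new VLAN that nobody remembered to add to the deny lines reaches the internet rule), while the summarised ACL reports none. Jon's caveat applies here too: any 172.16.0.0/12 network that guests legitimately need to reach over a VPN must get its own `permit` line above the `deny`, in the same position as the 172.20.20.25 entry, or the summarised deny will block it.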
