06-13-2011 07:33 AM - edited 03-07-2019 12:47 AM
Hello,
I have a network that has 3 subnets (10.234.240.0/24; 10.234.241.0/24; 10.234.242.0/24). Within each of these networks I have several servers. For purposes of example, I'll assign the following IP addresses:
Server 1, 10.234.240.10
Server 2, 10.234.241.10
Server 3, 10.234.242.10
All 3 of these servers reside on the same Layer 3 switch and the Layer 3 switch has the following Default Gateway: 0.0.0.0 0.0.0.0 10.234.240.5, that default gateway points to an ASA firewall which then goes to the internet.
I'd like to restrict all but the servers listed above from being able to reach the internet, but I'd like to provide the access control list on the Layer 3 switch that all these devices are plugged into. So essentially, unless it's listed above, the ACL will restrict anything else from reaching the default gateway.
My question is: how do I configure this, or can someone provide me with an example?
06-13-2011 07:51 AM
You will need to apply the following.
access-list 101 permit ip host 10.234.240.10 any
access-list 101 permit ip host 10.234.241.10 any
access-list 101 permit ip host 10.234.242.10 any
or
access-list 102 permit ip host 10.234.240.10 any
access-list 102 permit ip 10.234.240.0 0.0.0.255 10.234.240.0 0.0.3.255
access-list 103 permit ip host 10.234.241.10 any
access-list 103 permit ip 10.234.241.0 0.0.0.255 10.234.240.0 0.0.3.255
access-list 104 permit ip host 10.234.242.10 any
access-list 104 permit ip 10.234.242.0 0.0.0.255 10.234.240.0 0.0.3.255
Then apply it to your outbound interface connected to your firewall.
Now the question becomes what is the configuration of the switch connected to the ASA? Is it a routed port or a switchport?
Routed
interface fastethernet0/1
ip address 10.234.240.4 255.255.255.0
Switched
interface fastethernet0/1
switchport mode access
switchport access vlan 10
This will determine where you place your ACL. If it is a routed port then:
int fa0/1
ip access-group 101 in
If it is a switched port then it would be a bit different.
int vlan 10
ip access-group 10[1|2|3] in
For each addressed vlan you have in this example.
Message was edited by: Antonio Knox. Edison has a perfect example that he posted before I cleaned up my post.
06-13-2011 07:52 AM
On the switch, under SVI for 10.234.240.x/24
access-list 101 permit ip host 10.234.240.10 any
access-list 101 permit ip 10.234.240.0 0.0.0.255 10.234.240.0 0.0.3.255
interface vlan x
ip access-group 101 in
under SVI for 10.234.241.x/24
access-list 102 permit ip host 10.234.241.10 any
access-list 102 permit ip 10.234.241.0 0.0.0.255 10.234.240.0 0.0.3.255
interface vlan x
ip access-group 102 in
under SVI for 10.234.242.x/24
access-list 103 permit ip host 10.234.242.10 any
access-list 103 permit ip 10.234.242.0 0.0.0.255 10.234.240.0 0.0.3.255
interface vlan x
ip access-group 103 in
Regards,
Edison
06-13-2011 07:55 AM
Kyle
Assuming that you want the 3 subnets to be able to communicate with each other the logic of the acl is -
1) permit each subnet to talk to the other subnets
2) permit the server to talk to any address (ie. the internet)
3) deny the rest of the subnet from talking to any address - note you have already allowed the rest of the subnet to talk to the other subnets in step 1).
So an example for subnet 10.234.240.0/24 would be -
access-list 101 permit ip 10.234.240.0 0.0.0.255 10.234.241.0 0.0.0.255
access-list 101 permit ip 10.234.240.0 0.0.0.255 10.234.242.0 0.0.0.255
access-list 101 permit ip host 10.234.240.10 any
access-list 101 deny ip 10.234.240.0 0.0.0.255 any
you then need acl 102 and acl 103 for the other subnets.
Note though that because your ASA default gateway is in the 10.234.240.0/24 subnet, a client could simply set its DG to be the ASA, so you need to either -
1) block 10.234.240.x traffic on ASA
or
2) if you want to do it all on the switch create a separate vlan or P2P link between the switch and the ASA
Edit - Edison's acl example is a better one to use.
Jon
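Jon's three-step ACL above and Edison's two-line variant, run through a small evaluator so you can see which flows each one permits and why an SVI ACL cannot catch a host that points its gateway straight at the ASA. This is an added example, not code from the thread; it assumes the numbered extended ACL syntax as posted, and the internet address 203.0.113.1 is a constructed value.

```python
import ipaddress
# Added example, not from the thread; 203.0.113.1 below is a constructed host.
ASA_GW = "10.234.240.5"   # the switch's default route, per the question
# Jon's ACL 101 for 10.234.240.0/24, exactly as posted
JON_101 = """
access-list 101 permit ip 10.234.240.0 0.0.0.255 10.234.241.0 0.0.0.255
access-list 101 permit ip 10.234.240.0 0.0.0.255 10.234.242.0 0.0.0.255
access-list 101 permit ip host 10.234.240.10 any
access-list 101 deny ip 10.234.240.0 0.0.0.255 any
"""
# Edison's shorter variant, with the 'host' keyword IOS requires
EDISON_101 = """
access-list 101 permit ip host 10.234.240.10 any
access-list 101 permit ip 10.234.240.0 0.0.0.255 10.234.240.0 0.0.3.255
"""
def _wild_match(addr, base, wildcard):
    """Cisco wildcard match: set bits in the wildcard are 'don't care'."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care

def _parse_addr(tokens):
    # Consume one address spec: 'any', 'host X', or 'X WILDCARD'
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        entries.append((t[2], src, dst))
    return entries

def evaluate(entries, src, dst):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for action, (sb, sw), (db, dw) in entries:
        if _wild_match(src, sb, sw) and _wild_match(dst, db, dw):
            return action
    return "deny"

def internet_result(entries, src, gateway, dst="203.0.113.1"):
    """An inbound SVI ACL only sees packets the host hands to the SVI; a host
    that points its gateway at the ASA (same VLAN) bypasses it at layer 2."""
    return "acl bypassed" if gateway == ASA_GW else evaluate(entries, src, dst)
```

Both ACLs give the same answers for the server, a non-server host, and subnet-to-subnet traffic; only moving the ASA off the server VLAN (Jon's option 2) or filtering on the ASA (option 1) closes the gateway bypass.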
06-13-2011 08:02 AM
Excellent point by Jon about the default gateway.