Help simplifying an ACL on our network

tim829
Level 1

Bottom line is I struggle with ACLs, and I feel like there should be a simpler way to do this than what I currently have implemented.


We're providing network/wireless/internet resources to another "business" that is loosely associated with us. Obviously this brings up security concerns, as we need segregation between us, so I'm trying to accomplish this through ACLs.


I have them set up on a separate VLAN (428) and have the following ACL configured, which works:


interface Vlan428
 description Business
 ip address 10.42.67.1 255.255.255.0
 ip access-group Inbound-Business in
 ip helper-address 10.15.60.2
 ip helper-address 10.15.60.3

ip access-list extended Inbound-Business
 remark ping and DHCP (DHCP DISCOVER is sourced from 0.0.0.0, so source 'any' is needed)
 permit icmp any any
 permit udp any any eq bootps
 permit udp any any eq bootpc
 remark DHCP and DNS to the two DCs
 permit udp 10.42.67.0 0.0.0.255 host 10.15.60.2 range bootps bootpc
 permit udp 10.42.67.0 0.0.0.255 host 10.15.60.3 range bootps bootpc
 permit udp 10.42.67.0 0.0.0.255 host 10.15.60.2 eq domain
 permit udp 10.42.67.0 0.0.0.255 host 10.15.60.3 eq domain
 remark ESET server (agent and update ports)
 permit tcp 10.42.67.0 0.0.0.255 host 10.15.60.6 eq 2222
 permit tcp 10.42.67.0 0.0.0.255 host 10.15.60.6 eq 2221
 remark web (80/443, QUIC), XMPP 5222 and Google services 5228
 permit tcp 10.42.67.0 0.0.0.255 any eq www
 permit tcp 10.42.67.0 0.0.0.255 any eq 443
 permit udp 10.42.67.0 0.0.0.255 any eq 443
 permit udp 10.42.67.0 0.0.0.255 any eq 5222
 permit tcp 10.42.67.0 0.0.0.255 any eq 5222
 permit udp 10.42.67.0 0.0.0.255 any eq 5228
 permit tcp 10.42.67.0 0.0.0.255 any eq 5228
 remark replies from VNC servers on the Business VLAN (source port 5900); ACL is stateless
 permit tcp 10.42.67.0 0.0.0.255 eq 5900 any
 deny ip any any

Now the issue I'm running into is that the couple of computers they have are on our domain, so I'm having to open up domain-specific resources to the DCs (10.15.60.2 and 10.15.60.3) for the computers, as well as other web resources (mainly Google stuff) and communication to the ESET server (10.15.60.6) to get updates and allow communication.


I want to get away from having to define specific resources and ports in the ACL. I want to allow their VLAN to access everything on the Internet, both DCs, and the ESET server, but block outgoing communication with every other VLAN on our network. I'm not worried about other VLANs being able to access them, just not the other way around.


Thanks


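An added example of the simplified ACL the post asks for; it is not from the original poster or from Cisco. It relies on first-match ordering: permit the three internal hosts explicitly, then deny the rest of the internal address space, then permit everything that is left (the Internet). It assumes that every internal VLAN lives inside the RFC 1918 ranges (the only prefixes visible in the post are 10.15.60.x and 10.42.67.x), that the DCs and the ESET server may be reached on any port, and that the DCs are also the DHCP servers, as the helper-addresses suggest. The ACL name Inbound-Business-v2 is invented so the new list can be built in full before the interface is switched over.

```cisco
ip access-list extended Inbound-Business-v2
 remark ping, and DHCP DISCOVER (sourced from 0.0.0.0, so the source must be 'any')
 permit icmp any any
 permit udp any any eq bootps
 remark full access to the two DCs and the ESET server (assumed: all ports are acceptable)
 permit ip 10.42.67.0 0.0.0.255 host 10.15.60.2
 permit ip 10.42.67.0 0.0.0.255 host 10.15.60.3
 permit ip 10.42.67.0 0.0.0.255 host 10.15.60.6
 remark ACL is stateless: replies from VNC servers on the Business VLAN to other VLANs
 permit tcp 10.42.67.0 0.0.0.255 eq 5900 any
 remark block every other internal VLAN (assumed: all internal space is RFC 1918)
 deny ip 10.42.67.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.42.67.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 10.42.67.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark whatever is left is the Internet
 permit ip 10.42.67.0 0.0.0.255 any
 remark explicit final deny so hit counters show what was dropped
 deny ip any any

interface Vlan428
 ip access-group Inbound-Business-v2 in
```

Two points worth checking before relying on this. First, the list is stateless, so any session that other VLANs initiate toward the Business VLAN still needs its return traffic permitted before the deny lines; the source-port 5900 entry carried over from the original does that for VNC only, and `permit tcp 10.42.67.0 0.0.0.255 any established` would cover all such TCP sessions at the cost of letting any ACK-flagged segment out. Second, if the organisation uses non-RFC 1918 space internally, each such prefix needs its own deny line, otherwise the final `permit ip ... any` lets the Business VLAN reach it. After applying, `show ip access-lists Inbound-Business-v2` shows per-entry match counters, which is the quickest way to confirm that domain, DNS and ESET traffic is hitting the host entries and that the deny lines are catching attempts to reach other VLANs.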