I need help to set a ACL in my network

nowak-kacper99
Level 1

Can someone help me create an ACL? I want an ACL for 192.168.x.0, x = VLAN 10, 30, 40, 100 in site A, and these networks should have access to some DMZ servers. Server IPs: FTP 10.66.0.3, HTTPS/Syslog 10.66.0.2, Email 10.66.0.4, DNS 10.66.0.5. VLANs 20, 220
and 120 from site B should have access to the email, HTTPS and DNS servers. VLAN 100 (admins) should be able to ping all the networks, and the different VLANs shouldn't be able to see each other, with the exception of VLANs 20, 120 and 220.

Below I attach the Packet Tracer file

We appreciate your help

6 Replies

Gerard Paulino
Level 1

Hmm, two seconds on ChatGPT:

I'll help you create ACLs for this scenario. Let me break this down into clear requirements first:

Site A:

  • VLANs: 10, 30, 40, 100 (networks: 192.168.10.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.100.0/24)
  • Need access to DMZ servers:
    • FTP (10.66.0.3)
    • HTTPS/Syslog (10.66.0.2)
    • Email (10.66.0.4)
    • DNS (10.66.0.5)

Site B:

  • VLANs: 20, 120, 220
  • Need access to:
    • Email (10.66.0.4)
    • HTTPS (10.66.0.2)
    • DNS (10.66.0.5)

Special Requirements:

  • VLAN 100 (admin) needs ping access to all networks
  • VLANs 20, 120, 220 can communicate with each other
  • Other VLANs should not see each other

Result:

! ACL for Site A VLANs (10,30,40) access to DMZ
ip access-list extended SITE_A_TO_DMZ
permit tcp 192.168.10.0 0.0.0.255 host 10.66.0.3 eq ftp
permit tcp 192.168.10.0 0.0.0.255 host 10.66.0.2 eq 443
permit tcp 192.168.10.0 0.0.0.255 host 10.66.0.4 eq smtp
permit udp 192.168.10.0 0.0.0.255 host 10.66.0.5 eq domain
permit tcp 192.168.30.0 0.0.0.255 host 10.66.0.3 eq ftp
permit tcp 192.168.30.0 0.0.0.255 host 10.66.0.2 eq 443
permit tcp 192.168.30.0 0.0.0.255 host 10.66.0.4 eq smtp
permit udp 192.168.30.0 0.0.0.255 host 10.66.0.5 eq domain
permit tcp 192.168.40.0 0.0.0.255 host 10.66.0.3 eq ftp
permit tcp 192.168.40.0 0.0.0.255 host 10.66.0.2 eq 443
permit tcp 192.168.40.0 0.0.0.255 host 10.66.0.4 eq smtp
permit udp 192.168.40.0 0.0.0.255 host 10.66.0.5 eq domain
deny ip any any

! ACL for Site B VLANs (20,120,220) access to specific DMZ servers
ip access-list extended SITE_B_TO_DMZ
permit tcp 192.168.20.0 0.0.0.255 host 10.66.0.4 eq smtp
permit tcp 192.168.20.0 0.0.0.255 host 10.66.0.2 eq 443
permit udp 192.168.20.0 0.0.0.255 host 10.66.0.5 eq domain
permit tcp 192.168.120.0 0.0.0.255 host 10.66.0.4 eq smtp
permit tcp 192.168.120.0 0.0.0.255 host 10.66.0.2 eq 443
permit udp 192.168.120.0 0.0.0.255 host 10.66.0.5 eq domain
permit tcp 192.168.220.0 0.0.0.255 host 10.66.0.4 eq smtp
permit tcp 192.168.220.0 0.0.0.255 host 10.66.0.2 eq 443
permit udp 192.168.220.0 0.0.0.255 host 10.66.0.5 eq domain
deny ip any any

! ACL for Admin VLAN 100 - allowing ping to all networks
ip access-list extended ADMIN_VLAN_100
permit icmp 192.168.100.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any
deny ip any any

! ACL for inter-VLAN communication between Site B VLANs
ip access-list extended SITE_B_INTER_VLAN
permit ip 192.168.20.0 0.0.0.255 192.168.120.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.220.0 0.0.0.255
permit ip 192.168.120.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.120.0 0.0.0.255 192.168.220.0 0.0.0.255
permit ip 192.168.220.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.220.0 0.0.0.255 192.168.120.0 0.0.0.255
deny ip any any


I encourage you to do it yourself and check the result
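A way to check the lists above before loading them into Packet Tracer, as an added example that is not part of the thread or the ChatGPT output: a small Python first-match evaluator for Cisco-style extended ACL entries (wildcard masks, `host`, `any`, `eq` port, implicit deny). It runs an abridged copy of the posted ACLs against cases taken from the original question, and also shows two things the posted text leaves out: an extended ACL is stateless, so the server's reply matches nothing in SITE_A_TO_DMZ, and IOS accepts one ACL per interface and direction, so SITE_B_TO_DMZ and SITE_B_INTER_VLAN cannot both guard a Site B SVI unless they are merged (and the explicit `deny ip any any` ending the first list would shadow the second). Host addresses, the abridged ACL text and the `merge_acls`/`check_requirements`/`caveats` helpers are constructed here, not from the thread.

```python
"""Added example, not from the thread: first-match evaluator for Cisco-style
extended ACL entries, used to check the posted ACLs against the question's
requirements.  ACL text is an abridged copy of what was posted; the hosts
and packets below are constructed for the test."""
import ipaddress

# Keyword ports as IOS resolves the names used in the posted ACLs.
PORT_NAMES = {"ftp": 21, "smtp": 25, "domain": 53}

# Abridged copy of the posted ACLs: one source VLAN per list exercises each
# rule shape; the full lists repeat the same pattern for the other VLANs.
ACL_TEXT = """
ip access-list extended SITE_A_TO_DMZ
 permit tcp 192.168.10.0 0.0.0.255 host 10.66.0.3 eq ftp
 permit tcp 192.168.10.0 0.0.0.255 host 10.66.0.2 eq 443
 permit tcp 192.168.10.0 0.0.0.255 host 10.66.0.4 eq smtp
 permit udp 192.168.10.0 0.0.0.255 host 10.66.0.5 eq domain
 deny ip any any
ip access-list extended SITE_B_TO_DMZ
 permit tcp 192.168.20.0 0.0.0.255 host 10.66.0.4 eq smtp
 permit tcp 192.168.20.0 0.0.0.255 host 10.66.0.2 eq 443
 deny ip any any
ip access-list extended ADMIN_VLAN_100
 permit icmp 192.168.100.0 0.0.0.255 any
 permit ip 192.168.100.0 0.0.0.255 any
 deny ip any any
ip access-list extended SITE_B_INTER_VLAN
 permit ip 192.168.20.0 0.0.0.255 192.168.120.0 0.0.0.255
 permit ip 192.168.120.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip any any
"""


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def parse_addr(tokens, i):
    """Address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'
    (wildcard mask: 1-bits are don't-care).  Returns (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = _ip(tokens[i + 1])
        return (lambda ip, t=target: ip == t), i + 2
    net, care = _ip(tokens[i]), 0xFFFFFFFF ^ _ip(tokens[i + 1])
    return (lambda ip, n=net, c=care: (ip & c) == (n & c)), i + 2


def parse_acls(text):
    """{name: [(action, proto, src_match, dst_match, dst_port, raw_line)]}.
    Supports only the entry shapes the posted ACLs use (no source ports,
    ranges or 'established')."""
    acls, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("ip access-list extended "):
            name = line.split()[-1]
            acls[name] = []
            continue
        t = line.split()
        src, i = parse_addr(t, 2)
        dst, i = parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls[name].append((t[0], t[1], src, dst, port, line))
    return acls


def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry decides; no match is the implicit deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for action, p, src, dst, port, _ in acl:
        if p != "ip" and p != proto:
            continue
        if src(s) and dst(d) and (port is None or port == dst_port):
            return action
    return "deny"


def merge_acls(first, second):
    """One ACL per interface and direction: combine two lists, dropping the
    explicit deny-any that ends the first, which would shadow the second."""
    body = first[:-1] if first and first[-1][5] == "deny ip any any" else first
    return body + second


def check_requirements(acls):
    """Cases from the original question (hosts constructed): {label: met?}"""
    cases = {
        "vlan10 -> ftp": ("SITE_A_TO_DMZ", "tcp", "192.168.10.7", "10.66.0.3", 21, "permit"),
        "vlan10 -> ftp host ssh": ("SITE_A_TO_DMZ", "tcp", "192.168.10.7", "10.66.0.3", 22, "deny"),
        "vlan10 -> vlan30": ("SITE_A_TO_DMZ", "tcp", "192.168.10.7", "192.168.30.9", 445, "deny"),
        "vlan20 -> ftp": ("SITE_B_TO_DMZ", "tcp", "192.168.20.7", "10.66.0.3", 21, "deny"),
        "vlan20 -> smtp": ("SITE_B_TO_DMZ", "tcp", "192.168.20.7", "10.66.0.4", 25, "permit"),
        "vlan100 ping dns": ("ADMIN_VLAN_100", "icmp", "192.168.100.2", "10.66.0.5", None, "permit"),
    }
    return {k: evaluate(acls[c[0]], *c[1:5]) == c[5] for k, c in cases.items()}


def caveats(acls):
    """What the posted lists do not handle, shown as evaluations."""
    naive = acls["SITE_B_TO_DMZ"] + acls["SITE_B_INTER_VLAN"]
    merged = merge_acls(acls["SITE_B_TO_DMZ"], acls["SITE_B_INTER_VLAN"])
    return {
        # Stateless: the FTP server's reply matches nothing in SITE_A_TO_DMZ.
        "ftp reply passes SITE_A_TO_DMZ": evaluate(acls["SITE_A_TO_DMZ"], "tcp", "10.66.0.3", "192.168.10.7", 51000) == "permit",
        "vlan20 -> vlan120, naive concat": evaluate(naive, "tcp", "192.168.20.7", "192.168.120.9", 445) == "permit",
        "vlan20 -> vlan120, merged": evaluate(merged, "tcp", "192.168.20.7", "192.168.120.9", 445) == "permit",
        "vlan20 -> ftp, merged": evaluate(merged, "tcp", "192.168.20.7", "10.66.0.3", 21) == "permit",
    }


ACLS = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    print(check_requirements(ACLS))
    print(caveats(ACLS))
```

The requirement cases all come out as met, which is the easy part. The caveat results are the ones to act on: the reply from the FTP server is denied by SITE_A_TO_DMZ, so that list belongs inbound on the VLAN-facing SVI, not on the return path; naive concatenation of the two Site B lists denies VLAN 20 to VLAN 120 because the first list's `deny ip any any` is hit before the inter-VLAN permits, while the merged list permits it and still denies FTP.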

 

@Gerard Paulino Yeah, but it doesn't work. If it worked fine I wouldn't need help.

@nowak-kacper99 

I believe the attached file should meet most of your requirements.

nowak-kacper99
Level 1

Hey bro, I've got one last request. Could you try to do this for me? If you do that you will be my guardian angel:

  1. Site A:
    • Network: 192.168.x.0 (where x = VLANs 10, 20, 30, 40, 100, 120, 220)
    • VLANs 10, 30, and 40:
      • Should not have visibility to VLANs 20, 120, and 220, nor between VLANs 10, 30 and 40.
      • Should have access to the following DMZ servers:
        • FTP Server IP: 10.66.0.3
        • HTTPS-Syslog Server IP: 10.66.0.2
        • Email Server IP: 10.66.0.4
        • DNS Server IP: 10.66.0.5
  2. Site B:
    • VLAN 120:
      • Should not have visibility to VLANs 10, 30, 40 and 100.
      • Should have access to the following DMZ servers (excluding FTP):
        • Email Server IP: 10.66.0.4
        • HTTPS-Syslog Server IP: 10.66.0.2
        • DNS Server IP: 10.66.0.5
  3. Common VLANs (20 and 220):
    • VLANs 20 and 220:
      • Should not have visibility to VLANs 10, 30, 40 and 100.
      • Should have access to the following DMZ servers (excluding FTP):
        • HTTPS-Syslog Server IP: 10.66.0.2
        • Email Server IP: 10.66.0.4
        • DNS Server IP: 10.66.0.5
  4. Admin Access:
    • VLAN 100 (Admins):
      • Should have access to everything, including:
        • All DMZ servers (FTP, HTTPS-Syslog, Email, DNS)
        • Ability to ping all networks
        • Visibility to all other VLANs
  5. VLAN Visibility Summary:
    1. VLANs 10, 30, and 40: should not see or communicate with each other.
    2. VLANs 20, 120, and 220: should not see or communicate with any other VLANs.
  6. NAT Access:
    • All VLANs: should have access to the NAT network for outbound internet connectivity

@nowak-kacper99 

 

Take the access list I applied to the router below and use it as an example. Get busy, man! We are not here to do your assignment; we can help you with specific subjects.

FlavioMiranda_0-1737567278407.png

 

nowak-kacper99
Level 1

Great, thanks man.