02-07-2018 05:39 AM - edited 03-08-2019 01:44 PM
Hello,
I want to restrict a particular VLAN or IP address range to a particular server. I do not want this address range to have access to any other resource(s) on my LAN, just the server. My infrastructure is as follows:
ISP-->ASA FW (5515x)--->Switch--->Servers
Assuming the isolated VLAN is vlan8 with IP 1.1.1.1/24 and the server is 4.4.4.2. Please, how do I restrict access to this particular server to only the users on this VLAN, while users on other VLANs will not be able to access the server? I have tried an access-list on the ASA. It seems not to work, as other VLANs could still reach the server.
Expecting a response.
Thank you.
02-09-2018 10:28 AM
Thanks Mark,
You gave me a major clue.
So this is what I did eventually:
! permit only the isolated VLAN (1.1.1.0/24) to reach the server
access-list 100 permit ip 1.1.1.1 0.0.0.255 host 4.4.4.2
! drop everyone else destined for the server
access-list 100 deny ip any host 4.4.4.2
! leave all other traffic untouched
access-list 100 permit ip any any
interface vlan 8
ip access-group 100 in
ip access-group 100 out
I have multiple VLANs, and I noticed that, for some reason, some VLANs could still access the server. So what I did was to configure the access-group under the VLAN interface of each of the VLANs that could still access the server, and access was cut off.
This configuration was done on the core switch.
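Why the ACL on the vlan 8 SVI alone did not stop the other VLANs: an ACL applied with ip access-group on an SVI only sees traffic that is routed through that SVI, so traffic from vlan 20 to the server VLAN never passes vlan 8's "in" or "out" ACL at all. Applying ACL 100 outbound on the server VLAN's SVI puts it on the one path every other VLAN must cross. The following Python model is an added example, not configuration from the thread; it parses the three ACL lines above (IOS wildcard-mask syntax, first match wins, implicit deny), models SVI ACL placement on a core switch, and compares the two placements. Only 1.1.1.0/24 (vlan 8) and the server 4.4.4.2 come from the post; the server VLAN number (4), the second user VLAN (20) and all host addresses are constructed for the example. It also shows the caveat that a second host inside the server VLAN is never filtered by an SVI ACL (same-VLAN traffic is bridged, not routed), which needs a VACL or port ACL instead.

```python
import ipaddress

# ACLs as posted in the thread (IOS extended ACL, numbered form).
ACL_100 = """
access-list 100 permit ip 1.1.1.1 0.0.0.255 host 4.4.4.2
access-list 100 deny ip any host 4.4.4.2
access-list 100 permit ip any any
"""

ACL_188 = """
access-list 188 deny ip any host 4.4.4.2
access-list 188 deny ip host 4.4.4.2 any
access-list 188 permit ip any any
"""


def _take_spec(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst) tuples."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, rest = _take_spec(tok[4:])
        dst, rest = _take_spec(rest)
        if rest:
            raise ValueError(f"trailing tokens in: {line!r}")
        aces.append((tok[2], src, dst))
    return aces


def _match(spec, addr):
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    base, wildcard = spec
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def acl_decision(aces, src, dst):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, s, d in aces:
        if _match(s, src) and _match(d, dst):
            return action
    return "deny"


class CoreSwitch:
    """Routed traffic from VLAN X to VLAN Y is checked by X's SVI 'in' ACL and
    then Y's SVI 'out' ACL. Same-VLAN traffic is bridged and skips SVI ACLs."""

    def __init__(self, vlan_of):
        self.vlan_of = vlan_of  # host address -> VLAN (constructed for the example)
        self.acls = {}          # (vlan, "in"|"out") -> parsed ACL

    def ip_access_group(self, vlan, direction, aces):
        self.acls[(vlan, direction)] = aces

    def forwards(self, src, dst):
        sv, dv = self.vlan_of[src], self.vlan_of[dst]
        if sv == dv:
            return True  # never routed, never filtered by an SVI ACL
        for key in ((sv, "in"), (dv, "out")):
            aces = self.acls.get(key)
            if aces is not None and acl_decision(aces, src, dst) == "deny":
                return False
        return True


# Constructed addressing: only 1.1.1.0/24 (vlan 8) and 4.4.4.2 come from the thread.
HOSTS = {
    "1.1.1.10": 8,   # user in the isolated VLAN
    "2.2.2.10": 20,  # user in an assumed second VLAN
    "4.4.4.2": 4,    # the server; VLAN 4 is assumed
    "4.4.4.3": 4,    # another host in the server VLAN (assumed)
}


def scenario_vlan8_only():
    """The thread's final config: ACL 100 in and out on the vlan 8 SVI only."""
    sw = CoreSwitch(HOSTS)
    sw.ip_access_group(8, "in", parse_acl(ACL_100))
    sw.ip_access_group(8, "out", parse_acl(ACL_100))
    return {
        "vlan8_to_server": sw.forwards("1.1.1.10", "4.4.4.2"),
        "vlan20_to_server": sw.forwards("2.2.2.10", "4.4.4.2"),  # unfiltered path
    }


def scenario_server_vlan_out():
    """ACL 100 applied outbound on the server VLAN's SVI: one choke point."""
    sw = CoreSwitch(HOSTS)
    sw.ip_access_group(4, "out", parse_acl(ACL_100))
    return {
        "vlan8_to_server": sw.forwards("1.1.1.10", "4.4.4.2"),
        "vlan20_to_server": sw.forwards("2.2.2.10", "4.4.4.2"),
        "vlan20_to_other_host": sw.forwards("2.2.2.10", "4.4.4.3"),
        "same_vlan_bypass": sw.forwards("4.4.4.3", "4.4.4.2"),  # SVI ACL never sees this
    }


def scenario_acl_188():
    """The earlier ACL 188 has no permit for vlan 8, so it locks vlan 8 out too."""
    sw = CoreSwitch(HOSTS)
    sw.ip_access_group(8, "in", parse_acl(ACL_188))
    return sw.forwards("1.1.1.10", "4.4.4.2")


if __name__ == "__main__":
    print("vlan 8 SVI only:", scenario_vlan8_only())
    print("server VLAN out:", scenario_server_vlan_out())
    print("ACL 188 lets vlan 8 reach server:", scenario_acl_188())
```

The model deliberately ignores return traffic: ACL 100 permits it through its final permit ip any any either way, but on a real switch the "out" ACL on the server VLAN also sees the server's own outbound flows, so keep that catch-all in place or the server loses reachability.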
02-07-2018 07:28 AM
02-07-2018 07:48 AM - edited 02-07-2018 07:51 AM
Hey Mark,
Thanks for your response. I'm more confident now. A CCIE holder!
1. Please, I do not see a "permit" statement except the explicit permit statement on the last line (which I think is sort of an ACL rule). Is the first statement in the ACL supposed to be a permit statement? It seems to me like everything is denied:
access-list 188 deny ip any host 4.4.4.2
access-list 188 deny ip host 4.4.4.2 any
access-list 188 permit ip any any
2. Please remember I said I want users on vlan8 to be able to access this server, just vlan 8. Plus, since my VLANs are created on the core switch, will I call up vlan 8 on the ASA and then apply the ACL to the interface?
3. Does applying the above config to the VLAN interface automatically allow that VLAN to access the server?
Please clarify.