RESTRICT VLAN OR IP ADDRESS RANGE TO ONLY ONE SERVER

Jesutofunmi O
Level 1

Hello,

I want to restrict a particular VLAN or IP address range to a particular server. I do not want this address range to have access to any other resource(s) on my LAN, just the server. My infrastructure is as follows:

ISP-->ASA FW (5515x)--->Switch--->Servers

Assuming the isolated VLAN is vlan 8 with IP 1.1.1.1/24 and the server is 4.4.4.2, how do I restrict access to this particular server to Users on this VLAN only, so that Users on other VLANs will not be able to access the server? I have tried an access-list on the ASA. It seems not to work, as other VLANs could still reach the server.

 

Expecting response.

Thank you.


3 Replies

Mark Malone
VIP Alumni
Hi
The access-list should be applied on the VLAN interface inbound and out, only permitting what's required; that will prevent anyone accessing the server. Make sure the ACL has reverse rules for each direction, as it's not stateless like firewalls, so something like below as an example:

access-list 188 deny ip any host 4.4.4.2
access-list 188 deny ip host 4.4.4.2 any
access-list 188 permit ip any any

int vlan 8
ip access-group 188 in
ip access-group 188 out

Hey Mark,

Thanks for your response. I'm more confident. A CCIE holder!

1. Please, I do not see a "permit" statement except the explicit permit statement on the last line (which I think is sort of an ACL rule). Is the first statement in the ACL supposed to be a permit statement, please? It seems to me like all is denied:

*access-list 188 deny ip any host 4.4.4.2*
access-list 188 deny ip host 4.4.4.2 any
access-list 188 permit ip any any

2. Please remember I said I want Users on vlan 8 to be able to access this server, just vlan 8. Plus, since my VLANs are created on the core switch, will I call up vlan 8 on the ASA and then apply the ACL to the interface?

3. Does applying the above config to the VLAN interface automatically allow that VLAN to access the server?

Please clarify.

Thanks Mark,

You gave me a major clue.

So this is what I did eventually:

access-list 100 permit ip 1.1.1.1 0.0.0.255 host 4.4.4.2
access-list 100 deny ip any host 4.4.4.2
access-list 100 permit ip any any 

interface vlan 8
ip access-group 100 in
ip access-group 100 out

I have multiple VLANs and I noticed that, for some reason, some VLANs could still access the server, so what I did was to configure the access group under the VLAN interface of the VLANs that could still access the server, and access was truncated.

This configuration was done on the core switch.
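Added example (not from the thread or from Cisco): a small Python evaluator for the two ACLs quoted above, ACL 100 from the accepted answer and ACL 188 from the first reply, plus a model of where an `ip access-group` on an SVI actually sits in the path. Inter-VLAN traffic routed by the core switch enters via the source VLAN's SVI (`in`) and leaves via the destination VLAN's SVI (`out`), so an ACL bound to `interface vlan 8` is never consulted for a packet from another VLAN to the server. That is the behaviour observed in the accepted answer, and the example goes one step further than the thread by also showing the same ACL bound outbound on the server's own SVI, where every VLAN's traffic to 4.4.4.2 must pass. The second user VLAN (vlan 20, 2.2.2.0/24) and the server VLAN (vlan 4, 4.4.4.0/24) are assumptions; the thread only names vlan 8 and the server address. Only the `access-list N permit|deny ip SRC DST` form with contiguous wildcards is parsed.

```python
"""Toy evaluator for the Cisco-style extended ACLs quoted in this thread.

Added example, not part of the thread. It models only what matters here: a
numbered extended ACL ("access-list N permit|deny ip SRC DST") evaluated
top-down with the implicit deny at the end, and the binding of such an ACL to
an SVI ("interface vlan N" / "ip access-group N in|out"). Inter-VLAN traffic
enters the switch through the source VLAN's SVI and leaves through the
destination VLAN's SVI, so only those two bindings are consulted.
VLAN 20 and the server VLAN (vlan 4) are assumed; the thread names only vlan 8.
"""
import ipaddress


def _parse_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # Wildcard 0.0.0.255 becomes netmask 255.255.255.0 (contiguous wildcards only).
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[3] != "ip":
            continue  # not an extended IP entry we model
        number, action = parts[1], parts[2]
        src, rest = _parse_addr(parts[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def evaluate(acl, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def reaches(vlans, acls, bindings, src, dst):
    """Does a packet src->dst get through the core switch's SVI ACLs?

    vlans: {vlan_id: network}; bindings: {(vlan_id, "in"|"out"): acl_number}.
    """
    src_vlan = next(v for v, net in vlans.items() if ipaddress.ip_address(src) in net)
    dst_vlan = next(v for v, net in vlans.items() if ipaddress.ip_address(dst) in net)
    if src_vlan == dst_vlan:
        return True  # switched inside the VLAN; never touches an SVI
    for hop in ((src_vlan, "in"), (dst_vlan, "out")):
        number = bindings.get(hop)
        if number and evaluate(acls[number], src, dst) == "deny":
            return False
    return True


# ACL entries quoted from the thread; the topology around them is constructed.
CONFIG = """
access-list 100 permit ip 1.1.1.1 0.0.0.255 host 4.4.4.2
access-list 100 deny ip any host 4.4.4.2
access-list 100 permit ip any any
access-list 188 deny ip any host 4.4.4.2
access-list 188 deny ip host 4.4.4.2 any
access-list 188 permit ip any any
"""
ACLS = parse_acls(CONFIG)
VLANS = {
    8: ipaddress.ip_network("1.1.1.0/24"),   # the isolated VLAN from the thread
    20: ipaddress.ip_network("2.2.2.0/24"),  # assumed second user VLAN
    4: ipaddress.ip_network("4.4.4.0/24"),   # assumed server VLAN
}

# Binding as in the accepted answer: ACL 100 on vlan 8, both directions.
ON_VLAN8 = {(8, "in"): "100", (8, "out"): "100"}
# Alternative binding: the same ACL outbound on the server's SVI, which every
# VLAN's traffic to the server must cross.
ON_SERVER_SVI = {(4, "out"): "100"}
# Binding from the first reply: ACL 188 on vlan 8, both directions.
MARK_ON_VLAN8 = {(8, "in"): "188", (8, "out"): "188"}

if __name__ == "__main__":
    for label, bindings in (("ACL 100 on vlan 8", ON_VLAN8),
                            ("ACL 100 out on server SVI", ON_SERVER_SVI),
                            ("ACL 188 on vlan 8", MARK_ON_VLAN8)):
        print(label,
              "| vlan 8 -> server:", reaches(VLANS, ACLS, bindings, "1.1.1.10", "4.4.4.2"),
              "| vlan 20 -> server:", reaches(VLANS, ACLS, bindings, "2.2.2.10", "4.4.4.2"))
```

Running it shows why the accepted answer had to repeat the `ip access-group` on each VLAN that could still reach the server: with ACL 100 bound only to vlan 8, a host in vlan 20 never crosses that SVI. Binding the same ACL `out` on the server VLAN's SVI enforces the rule once for all source VLANs, while return traffic from 4.4.4.2 is unaffected because no ACL is bound on that path. It also answers the follow-up question about the ASA: since the VLANs are routed on the core switch, traffic between them never transits the firewall, so an ASA access-list cannot see it.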
