02-07-2018 05:39 AM - edited 03-08-2019 01:44 PM
Hello,
I want to restrict a particular VLAN or IP address range to a particular server. I do not want this address range to have access to any other resource(s) on my LAN, just the server. My infrastructure is as follows:
ISP-->ASA FW (5515x)--->Switch--->Servers
Assuming the isolated VLAN is vlan8 with IP 1.1.1.1/24 and the server is 4.4.4.2, please, how do I restrict access to this particular server to users on this VLAN only, so that users on other VLANs will not be able to access the server? I have tried an access-list on the ASA. It seems not to work, as other VLANs can still reach the server.
Expecting response.
Thank you.
Labels: Other Switching
Accepted Solutions
02-09-2018 10:28 AM
Thanks Mark,
You gave me a major clue.
So this is what I did eventually:
access-list 100 permit ip 1.1.1.1 0.0.0.255 host 4.4.4.2
access-list 100 deny ip any host 4.4.4.2
access-list 100 permit ip any any
interface vlan 8
ip access-group 100 in
ip access-group 100 out
I have multiple VLANs and I noticed that, for some reason, some VLANs could still access the server, so what I did was configure the access group under the VLAN interfaces of the VLANs that could still access the server, and access was truncated.
This configuration was done on the core switch.
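To see why ACL 100 on vlan 8 alone still let other VLANs through, here is an added Python model (not from the thread or from Cisco) of first-match ACL evaluation on SVIs: a routed flow is checked by the source VLAN's inbound ACL and the destination VLAN's outbound ACL, so vlan 9 to server traffic never touches vlan 8's ACL. It goes one step beyond the thread by also showing the same ACL applied outbound on the server's own SVI as a single choke point; the server's VLAN (4), the vlan 9 host 9.9.9.10 and the sample addresses are constructed assumptions.

```python
import ipaddress

# Added example (not from the thread): a model of IOS numbered-ACL evaluation on SVIs,
# used to test ACL 100 from the accepted solution against constructed sample flows.
# Assumed VLAN membership: server 4.4.4.2 in vlan 4, host 9.9.9.10 in vlan 9.
ACL_100 = [  # first match wins; every IOS ACL ends with an implicit "deny ip any any"
    ("permit", "1.1.1.1 0.0.0.255", "host 4.4.4.2"),
    ("deny",   "any",               "host 4.4.4.2"),
    ("permit", "any",               "any"),
]

def parse_target(token):
    """Turn an IOS address token ('any', 'host X', 'X WILDCARD') into an IPv4Network.
    Only contiguous wildcards (inverted masks) are handled."""
    if token == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.IPv4Network(token.split()[1] + "/32")
    addr, wildcard = token.split()
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()  # 0.0.0.255 -> /24
    return ipaddress.IPv4Network((addr, prefix), strict=False)     # mask off host bits

def acl_action(acl, src_ip, dst_ip):
    """Walk the ACEs in order and return the action of the first match."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, s, d in acl:
        if src in parse_target(s) and dst in parse_target(d):
            return action
    return "deny"  # implicit deny at the end of the list

def flow_allowed(applied, src_vlan, src_ip, dst_vlan, dst_ip):
    """applied = {vlan: {"in": acl, "out": acl}}. Routed traffic is filtered by the
    source SVI 'in' and the destination SVI 'out'; intra-VLAN traffic is bridged
    at layer 2 and never sees an SVI ACL."""
    if src_vlan == dst_vlan:
        return True
    checks = [applied.get(src_vlan, {}).get("in"), applied.get(dst_vlan, {}).get("out")]
    return all(acl_action(acl, src_ip, dst_ip) == "permit" for acl in checks if acl)

VLAN8_ONLY = {8: {"in": ACL_100, "out": ACL_100}}                        # first attempt
VLAN8_AND_9 = {8: {"in": ACL_100, "out": ACL_100}, 9: {"in": ACL_100}}  # after adding vlan 9
SERVER_SVI = {4: {"out": ACL_100}}                                       # choke point on server SVI

def gap_demo():
    """Can vlan 9 reach the server under each placement? -> (True, False, False)"""
    return (flow_allowed(VLAN8_ONLY, 9, "9.9.9.10", 4, "4.4.4.2"),
            flow_allowed(VLAN8_AND_9, 9, "9.9.9.10", 4, "4.4.4.2"),
            flow_allowed(SERVER_SVI, 9, "9.9.9.10", 4, "4.4.4.2"))

if __name__ == "__main__":
    print("vlan 9 -> server:", gap_demo())
    print("vlan 8 -> server (server SVI only):", flow_allowed(SERVER_SVI, 8, "1.1.1.50", 4, "4.4.4.2"))
```

The first tuple element is the gap the poster hit: with the ACL only on vlan 8, nothing on the path from vlan 9 to the server evaluates it.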
02-07-2018 07:28 AM
The access-list should be applied on the VLAN interface inbound and outbound, only permitting what's required; that will prevent anyone accessing the server. Make sure the ACL has reverse rules for each direction, as it's not stateless like firewalls. So something like the below as an example:
access-list 188 deny ip any host 4.4.4.2
access-list 188 deny ip host 4.4.4.2 any
access-list 188 permit ip any any
int vlan 8
ip access-group 188 in
ip access-group 188 out
02-07-2018 07:48 AM - edited 02-07-2018 07:51 AM
Hey Mark,
Thanks for your response. I'm more confident. A CCIE holder!
1. Please, I do not see a "permit" statement except the explicit permit statement on the last line (which I think is sort of an ACL rule). Is the first statement in the ACL supposed to be a permit statement, please? It seems to me like all is denied:
*access-list 188 deny ip any host 4.4.4.2*
access-list 188 deny ip host 4.4.4.2 any
access-list 188 permit ip any any
2. Please remember I said I want users on vlan8 to be able to access this server. Just vlan 8. Also, since my VLANs are created on the core switch, will I call up vlan 8 on the ASA and then apply the ACL to the interface?
3. Does applying the above config to the VLAN interface automatically allow that VLAN to access the server?
Please clarify.
