12-17-2018 02:05 AM - edited 03-08-2019 04:49 PM
I have guest VLAN 50, 192.168.50.0/24.
Servers are in subnet 172.20.1.0/24,
and I want to allow the guest VLAN to access only the following servers from that range (172.20.1.0/24):
1- DHCP servers (172.20.1.100, 172.20.1.101)
2- DNS servers (172.20.1.115, 172.20.1.116)
3- 4 other servers using ports 443/80
Then deny access to the rest of the servers in range 172.20.1.0/24.
The rest should just be open, so the ASA would be able to control access to the DMZ, etc.:
then permit access to the internet, or permit any any.
So please help: how should I do that without making any errors?
12-18-2018 03:37 AM
For DHCP and DNS I only allowed bootpc and domain.
My goal is to prevent any guest IP from accessing all servers except 4 servers.
If I want to deny access from the servers to the guests, I should do:
deny ip 172.20.1.0 0.0.0.255 192.168.50.0 0.0.0.255
12-18-2018 03:42 AM
Yes, adding that deny statement after your specific permit statements (for DHCP, DNS, etc) will give you that result.
Cheers,
Seb.
12-18-2018 04:30 AM
Last question.
Regarding DHCP:
What's the difference between the commands below, and which one would be better to use?
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq bootpc
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.101 eq bootpc
and
permit udp any any eq bootps
12-18-2018 04:56 AM - edited 12-18-2018 04:59 AM
Hello
@Roza12 wrote:
For DHCP and DNS I only allowed bootpc and domain
My goal is to prevent any Guest IP from accessing all servers except 4 servers
Then you should filter the access from the server VLAN, NOT the guest VLAN.
Example:
ip access-list extended guestvlan_access
 ! eq lists the exact ports; range www 443 would have matched every port from 80 to 443
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq www 443
 permit udp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq domain bootps bootpc
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.101 eq www 443
 permit udp 192.168.50.0 0.0.0.255 host 172.20.1.101 eq domain bootps bootpc
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq www 443
 permit udp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq domain
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq www 443
 permit udp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq domain
 ! everything else from the guest subnet toward this VLAN is dropped
 deny ip 192.168.50.0 0.0.0.255 any
 permit ip any any
int vlan xx
 description Server vlan
 ip access-group guestvlan_access out
12-18-2018 09:34 AM
Why out???
It is from guest going to server, so it should be in, am I right???
12-18-2018 10:21 AM
Hello
@Roza12 wrote:
Why out ???
SVI ACL logic:
IN = originating from within the VLAN, going out
OUT = originating from outside the VLAN, coming in
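The two points the thread keeps circling (which SVI direction sees guest-to-server traffic, and the earlier bootpc vs bootps question) are easy to check offline with a small evaluator for the IOS extended ACL syntax used above. The following is an added example written for this thread, not code from Cisco or from any poster; the ACL text is a trimmed copy of the one posted above, the sample flows, the guest client address 192.168.50.20 and the internet address 203.0.113.10 are constructed, and the "scoped" ACL variant is a hypothetical rewrite of the deny line. It models an SVI's "in" ACL as seeing packets sourced inside the VLAN subnet and its "out" ACL as seeing packets sent into it, applies first-match semantics with the implicit deny, and shows three things: the posted ACL gives the same verdicts for server-bound traffic whether applied out on the server SVI or in on the guest SVI; applied in on the guest SVI unchanged, its `deny ... any` also drops guest internet traffic, so the deny must be scoped to 172.20.1.0/24 there; and a DHCP request from a client to the server is addressed to UDP 67 (bootps), so an ACE matching only `eq bootpc` (68, the client side) never permits it.

```python
import ipaddress
from collections import namedtuple

# IOS port keywords used in the thread (name -> number)
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}
Ace = namedtuple("Ace", "permit proto src sports dst dports")  # src/dst: (addr, wildcard) ints; ports: set or None
Flow = namedtuple("Flow", "proto src dst dport")

def ip_int(s): return int(ipaddress.IPv4Address(s))
def port_int(tok): return int(tok) if tok.isdigit() else PORT_NAMES[tok]
def is_port_tok(tok): return tok.isdigit() or tok in PORT_NAMES

def parse_addr(t, i):
    if t[i] == "any":  return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host": return (ip_int(t[i + 1]), 0), i + 2
    return (ip_int(t[i]), ip_int(t[i + 1])), i + 2

def parse_ports(t, i):
    if i < len(t) and t[i] == "eq":               # IOS accepts several ports after eq
        ports, i = set(), i + 1
        while i < len(t) and is_port_tok(t[i]):
            ports.add(port_int(t[i])); i += 1
        return ports, i
    if i < len(t) and t[i] == "range":            # inclusive low..high
        return set(range(port_int(t[i + 1]), port_int(t[i + 2]) + 1)), i + 3
    return None, i                                # no port restriction

def parse_acl(text):
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] not in ("permit", "deny"):        # skip an access-list header line
            continue
        src, i = parse_addr(t, 2)
        sports, i = parse_ports(t, i)
        dst, i = parse_addr(t, i)
        dports, i = parse_ports(t, i)
        acl.append(Ace(t[0] == "permit", t[1], src, sports, dst, dports))
    return acl

def addr_match(spec, ip):
    addr, wild = spec                             # wildcard 1-bits are "don't care"
    return (ip_int(ip) | wild) == (addr | wild)

def evaluate(acl, flow):
    """First matching ACE decides; every IOS ACL ends in an implicit deny."""
    for a in acl:
        if a.proto in ("ip", flow.proto) and addr_match(a.src, flow.src) \
                and addr_match(a.dst, flow.dst) and (a.dports is None or flow.dport in a.dports):
            return a.permit
    return False

def svi_applies(subnet, direction, flow):
    """'in' on an SVI sees packets sourced inside that VLAN; 'out' sees packets sent into it."""
    ip = flow.src if direction == "in" else flow.dst
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(subnet)

def forwarded(flow, bindings):
    """bindings: [(subnet, direction, acl)]; the packet passes only if every applicable ACL permits it."""
    return all(evaluate(acl, flow) for subnet, d, acl in bindings if svi_applies(subnet, d, flow))

# Constructed: a trimmed copy of the posted ACL, with eq instead of range
ACL_TEXT = """
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq www 443
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq domain bootps
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq domain
deny ip 192.168.50.0 0.0.0.255 any
permit ip any any
"""
GUEST_ACL = parse_acl(ACL_TEXT)
# Hypothetical variant: deny scoped to the server subnet, for use inbound on the guest SVI
GUEST_ACL_SCOPED = parse_acl(ACL_TEXT.replace(
    "deny ip 192.168.50.0 0.0.0.255 any", "deny ip 192.168.50.0 0.0.0.255 172.20.1.0 0.0.0.255"))

FLOWS = {   # constructed sample traffic from one guest client
    "dhcp":     Flow("udp", "192.168.50.20", "172.20.1.100", 67),
    "dns":      Flow("udp", "192.168.50.20", "172.20.1.115", 53),
    "web":      Flow("tcp", "192.168.50.20", "172.20.1.100", 443),
    "other":    Flow("tcp", "192.168.50.20", "172.20.1.50", 443),
    "internet": Flow("tcp", "192.168.50.20", "203.0.113.10", 443),
}
SERVER_OUT      = [("172.20.1.0/24", "out", GUEST_ACL)]          # as posted in the thread
GUEST_IN        = [("192.168.50.0/24", "in", GUEST_ACL)]         # same ACL moved to the source
GUEST_IN_SCOPED = [("192.168.50.0/24", "in", GUEST_ACL_SCOPED)]  # moved, with the deny scoped

def verdicts(bindings):
    return {name: forwarded(f, bindings) for name, f in FLOWS.items()}

def permitted_ports(ace_text):
    """Destination ports one ACE permits: 'range www 443' is 364 ports, 'eq www 443' is two."""
    return parse_acl(ace_text)[0].dports

if __name__ == "__main__":
    for name, b in (("server OUT", SERVER_OUT), ("guest IN", GUEST_IN), ("guest IN scoped", GUEST_IN_SCOPED)):
        print(name, verdicts(b))
```

Running it prints the per-flow verdicts for the three placements; the "other" server is denied in all three, while "internet" is only denied by the unscoped ACL placed inbound on the guest SVI. The evaluator ignores router-originated traffic such as DHCP relay packets, which an SVI ACL does not filter anyway, and it does not model established or reflexive matching.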
12-18-2018 10:24 AM
Nicely summarized. Thanks for this.
12-19-2018 05:18 AM
Paul, with all respect it is best practice to filter traffic as close to the source as possible, hence suggesting an inbound ACL on the guest_vlan SVI.
Cheers,
Seb.