12-17-2018 02:05 AM - edited 03-08-2019 04:49 PM
I have guest VLAN 50, 192.168.50.0/24.
Servers are in subnet 172.20.1.0/24,
and I want to allow the guest VLAN to access only the following from this range of servers (172.20.1.0/24):
1- DHCP servers (172.20.1.100, 172.20.1.101)
2- DNS (172.20.1.115, 172.20.1.116)
3- other 4 servers using ports 443/80
then deny access to the rest of the servers in range 172.20.1.0/24.
The rest should just be open, so would the ASA be able to control access to the DMZ, etc.:
then permit access to the internet or permit any any.
So please help me: how should I do that without making any errors?
12-17-2018 02:20 AM
Hi there,
Try the following:
!
ip access-list ext ACL_001
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq 67
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.101 eq 67
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq 53
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq 53
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq 53
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq 53
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.xxx eq 80
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.xxx eq 443
deny ip 192.168.50.0 0.0.0.255 172.20.1.0 0.0.0.255
permit ip any any
!
Repeat the following lines, adjusting the xxx's:
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.xxx eq 80
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.xxx eq 443
...for each of the 4 server IPs you did not specify.
Apply this ACL INBOUND on your directly connected interface.
cheers,
Seb.
12-17-2018 02:34 AM
Hi
Do you mean an interface, or apply it on VLAN 50?
12-17-2018 03:05 AM
Apply it to the SVI, so you have:
!
int vlan 50
 ip access-group ACL_001 in
!
cheers,
Seb.
12-17-2018 03:08 AM
Ok thanks
Last question: why did you permit UDP and then TCP? Why do we need to permit both for each server???
12-17-2018 03:38 AM
DNS can use TCP/53 and UDP/53, so I included both in the ACL. If you know that your server is configured to accept connections via one protocol only, edit the ACL as required.
cheers,
Seb.
12-17-2018 04:17 AM - edited 12-17-2018 04:18 AM
Hi again
I have applied the ACL as you mentioned, but I've accessed from other servers that we denied and I still can ping the guest subnet.
It should be only from DHCP, DNS, ...
12-17-2018 05:03 AM
The ACL in its current configuration will work in the direction from the guest subnet to the four servers that you specified.
I am a little confused from your last statement. Are you saying you can access other servers in the server VLAN from the guest subnet?
As for the ping to guest subnet statement, where are you pinging from?
Cheers,
Seb.
12-17-2018 07:25 AM
Sorry, yes you are right.
I've checked with
sh ip access-list
and I found a number of hits beside the deny access list entry,
and I think it means it's working right now.
12-17-2018 01:11 PM
I have tried from the DHCP and DNS servers
and other servers that we denied,
and I can ping. That was what I meant in the previous post.
12-18-2018 03:03 AM
OK, you are saying that, for example, from your DHCP server you can ping a host in the guest VLAN:
172.20.1.100 -> 192.168.50.1 OK
...but you cannot ping successfully in the reverse direction?
192.168.50.1 -> 172.20.1.100 NOT OK
cheers,
Seb.
12-18-2018 03:33 AM
I didn't try from the guest side, only from the servers that we allowed and denied.
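The two points Seb makes above (first-match ACL evaluation with an implicit deny at the end, and the fact that an ACL applied inbound on the guest SVI only filters packets that originate in the guest subnet) are easy to get wrong when reading `show ip access-lists` hit counters. The following Python script is an added example, not code from the thread or from Cisco: it models IOS extended-ACL semantics (wildcard masks, `host`/`any`, `eq` with the port keywords used in this thread, ICMP types) and checks a few packets in both directions. It assumes 172.20.1.140 in place of the `xxx` web server in Seb's ACL (that address appears in the original poster's later ACL), and it fills the deny line with 172.20.1.0/24 as intended.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords that appear in the thread's ACLs (IOS resolves these to numbers).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


@dataclass
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None       # destination port for tcp/udp
    icmp_type: Optional[str] = None   # e.g. "echo", "echo-reply"


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard is an inverted netmask: 0 bits must match, 1 bits are don't-care.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_ace(line):
    """Parse one access control entry into (action, proto, src_net, dst_net, dst_port, icmp_type)."""
    tokens = line.split()
    if tokens[0].isdigit():           # optional sequence number, as shown by 'show ip access-lists'
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport, icmp_type = None, None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    elif proto == "icmp" and i < len(tokens):
        icmp_type = tokens[i]
    return action, proto, src, dst, dport, icmp_type


def evaluate(acl, pkt):
    """IOS semantics: top-down, first match wins, implicit 'deny ip any any' at the end.
    Returns (action, 1-based number of the matching ACE, or None for the implicit deny)."""
    for n, line in enumerate(acl, 1):
        action, proto, src, dst, dport, icmp_type = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if icmp_type is not None and pkt.icmp_type != icmp_type:
            continue
        return action, n
    return "deny", None


def through_svi(acl, pkt, svi_subnet="192.168.50.0/24"):
    """Model 'ip access-group ... in' on the guest SVI. The ACL is consulted only for packets that
    enter the router from the guest subnet; a server pinging a guest host is forwarded without
    touching this ACL, and only the reply (sourced in the guest subnet) is filtered."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(svi_subnet):
        return "not-filtered", None
    return evaluate(acl, pkt)


# Seb's ACL from the thread; 172.20.1.140 (from the original poster's own ACL) stands in for 'xxx'.
ACL_001 = [
    "permit udp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq 67",
    "permit udp 192.168.50.0 0.0.0.255 host 172.20.1.101 eq 67",
    "permit udp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq 53",
    "permit udp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq 53",
    "permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq 53",
    "permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq 53",
    "permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.140 eq 80",
    "permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.140 eq 443",
    "deny ip 192.168.50.0 0.0.0.255 172.20.1.0 0.0.0.255",
    "permit ip any any",
]

# Same ACL with the ICMP lines from the original poster's own list inserted before the deny:
# this is what lets a server's ping succeed, because the echo-reply from the guest is permitted.
ACL_WITH_ICMP = ACL_001[:8] + ["permit icmp any any echo", "permit icmp any any echo-reply"] + ACL_001[8:]

if __name__ == "__main__":
    samples = [  # constructed sample packets
        Packet("udp", "192.168.50.10", "172.20.1.100", dport=67),
        Packet("tcp", "192.168.50.10", "172.20.1.100", dport=80),
        Packet("tcp", "192.168.50.10", "172.20.1.140", dport=443),
        Packet("tcp", "192.168.50.10", "8.8.8.8", dport=443),
        Packet("icmp", "172.20.1.100", "192.168.50.1", icmp_type="echo"),
        Packet("icmp", "192.168.50.1", "172.20.1.100", icmp_type="echo-reply"),
    ]
    for p in samples:
        print(p, "->", through_svi(ACL_001, p), "| with ICMP lines:", through_svi(ACL_WITH_ICMP, p))
```

Run it and compare the last two packets: the server's echo request is never evaluated by the guest SVI's inbound ACL, and whether the ping succeeds depends entirely on whether the echo-reply leaving the guest subnet is permitted before the `deny ip ... 172.20.1.0 0.0.0.255` line. That is also why hit counters on the deny entry rise while servers can still ping guests when ICMP is permitted above it.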
12-17-2018 02:21 AM
Hello,
What do you mean with:
--> 3- other 4 servers using ports 443/80
Either way, try the access list below:
ip access-list extended SERVERS_RESTRICT
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq bootps
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.101 eq bootps
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq domain
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq domain
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq www
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.101 eq www
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq www
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq www
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq 443
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.101 eq 443
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq 443
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq 443
deny ip 192.168.50.0 0.0.0.255 172.20.1.0 0.0.0.255
permit ip any any
12-17-2018 02:31 AM
Hi,
I mean I want to allow the other 4 servers also and deny the rest.
Then how do I apply this extended ACL on VLAN 50 (in or out)?
Please correct me if I'm wrong:
Extended IP access list Guest-Allowed
10 permit tcp any host 172.20.1.140 eq www
20 permit tcp any host 172.20.1.140 eq 443
30 permit tcp any host 172.20.1.125 eq www
40 permit tcp any host 172.20.1.125 eq 443
50 permit tcp any host 172.20.1.118 eq www
60 permit tcp any host 172.20.1.118 eq 443
70 permit tcp any host 172.20.1.180 eq 443
80 permit tcp any host 172.20.1.181 eq 443
90 permit udp any host 172.20.1.46 eq domain
100 permit udp any host 172.20.1.47 eq domain
110 permit udp any host 172.20.1.109 eq bootpc
120 permit udp any host 172.20.1.109 eq bootps
130 permit udp any host 172.20.1.110 eq bootpc
140 permit udp any host 172.20.1.110 eq bootps
150 permit icmp any any echo
160 permit icmp any any echo-reply
170 permit icmp any any port-unreachable
180 deny ip any 172.20.1.0 0.0.0.255
190 permit ip any any
!
interface vlan 50
 description WirelessGuest
 ip address 172.29.64.1 255.255.255.0
 ip helper-address 172.20.1.120
 ip helper-address 172.20.1.121
 ip access-group Guest-Allowed in
12-18-2018 03:26 AM - edited 12-18-2018 03:30 AM
Hello
Just to confirm: you would like any host from the guest VLAN to access the 4 servers below on those specific ports, and then deny all other access to these servers from the guest VLAN?
172.20.1.100 - 172.20.1.101 allow port access for dhcp, http, https
172.20.1.115 - 172.20.1.116 allow port access for dns, http, https
Do you wish for the servers to be able to initiate any connection towards the guest vlan?