10817 Views | 0 Helpful | 10 Replies

Wireless ACL - Block internal access

Andy Emerine
Level 1

I need to block all access from the guest wireless to our internal network. 

The following is the ACL I've come up with so far for the guest SSID. I thought seq 1 and 2 would work: 1 allows clients to communicate with DHCP and 2 blocks access to all internal IP addresses. I had to add seq 3 for clients to access the internet as a workaround for now. Unfortunately, because of seq 3, clients can also access everything else on our internal network. I believe the descriptions are correct. Not 100% sure. It's what I want them to do anyway.

  • Our DHCP Windows server hands our guest wireless clients an IP address and sets their DNS to the DNS of our ISP, not our internal DNS server.
  • The guest VLAN DHCP range is 10.55.12.50-10.55.13.254.
  • Our internal network is any IP in the 10.55 range.
  • Our controller is a Cisco 4402.

How do I accomplish this? 

ACL: GuestWiFi

| Seq | Action | Source IP/Mask | Destination IP/Mask | Protocol | Source Port | Dest Port | DSCP | Direction | NoH | Desc |
|-----|--------|----------------|---------------------|----------|-------------|-----------|------|-----------|-----|------|
| 1 | Permit | 10.55.12.0 / 255.255.255.255 | 10.55.1.1 / 255.255.255.255 | UDP | DHCP Client | DHCP Server | Any | Inbound | 0 | DHCP Server. Allow clients to respond to DHCP requests. |
| 2 | Deny | 10.55.12.0 / 255.255.255.0 | 10.55.0.0 / 255.255.0.0 | 0 | Any | Any | Any | Any | 0 | Block access to internal network - all 10.55 addresses |
| 3 | Permit | 0.0.0.0 / 0.0.0.0 | 0.0.0.0 / 0.0.0.0 | Any | Any | Any | Any | Any | 0 | |

SATISH KATTIKA
Level 1

Thoroughly check the wildcard mask which you are using on the 1st and 2nd sequence, which may be creating the problem.

But the concept is right. :)

Seq 1: The guest VLAN DHCP range is 10.55.12.50-10.55.13.254. 

Seq 2: Our internal network is any IP in the 10.55 range.

Knowing these two things does it look like I would have any problems with the wildcard mask? I'm not very confident in answering this. Hoping someone can help. 

Hi Andy,

There are some things I would recommend. The first is to keep in mind that when the clients in the guest VLAN boot up, they boot without any IP address, so if you apply an access list based on the assumed guest VLAN IP addresses that will be assigned from the DHCP server, it will not work and your guest VLAN clients would never be able to get any IP address from the DHCP server. The second thing is that in order to allow the guest VLAN to access the internet, you don't necessarily have to allow that traffic towards your internal network; it would be enough to allow it towards the gateway router. The last thing is that you don't need to apply any deny statement at the end of the access list, since there is an implicit deny by default.

Here is how your access list should look:

access-list 100 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 100 permit ip 10.55.12.0 0.0.1.255 host 10.55.0.1
(10.55.0.1 assumed to be the gateway IP address)
 

Regards,

Aref

Hey Aref, 

Thank you for your suggestion. Yes, the gateway is 10.55.0.1. I'd hate to make you spell it out, but it would be easiest for me to get this up and running if you could write the access list out somewhat similar to the table above.

Thank you

I believe I have the issue resolved. I cannot find any issues with the solution yet. If anyone sees any issues with this setup let me know. The problem was solved through an ACL on the wireless controller. 

Problem description: Want to deny access to internal network from guest network.
Resolution summary:
>> Configured ACL for denying access to all internal network.
>> Applied one rule for permitting access to any network.
>> Cannot ping internal network as per our requirement.
>> But Able to go on the internet.
>> Everything is working as expected.

Hi Andy,

Do you mind sharing the Access list you configured on the WLC? I am looking to do the same on my Guest WLAN

Not a problem. The order is very important. 

First allow access to all of your network. This ends up being last in the sequence. Then start denying access. For our network I permitted all and then added VLANs to deny. At the very beginning of the sequence is where I allowed access to specific devices/services on VLANs that are blocked. Here is an example. There could be a better way of doing this. If there is, please chime in.

ACL: GuestWiFi

| Seq | Action | Source IP/Mask | Destination IP/Mask | Protocol | Source Port | Dest Port | DSCP | Direction | NoH | Desc |
|-----|--------|----------------|---------------------|----------|-------------|-----------|------|-----------|-----|------|
| 1 | Permit | 0.0.0.0 / 0.0.0.0 | 10.55.1.117 / 255.255.255.255 | UDP | DHCP Client | DHCP Server | Any | Inbound | 0 | Allow printer |
| 2 | Deny | 10.55.12.0 / 255.255.252.0 | 10.55.8.0 / 255.255.252.0 | Any | Any | Any | Any | Any | 0 | Internal Wireless Vlan |
| 3 | Deny | 10.55.12.0 / 255.255.252.0 | 10.55.5.0 / 255.255.252.0 | Any | Any | Any | Any | Any | 0 | Management Vlan |
| 4 | Permit | 0.0.0.0 / 0.0.0.0 | 0.0.0.0 / 0.0.0.0 | Any | Any | Any | Any | Any | 0 | Everything |
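The difference between the ACL in the original question and the one in the resolution comes down to first-match ordering and mask coverage: the first table's seq 2 used a 255.255.255.0 mask on 10.55.12.0, which does not cover the 10.55.13.x half of the guest DHCP range, so those clients fell through to the permit-any rule. The script below is an added example, not code from the thread or from Cisco; it models the controller's top-down, first-match evaluation for the IP and protocol columns of both tables (ports, DSCP and direction are ignored, which is an assumption) and includes a small coverage check for a DHCP range against a deny rule's source mask. The sample flows and the 203.0.113.9 internet address are constructed.

```python
import ipaddress

# Constructed, simplified model of first-match ACL evaluation on a WLC-style rule list:
# rules are tried in sequence order, the first rule whose source, destination and
# protocol all match decides, and an implicit deny applies if nothing matches.
# Ports, DSCP and direction from the tables are deliberately not modelled (assumption).

def rule(seq, action, src, src_mask, dst, dst_mask, proto="any"):
    """Build one ACL entry; masks are dotted-decimal exactly as the WLC table shows them."""
    return {
        "seq": seq,
        "action": action,
        "src": ipaddress.ip_network(f"{src}/{src_mask}", strict=False),
        "dst": ipaddress.ip_network(f"{dst}/{dst_mask}", strict=False),
        "proto": proto,
    }

# The ACL from the original question (first table in the thread).
ORIGINAL_ACL = [
    rule(1, "permit", "10.55.12.0", "255.255.255.255", "10.55.1.1", "255.255.255.255", "udp"),
    rule(2, "deny",   "10.55.12.0", "255.255.255.0",   "10.55.0.0", "255.255.0.0"),
    rule(3, "permit", "0.0.0.0",    "0.0.0.0",         "0.0.0.0",   "0.0.0.0"),
]

# The ACL from the resolution (second table in the thread).
RESOLVED_ACL = [
    rule(1, "permit", "0.0.0.0",    "0.0.0.0",       "10.55.1.117", "255.255.255.255", "udp"),
    rule(2, "deny",   "10.55.12.0", "255.255.252.0", "10.55.8.0",   "255.255.252.0"),
    rule(3, "deny",   "10.55.12.0", "255.255.252.0", "10.55.5.0",   "255.255.252.0"),
    rule(4, "permit", "0.0.0.0",    "0.0.0.0",       "0.0.0.0",     "0.0.0.0"),
]

def evaluate(acl, src, dst, proto="tcp"):
    """Return (action, seq) of the first matching rule, or ("deny", None) for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if s in r["src"] and d in r["dst"] and r["proto"] in ("any", proto):
            return r["action"], r["seq"]
    return "deny", None

def range_covered(network, mask, first, last):
    """True if every address from first..last lies inside network/mask.
    A subnet is a contiguous block, so checking both endpoints is sufficient."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return ipaddress.ip_address(first) in net and ipaddress.ip_address(last) in net

if __name__ == "__main__":
    # Constructed sample flows: guest clients from both halves of the DHCP range
    # talking to internal VLANs, to the DHCP server and to the internet.
    flows = [
        ("10.55.12.100", "10.55.8.20",  "tcp"),  # low half of guest range -> internal wireless VLAN
        ("10.55.13.100", "10.55.8.20",  "tcp"),  # high half of guest range -> internal wireless VLAN
        ("10.55.12.100", "10.55.1.1",   "udp"),  # guest -> DHCP server from the first table
        ("10.55.13.100", "10.55.5.10",  "tcp"),  # guest -> management VLAN
        ("10.55.13.100", "203.0.113.9", "tcp"),  # guest -> internet (TEST-NET-3 address)
    ]
    for name, acl in (("original", ORIGINAL_ACL), ("resolved", RESOLVED_ACL)):
        print(f"--- {name} ACL ---")
        for src, dst, proto in flows:
            action, seq = evaluate(acl, src, dst, proto)
            print(f"{src:>13} -> {dst:<13} {proto}: {action} (seq {seq})")
    # Coverage check of the guest DHCP range against the two source masks used in the thread.
    print("range inside 10.55.12.0/255.255.255.0:",
          range_covered("10.55.12.0", "255.255.255.0", "10.55.12.50", "10.55.13.254"))
    print("range inside 10.55.12.0/255.255.252.0:",
          range_covered("10.55.12.0", "255.255.252.0", "10.55.12.50", "10.55.13.254"))
```

Running it shows a 10.55.13.x guest reaching 10.55.8.20 under the original ACL via seq 3, and the same flow denied by seq 2 under the resolved ACL, while internet traffic is still permitted by the final rule. The `range_covered` check is the test worth running before any deny rule goes live: if the DHCP scope is not entirely inside the rule's source mask, some clients will never hit it.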

Thanks will give it a try!

Dear Sir,

I have two Wi-Fi VLANs. VLAN 102 is the employee Wi-Fi SSID, whose IP range is 10.15.85.1 to 10.15.85.128, and VLAN 103 is the guest SSID, whose IP address range is 10.15.85.128-10.15.85.254; the subnet mask is the same, 255.255.255.128. I also have an intranet server whose IP address is 10.15.64.142. I want to block VLAN 103 from accessing the web server at 10.15.64.142. Please help me; I have tried many times, but all network access gets blocked.

Regards,

Gopal Bhatt

Hi,

I am facing a similar issue where I have guest users accessing the internal services.

I need to write ACLs on the anchor WLC to deny their access. Would you be able to help?

My internal server range is 10.0.0.0/8, 168.252.0/16.

I have an internal DHCP server on the anchor WLC itself and they are on the subnet 10.252.36.0/22. And I need access from the internal users 10.0.0.0/8 to the WLC IP for creating a lobby admin.