Jon, Thanks so much for the reply! I'll have to look into reflexive ACLs and see if that's what I'm looking for. Under my vlan100-protected-inbound ACL I have 'permit tcp any any established', which I believe accomplishes any initiated sessions from that LAN. My main concern is the WAN ACL. I don't really like having 'permit any any' on the WAN, but felt that is what I had to do to have a VLAN that wouldn't be restricted by any ACL statements for his gaming needs. Granted, I need to see an example of what game and what he claims is being affected by the current ACL that I currently have on the WAN, which right now is essentially what I have on vlan 100. I was looking for a solution in which he could plug into a port that is a member of 101, and wouldn't possibly have an issue with his games because of an ACL. Thanks so much again for your time!
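As an added example that is not part of this thread (it is neither poster's configuration), here is how a reflexive ACL could replace both the 'permit tcp any any established' line and the 'permit ip any any' on the WAN: an outbound list records the sessions the LAN starts, and 'evaluate' admits only their replies. The names wan-outbound and LAN-SESSIONS, the timeouts, the console address 172.16.106.200, port 3074 and the static NAT line are assumptions, and it assumes 'ip nat inside'/'ip nat outside' and the overload statement are already in place.

```cisco
! Reflexive ACL version of the WAN filter (added example, not from the thread).
! wan-outbound, LAN-SESSIONS, the timeouts, the console address and port
! 3074 are assumptions; the deny lines are the poster's own wan-inbound rules.
!
! OUTBOUND on the WAN interface (evaluated after NAT): each TCP/UDP session
! forwarded from either VLAN creates a temporary mirror entry in LAN-SESSIONS.
! Router-originated traffic (its own DHCP client) is never reflected.
ip access-list extended wan-outbound
 remark track sessions initiated from vlan100 and vlan101
 permit tcp any any reflect LAN-SESSIONS timeout 300
 permit udp any any reflect LAN-SESSIONS timeout 60
 permit ip any any
!
! INBOUND on the WAN interface (evaluated before NAT, so destinations are
! the WAN address): the existing denies stay in front, then "evaluate"
! admits only replies to tracked sessions and "permit ip any any" goes away.
ip access-list extended wan-inbound
 remark deny management services
 deny tcp any any eq 22
 deny tcp any any eq 23
 deny tcp any any eq 80
 deny tcp any any eq 443
 deny udp any any eq snmp
 remark deny spoofing-and-invalids
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 remark allow isp-dhcp-replies to the router's dhcp client
 permit udp any eq bootps any eq bootpc
 remark allow icmp error and reply messages
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark allow return traffic for sessions the LAN started
 evaluate LAN-SESSIONS
 remark unsolicited inbound a console needs: one static permit per port,
 remark matched on the WAN address because this ACL runs before NAT
 permit tcp any any eq 3074
 deny ip any any log
!
! Port forward backing that one static permit (single DHCP WAN address)
ip nat inside source static tcp 172.16.106.200 3074 interface FastEthernet0 3074
!
interface FastEthernet0
 description INET
 ip access-group wan-inbound in
 ip access-group wan-outbound out
```

While a game session is active, 'show ip access-lists' lists the temporary LAN-SESSIONS entries, which is the quickest way to confirm a given game's traffic is being tracked rather than dropped by the final deny.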
Greetings, I have a scenario in which a user has a gaming console and tends to open a lot of ports or ends up disabling the firewall entirely to play online. I looked into DMZ solutions but I don't see a howto that really fits my needs (DHCP-addressed WAN with one IP, internal DMZ IP space, and NAT). Perhaps I'm not googling the correct keywords. I made new ACLs to see if I can essentially create an unprotected network and a protected one. It doesn't seem best practice though and I'm afraid to go with it without consulting those who are more Cisco savvy. Any insight or direction would be greatly appreciated!

Here are the ACLs I created to see if I can create an unprotected network that would not be affected by a WAN ACL:

WAN: DHCP
vlan100 (protected): 172.16.107.224/27
vlan101 (unprotected): 172.16.106.192/27

!
ip access-list extended wan-inbound
 remark deny management services
 deny tcp any any eq 22
 deny tcp any any eq 23
 deny tcp any any eq 80
 deny tcp any any eq 443
 deny udp any any eq snmp
 remark deny spoofing-and-invalids
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 remark allow everything else
 permit ip any any
!
ip access-list extended vlan100-protected-inbound
 remark define wan-inbound and other-lan-networks-inbound rules
 remark permit anything initiated from the lan
 permit tcp any any established
 remark permit DNS requests
 permit udp any eq domain any
 remark deny spoofing-mylan
 deny ip 172.16.107.0 0.0.0.255 any
 remark allow isp-dhcp-requests
 permit udp any eq bootps any eq bootpc
 remark allow icmp
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip 172.16.107.224 0.0.0.31 any
 deny ip host 255.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip any any log
!
ip access-list extended vlan101-unprotected-inbound
 remark define wan-inbound and other-lan-networks-inbound rules
 remark this is for devices like wireless router and gaming console
 deny ip 172.16.107.192 0.0.0.31 any
 deny ip host 255.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
ip access-list extended nat-overload-acl
 remark nat these networks
 permit ip 172.16.107.0 0.0.0.255 any
!
interface Vlan100
 description internal-network
 ip access-group vlan100-protected-inbound in
 exit
interface Vlan101
 description unprotected-network
 ip access-group vlan101-unprotected-inbound in
 exit
interface FastEthernet0
 description INET
 ip access-group wan-inbound in
 exit
!