Cisco AP 2802i and ACLs

AMDKKWT (Level 1)

Hello Guys,

I have a Cisco AP 2802i with Mobility Express which acts as the controller, and 10 other lightweight Cisco AP 2802i connected to it. I've managed to configure them and it works perfectly. Here is my question: I've created a second WLAN for my guests and I want them to only have access to the web (HTTP and HTTPS). Here are my ACLs:

 

  
                                 Source                          Destination               Source Port  Dest Port
Index  Dir   IP Address/Netmask               IP Address/Netmask              Prot  Range        Range      DSCP  Action   Counter
------ ---   -------------------------------  ------------------------------  ----  -----------  ---------  ----  -------  -------
     1 Out   172.0.0.0/255.255.0.0            0.0.0.0/0.0.0.0                 Any   80-80        80-80      Any   Permit   0
     2 In    0.0.0.0/0.0.0.0                  172.0.0.0/255.255.0.0           Any   80-80        80-80      Any   Permit   0
     3 Out   172.0.0.0/255.255.0.0            0.0.0.0/0.0.0.0                 Any   443-443      443-443    Any   Permit   0
     4 In    0.0.0.0/0.0.0.0                  172.0.0.0/255.255.0.0           Any   443-443      443-443    Any   Permit   0
     5 Out   172.0.0.0/255.255.0.0            0.0.0.0/0.0.0.0                 Any   0-6665       0-65535    Any   Deny
     6 In    0.0.0.0/0.0.0.0                  172.0.0.0/255.255.0.0           Any   0-6665       0-65535    Any   Deny

When I apply them to my second WLAN, it does nothing; users can still access my entire network. Can you help me?

 

PS: In my web interface there's no option to configure ACLs, so I went through the CLI.


Hello AMDKKW,

I have the same AP and my version of ME is 8.5.140.0.

In my case, if I need to configure an ACL I follow these steps:

Step 1: [screenshot: Tele1.png]

Step 2: [screenshot: tela2.png]

Step 3: [screenshot: tela3.png]

Dear Felipe,

Thank you for your answer. I've created a rule and applied it, but it does nothing. The rule below should deny everything, shouldn't it? It's just a test.

[screenshot: Capture d’écran 2019-04-23 à 18.20.12.png]

Can someone help me please?

If you check the client details, you can see whether the ACL is being applied or not.

Just check that once. If possible, paste the client logs.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

Dear Sathiyanarayanan Ravindran,

It is applied, as you can see in the screenshot:

[screenshot: Capture Acl Test.PNG]

Thanks a lot.

DOH, try mask 255.255.255.255. It's not a subnet mask but an ACL mask. That one works the other way around.
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

Dear Patoberli,

Even with a 255.255.255.255 mask and the ACL applied, I can still access the network.

Thanks.

Please post another screenshot with the new ACL.

Here is the new screenshot:

[screenshot: CaptureACL2.PNG]

You didn't adjust the destination address!

It should state 0.0.0.0 255.255.255.255 instead of 0.0.0.0 0.0.0.0.

Dear Patoberli,

I can't adjust the destination address, as you can see below:

[screenshot: Captureacl3.PNG]

Sorry for being such a newbie, and thanks a lot for your help, I appreciate it!

I re-read the manual once again (it's for the WLC, but it should work the same for ME):

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/81733-contr-acls-rle.html

Your first rules should have worked, based on that information.

What authentication type do you use on that SSID? If it's RADIUS, have you enabled the AAA Override function?

Which software version is running on the AP?

Dear Patoberli,

WPA2 Personal authentication type, no RADIUS, and version 8.5.131.0!

Thanks.

In that case, please upgrade to 8.5.140.0, as it fixes some critical security and flash corruption issues.

It also fixes: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj80388

And: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi85464

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm10716

Not sure if any of those really affects this, but it's better if those bugs are fixed.