Cisco Extended Access List help?

I am setting up security for my WLAN and just wondered if anyone could help me on the access lists part. The setup is a Cisco Router (2651XM) connected up to a Cisco Switch (2950), basically a router on a stick type setup. There are three VLANs which require different access levels. VLAN1 will be basic web surfing only (permit http, port 80 I think), VLAN2 will be basic web surfing also, but also VPN will be allowed, and VLAN3 will allow basic web surfing, VPN and access to the internal LAN. The router acts as the DHCP server and each VLAN is allocated its own subnet range. VLAN1 = 192.168.11.0/24, VLAN2 = 192.168.12.0/24 and VLAN3 = 192.168.13.0/24. My original plan was to deny everything and just permit what was required. I managed to stop the VLANs from communicating with each other, but I cannot stop users on the same VLAN from communicating with each other. I have also encountered problems of the access lists blocking the DHCP from getting through to the users. If anyone could help me with this I would really appreciate it.

1 Answer

  • Anonymous
    8 years ago
    Favorite Answer

    ! Define each ACL first, then apply it inbound on the matching sub-interface.
    ! DHCP must be permitted before 'deny ip any any'. A client's DISCOVER is sent
    ! from 0.0.0.0 to 255.255.255.255, so the DHCP entry must not be scoped to the
    ! VLAN subnet or only lease renewals (sent from an already-leased address) get through.
    ip access-list extended VLAN1ACL
     remark DHCP client (bootpc, udp 68) to server (bootps, udp 67)
     permit udp any eq bootpc any eq bootps
     remark deny the other VLANs before the web permits, which would otherwise reach them
     deny ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
     deny ip 192.168.11.0 0.0.0.255 192.168.13.0 0.0.0.255
     permit tcp 192.168.11.0 0.0.0.255 gt 1023 any eq http
     permit tcp 192.168.11.0 0.0.0.255 gt 1023 any eq https
     deny ip any any

    interface fa0/0.1
     ip access-group VLAN1ACL in

    ip access-list extended VLAN2ACL
     permit udp any eq bootpc any eq bootps
     deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
     deny ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
     permit tcp 192.168.12.0 0.0.0.255 gt 1023 any eq http
     permit tcp 192.168.12.0 0.0.0.255 gt 1023 any eq https
     deny ip any any

    interface fa0/0.2
     ip access-group VLAN2ACL in

    ip access-list extended VLAN3ACL
     permit udp any eq bootpc any eq bootps
     remark VPN and internal LAN permits for VLAN3 go here; they are not covered by this answer
     permit tcp 192.168.13.0 0.0.0.255 gt 1023 any eq http
     permit tcp 192.168.13.0 0.0.0.255 gt 1023 any eq https
     deny ip any any

    interface fa0/0.3
     ip access-group VLAN3ACL in

    As for the VPN traffic that is based on what you yourself want to classify as interesting and non-interesting traffic. I cannot help you with that as you did not state what you want going through your VPN.

    First, the udp 67 / 68 is permitted above all else as this is the DHCP traffic which your 'deny ip any any' would have blocked otherwise. Note that I have disallowed VLAN 10 and VLAN 11 from talking to one another; however, from a router you shouldn't block devices from talking to one another on the same VLAN. If you did want to block them from communicating it would have to be done on the switch with very advanced MAC address access-lists. Next I permitted http (port 80) and https (port 443) from accessing any network not already matched by the access list. You'd be surprised how many websites actually use https, so I'd advise allowing that too unless you have a Network Intrusion Detection System (NIPS) deployed, in which case I'd also expect you to have a Host Intrusion Protection System (HIPS), so it's best to keep it in. Finally, I made sure to only allow source ports which are greater than 1023 as just an extra security feature, just in case, and went with the best practice of putting it as close to the source as possible by keeping it on the interfaces closest to the switch.
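To see why the order of the entries matters and why a DHCP permit scoped to the VLAN subnet misses the client's first request, here is a small first-match evaluator for the extended ACL syntax used above. This is an added example, not code from the question, the answer, or Cisco; it handles only the subset of IOS ACL syntax that appears in this thread, and the ACL lines, packets and the 198.51.100.10 web server address it evaluates are constructed for the demonstration.

```python
"""First-match evaluator for a subset of Cisco IOS extended ACL syntax.

Added example; not code from the question, the answer, or Cisco. Assumed
grammar: '<permit|deny> <ip|tcp|udp> <src> [eq|gt N] <dst> [eq|gt N]' where
an address is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD', and N is a number
or one of http, https, bootps, bootpc. Entries are tried top to bottom, the
first match wins, and an implicit 'deny ip any any' ends every list, which is
how IOS evaluates an ACL.
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"http": 80, "https": 443, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens, i):
    """Return (matcher, next_index) for the address spec starting at tokens[i]."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        want = _ip_int(tokens[i + 1])
        return (lambda ip: _ip_int(ip) == want), i + 2
    net, wild = _ip_int(tokens[i]), _ip_int(tokens[i + 1])
    # In a wildcard mask a 1 bit means "don't care"; only the 0 bits are compared.
    return (lambda ip: (_ip_int(ip) & ~wild) == (net & ~wild)), i + 2


def _parse_port(tokens, i):
    """Return (matcher, next_index) for an optional 'eq N' or 'gt N' qualifier."""
    if i < len(tokens) and tokens[i] in ("eq", "gt"):
        op, arg = tokens[i], tokens[i + 1]
        n = PORT_NAMES[arg] if arg in PORT_NAMES else int(arg)
        return (lambda p: p == n if op == "eq" else p > n), i + 2
    return (lambda p: True), i


def parse_ace(line):
    """Parse one access control entry into (action, matcher)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)

    def matches(pkt):
        if proto != "ip" and pkt.proto != proto:
            return False
        return src(pkt.src) and sport(pkt.sport) and dst(pkt.dst) and dport(pkt.dport)

    return action, matches


def evaluate(acl_lines, pkt):
    """Return (verdict, matching entry) for pkt; remarks and '!' comments are skipped."""
    for line in acl_lines:
        line = line.strip()
        if not line or line.startswith(("remark", "!")):
            continue
        action, matches = parse_ace(line)
        if matches(pkt):
            return action, line
    return "deny", "implicit deny ip any any"


# Constructed ACL in the style of the answer's VLAN1ACL. The DHCP entry is written
# so that it matches the client's initial DISCOVER, which is sourced from 0.0.0.0.
VLAN1ACL = [
    "permit udp any eq bootpc any eq bootps",
    "deny ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255",
    "deny ip 192.168.11.0 0.0.0.255 192.168.13.0 0.0.0.255",
    "permit tcp 192.168.11.0 0.0.0.255 gt 1023 any eq http",
    "permit tcp 192.168.11.0 0.0.0.255 gt 1023 any eq https",
    "deny ip any any",
]

# A DHCP entry scoped to the VLAN subnet: it matches a renewal from a host that
# already holds a lease, but not the initial DISCOVER from 0.0.0.0.
SUBNET_SCOPED_DHCP = ["permit udp 192.168.11.0 0.0.0.255 any eq 67"]

# Constructed sample packets; 198.51.100.10 (TEST-NET-2) stands in for a web server.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
DHCP_RENEW = Packet("udp", "192.168.11.20", "192.168.11.1", 68, 67)
WEB_TO_INTERNET = Packet("tcp", "192.168.11.20", "198.51.100.10", 40000, 80)
TLS_TO_INTERNET = Packet("tcp", "192.168.11.20", "198.51.100.10", 40001, 443)
WEB_TO_VLAN2 = Packet("tcp", "192.168.11.20", "192.168.12.5", 40002, 80)
LOW_SPORT_WEB = Packet("tcp", "192.168.11.20", "198.51.100.10", 80, 80)
SSH_TO_INTERNET = Packet("tcp", "192.168.11.20", "198.51.100.10", 40003, 22)

if __name__ == "__main__":
    print("subnet-scoped DHCP vs DISCOVER:", evaluate(SUBNET_SCOPED_DHCP, DHCP_DISCOVER))
    for pkt in (DHCP_DISCOVER, DHCP_RENEW, WEB_TO_INTERNET, TLS_TO_INTERNET,
                WEB_TO_VLAN2, LOW_SPORT_WEB, SSH_TO_INTERNET):
        print(pkt, "->", evaluate(VLAN1ACL, pkt))
```

Running it shows the two points the answer makes about ordering: the inter-VLAN deny placed before the http permit is what stops 192.168.11.20 reaching a web server in VLAN2, and the 'gt 1023' qualifier makes a packet with a low source port fall through to the final deny. It also shows the DHCP caveat: the subnet-scoped entry permits a renewal but not the DISCOVER from 0.0.0.0, which is the case a host without a lease is in. Traffic between two hosts on the same VLAN never reaches the router at all, so, as the answer says, no router ACL can evaluate it.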
