Acl
hypnotoad
Banned Posts: 915
in CCNA & CCENT
Trying to set up a wireless hotspot where users can get on the internet but access nothing (or hardly nothing) on the local LAN.
ACL to be applied on WAP to cut a path to what the wireless PC can access.
PC = 10.10.49.35 /22
AP = 10.10.48.10 /22
Gateway = 10.10.48.1 /22
permit ip 10.10.48.10 255.255.255.255 (so it can talk to its AP if needed)
permit ip 10.10.48.1 255.255.255.255 (so it can talk to its Gateway if needed)
permit ip 10.10.0.215 255.255.255.255 (an internal server that is OK to access)
deny ip 10.10.0.0 0.0.255.255 (cut out the rest of the LAN)
permit ip any any (allow any other connections -- i.e. internet).
Any ideas on why this would allow too much? I.e. I can still ping 10.10.0.216, even though it's supposed to only allow 3 internal devices, the internet, and deny all other LAN.
TIA.
Comments
blackninja Member Posts: 385
hypnotoad wrote: »Trying to set up a wireless hotspot where users can get on the internet but access nothing (or hardly nothing) on the local LAN.
ACL to be applied on WAP to cut a path to what the wireless PC can access.
PC = 10.10.49.35 /22
AP = 10.10.48.10 /22
Gateway = 10.10.48.1 /22
permit ip 10.10.48.10 255.255.255.255 (so it can talk to its AP if needed)
permit ip 10.10.48.1 255.255.255.255 (so it can talk to its Gateway if needed)
permit ip 10.10.0.215 255.255.255.255 (an internal server that is OK to access)
deny ip 10.10.0.0 0.0.255.255 (cut out the rest of the LAN)
permit ip any any (allow any other connections -- i.e. internet).
Any ideas on why this would allow too much? I.e. I can still ping 10.10.0.216, even though it's supposed to only allow 3 internal devices, the internet, and deny all other LAN.
TIA.
Am I right in saying that the 255.255.255.255 should be replaced with 0.0.0.0 as a single host?
As the all-255s are allowing anything through?
Currently studying:
CCIE R&S - using INE workbooks & videos
Currently reading:
Everything. Twice
hypnotoad Banned Posts: 915
blackninja wrote: »Am I right in saying that the 255.255.255.255 should be replaced with 0.0.0.0 as a single host?
As the all-255s are allowing anything through?
CRAP! Do I have it backwards?
blackninja Member Posts: 385
hypnotoad wrote: »CRAP! Do I have it backwards?
Wildcard masks. They are inverted subnet masks.
If you convert the 255s into binary, the 1's equal a match and allow the traffic through.
So if you have put 10.10.48.10 255.255.255.255, the wildcard mask is all ones, so ANY address gets in.
10.10.48.10 0.0.0.0 = only host 10.10.48.10 gets in.
Currently studying:
CCIE R&S - using INE workbooks & videos
Currently reading:
Everything. Twice
Morty3 Member Posts: 139
You can type "host" instead of a specific wildcard mask. A 0 in the wildcard mask means "care" for the corresponding bit in the IP address; a 1 means "don't care".
CCNA, CCNA:Sec, Net+, Sonicwall Admin (fwiw). Constantly getting into new stuff.
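To make the wildcard-mask point from the replies above concrete, here is a small Python evaluator added as an illustration for this thread (it is not code from any of the posters). It transcribes the original ACL from the first post and the corrected version with 0.0.0.0 host masks, applies first-match-wins with the implicit deny at the end, and checks which entry each sample address hits. The sample addresses and the `render_entry` shorthand (using the `host` and `any` keywords mentioned by Morty3) are constructed for the demonstration; the ACL itself is the thread's, simplified to one address per entry as the original post wrote it.

```python
"""Evaluate Cisco-style ACL entries with wildcard masks against sample addresses.

Added illustration for this thread, not code from any poster. ORIGINAL_ACL is
transcribed from the first post (255.255.255.255 masks); CORRECTED_ACL uses the
0.0.0.0 host masks from blackninja's reply. Sample addresses are constructed.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match the base, a 1 bit is 'don't care'."""
    care = ~to_int(wildcard) & ALL_ONES
    return (to_int(addr) & care) == (to_int(base) & care)


def subnet_mask_to_wildcard(mask: str) -> str:
    """Wildcard mask is the bitwise inverse of the subnet mask (/22 -> 0.0.3.255)."""
    return str(ipaddress.IPv4Address(~to_int(mask) & ALL_ONES))


def evaluate_acl(acl, addr):
    """First matching entry wins; an unmatched address hits the implicit deny.

    Returns (action, index) where index is None for the implicit deny.
    """
    for index, (action, base, wildcard) in enumerate(acl):
        if wildcard_match(addr, base, wildcard):
            return action, index
    return "deny", None


def render_entry(action, base, wildcard):
    """Thread-style shorthand: 'host' for a 0.0.0.0 mask, 'any' for all ones."""
    if wildcard == "0.0.0.0":
        target = f"host {base}"
    elif wildcard == "255.255.255.255":
        target = "any"
    else:
        target = f"{base} {wildcard}"
    return f"{action} ip {target}"


# As posted: every "host" entry carries an all-ones wildcard, so entry 0 matches everything.
ORIGINAL_ACL = [
    ("permit", "10.10.48.10", "255.255.255.255"),
    ("permit", "10.10.48.1", "255.255.255.255"),
    ("permit", "10.10.0.215", "255.255.255.255"),
    ("deny", "10.10.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # permit ip any
]

# Corrected: 0.0.0.0 wildcard pins each permit to exactly one host.
CORRECTED_ACL = [
    ("permit", "10.10.48.10", "0.0.0.0"),
    ("permit", "10.10.48.1", "0.0.0.0"),
    ("permit", "10.10.0.215", "0.0.0.0"),
    ("deny", "10.10.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # permit ip any
]

# Constructed sample addresses: the pinged LAN host from the post, the allowed
# server, the gateway, and a documentation-range address standing in for "the internet".
SAMPLE_ADDRESSES = ["10.10.0.216", "10.10.0.215", "10.10.48.1", "203.0.113.5"]

if __name__ == "__main__":
    print("/22 subnet mask 255.255.252.0 -> wildcard", subnet_mask_to_wildcard("255.255.252.0"))
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(f"--- {name} ACL ---")
        for entry in acl:
            print("  " + render_entry(*entry))
        for addr in SAMPLE_ADDRESSES:
            action, idx = evaluate_acl(acl, addr)
            print(f"  {addr:<14} -> {action} (entry {idx})")
```

Running it shows why the ping to 10.10.0.216 succeeded: under the original list every address, LAN or not, matches entry 0 before the deny is ever consulted, while under the corrected list 10.10.0.216 falls through the three host permits and stops at the `deny ip 10.10.0.0 0.0.255.255` entry, and only 10.10.0.215, the AP, the gateway and non-10.10.x.x addresses are permitted.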