ACL just for internet, and nothing else

Futura (Member, Posts: 191)
So I want to make a VLAN just for guest users to access the internet that goes out through a shared gateway. I don't want these users to be able to access anything on the LAN.

I was thinking

something like

permit tcp any any eq 80

but if I have any web servers on my network then the guests will be able to access them!

Any thoughts how I can just allow internet access but strictly nothing else?

Thank you:):)

Comments

  • networker050184 (Mod, Posts: 11,962)
    You can just deny access to any internal subnets. For example, if you use 192.168/16 on your internal network, then you just deny access to that and permit anything else. You will need to punch holes if there is some internal stuff they need to access.
    An expert is a man who has made all the mistakes which can be made.
  • Futura (Member, Posts: 191)
    Superb, so I could:

    deny tcp any 172.16.0.0 0.0.255.255 eq www
    permit tcp any any eq www

    thanks:)
  • networker050184 (Mod, Posts: 11,962)
    I wouldn't even worry about the eq www part personally. Then you will get bugged often to let stuff like https, ftp, vpn protocols etc through. Just make sure they have no IP connectivity to your stuff and let the rest go.
  • NetworkVeteran (Member, Posts: 2,338)
    A few ideas--

    You could block all traffic (on the ingress) destined for your external LAN IPs
    You could block all traffic (on the egress) sourced from the guest LAN IPs
    Use PBR to forward all packets from the guest LAN towards the Internet
  • drkat (Banned, Posts: 703)
    So on the guest VLAN you apply an ACL denying traffic to your internal subnets and permit everything else.
  • MickQ (Member, Posts: 628)
    You might want to deny ip rather than just tcp traffic. I'm sure you don't want UDP being able to get past ;)
  • Michael2 (Member, Posts: 305)
    Why not just create an ACL that would block all inbound traffic and place it on the gateways to your internal LAN with the guest terminals on the other side? Why create a VLAN?
  • drkat (Banned, Posts: 703)
    Michael, given that theory how would you define the difference between guest and employee?
  • Michael2 (Member, Posts: 305)
    Oh, so I need a VLAN to differentiate between guests and employees. I thought you could just implement a User Access Control policy, but I guess I need to go out and get network switches and set up a whole VLAN to keep guest users from accessing the internal network.
  • drkat (Banned, Posts: 703)
    You don't NEED to do anything. Every network is a unique snowflake. You will want to look at your network and determine how the guests are going to be accessing the network, and then determine the best access control for the job. Given the OP's original post utilizing a VLAN method, maybe they don't have any type of authentication policy in place, or maybe they have guest pods that only guests can use? The possibilities are endless.

    However I sense your response as much sarcastic as it is arrogant. Only the OP and in this case YOU would know how your network is configured and best practice for that scenario.

    From this scenario he is using a SHARED gateway, so both networks will have equal access to it. So sure, he can write an ACL that is egress on his internal subnet interface to not allow access from the guest subnet; this would be his best option. It really depends how he is set up, and since we don't have any configuration it's all hearsay at this point.
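To make the thread's advice concrete, here is an added example (not code from any poster) that parses a small subset of Cisco IOS extended ACL syntax and evaluates packets against three guest-VLAN ACLs: the OP's draft (deny tcp ... eq www, then permit tcp any any eq www), a "deny tcp to the internal range, permit ip any any" variant, and the deny-ip version networker050184 and MickQ describe, covering all three RFC 1918 ranges. First-match-wins and the implicit deny at the end of an IOS ACL are modelled; port ranges, 'established', object groups and the like are not. All addresses (guest host 172.31.200.10, internal web server 172.16.1.5, internal DNS server 172.20.1.5, internet host 203.0.113.10) and the packet list are constructed for the example. Note that the OP's 172.16.0.0 0.0.255.255 matches only 172.16.0.0/16; the full RFC 1918 block 172.16.0.0/12 needs the wildcard 0.15.255.255.

```python
"""First-match evaluator for a subset of Cisco IOS extended ACL syntax.

Constructed example for the guest-VLAN discussion: three ACLs are evaluated
against sample packets to show (a) why 'deny tcp' alone lets UDP through,
(b) why a /16 wildcard does not cover all of 172.16/12, and (c) that
'deny ip' to the internal ranges plus 'permit ip any any' does what the
thread recommends. Everything below is an assumption for illustration.
"""
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53}  # IOS port keywords handled here


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def parse_entry(line):
    """Parse one ACE: '<permit|deny> <proto> <src> <dst> [eq <port>]'.

    src/dst are 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. An IOS wildcard
    mask is the inverse of a netmask: a 1 bit means 'do not care'."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take_addr():
        if rest[0] == "any":
            del rest[0]
            return (0, 0xFFFFFFFF)
        if rest[0] == "host":
            addr = _ip(rest[1])
            del rest[:2]
            return (addr, 0)
        addr, wild = _ip(rest[0]), _ip(rest[1])
        del rest[:2]
        return (addr, wild)

    src, dst = take_addr(), take_addr()
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def addr_matches(addr_str, rule):
    """True if addr matches (network, wildcard): compare only the 0 bits of the wildcard."""
    net, wild = rule
    care = ~wild & 0xFFFFFFFF
    return (_ip(addr_str) & care) == (net & care)


def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny'. First match wins; unmatched traffic hits
    the implicit 'deny ip any any' that ends every IOS ACL."""
    for e in acl:
        if e["proto"] not in ("ip", proto):
            continue
        if not (addr_matches(src, e["src"]) and addr_matches(dst, e["dst"])):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"


def build(lines):
    return [parse_entry(l) for l in lines]


# The OP's draft: only web traffic is considered at all.
OP_DRAFT = build(["deny tcp any 172.16.0.0 0.0.255.255 eq www",
                  "permit tcp any any eq www"])
# Deny TCP to the internal /16 and let everything else go.
TCP_ONLY_DENY = build(["deny tcp any 172.16.0.0 0.0.255.255",
                       "permit ip any any"])
# The thread's recommendation: no IP connectivity to any RFC 1918 range.
GUEST_ACL = build(["deny ip any 10.0.0.0 0.255.255.255",
                   "deny ip any 172.16.0.0 0.15.255.255",
                   "deny ip any 192.168.0.0 0.0.255.255",
                   "permit ip any any"])


def demo():
    """Evaluate each ACL against constructed guest-VLAN packets."""
    guest = "172.31.200.10"
    cases = {
        "web_internal": ("tcp", guest, "172.16.1.5", 80),
        "web_internet": ("tcp", guest, "203.0.113.10", 80),
        "https_internet": ("tcp", guest, "203.0.113.10", 443),
        "dns_internal_udp": ("udp", guest, "172.20.1.5", 53),
        "ssh_other_rfc1918": ("tcp", guest, "172.20.1.5", 22),
    }
    acls = {"op_draft": OP_DRAFT, "tcp_only_deny": TCP_ONLY_DENY, "guest_acl": GUEST_ACL}
    return {name: {case: evaluate(acl, *pkt) for case, pkt in cases.items()}
            for name, acl in acls.items()}


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

Reading the output: the OP's draft blocks HTTPS to the internet (implicit deny), which is the nagging networker050184 warns about; the tcp-only deny lets UDP DNS to 172.20.1.5 and SSH to 172.20.1.5 through (wrong protocol and wrong wildcard respectively); the deny-ip ACL blocks every internal destination regardless of protocol while permitting the internet. Applied inbound on the guest VLAN SVI, that last ACL is the one the thread converges on.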