Cisco Wireless: How to configure a named access list to deny traffic from a Visitor Vlan to Internal Resources

This is what I am trying to achieve: the guest VLAN should have access only to the Internet, and everything else is blocked.

Here is what I have so far:

interface FastEthernet0/0
description To_Internet
ip address 1.1.1.1 255.255.255.252
ip access-group 102 in
ip nat outside
ip inspect RED out
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map CM

interface FastEthernet0/1.11
description To_Internal_Voice
encapsulation dot1Q 37
ip address 10.1.222.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.40
description Guest_Pool
encapsulation dot1Q 40
ip address 10.1.1.254 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface FastEthernet0/1.128
description To_Internal_Management
encapsulation dot1Q 38
ip address 10.1.255.254 255.255.255.240
!
interface FastEthernet0/1.131
description To_Internal_Data
encapsulation dot1Q 39
ip address 10.1.0.254 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip inspect DATA-EXT in
ip virtual-reassembly in
no cdp enable

! Create an extended access list named DenyVisitor and specify what we want to deny.

G00-2811-01(config)#ip access-list extended DenyVisitor

! Deny access to the voice VLAN

G00-2811-01(config-ext-nacl)#deny ip any 10.1.222.0 0.0.0.255

! Deny access to the internal data VLAN

G00-2811-01(config-ext-nacl)#deny ip any 10.1.0.0 0.0.0.255

! Deny access to the management VLAN. The sub-interface 10.1.255.254 255.255.255.240 sits in 10.1.255.240/28, so the entry must start at .240; an entry starting at .128 only covers 10.1.255.128-143 and never matches management traffic.

G00-2811-01(config-ext-nacl)#deny ip any 10.1.255.240 0.0.0.15

! Do not forget to permit the rest of the traffic; without this line the implicit deny at the end of the list would also block the Internet.

G00-2811-01(config-ext-nacl)#permit ip any any

The configuration so far:

ip access-list extended DenyVisitor
deny ip any 10.1.222.0 0.0.0.255
deny ip any 10.1.0.0 0.0.0.255
deny ip any 10.1.255.240 0.0.0.15
permit ip any any

! Now for the fun part: apply the access list inbound on the sub-interface for the guest VLAN. Traffic from the guest VLAN to the three subnets we specified is then dropped at the router, while the VLAN can still reach the Internet because of the permit statement at the end of the access list.

G00-2811-01(config)#int FastEthernet0/1.40

G00-2811-01(config-subif)#ip access-group DenyVisitor in

! Confirm that it is working

G00-2811-01#sh access-lists DenyVisitor
Extended IP access list DenyVisitor
10 deny ip any 10.1.222.0 0.0.0.255 (1151 matches)
20 deny ip any 10.1.0.0 0.0.0.255 (259 matches)
30 deny ip any 10.1.255.128 0.0.0.15
40 permit ip any any (5327 matches)
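The match counters only tell you which entries have fired, not whether the wildcard entries actually cover the internal subnets. The added example below (not part of the original post) models IOS first-match ACL evaluation with wildcard masks in Python, checks every address of each internal sub-interface subnet against the list, and derives the deny entry for a sub-interface from its configured address and mask. It uses the page's subnets; the ACL entry 10.1.255.128 0.0.0.15 from the show output above is deliberately included to show that it leaves the management subnet 10.1.255.240/28 reachable.

```python
from ipaddress import IPv4Address, IPv4Interface

# Sub-interface addresses taken from the router configuration on the page.
INTERNAL = {
    "Fa0/1.11 voice": "10.1.222.254/24",
    "Fa0/1.128 management": "10.1.255.254/28",
    "Fa0/1.131 data": "10.1.0.254/24",
}

# The ACL as shown in the show access-lists output: (action, destination, wildcard), in order.
DENY_VISITOR = [
    ("deny", "10.1.222.0", "0.0.0.255"),
    ("deny", "10.1.0.0", "0.0.0.255"),
    ("deny", "10.1.255.128", "0.0.0.15"),      # does not reach 10.1.255.240/28
    ("permit", "0.0.0.0", "255.255.255.255"),  # permit ip any any
]

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)

def acl_action(acl, dst):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, network, wildcard in acl:
        if wildcard_match(dst, network, wildcard):
            return action
    return "deny"

def deny_entry(cidr):
    """Derive the deny entry for a sub-interface: its network address and hostmask (wildcard)."""
    net = IPv4Interface(cidr).network
    return ("deny", str(net.network_address), str(net.hostmask))

def uncovered_subnets(acl, interfaces):
    """Names of sub-interfaces whose subnet is not fully denied by the ACL."""
    return [name for name, cidr in interfaces.items()
            if any(acl_action(acl, str(host)) != "deny"
                   for host in IPv4Interface(cidr).network)]

def build_acl(interfaces):
    """Deny every internal subnet derived from the interfaces, then permit everything else."""
    return [deny_entry(cidr) for cidr in interfaces.values()] + [DENY_VISITOR[-1]]

if __name__ == "__main__":
    print("not covered as configured:", uncovered_subnets(DENY_VISITOR, INTERNAL))
    print("not covered after rebuild:", uncovered_subnets(build_acl(INTERNAL), INTERNAL))
```

Feeding the interface addresses through deny_entry() is also the quickest way to get the wildcard right when the subnet mask is not a whole octet, as with the /28 management VLAN here.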
