rbjohnson78
Technical User
Long story short: my boss wanted me to take some routes out of the switch to free up some public IP addresses. It's been a while since I've worked on a Cisco switch, but now I'm not sure how to make our ACLs work again. The config is below...
Also, just a quick rundown on how it is set up. We are using the ISP as the gateway, which we will say is 16.66.77.161, and this is off of port 23. Off of port 24 is our firewall, whose IP is 16.66.77.166, and our internal (private) IP range is 192.18.0.0. Let me know if you need any more info than this, but this is the gist of it.
3750X-24T#show run
Building configuration...
Current configuration : 9095 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname 3750X-24T
!
boot-start-marker
boot-end-marker
!
enable secret 5 ----------------------
!
username ---- secret 5 ---------------
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
switch 1 provision ws-c3750x-24
system mtu routing 1500
authentication mac-move permit
!
!
no ip domain-lookup
ip domain-name software.com
vtp mode transparent
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
!
!
port-channel load-balance src-dst-ip
!
vlan internal allocation policy ascending
!
vlan 5
name DMZ
!
ip ssh time-out 30
ip ssh authentication-retries 5
ip ssh version 2
!
!
interface FastEthernet0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface GigabitEthernet1/0/1
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/2
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/3
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/4
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/5
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/6
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/7
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/8
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/9
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/10
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/11
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/12
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/13
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/14
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/15
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/16
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/17
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/18
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/19
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/20
description DMZ
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/21
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/22
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/23
description INTERNET
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/24
description WATCHGUARD FIREWALL PORT 0
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
description DO NOT USE
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
shutdown
!
interface Vlan5
description DMZ
ip address 16.66.77.177 255.255.255.224
ip access-group DMZ-IN in
ip access-group DMZ-OUT out
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
!
ip default-gateway 16.66.77.161
ip classless
ip route 0.0.0.0 0.0.0.0 16.66.77.161
no ip http server
no ip http secure-server
!
ip access-list extended DMZ-IN
remark ACL RULES ON TRAFFIC FROM DMZ SERVERS
remark ALLOW ALL OUTBOUND TRAFFIC FROM DMZ SERVERS
permit ip any any
ip access-list extended DMZ-OUT
remark PERMIT ICMP TRAFFIC
permit icmp any 16.66.77.176 0.0.0.15
remark ACL RULES ON TRAFFIC TO DMZ SERVERS
remark ALLOW ESTABLISHED TCP TRAFFIC
permit tcp any 16.66.77.176 0.0.0.15 established
permit udp any host 16.66.77.178 gt 1024
permit tcp any any eq 1433
permit udp any any eq 1434
permit esp any any
permit udp any any eq isakmp
permit gre any any
permit tcp any host 16.66.77.178 gt 1024
permit tcp host 16.66.77.166 host 16.66.77.179 eq www
permit tcp 8.178.59.240 0.0.0.3 host 16.66.77.179 eq www
permit tcp 73.160.120.16 0.0.0.3 host 16.66.77.179 eq www
permit tcp any host 16.66.77.179 gt 1024
permit udp any host 16.66.77.179 gt 1024
permit tcp 73.160.120.16 0.0.0.3 host 16.66.77.180 eq www
permit tcp host 16.66.77.166 host 16.66.77.180 eq www
permit tcp 8.178.59.240 0.0.0.3 host 16.66.77.180 eq www
permit tcp any host 16.66.77.185 eq 1755
permit udp any host 16.66.77.185 eq 1755
permit udp any host 16.66.77.185 eq 5005
permit tcp any host 16.66.77.185 eq 5005
permit udp any host 16.66.77.182 eq 1719
permit tcp any host 16.66.77.182 eq 1720
permit tcp any host 16.66.77.182 gt 49151
permit udp any host 16.66.77.182 gt 49151
permit tcp any host 16.66.77.183 gt 49151
permit udp any host 16.66.77.183 gt 49151
permit tcp any host 16.66.77.184 eq telnet
permit udp any host 16.66.77.179 eq 1719
permit udp any host 16.66.77.179 eq snmp
permit tcp any host 16.66.77.179 eq 1720
permit tcp any host 16.66.77.179 eq 5060
permit tcp any host 16.66.77.179 eq 1755
permit tcp any host 16.66.77.179 eq 554
permit tcp any host 16.66.77.179 eq ftp
permit udp any host 16.66.77.179 eq 5060
permit tcp host 16.66.77.166 host 16.66.77.184 eq 443
permit tcp host 73.160.120.17 host 16.66.77.184 eq 443
permit tcp host 73.160.120.17 host 16.66.77.184 eq www
permit tcp host 16.66.77.166 host 16.66.77.184 eq www
permit tcp host 73.160.120.17 host 16.66.77.184 eq 554
permit tcp any host 16.66.77.184 range 10000 10200
permit udp any host 16.66.77.184 range 15000 16000
permit tcp host 16.66.77.166 host 16.66.77.186 eq 22
permit tcp host 73.160.120.17 host 16.66.77.186 eq 22
permit tcp any host 16.66.77.186 eq 1720
permit udp any host 16.66.77.186 eq 1719
permit udp any host 16.66.77.186 range 50000 60000
permit tcp any host 16.66.77.186 range 30000 60000
permit tcp any host 16.66.77.186 eq 1935
permit tcp host 16.66.77.166 host 16.66.77.186 eq 9000
permit tcp host 73.160.120.17 host 16.66.77.186 eq 9000
permit udp any host 16.66.77.186 eq 11935
permit tcp any host 16.66.77.186 eq 5060
permit udp any host 16.66.77.186 eq 5060
permit tcp any host 16.66.77.186 eq domain
permit udp any host 16.66.77.186 eq domain
permit tcp host 16.66.77.166 host 16.66.77.185 eq www
permit tcp host 16.66.77.166 host 16.66.77.185 eq 443
permit tcp host 73.160.120.17 host 16.66.77.185 eq www
permit tcp host 73.160.120.17 host 16.66.77.185 eq 443
permit tcp host 8.8.8.8 host 16.66.77.186 gt 1023
permit udp host 8.8.8.8 host 16.66.77.186 gt 1023
deny ip any any log
ip access-list extended dmz-out
!
ip sla enable reaction-alerts
access-list 1 permit 16.66.77.166
access-list 1 permit 192.18.0.0 0.0.255.255
access-list 2 permit 16.66.77.166
access-list 2 permit 192.18.0.0 0.0.255.255
access-list 3 permit 16.66.77.166
access-list 3 permit 192.18.0.0 0.0.255.255
snmp-server community wadz15kG RO 2
snmp-server community WkI4k9Nc RW 3
!
!
line con 0
exec-timeout 30 0
logging synchronous
line vty 0 4
access-class 1 in
exec-timeout 30 0
logging synchronous
transport input ssh
line vty 5 15
access-class 1 in
exec-timeout 30 0
logging synchronous
transport input ssh
!
end
3750X-24T#
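A quick way to reason about what the DMZ-OUT list above will and will not pass is to evaluate candidate flows against it offline, using the same semantics IOS applies: entries are checked top to bottom, the first match decides, and anything that reaches the end hits the implicit deny (here made explicit by `deny ip any any log`). The following script is an added example, not code from the post or from Cisco; it parses the address, port and `established` syntax used in the post's ACL, loads a subset of the DMZ-OUT entries in their original order, and checks a few constructed flows (source addresses from documentation ranges). The `referenced_hosts` helper lists the /32 destinations that permit entries still name, which is useful when the goal is to find out which public addresses the ACL still depends on before freeing any up.

```python
"""Added example: evaluator for Cisco IOS extended ACL semantics.

Not the switch's own code. It handles the syntax seen in the post's
DMZ-OUT list: any / host / address-wildcard, eq / gt / lt / range ports,
named ports, and the 'established' keyword (matches TCP segments with
ACK or RST set). Flows below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional

# IOS port keywords that appear in the post's ACL, mapped to numbers.
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "snmp": 161,
              "domain": 53, "isakmp": 500}

# Subset of the DMZ-OUT entries copied from the post, original order kept.
DMZ_OUT = """\
permit icmp any 16.66.77.176 0.0.0.15
permit tcp any 16.66.77.176 0.0.0.15 established
permit udp any host 16.66.77.178 gt 1024
permit tcp any any eq 1433
permit tcp host 16.66.77.166 host 16.66.77.179 eq www
permit tcp 8.178.59.240 0.0.0.3 host 16.66.77.179 eq www
permit tcp any host 16.66.77.179 gt 1024
permit tcp any host 16.66.77.184 range 10000 10200
deny ip any any log
"""


def _ip(s: str) -> int:
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _fmt(ip: int) -> str:
    return f"{ip >> 24}.{(ip >> 16) & 255}.{(ip >> 8) & 255}.{ip & 255}"


def _port(s: str) -> int:
    return PORT_NAMES[s] if s in PORT_NAMES else int(s)


@dataclass
class Rule:
    action: str
    proto: str
    src: tuple                 # (address, wildcard) as ints
    sport: Optional[tuple]     # (op, a, b) or None
    dst: tuple
    dport: Optional[tuple]
    established: bool
    text: str


def _take_addr(toks, i):
    """Wildcard bits that are set are 'don't care'; works for any mask."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2


def _take_port(toks, i):
    if i < len(toks) and toks[i] in ("eq", "gt", "lt", "range"):
        op = toks[i]
        if op == "range":
            return (op, _port(toks[i + 1]), _port(toks[i + 2])), i + 3
        return (op, _port(toks[i + 1]), None), i + 2
    return None, i


def parse_acl(text: str) -> list:
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] == "remark":
            continue
        src, i = _take_addr(toks, 2)
        sport, i = _take_port(toks, i)
        dst, i = _take_addr(toks, i)
        dport, i = _take_port(toks, i)
        rules.append(Rule(toks[0], toks[1], src, sport, dst, dport,
                          "established" in toks[i:], line))
    return rules


def _addr_ok(spec, ip):
    addr, wild = spec
    return (ip & ~wild) == (addr & ~wild)


def _port_ok(spec, port):
    if spec is None:
        return True
    op, a, b = spec
    if op == "eq":
        return port == a
    if op == "gt":
        return port > a
    if op == "lt":
        return port < a
    return a <= port <= b          # range


def evaluate(rules, proto, src, dst, sport=0, dport=0, ack=False):
    """First matching entry wins; no match is the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if not (_addr_ok(r.src, s) and _addr_ok(r.dst, d)):
            continue
        if proto in ("tcp", "udp") and not (
                _port_ok(r.sport, sport) and _port_ok(r.dport, dport)):
            continue
        if r.established and not ack:
            continue
        return r.action, r.text
    return "deny", "implicit deny"


def referenced_hosts(rules):
    """Destination /32 addresses that permit entries still name."""
    hosts = {r.dst[0] for r in rules if r.action == "permit" and r.dst[1] == 0}
    return [_fmt(h) for h in sorted(hosts)]


if __name__ == "__main__":
    rules = parse_acl(DMZ_OUT)
    for flow in [("tcp", "203.0.113.5", "16.66.77.179", 40000, 80, False),
                 ("tcp", "8.178.59.241", "16.66.77.179", 40000, 80, False),
                 ("tcp", "203.0.113.5", "16.66.77.179", 40000, 80, True)]:
        print(flow, "->", evaluate(rules, *flow))
    print("hosts still referenced:", referenced_hosts(rules))
```

The three flows in the usage block show the ordering effect: a new HTTP connection from an arbitrary source to 16.66.77.179 falls through to the final deny, the same connection from inside 8.178.59.240/30 is permitted by its dedicated entry, and a segment with ACK set is accepted by the `established` line before any of the host-specific entries are consulted. The evaluator models only the list itself; whether a given packet is ever presented to the list depends on it being routed through the Vlan5 SVI, which is worth confirming separately given that every port in the config, including the INTERNET and firewall ports, sits in VLAN 5.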