NEED VLAN ACLs

Unanswered Question
Feb 22nd, 2007

Hey Everyone,

I have 3 networks:

Protected 172.18.0.0/24 Vlan 1

DMZ - 10.0.0.0/24 ->Vlan 1

192.168.1.0/24 ->Vlan 100

I need ACLs on VLAN 100 to disallow traffic from 192.168.1.0 from initiating to anywhere, with the exception of 10.0.0.1.

However, My DMZ and Protected should be able to connect to this vlan 100.

How would I go about this? Please provide an example.

Thanks

Ryan

purohit_810 Thu, 02/22/2007 - 11:56

Ryan,

Good. Please tell me one thing: are you doing inter-VLAN configuration?

If yes, you can configure an access-list and apply it on the sub-interface.

Look at the router ACL configuration at the end of this post.

_____________________________________________

If it is on a separate interface on a PIX firewall, in that case you have to put in the following command.

access-list From-v100-v1 deny tcp 192.168.1.0 255.255.255.0 172.18.0.0 255.255.0.0
access-list From-v100-v1 permit ip any any

Now apply it on the interface where VLAN 100 is connected:

access-group From-v100-v1 in interface {interface name}

Interface name: the PIX interface connected to VLAN 100

______________________________________________

On a router:

access-list 101 deny tcp 192.168.1.0 0.0.0.255 172.18.0.0 0.0.255.255

access-list 101 permit ip any any

Apply the access-list created above on the interface where VLAN 100 is connected.

int {interface No}

ip access-group 101 out

If you are still not able to solve the problem, please reply with a proper diagram.

Regards,

Dharmesh Purohit

purohit_810 Thu, 02/22/2007 - 13:10

access-list 101 deny tcp 192.168.1.0 0.0.0.255 172.18.0.0 0.0.255.255

access-list 101 permit ip any any

int vlan 100

ip access-group 101 in

Regards,

Dharmesh Purohit

acomiskey Thu, 02/22/2007 - 13:12

^^ The problem with that is he wants 172.18 to be able to initiate a connection to 192.168. With that ACL, 172.18 traffic would hit 192.168 but the reply from 192.168 would be denied, right?

acomiskey Thu, 02/22/2007 - 12:46

I thought so..allowing 192.168.1.0 to only initiate to 10.0.0.1 is easy.

access-list 100 permit ip 192.168.1.0 0.0.0.255 host 10.0.0.1

access-list 100 deny ip 192.168.1.0 0.0.0.255 any

int vlan 100

ip access-group 100 in

The issue you will run into is that the switch is not stateful like a firewall. So with the above access-list you would also block the replies from 192.168.1.0 to anywhere else. You could add

access-list 100 permit tcp 192.168.1.0 0.0.0.255 any established

which would allow return tcp traffic to flow back to 172.18.0.0 etc., but note this only works for tcp traffic, not udp. All in all, a switch is really not the greatest solution here, but it is possible, it just gets a little ugly.

rostoski123 Thu, 02/22/2007 - 17:59

Yeah, I was under the impression that the established only allows traffic back in that originates from inside.

access-list 100 permit tcp 192.168.1.0 0.0.0.255 any established

would only allow return traffic? That's where I am confused. Thanks

acomiskey Thu, 02/22/2007 - 19:19

OK, if 172.18.x.x initiated a TCP connection to 192.168.1.x, the traffic would be allowed, as you do not have an ACL applied to vlan 100 with "ip access-group 100 out".

When 192.168.1.x replied to that connection, the traffic would be filtered by access-list 100 because it is applied inbound on vlan 100. Without the keyword, the switch will drop the packet, as you are not permitting 192.168.1.0 to 172.18.0.0 in your ACL. But by adding the established keyword to the ACL, the switch can be smart enough to act like a stateful firewall and allow the return traffic to flow. But like I said, this only works for TCP, so anything UDP you would pretty much have to open up. Hopefully that makes sense.
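The behaviour acomiskey describes can be checked without a switch. The following is an added example, not code from the original thread or from Cisco: a small stateless simulator of IOS extended-ACL matching (first match wins, wildcard masks, the implicit deny at the end, and the "established" keyword, which on IOS matches TCP segments carrying ACK or RST and keeps no connection state). It loads the ACL 100 from the thread with the "established" permit placed before the deny, since IOS stops at the first match, and evaluates constructed packets as they would be seen entering the switch from VLAN 100 with "ip access-group 100 in". The Packet and Ace types and the field names are assumptions made for this illustration.

```python
"""Stateless simulation of the IOS extended ACL discussed in the thread.

Added example, not from the original thread. It models first-match
evaluation, wildcard masks, the implicit "deny ip any any" at the end of
every IOS ACL, and the "established" keyword (TCP segments with ACK or RST
set; no connection state is kept). All packets are constructed here.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:                # assumed minimal packet model
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ack: bool = False        # TCP ACK flag; ignored for udp/icmp
    rst: bool = False        # TCP RST flag; ignored for udp/icmp


@dataclass(frozen=True)
class Ace:                   # one access-control entry
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp" or "icmp"
    src: str                 # "A.B.C.D wildcard", "host A.B.C.D" or "any"
    dst: str
    established: bool = False


def _match_addr(spec, addr):
    """IOS address matching: 'any', 'host A.B.C.D', or 'network wildcard'."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    # A wildcard bit of 1 means "don't care"; compare only the zero bits.
    return (a & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def _match(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)):
        return False
    if ace.established:
        # "established" is stateless: any TCP segment with ACK or RST matches.
        return pkt.proto == "tcp" and (pkt.ack or pkt.rst)
    return True


def evaluate(acl, pkt):
    """First matching ACE decides; no match falls to the implicit deny."""
    for ace in acl:
        if _match(ace, pkt):
            return ace.action
    return "deny"


def parse_ace(line):
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [established]'."""
    tok = line.split()
    assert tok[0] == "access-list"
    action, proto, rest = tok[2], tok[3], tok[4:]
    established = rest[-1] == "established"
    if established:
        rest = rest[:-1]
    fields, i = [], 0
    while i < len(rest):
        if rest[i] == "any":
            fields.append("any"); i += 1
        elif rest[i] == "host":
            fields.append(f"host {rest[i + 1]}"); i += 2
        else:
            fields.append(f"{rest[i]} {rest[i + 1]}"); i += 2
    src, dst = fields
    return Ace(action, proto, src, dst, established)


# ACL 100 as assembled from the thread's posts (constructed; the
# "established" line must precede the deny or it never matches).
ACL_100 = [parse_ace(line) for line in """
access-list 100 permit ip 192.168.1.0 0.0.0.255 host 10.0.0.1
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any established
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
""".strip().splitlines()]


def vlan100_inbound(pkt):
    """Verdict for a packet entering the switch from VLAN 100 ("in")."""
    return evaluate(ACL_100, pkt)


if __name__ == "__main__":
    for p in (Packet("tcp", "192.168.1.5", "172.18.0.9"),            # new session: denied
              Packet("tcp", "192.168.1.5", "172.18.0.9", ack=True),  # TCP reply: permitted
              Packet("udp", "192.168.1.5", "172.18.0.9")):           # UDP reply: denied
        print(p.proto, "ack" if p.ack else "no-ack", "->", vlan100_inbound(p))
```

Two things the simulation makes visible that the thread only states: a UDP reply from 192.168.1.0 is dropped because "established" is TCP-only, and a TCP segment from 192.168.1.0 with ACK set is permitted whether or not any connection exists, so the keyword is a flag check, not state. Traffic entering from VLAN 100 with a source outside 192.168.1.0/24 hits the implicit deny, which is a useful side effect against spoofed sources.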
