02-22-2007 11:32 AM - edited 03-05-2019 02:31 PM
Hey Everyone,
I have 3 networks:
Protected 172.18.0.0/24 Vlan 1
DMZ - 10.0.0.0/24 -> Vlan 1
192.168.1.0/24 -> Vlan 100
I need ACLs on the VLAN 100 to disallow traffic from the 192.168.1.0 to initiate to anywhere with exception of 10.0.0.1.
However, My DMZ and Protected should be able to connect to this vlan 100.
How would I go about this? Please provide an example.
Thanks
Ryan
02-22-2007 11:41 AM
What device are we talking about here?
02-22-2007 11:56 AM
Ryan,
Good. Please tell me one thing... are you doing inter-VLAN configuration?
If yes, you can configure an access-list and apply it on the sub-interface.
Look at the router ACL configuration at the end of this post.
_____________________________________________
If it is on a separate interface on a PIX firewall, in that case you have to put the following command (the PIX takes a subnet mask, not an IOS wildcard mask, and both networks are /24 as described above):
access-list From-v100-v1 deny tcp 192.168.1.0 255.255.255.0 172.18.0.0 255.255.255.0
Now put it on the interface where VLAN 100 is connected:
access-group From-v100-v1 in interface {Interface No}
Interface No: the interface connected to VLAN 100
______________________________________________
On Router:
access-list 101 deny tcp 192.168.1.0 0.0.0.255 172.18.0.0 0.0.0.255
access-list 101 permit ip any any
Put the access-list created above on the interface where VLAN 100 is connected.
int {interface No}
ip access-group 101 out
If you are still not able to solve the problem, please reply with a proper diagram.
Regards,
Dharmesh Purohit
02-22-2007 12:27 PM
It's on a Layer 3 Cisco switch
02-22-2007 01:10 PM
access-list 101 deny tcp 192.168.1.0 0.0.0.255 172.18.0.0 0.0.0.255
access-list 101 permit ip any any
int vlan 100
ip access-group 101 in
Regards,
Dharmesh Purohit
02-22-2007 01:11 PM
Sorry, ignore previous post
02-22-2007 01:12 PM
^^ The problem with that is he wants 172.18 to be able to initiate connections to 192.168. With that ACL, 172.18 traffic would hit 192.168, but the reply from 192.168 would be denied, right?
02-22-2007 12:46 PM
I thought so... allowing 192.168.1.0 to only initiate to 10.0.0.1 is easy.
access-list 100 permit ip 192.168.1.0 0.0.0.255 host 10.0.0.1
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
int vlan 100
ip access-group 100 in
The issue you will run into is that the switch is not stateful like a firewall. So with the above access-list you would also block the replies from 192.168.1.0 to anywhere else. You could add
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any established
which would allow return tcp traffic to flow back to 172.18.0.0 etc., but note this only works for tcp traffic, not udp. All in all, a switch is really not the greatest solution here, but it is possible, it just gets a little ugly.
02-22-2007 05:59 PM
Yeah, I was under the impression that the established only allows traffic back in that originates from inside.
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any established
would only allow return traffic? That's where I am confused. Thanks
02-22-2007 07:19 PM
OK, if 172.18.x.x initiated a TCP connection to 192.168.1.x, the traffic would be allowed, as you do not have an ACL applied to vlan 100 with "ip access-group 100 out".
When 192.168.0.x replied to that connection, the traffic would be filtered by access-list 100 because it is applied into vlan 100. Without the keyword, the switch will drop the packet as you are not permitting 192.168.1.0 to 172.18.0.0 in your acl. But, by adding the established keyword to the acl the switch can be smart enough and act like a stateful firewall to allow the return traffic to flow. But like I said, this only works for tcp, so anything udp you would pretty much have to open up. Hopefully that makes sense.
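To make the stateless behaviour described in the last two answers concrete, here is an added example (not posted by anyone in this thread) that parses the three access-list 100 lines quoted above and evaluates constructed packets against them the way an inbound ACL on interface vlan 100 would. The parser, the Packet model and the sample addresses (192.168.1.20, 192.168.1.53, 172.18.0.5) are assumptions for illustration; the matching rules (first match wins, implicit deny at the end, `established` testing only the TCP ACK/RST bits) are standard IOS ACL semantics.

```python
"""Stateless IOS-style ACL model for the vlan 100 inbound filter in this thread.

Added example, not code from any poster. It shows why `established` lets
TCP replies back out of 192.168.1.0/24 while UDP replies are still dropped.
"""
import ipaddress
from dataclasses import dataclass

# The access-list 100 lines from the thread, exactly as an IOS operator would type them.
ACL_100 = [
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 host 10.0.0.1",
    "access-list 100 permit tcp 192.168.1.0 0.0.0.255 any established",
    "access-list 100 deny ip 192.168.1.0 0.0.0.255 any",
]


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp" (hypothetical minimal model)
    src: str
    dst: str
    ack_or_rst: bool = False   # TCP ACK or RST bit set; this is all `established` inspects


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard: 0 bits must match, 1 bits are don't-care. Inverting gives a netmask
    # (this model assumes a contiguous wildcard, which is what the thread uses).
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [established]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tokens[2], tokens[3]
    src, rest = _parse_addr(tokens[4:])
    dst, rest = _parse_addr(rest)
    return Ace(action, proto, src, dst, established="established" in rest)


def matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    # `established` is a flag check, not connection tracking: the switch keeps no state.
    if ace.established and not pkt.ack_or_rst:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


ACL = [parse_ace(line) for line in ACL_100]

# Constructed packets, all seen inbound on interface vlan 100 (sourced from 192.168.1.0/24).
SAMPLES = {
    "new TCP session to DMZ host 10.0.0.1": Packet("tcp", "192.168.1.20", "10.0.0.1"),
    "new TCP session toward protected net": Packet("tcp", "192.168.1.20", "172.18.0.5"),
    "TCP reply (ACK set) to protected net": Packet("tcp", "192.168.1.20", "172.18.0.5", ack_or_rst=True),
    "UDP reply to protected net": Packet("udp", "192.168.1.53", "172.18.0.5"),
    "UDP to DMZ host 10.0.0.1": Packet("udp", "192.168.1.20", "10.0.0.1"),
}


def run_samples():
    return {name: evaluate(ACL, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:6s} {name}")
```

Running it shows the two outcomes the thread describes: the TCP reply toward 172.18.0.5 is permitted only because its ACK bit is set, while the UDP reply is denied because no entry permits UDP to anything but 10.0.0.1. It also shows the limit of the control: `established` looks at flag bits, not at a connection table, so the switch cannot tell a genuine reply from any other packet carrying those bits, which is why the answer above calls a switch "not the greatest solution" and points to a stateful firewall for this job.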