Unanswered Question
Feb 13th, 2008

I have 2 networks. (vlan routing) X and Y. I want these:

X can reach Y

Y can not reach X

I have to apply it on Y's interface.

This looks very simple, but when X wants to reach Y, the traffic cannot return from Y to X.

Please help.. Thank you

aijaz802 Wed, 02/13/2008 - 03:26

I think this should work... apply it on the Y interface as "out"...

access-list 101 deny ip y-subnet y-mask x-subnet x-mask

access-list 101 permit ip any any

What do you think...

Rate if it helps....



Goutam Sanyal Wed, 02/13/2008 - 03:27

Put the access-list vice versa.


Please rate if it works.

kzhen Wed, 02/13/2008 - 10:24

int vlan y

ip access-group 101 in

access-list 101 deny ip y-subnet y-mask x-subnet x-mask

access-list 101 permit ip any any

Istvan_Rabai Wed, 02/13/2008 - 10:54

Hi Muhammed,

It is simple to solve this if you use tcp as the transport protocol.

access-list 101 permit tcp y-subnet y-mask x-subnet x-mask established

Apply this to the Y interface as "in".

The key here is the "established" keyword:

The access-list will only allow tcp packets where the ACK or RST bits are set from Y-subnet to X-subnet.

The effect of this will be the following:

Hosts on X-subnet will be able to initiate tcp connections, and hosts on Y-subnet will be able to reply (ACK bit set).

Hosts on Y-subnet will not be able to initiate connections to X-subnet because their initial tcp packet will not have the ACK bit set, so the access-list will filter these packets.

Try this. It should work.



Richard Burts Wed, 02/13/2008 - 11:10

I like the suggestion from Istvan. It addresses part of an issue that may not be obvious. When you have requirements that X should access Y but Y should not access X, then you have difficulties in trying to do it with access lists, because access lists do not generally distinguish between what is an attempt to initiate traffic and what is a response to traffic initiated from the other side. So when your access list has a deny with the Y address and mask as the source, it will deny both traffic initiated from Y to X and traffic that is a response from Y to X.

TCP established is the one thing in access lists that does make this distinction. But it only does it for TCP traffic. To solve your requirement that X should access Y (and receive responses from Y) you need stateful inspection. If you have the right feature set in the code running on your router, you should be able to configure ip inspect (or CBAC) to achieve what you have as your requirement.
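The behaviour Istvan and Richard describe, as an added example that is not part of this thread or of any Cisco code: a small Python model of the "established" ACL beside a minimal stateful session table, run over constructed Y-to-X packets (the subnets 10.1.0.0/24 for X and 10.2.0.0/24 for Y, the hosts and the ports are placeholders). It shows the ACL accepting any Y-to-X TCP packet that merely has ACK set and rejecting non-TCP replies, while the stateful check ties replies to flows actually initiated from X.

```python
from dataclasses import dataclass

# Constructed sample subnets standing in for the thread's x-subnet and y-subnet.
X_NET, Y_NET = "10.1.0.", "10.2.0."

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset = frozenset()

def in_net(ip, net):
    return ip.startswith(net)

def established_acl(pkt):
    """Inbound ACL on 'int vlan y' from Istvan's post:
    access-list 101 permit tcp y-subnet y-mask x-subnet x-mask established
    followed by the implicit 'deny ip any any'."""
    if pkt.proto == "tcp" and in_net(pkt.src, Y_NET) and in_net(pkt.dst, X_NET):
        # 'established' only inspects the header: ACK or RST set, no memory of any SYN
        return bool(pkt.flags & {"ACK", "RST"})
    return False

class StatefulInspector:
    """Minimal CBAC-style session table (hypothetical model, not IOS code): a Y->X
    packet is allowed only if it answers a flow the router already saw leaving X."""
    def __init__(self):
        self.sessions = set()
    def saw_x_to_y(self, pkt):
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    def allow_y_to_x(self, pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def scenario():
    """Evaluate four constructed Y->X packets under both mechanisms."""
    xh, yh = "10.1.0.5", "10.2.0.80"
    syn_ack = Pkt(yh, xh, "tcp", 80, 40000, frozenset({"SYN", "ACK"}))  # reply to X
    y_syn = Pkt(yh, xh, "tcp", 50000, 22, frozenset({"SYN"}))           # Y initiates
    bare_ack = Pkt(yh, xh, "tcp", 50000, 22, frozenset({"ACK"}))        # ACK, no session
    dns_reply = Pkt(yh, xh, "udp", 53, 41000)                           # non-TCP reply
    fw = StatefulInspector()
    fw.saw_x_to_y(Pkt(xh, yh, "tcp", 40000, 80, frozenset({"SYN"})))
    fw.saw_x_to_y(Pkt(xh, yh, "udp", 41000, 53))
    return {name: (established_acl(p), fw.allow_y_to_x(p)) for name, p in
            [("syn_ack", syn_ack), ("y_syn", y_syn), ("bare_ack", bare_ack), ("dns_reply", dns_reply)]}
```

Each result is a pair (ACL verdict, stateful verdict); the bare_ack and dns_reply rows are the two cases where the ACL alone gets it wrong.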



Muhammed AKYUZ Wed, 02/13/2008 - 23:27

I have solved the problem via the tcp "established" command.


Y's in interface:

deny ip any any

permit tcp any any established

Thank you all.

ncglass Thu, 02/14/2008 - 07:26

except in reverse order, right?

This got me thinking... I wonder if there is a hack that could be run on a compromised "Y" webserver that would spoof an ACK bit set that would allow access (DOS, etc?) into the secure X network.

Muhammed AKYUZ Thu, 02/14/2008 - 07:34

Yes, you are right. You can manually change the ACK bit to 1, and then you can pass the router. A stateful firewall is better, but I use this in the local network at the backbone.

Istvan_Rabai Thu, 02/14/2008 - 11:54

Hi Muhammed,

If my suggestion with the "established" keyword was successful for you, could you please rate my post, thereby giving an evaluation of my help.

Many thanks,


