ACL question

Aug 12th, 2008

I have 2 subnets, 10.x and 1.x, with a router between them.

I have a PIX on the 1.x network that does the NATing for both the 10 and 1 networks to access the internet.

I want 2 computers from the 10.x network to be able to access the 1.x computers but do not want the 1.x computers to access the 10.x computers.

Here is the access list that I have right now:

interface Ethernet0
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 out
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
interface Ethernet1
 ip address 192.168.10.1 255.255.255.0
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1 permanent
logging buffered 4096 debugging
no logging console
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any host 192.168.1.1
access-list 100 permit ip any host 192.168.1.199
access-list 100 permit ip host 192.168.10.29 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.10.35 192.168.1.0 0.0.0.255
access-list 100 permit ip any 192.168.100.0 0.0.0.255
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip any any



I was thinking I need to create a 101 access-group to deny any INCOMING traffic.

Any ideas?


Thanks

Bill


Daniel Voicu Tue, 08/12/2008 - 05:17

Hi Bill,


It depends on what IOS you have on the router.


access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any

ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp

interface Ethernet1
 ip access-group 101 in
 ip inspect FIREWALL out


If you can enter the lines below, you have an IOS that supports a stateful firewall, and you have also got yourself the first stateful firewall.

To better understand how it works, try:

http://www.cisco.com/en/US/docs/ios/12_1/security/configuration/guide/scdcbac.html#wp1002187


Please rate if this helped.


Regards,

Daniel

bkennedy32 Tue, 08/12/2008 - 05:34

Thanks for the reply. It's an old router, about 5 years old, not relying on the firewall rules.


Would

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any

get me what I need?

Denying incoming traffic from the 1.x network, would this stop my internet traffic, where the PIX is on the 1.x with IP 1.1? And how does the access-list 101 permit ip any any need to be there?


Thanks again so much



Daniel Voicu Tue, 08/12/2008 - 09:17

If the IOS is too old, the ACL 101 will not solve your problem, since it will block both the traffic from 1.x to 10.x and the reverse.


There is a way to allow the traffic, but it is only for TCP traffic:

access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255 established
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any


Basically, this ACL will allow only the established TCP communication (the one initiated by 10.x) to pass. The traffic initiated by 1.x to 10.x will be blocked.


Please note that this works only for TCP traffic.

For UDP, you need to either deny all or permit all.


Please rate if this helped.


Regards,

Daniel

Marwan ALshawi Tue, 08/12/2008 - 19:26

Daniel is right, I just got confused.

However, Daniel's ACL will allow all of 192.168.10.0 to communicate with the 1.x network, while as I can see from his requirement he wants only two PCs to have that access!!




access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.10.29 established
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.10.35 established
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any


and apply it on

interface Ethernet0
 ip access-group 101 in


This way will be more precise.

For your information, it could be done more specifically and securely if you have IOS Firewall and configure IOS Firewall zone-based.



good luck
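An added example, not part of the thread: a small Python evaluator for the extended ACL syntax used above, showing first-match semantics, the implicit deny at the end, and why the `established` lines from Daniel's and Marwan's posts permit only the return half of TCP sessions started by the two 10.x hosts while UDP from 1.x is dropped. The packets in the test are constructed; 203.0.113.10 stands in for an internet host whose reply reaches the router through the PIX.

```python
import ipaddress

# ACL 101 as posted above (applied inbound on Ethernet0, the 1.x side).
ACL_101 = """
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.10.29 established
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.10.35 established
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (address, wildcard) ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))

def parse_acl(text):
    """Parse extended numbered ACL lines into (action, protocol, src, dst, established)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = _parse_addr(rest), _parse_addr(rest)
        rules.append((action, proto, src, dst, "established" in rest))
    return rules

def _matches(spec, ip):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    addr, wild = spec
    return (ip & ~wild) == (addr & ~wild)

def evaluate(rules, proto, src, dst, ack_or_rst=False):
    """First matching line wins; every ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, rproto, rsrc, rdst, established in rules:
        if rproto not in ("ip", proto):
            continue
        if not (_matches(rsrc, s) and _matches(rdst, d)):
            continue
        if established and not ack_or_rst:  # 'established' needs ACK or RST set in the TCP header
            continue
        return action
    return "deny"

RULES = parse_acl(ACL_101)
```

Reply segments (ACK set) from 1.x to .29 or .35 pass, a fresh SYN from 1.x towards any 10.x host hits the deny line, and UDP from 1.x is denied regardless of who started the exchange, which is the limitation Daniel points out.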