ACL question

Unanswered Question
Aug 12th, 2008

I have 2 subnets 10.x and 1.x with a router between them

I have a pix on the 1.x network that does the NATing for both the 10 and 1 networks to access the internet.

I want 2 computers from the 10.x network to be able to access the 1.x computers, but I do not want the 1.x computers to access the 10.x computers.

Here is the access list that I have right now:

interface Ethernet0
ip address 192.168.1.254 255.255.255.0
ip access-group 100 out
no ip directed-broadcast
no ip proxy-arp
no cdp enable
!
interface Ethernet1
ip address 192.168.10.1 255.255.255.0
no ip directed-broadcast
no ip proxy-arp
no cdp enable
!
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1 permanent
logging buffered 4096 debugging
no logging console
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any host 192.168.1.1
access-list 100 permit ip any host 192.168.1.199
access-list 100 permit ip host 192.168.10.29 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.10.35 192.168.1.0 0.0.0.255
access-list 100 permit ip any 192.168.100.0 0.0.0.255
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip any any

I was thinking I need to create a 101 access-group to deny any INCOMING.

Any ideas?

Thanks

Bill

Daniel Voicu Tue, 08/12/2008 - 05:17

Hi Bill,

It depends on what IOS you have on the router.

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
interface Ethernet1
ip access-group 101 in
ip inspect FIREWALL out

If you can enter the lines below, you have an IOS that supports a stateful firewall, and you have also got yourself your first stateful firewall.

To better understand how it works try:

http://www.cisco.com/en/US/docs/ios/12_1/security/configuration/guide/scdcbac.html#wp1002187

Please rate if this helped.

Regards,

Daniel

bkennedy32 Tue, 08/12/2008 - 05:34

Thanks for the reply. It's an old router, about 5 years old, not relying on the firewall rules.

Would

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any

get me what I need?

Denying incoming traffic from the 1.x network, would this stop my internet traffic, where the PIX is on the 1.x network (its IP is 1.1)? And how does the access-list 101 permit ip any any need to be there?

Thanks again so much

Daniel Voicu Tue, 08/12/2008 - 09:17

If the IOS is too old, the ACL 101 will not solve your problem, since it will block both the traffic from 1.x to 10.x and the reverse.

There is a way to allow the traffic, but it is only for TCP traffic:

access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255 established
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any

Basically, this ACL will allow only the established TCP communication (the one initiated by 10.x) to pass. The traffic initiated by 1.x to 10.x will be blocked.

Please note that this works only for TCP traffic.

For UDP, you need to either deny all or permit all.

Please rate if this helped.

Regards,

Daniel

Marwan ALshawi Tue, 08/12/2008 - 19:26

Daniel is right.

I just got confused.

However,

Daniel's ACL will allow all of 192.168.10.0 to communicate with the 1.x network,

while as I can see from his requirement he wants only two PCs to have that access!!

access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.10.29 established
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.10.35 established
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any

and apply it on

interface Ethernet0
ip access-group 101 in

This way will be more precise.

For your information,

it could be done more specific and secure if you have IOS firewall and configure IOS firewall ZONE-BASED.

Good luck
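As an added illustration (not code from the thread or from Cisco), here is a Python model of first-match ACL evaluation applied to Marwan's final access-list 101 as seen inbound on Ethernet0. It assumes Cisco's documented semantics: "host" is a 0.0.0.0 wildcard, "any" is 0.0.0.0 255.255.255.255, "established" matches TCP segments with ACK or RST set, and every ACL ends in an implicit deny; the sample packets and the addresses 192.168.1.50 and 203.0.113.5 are constructed.

```python
import ipaddress
from dataclasses import dataclass

ACK, RST = 0x10, 0x04  # 'established' matches a TCP segment with ACK or RST set
def wc_match(addr, base, wildcard):
    """Cisco wildcard-mask match: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Ace:
    action: str                # 'permit' or 'deny'
    proto: str                 # 'ip' matches every protocol
    src: tuple                 # (address, wildcard)
    dst: tuple
    established: bool = False  # only meaningful with proto 'tcp'

ANY = ('0.0.0.0', '255.255.255.255')
NET_1 = ('192.168.1.0', '0.0.0.255')
NET_10 = ('192.168.10.0', '0.0.0.255')
def host(a): return (a, '0.0.0.0')

ACL_101 = [  # Marwan's final access-list 101 from the thread
    Ace('permit', 'tcp', NET_1, host('192.168.10.29'), established=True),
    Ace('permit', 'tcp', NET_1, host('192.168.10.35'), established=True),
    Ace('deny',   'ip',  NET_1, NET_10),
    Ace('permit', 'ip',  ANY,   ANY),
]

def evaluate(acl, proto, src, dst, tcp_flags=0):
    """First-match evaluation of one inbound packet; implicit deny at the end."""
    for ace in acl:
        if ace.proto != 'ip' and ace.proto != proto:
            continue
        if not (wc_match(src, *ace.src) and wc_match(dst, *ace.dst)):
            continue
        if ace.established and not tcp_flags & (ACK | RST):
            continue  # bare SYN = new connection from 1.x, not return traffic
        return ace.action
    return 'deny'

if __name__ == '__main__':
    # Constructed sample packets arriving inbound on Ethernet0 (the 1.x side).
    cases = [
        ('reply to a session opened by 10.29', 'tcp', '192.168.1.50', '192.168.10.29', ACK),
        ('new connection from 1.x to 10.29',   'tcp', '192.168.1.50', '192.168.10.29', 0x02),
        ('UDP reply (e.g. DNS): the caveat',   'udp', '192.168.1.50', '192.168.10.29', 0),
    ]
    for label, *pkt in cases:
        print(f'{label:40} -> {evaluate(ACL_101, *pkt)}')
```

The last case shows the limitation Daniel pointed out: a UDP reply from 1.x to one of the two permitted hosts is dropped by the deny line, because "established" has no meaning for UDP.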
