Access Control List Config

Unanswered Question
May 8th, 2009


Attached is a basic representation of my network topology.

Before I attempt to apply any ACLs to the live environment, I have duplicated the basic topology in Packet Tracer, so I can modify the config without having any impact.

What I am trying to accomplish is to prevent all hosts on Network B from gaining access to Network A, while still allowing them access to Server X and other areas not shown in the topology, and while still allowing hosts on Network A access to Server X and Network B.

If I apply a standard ACL to Fa 0/0.4, as follows:

    int fa 0/0.4
     ip access-group Block_DD out

    ip access-list standard Block_DD
     permit any

traffic from Network B is blocked, but the traffic from Network A across to Network B is also blocked, which is not what I am trying to accomplish.

If I apply an extended ACL to Fa 0/0.3, as follows:

    int fa 0/0.3
     ip access-group Block_DD in

    ip access-list extended Block_DD
     deny ip
     permit ip any any

the same problem occurs, where traffic from Network B is blocked, but the traffic from Network A across to Network B is also blocked, which, again, is not what I am trying to accomplish.

Could someone please advise where I am going wrong or whether I am omitting some obvious permit/deny statements?

All guidance greatly appreciated.



donlerche Fri, 05/08/2009 - 06:17


Neither of the access lists you have used is blocking traffic from Network A to Network B. The reason they don't work and appear to block this traffic is that you are blocking in the direction from Network B to Network A, and communication between two devices depends on a two-way path.

If you only have one or two devices on Network B that need to be accessible from Network A, then the simplest way to achieve your requirements is your second extended ACL on the input of Fa0/0.3, but before the deny statement you need to add one or more permits to allow traffic between the particular host(s) on Network B and the specific host(s) on Network A.

If however you need to be able to access everything on Network B from Network A, then you cannot limit traffic in the opposite direction in this way.

Hope this helps


thotsaphon Fri, 05/08/2009 - 09:11


Edit: Sorry, I missed reading your question. You want to allow only A to access B but not B to access A. Right?

It can't be done with an ACL, because it's a stateless protocol. A will be blocked when traffic is going back from B to A (blocked by the ACL as well). That's why you cannot go from A to B and vice versa.



Jon Marshall Fri, 05/08/2009 - 11:23


As the others have said, the problem you have is that if you deny traffic from B to A, then the return traffic from a connection initiated from A to B is also blocked.

However, you can use reflexive ACLs to overcome this. Reflexive ACLs will allow you to say "allow traffic from A -> B and return traffic from B -> A that is part of the same connection" but "do not allow traffic to be initiated from network B -> A". See this link for details -


Jon Marshall Fri, 05/08/2009 - 12:48


I did a quick lab setup. I used TCP traffic as an example, but if you look at the reference in my previous post you can see how to do UDP and ICMP as well.

On the 6500 switch:

    ip reflexive-list timeout 120

    ip access-list extended inbound
     permit tcp any any reflect tcptraffic

    ip access-list extended outbound
     evaluate tcptraffic

    int fa0/0.4
     ip access-group inbound in
     ip access-group outbound out

The above config will allow all hosts on A to connect to server X and any hosts on B using any TCP application. It will allow return traffic from server X and network B to A.

It will not allow any traffic to be initiated from network B to network A nor from server X to network A.

Hopefully this example should give you a good start and you should be able to modify to meet your requirements.
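The following is an added example, not code from this thread or from Cisco: a small Python model of the two behaviours discussed above, donlerche's point that a stateless deny from B to A also kills the return half of an A-to-B connection, and Jon Marshall's reflexive ACL that installs a mirrored temporary entry when a packet leaves Network A and evaluates it on the way back. The prefixes for Network A, Network B and Server X are assumptions; the original post gives none.

```python
"""Toy model of a stateless extended ACL versus a reflexive ACL.

Added example for this thread, written in Python rather than IOS so the
behaviour can be run and checked; it does not model flags, fragments or
anything beyond a TCP 4-tuple.
"""
import ipaddress
from dataclasses import dataclass, field

NET_A = ipaddress.ip_network("10.1.0.0/16")   # assumed Network A
NET_B = ipaddress.ip_network("10.2.0.0/16")   # assumed Network B
SERVER_X = "10.3.0.1"                          # assumed Server X


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self):
        """The reply a TCP peer sends back for this packet (same 4-tuple, swapped)."""
        return Packet(self.dst, self.src, self.dport, self.sport)


def in_net(addr, net):
    return ipaddress.ip_address(addr) in net


# --- 1. Stateless extended ACL, as in the original post -------------------
# Applied inbound on the Network B subinterface (Fa0/0.3):
#   deny   ip <Network B> <Network A>
#   permit ip any any
def block_dd_in(pkt):
    if in_net(pkt.src, NET_B) and in_net(pkt.dst, NET_A):
        return "deny"
    return "permit"


def stateless_exchange(client_a, server_b, dport, sport=40000):
    """Host on A opens a TCP connection to a host on B.
    The SYN leaves towards B and is never seen by an inbound ACL on Fa0/0.3;
    the SYN/ACK comes back in through Fa0/0.3 and matches the deny line."""
    syn = Packet(client_a, server_b, sport, dport)
    return {"syn": "permit", "synack": block_dd_in(syn.reverse())}


# --- 2. Reflexive ACL, as in Jon Marshall's lab --------------------------
# On the Network A subinterface (Fa0/0.4):
#   ip access-list extended inbound  -> permit tcp any any reflect tcptraffic
#   ip access-list extended outbound -> evaluate tcptraffic
#   ip access-group inbound in / ip access-group outbound out
@dataclass
class ReflexiveFilter:
    timeout: int = 120                            # ip reflexive-list timeout 120
    entries: dict = field(default_factory=dict)   # mirrored 4-tuple -> expiry time

    def from_a(self, pkt, now=0):
        """'permit ... reflect': permit the packet and install the mirrored entry."""
        self.entries[pkt.reverse()] = now + self.timeout
        return "permit"

    def to_a(self, pkt, now=0):
        """'evaluate': permit only an unexpired mirrored entry; everything else
        falls through to the implicit deny at the end of the ACL."""
        expiry = self.entries.get(pkt)
        if expiry is not None and now < expiry:
            return "permit"
        return "deny"


def reflexive_exchange(flt, client_a, server, dport, sport=40000, now=0, reply_delay=0):
    """Host on A connects to a host on B or to Server X; the reply arrives
    reply_delay seconds later and is checked against the reflected entry."""
    syn = Packet(client_a, server, sport, dport)
    return {"syn": flt.from_a(syn, now),
            "synack": flt.to_a(syn.reverse(), now + reply_delay)}


def unsolicited_to_a(flt, src, host_a, dport, sport=50000, now=0):
    """A connection attempt initiated from B or Server X towards Network A."""
    return flt.to_a(Packet(src, host_a, sport, dport), now)


if __name__ == "__main__":
    print("stateless:", stateless_exchange("10.1.0.10", "10.2.0.20", 80))
    f = ReflexiveFilter()
    print("reflexive A->B:", reflexive_exchange(f, "10.1.0.10", "10.2.0.20", 80))
    print("reflexive A->X:", reflexive_exchange(f, "10.1.0.10", SERVER_X, 443))
    print("B->A unsolicited:", unsolicited_to_a(f, "10.2.0.20", "10.1.0.10", 22))
    print("X->A unsolicited:", unsolicited_to_a(f, SERVER_X, "10.1.0.10", 22))
```

Run as a script it prints the stateless case (SYN permitted, SYN/ACK denied) and the reflexive case (both halves permitted, unsolicited attempts from B or Server X denied). The `reply_delay` argument lets you see the `timeout 120` behaviour: a reply arriving after the mirrored entry has expired is dropped, which is the caveat to keep in mind for long-idle TCP sessions when tuning `ip reflexive-list timeout`.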


Hawkgromit Tue, 05/12/2009 - 03:28

Hi Jon,

Thanks for your very valuable input. I will certainly read up on the reflexive access control lists.

I did try to modify my existing packet tracer lab, but the IOS version does not support reflexive-lists, so will have to try other lab options to play with the config.


