ACL block TCP traffic one way.

gerritfrans
Level 1

Hi,

I have servers in VLAN 10 (IP range 10.0.0.0) and servers in VLAN 20 (IP range 20.0.0.0) on the same layer 3 switch (C6509 Sup720).

I would like to block TCP traffic initiated from VLAN 20 to VLAN 10.

But the servers in VLAN 10 need to be able to open TCP connections to VLAN 20.

I tested with an ACL that blocks (ack/established/syn) but was unable to get it to work.

Either it works in both directions or it works in neither.

ip access-list extended test-in
deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 established
permit ip any any

Your help is appreciated.

Thanks,

Gerrit


7 Replies

Alen Danielyan
Level 1

gerritfrans wrote:

ip access-list extended test-in
deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 established
permit ip any any

Look, you forget that the ACL is applied not only to traffic initiated from one subnet, but also to "reply" traffic. Your packets are delivered to the restricted subnet, but the reply packets also match the ACL and are blocked.

For example, when 20.0.0.1 connects to 10.0.0.1 (which is allowed), the reply packets from the 10.0.0.0/24 subnet to the 20.0.0.0/24 subnet are blocked, as they have to be.

IMHO, you rather need a stateful firewall to achieve your target. Set the ACL on the 20.0.0.0 subnet interface and activate ip inspection for tcp, udp and icmp. In that case the holes for reply traffic will be created automatically.

The keyword established is not supported in my PT file

Nagaraja Thanthry
Cisco Employee
Accepted Solution

Hello,

If you want to stop VLAN 20 from opening connection to VLAN 10, then you need to block SYN from VLAN 20.

ip access-list extended test-in
permit tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 ack
deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 syn
permit ip any any

int vlan 20
ip access-group test-in in

Hope this helps.

Regards,

NT
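To make the flag-keyword behaviour checkable offline, here is a small ACL evaluator written for this thread (added example, not code from the thread or from Cisco). It parses the two ACLs posted above, applies IOS semantics as I understand them (first matching entry wins, implicit deny at the end, "established" matches ACK or RST set, "ack" matches ACK set, "syn" matches SYN set, so a SYN-ACK carries both), and runs constructed sample packets in both directions through each ACL. The Packet/Entry classes, parse_acl, evaluate and report are names of this example only.

```python
"""Toy evaluator for IOS-style extended ACL entries with TCP flag keywords.

Added example (not from the thread). It parses the ACLs posted in the
question and the accepted answer and runs sample packets through them so
the effect of 'established', 'ack' and 'syn', and the direction each entry
actually matches, can be checked offline. Assumed IOS semantics: entries
are evaluated top-down, first match wins, implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp", "icmp"
    src_net: str
    src_wc: str           # wildcard mask: 1 bits are "don't care"
    dst_net: str
    dst_wc: str
    flag: Optional[str]   # "established", "ack", "syn" or None


# ACLs exactly as posted in the question and in the accepted answer.
ASKER_ACL = """
ip access-list extended test-in
deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 established
permit ip any any
"""
ANSWER_ACL = """
ip access-list extended test-in
permit tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 ack
deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 syn
permit ip any any
"""


def _parse_addr(tok, i):
    """Read one address spec ('any', 'host A' or 'A WILDCARD') starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # header line such as 'ip access-list extended ...'
        src, swc, i = _parse_addr(tok, 2)
        dst, dwc, i = _parse_addr(tok, i)
        flag = tok[i] if i < len(tok) else None
        entries.append(Entry(tok[0], tok[1], src, swc, dst, dwc, flag))
    return entries


def _wildcard_match(addr: str, net: str, wc: str) -> bool:
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wc))   # bits the entry cares about
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def _flag_match(entry: Entry, pkt: Packet) -> bool:
    if entry.flag is None:
        return True
    if entry.proto != "tcp":
        return False  # flag keywords are only meaningful on tcp entries
    if entry.flag == "established":
        return pkt.ack or pkt.rst        # IOS 'established': ACK or RST bit set
    if entry.flag == "ack":
        return pkt.ack
    if entry.flag == "syn":
        return pkt.syn                    # note: a SYN-ACK also has SYN set
    raise ValueError(f"unsupported keyword {entry.flag}")


def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt: first matching entry wins, implicit deny at end."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not _wildcard_match(pkt.src, e.src_net, e.src_wc):
            continue
        if not _wildcard_match(pkt.dst, e.dst_net, e.dst_wc):
            continue
        if not _flag_match(e, pkt):
            continue
        return e.action
    return "deny"


# Constructed sample packets: both directions plus the TCP handshake steps.
SAMPLE_PACKETS = {
    "syn 10->20 (10.x opens connection)": Packet("10.0.0.1", "20.0.0.1", "tcp", syn=True),
    "syn-ack 10->20 (reply to 20.x)":     Packet("10.0.0.1", "20.0.0.1", "tcp", syn=True, ack=True),
    "ack 10->20 (established data)":      Packet("10.0.0.1", "20.0.0.1", "tcp", ack=True),
    "syn 20->10 (20.x opens connection)": Packet("20.0.0.1", "10.0.0.1", "tcp", syn=True),
    "udp 10->20":                          Packet("10.0.0.1", "20.0.0.1", "udp"),
}


def report(acl_text: str) -> dict:
    """Verdict for every sample packet under the given ACL text."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("question", ASKER_ACL), ("accepted answer", ANSWER_ACL)):
        print(f"--- ACL from the {label} ---")
        for name, verdict in report(acl).items():
            print(f"{verdict:6}  {name}")
```

Two things the run makes visible. First, ordering: the permit ack entry has to come before the deny syn entry, because the SYN-ACK that answers a connection opened from the other side carries both bits and would otherwise hit the deny. Second, direction: an entry only ever sees packets whose source and destination fall inside its address fields, so the evaluator lets you confirm that the ACL you write actually constrains the flow seen on the interface and direction where you apply it (here, hosts in 20.0.0.0/8 sending toward 10.0.0.0/8 only ever reach permit ip any any). The evaluator is stateless and trusts the flag bits in the packet, which is exactly the limitation the reply above about stateful inspection refers to.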

And what about udp or icmp traffic?

It is not a good variant, IMHO.

Sorry, I was not enough attentive. My mistake.

works well thank you 

Hi,

I have the same issue, but my Packet Tracer does not recognize the ack and syn keywords.

Any suggestions?

Regards,

Nati

Hello,

Packet Tracer does indeed not have these options. There is not really an alternative other than using another simulator such as GNS3 (which features full IOS software) or real devices...
