Extended IP ACL

Apr 4th, 2012

Hello,


Let's say I have Gi0/0 - 172.16.0.0/27 and Gi0/2 - 172.16.2.0/23.

I need to access everything from first network to second but nothing from 172.16.2.0/23 to 172.16.0.0/27.


I'm a complete beginner, I can't figure out the ACL..


Thanks !

Zeeshan Siddiqui Wed, 04/04/2012 - 03:26

Hi Adrian,


Please go through the following link


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml


Configure the ACL below


conf t

ip access-list extended test

deny ip 172.16.2.0/23 172.16.0.0/27  (you may have to change to wild card mask depending on the router / L3 switch you are using)


int Gi0/0 

ip access-group test in


The ACL is going to match the source and destination IP address when it enters interface Gi0/0


This will block traffic coming from 172.16.2.0/23 when it hits your Gi0/0 interface


There are a number of ways of applying an ACL; please go through the URL. If you are new to ACLs, I would test in a test lab and not in production.


I hope this answers your questions

Adrian Ardelean Wed, 04/04/2012 - 03:47

I did this way:


..

deny ip 172.16.2.0 0.0.1.255 172.16.0.0 0.0.0.31

...


the problem is I lost connection from 172.16.0.0/27 to the router


If I ping the gateway (172.16.0.1) from a windows host it gives me:

Destination net unreachable


Zeeshan Siddiqui Wed, 04/04/2012 - 04:16

Hi Adrian,


Are you using a L3 switch here?


Can you post a basic diagram of your setup including gateways and where your test PC is connected (I believe this is a lab environment) and remove the config mentioned above, as it will block all traffic when you match the following criteria


172.16.2.0 0.0.1.255 172.16.0.0 0.0.0.31 entering Gi0/0.


For example, if you ping 172.16.2.5 from host 172.16.0.5


The traffic will leave the Gi0/0 interface and hit 172.16.2.5; the IP header will look like [ source 172.16.0.5 | destination 172.16.2.5 ]


Now with the return traffic the header will look like [ source 172.16.2.5 | destination 172.16.0.5 ] and will be blocked by the ACL


In short, the ACL mentioned above will block traffic when the IP header contains a source address 172.16.2.x and a destination address 172.16.0.x hitting the Gi0/0 interface in the (in) direction

Adrian Ardelean Wed, 04/04/2012 - 04:25

Hi Zeeshan,


It's a 2921 router and it's intended to be used for network segmentation. For the moment, yes, it's in a testing env.; I have two PCs connected, one to each interface.


PC1: 172.16.0.3     GW: 172.16.0.1 (Gi0/0)

PC2: 172.16.2.100  GW: 172.16.2.1 (Gi0/2)


The Gi0/0-3 are L3, but I also have an EHWIC-D-8ESG with L2 ports (gi0/1/0-7) that I will use later.


Thanks

Neeraj Arora Wed, 04/04/2012 - 08:35

Adrian,


I can give you a solution...well, more of an option to accomplish what you are looking for, but this will only work for TCP connections, not for ICMP or UDP. Those would either be allowed or blocked.


Use the established keyword in the ACL, which will only allow response traffic from the 172.16.2.0/23 subnet going to 172.16.0.0/27; nothing initiated from the 172.16.2.0/23 subnet would be allowed


Config will look like this:


access-list 100 permit tcp 172.16.2.0 0.0.1.255 172.16.0.0 0.0.0.31 established

access-list 100 deny tcp 172.16.2.0 0.0.1.255 172.16.0.0 0.0.0.31     --> this will allow UDP and ICMP initiated from this subnet

access-list 100 deny ip 172.16.2.0 0.0.1.255 172.16.0.0 0.0.0.31   --> This will block everything including UDP & ICMP which is initiated from this subnet, so use either one of these lines in the ACL

access-list 100 permit ip 172.16.2.0 0.0.1.255 any     --> To allow traffic going towards internet, if you want to allow that for future


interface gig0/2

ip access-group 100 in



Apart from this, you have the option of using CBAC functionality in routers, but that is dependent on the IOS being used and honestly I am not an expert in that, so I would suggest you dig more into this topic before thinking of implementing it


Hope the above option helps


Neeraj
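To make the two explanations above concrete (Zeeshan's point about which header direction the Gi0/0 ACL matches, and Neeraj's established-keyword option on Gi0/2), here is an added example that is not from the thread or from Cisco: a small Python model of IOS wildcard-mask matching and first-match ACL evaluation, replayed against packets built from the addresses in this thread. The ACE tuple layout and the helper names are my own; the "established" check follows IOS behaviour of matching only TCP segments with the ACK (or RST) bit set.

```python
# Added example: model IOS wildcard matching and first-match ACL evaluation.
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def evaluate(acl, pkt) -> str:
    """Return 'permit' or 'deny' for a packet using first-match semantics.
    Each ACE is (action, proto, src_net, src_wc, dst_net, dst_wc, established).
    Like IOS, an ACL that never matches ends in the implicit 'deny ip any any'."""
    for action, proto, sn, sw, dn, dw, est in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], sn, sw) and wildcard_match(pkt["dst"], dn, dw)):
            continue
        # 'established' matches only TCP segments with ACK/RST set, i.e. replies.
        if est and not pkt.get("ack", False):
            continue
        return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# ACL from the first reply, applied 'in' on Gi0/0: one deny, then implicit deny-all.
ACL_TEST_IN_GI0_0 = [
    ("deny", "ip", "172.16.2.0", "0.0.1.255", "172.16.0.0", "0.0.0.31", False),
]

# Neeraj's access-list 100, applied 'in' on Gi0/2 (the 172.16.2.0/23 side).
ACL_100_IN_GI0_2 = [
    ("permit", "tcp", "172.16.2.0", "0.0.1.255", "172.16.0.0", "0.0.0.31", True),
    ("deny",   "ip",  "172.16.2.0", "0.0.1.255", "172.16.0.0", "0.0.0.31", False),
    ("permit", "ip",  "172.16.2.0", "0.0.1.255", *ANY, False),
]

# Constructed packets using the thread's addresses (PC1 172.16.0.3, PC2 172.16.2.100).
PING_PC1_TO_GW = {"proto": "icmp", "src": "172.16.0.3", "dst": "172.16.0.1"}
TCP_REPLY_PC2  = {"proto": "tcp", "src": "172.16.2.100", "dst": "172.16.0.3", "ack": True}
TCP_SYN_PC2    = {"proto": "tcp", "src": "172.16.2.100", "dst": "172.16.0.3", "ack": False}
UDP_PC2_OUT    = {"proto": "udp", "src": "172.16.2.100", "dst": "198.51.100.7"}

if __name__ == "__main__":
    # PC1's ping to its own gateway enters Gi0/0, matches nothing, hits implicit deny.
    print("Gi0/0 in, PC1 -> GW:", evaluate(ACL_TEST_IN_GI0_0, PING_PC1_TO_GW))
    print("Gi0/2 in, PC2 TCP reply:", evaluate(ACL_100_IN_GI0_2, TCP_REPLY_PC2))
    print("Gi0/2 in, PC2 TCP SYN:", evaluate(ACL_100_IN_GI0_2, TCP_SYN_PC2))
    print("Gi0/2 in, PC2 UDP elsewhere:", evaluate(ACL_100_IN_GI0_2, UDP_PC2_OUT))
```

The first result reproduces the lost connectivity Adrian saw: with only a deny line on Gi0/0, PC1's own traffic falls through to the implicit deny. The other three show the established keyword letting TCP replies back in while blocking sessions PC2 initiates, and the final permit keeping other destinations reachable.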

Zeeshan Siddiqui Wed, 04/04/2012 - 09:32

Hi Adrian,


I completely agree with Neeraj


I have actually done some testing in a lab environment using a 3750; you have to use the established keyword for one-way traffic for TCP.


You can try the suggestion below if Neeraj's advice does not fulfill your requirements


Another option would be a Reflexive ACL; again it depends on your router model / IOS. Unfortunately I cannot test it in my lab as it is not supported on a 3750.


The URL below can be helpful


http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfreflx.html
