07-15-2010 05:14 AM - edited 03-06-2019 12:02 PM
Hi,
I have servers in VLAN 10 (IP range 10.0.0.0) and servers in VLAN 20 (IP range 20.0.0.0) on the same layer 3 switch (c6509 sup720).
I would like to block TCP traffic initiated from VLAN 20 to VLAN 10,
but the servers in VLAN 10 need to be able to open TCP connections to VLAN 20.
I did test with an ACL that blocks on (ack/established/syn) but was unable to get it to work.
Either it works in both directions or it works in neither direction.
ip access-list extended test-in
deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 established
permit ip any any
Your help is appreciated.
Thanks,
Gerrit
07-15-2010 06:01 AM
Hello,
If you want to stop VLAN 20 from opening connections to VLAN 10, then you need to block SYN from VLAN 20.
ip access-list extended test-in
permit tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 ack
deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 syn
permit ip any any
int vlan 20
ip access-group test-in in
Hope this helps.
Regards,
NT
07-15-2010 05:42 AM
gerritfrans wrote:
ip access-list extended test-in
deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 established
permit ip any any
Look, you forget that an ACL is applied not only to traffic initiated from one subnet, but also to the "reply" traffic. Your packets are delivered to the restricted subnet, but the reply packets also match the ACL and are blocked.
For example, when 20.0.0.1 connects to 10.0.0.1 (which is allowed), the reply packets from the 10.0.0.0/24 subnet to the 20.0.0.0/24 subnet are blocked, as they have to be.
IMHO, you rather need a stateful firewall to achieve your target. Set the ACL on the 20.0.0.0 subnet interface and activate ip inspection for tcp, udp and icmp. In that case the holes for the reply traffic will be created automatically.
04-10-2020 02:35 PM
The keyword established is not supported in my PT file
07-15-2010 06:07 AM
And what about udp or icmp traffic?
It is not a good variant, IMHO.
Sorry, I was not enough attentive. My mistake.
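To see why the thread's first attempt with the established keyword breaks connections in both directions, why the accepted answer's permit ack / deny syn pair works for TCP, why the order of those two lines matters, and why UDP still gets through (the objection raised just above), here is an added simulation of IOS extended-ACL matching. It is constructed for this thread and is not code from Cisco or from any poster. It assumes the ACL is applied inbound on int vlan 20, so it only sees packets sourced from VLAN 20, and therefore writes the entries as source 20.0.0.0 destination 10.0.0.0; that orientation, the Packet/Entry classes, and the sample hosts 20.0.0.1 and 10.0.0.1 are assumptions of the example. The flag semantics modelled are the documented IOS ones: established matches when ACK or RST is set, ack and syn match when that single bit is set, and every ACL ends with an implicit deny.

```python
"""Constructed model of IOS extended-ACL matching for TCP flag keywords.

Assumes the ACL is applied inbound on the VLAN 20 SVI, so it only sees
packets sourced in 20.0.0.0/8; entries are written 20.0.0.0 -> 10.0.0.0
for that reason (an assumption of this example, not the thread's text).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN", "ACK"}


@dataclass
class Entry:
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp", "icmp" or "ip"
    src: str           # "10.0.0.0 0.255.255.255" style or "any"
    dst: str
    flag: str = ""     # "", "established", "ack" or "syn"


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard mask: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (n & care)


def flag_match(entry: Entry, pkt: Packet) -> bool:
    if entry.flag == "":
        return True
    if entry.flag == "established":            # IOS: ACK or RST bit set
        return bool(pkt.flags & {"ACK", "RST"})
    return entry.flag.upper() in pkt.flags     # "ack" / "syn": that bit set


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, e.src) and wildcard_match(pkt.dst, e.dst)):
            continue
        if e.proto == "tcp" and not flag_match(e, pkt):
            continue
        return e.action
    return "deny"


V20_TO_V10 = ("20.0.0.0 0.255.255.255", "10.0.0.0 0.255.255.255")

# The thread's original 'established' idea, in the VLAN 20 inbound orientation.
ESTABLISHED_ACL = [
    Entry("deny", "tcp", *V20_TO_V10, "established"),
    Entry("permit", "ip", "any", "any"),
]
# The accepted answer's flag-based ACL: permit ack must come before deny syn.
FLAG_ACL = [
    Entry("permit", "tcp", *V20_TO_V10, "ack"),
    Entry("deny", "tcp", *V20_TO_V10, "syn"),
    Entry("permit", "ip", "any", "any"),
]
# Same entries with the order swapped: deny syn then also catches SYN/ACK replies.
WRONG_ORDER_ACL = [FLAG_ACL[1], FLAG_ACL[0], FLAG_ACL[2]]


def handshake(client: str, server: str):
    """Three-way handshake packets in the order they cross the switch."""
    return [
        Packet(client, server, "tcp", frozenset({"SYN"})),
        Packet(server, client, "tcp", frozenset({"SYN", "ACK"})),
        Packet(client, server, "tcp", frozenset({"ACK"})),
    ]


def inbound_vlan20(pkt: Packet) -> bool:
    """Only packets sourced in VLAN 20 hit an inbound ACL on 'int vlan 20'."""
    return wildcard_match(pkt.src, "20.0.0.0 0.255.255.255")


def connection_succeeds(acl, client: str, server: str) -> bool:
    """True if no handshake packet that the ACL sees is denied."""
    return all(evaluate(acl, p) == "permit"
               for p in handshake(client, server) if inbound_vlan20(p))


def udp_passes(acl) -> bool:
    """The gap raised in the thread: nothing here is stateful for UDP."""
    return evaluate(acl, Packet("20.0.0.1", "10.0.0.1", "udp")) == "permit"


if __name__ == "__main__":
    for name, acl in [("established", ESTABLISHED_ACL), ("ack/syn", FLAG_ACL),
                      ("wrong order", WRONG_ORDER_ACL)]:
        print(f"{name:12} 20->10 ok: {connection_succeeds(acl, '20.0.0.1', '10.0.0.1')}"
              f"  10->20 ok: {connection_succeeds(acl, '10.0.0.1', '20.0.0.1')}"
              f"  udp 20->10: {udp_passes(acl)}")
```

Running it shows the established ACL failing both directions (the third handshake packet from VLAN 20 carries ACK, and so does the SYN/ACK reply from VLAN 20 to a VLAN 10 client), the ack/syn ACL blocking only VLAN 20 initiated TCP, the swapped order blocking both again, and UDP from VLAN 20 permitted by all three, which is exactly why the thread points at ip inspect or a stateful firewall for anything beyond TCP.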
12-12-2011 11:53 AM
Works well, thank you.
02-11-2021 03:47 AM
Hi,
I have the same issue, but my Packet Tracer does not recognize the ack, syn keywords.
any suggestions?
Regards,
Nati
02-11-2021 05:47 AM
Hello,
Packet Tracer indeed does not have these options. There is not really an alternative other than using another simulator such as GNS3 (which features full IOS software) or real devices...