Cisco Support Community
Community Member

ACL block TCP traffic one way.

Hi,

Got servers in VLAN 10 (IP range 10.0.0.0) and servers in VLAN 20 (IP range 20.0.0.0) on the same layer 3 switch (C6509, Sup720).

I would like to block TCP traffic initiated from VLAN 20 to VLAN 10.

But the servers in VLAN 10 need to be able to open TCP connections to VLAN 20.

I did test with the ACL that blocks on (ack/established/syn), but I was unable to get it to work.

Either it works in both directions or it works in neither direction.

ip access-list extended test-in
deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 established
permit ip any any

Your help is appreciated.

Thanks,

Gerrit

1 ACCEPTED SOLUTION

Cisco Employee

Re: ACL block TCP traffic one way.

Hello,

If you want to stop VLAN 20 from opening connection to VLAN 10, then you need to block SYN from VLAN 20.

ip access-list extended test-in
 remark packets entering on Vlan20 carry VLAN 20 source addresses
 permit tcp 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 ack
 deny tcp 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 syn
 permit ip any any
!
interface Vlan20
 ip access-group test-in in

Hope this helps.

Regards,

NT
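The ACL logic from the accepted answer, as an added example that is not part of the original thread and not Cisco code: a small Python model of IOS first-match ACL evaluation with the TCP three-way handshake walked packet by packet. The helper names (Packet, ACE, parse_acl, evaluate, connection_allowed), the ACL constants and the addresses are constructed for this example. Two assumptions are made: the original poster's ACL is taken to be applied inbound on Vlan10 (the question does not say where it was applied), and the accepted answer's entries are written with 20.0.0.0/8 as the source, because an ACL applied with "ip access-group ... in" on the Vlan20 SVI sees packets that carry VLAN 20 source addresses. The model also shows why the order of the two TCP entries matters (a SYN-ACK reply carries the SYN bit as well) and that non-TCP traffic still passes the final "permit ip any any".

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network
from typing import Dict, FrozenSet, List, Optional

# Added for this thread; not Cisco code. Models first-match evaluation of an
# IOS extended ACL for the keywords used here ('ack', 'syn', 'established',
# 'any'). All addresses and ACL contents below are constructed.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                              # 'tcp', 'udp' or 'icmp'
    flags: FrozenSet[str] = frozenset()     # TCP flag bits that are set

@dataclass(frozen=True)
class ACE:
    action: str                             # 'permit' or 'deny'
    proto: str                              # 'ip', 'tcp', 'udp' or 'icmp'
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    flag: Optional[str] = None              # 'syn', 'ack' or 'established'

    def matches(self, p: Packet) -> bool:
        if self.proto != 'ip' and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc)):
            return False
        if self.flag is None:
            return True
        if self.flag == 'established':      # IOS: matches if ACK or RST is set
            return bool(p.flags & {'ack', 'rst'})
        return self.flag in p.flags         # 'syn' / 'ack': that bit is set

def parse_acl(text: str) -> List[ACE]:
    """Parse the ACE lines of a named extended ACL (no remarks, no ports)."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] not in ('permit', 'deny'):
            continue                        # e.g. the 'ip access-list' header
        addrs, pos = [], 2
        for _ in range(2):                  # source, then destination
            if tok[pos] == 'any':
                addrs += ['0.0.0.0', '255.255.255.255']
                pos += 1
            else:
                addrs += tok[pos:pos + 2]   # address and wildcard mask
                pos += 2
        flag = tok[pos] if pos < len(tok) else None
        acl.append(ACE(tok[0], tok[1], *addrs, flag))
    return acl

def evaluate(acl: List[ACE], p: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny'."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return 'deny'

def connection_allowed(inbound_acls: Dict[str, List[ACE]],
                       client: str, server: str) -> bool:
    """Walk the TCP three-way handshake. An inbound ACL on an SVI filters
    packets as they arrive from that VLAN, so each packet is checked only
    against the ACL keyed by the subnet its source address belongs to."""
    steps = [(client, server, {'syn'}),
             (server, client, {'syn', 'ack'}),
             (client, server, {'ack'})]
    for src, dst, flags in steps:
        for subnet, acl in inbound_acls.items():
            if IPv4Address(src) in ip_network(subnet):
                pkt = Packet(src, dst, 'tcp', frozenset(flags))
                if evaluate(acl, pkt) == 'deny':
                    return False
    return True

# The original poster's ACL, assumed here to be applied inbound on Vlan10.
OP_ACL = parse_acl("""
deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 established
permit ip any any
""")

# The SYN-based ACL from the accepted answer, applied inbound on Vlan20, so
# 20.0.0.0/8 is the source and 10.0.0.0/8 the destination.
FIX_ACL = parse_acl("""
permit tcp 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 ack
deny tcp 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 syn
permit ip any any
""")

# The same two entries in the wrong order: a SYN-ACK reply carries the SYN bit.
WRONG_ORDER_ACL = [FIX_ACL[1], FIX_ACL[0], FIX_ACL[2]]
```

With OP_ACL inbound on Vlan10, connection_allowed returns False for a connection from 10.0.0.1 to 20.0.0.1 (the third handshake packet has ACK set and hits the "established" deny) and also False for 20.0.0.1 to 10.0.0.1 (the SYN-ACK reply has ACK set), which is the "works in both directions" symptom. With FIX_ACL inbound on Vlan20, 10.0.0.1 to 20.0.0.1 is allowed and 20.0.0.1 to 10.0.0.1 is denied at the first SYN. WRONG_ORDER_ACL denies both directions again, because the SYN-ACK from VLAN 20 matches the "syn" deny before the "ack" permit is reached. A UDP packet from 20.0.0.1 to 10.0.0.1 evaluates to 'permit' under FIX_ACL, since only TCP is restricted.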

4 REPLIES
Community Member

Re: ACL block TCP traffic one way.

gerritfrans wrote:

ip access-list extended test-in
deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 established
permit ip any any

Look, you forget that an ACL is applied not only to traffic initiated from one subnet, but also to the "reply" traffic. Your packets are delivered to the restricted subnet, but the reply packets also match the ACL and are blocked.

For example, when 20.0.0.1 is connecting to 10.0.0.1 (which is allowed), the reply packets from the 10.0.0.0/24 subnet to the 20.0.0.0/24 subnet are blocked, as they have to be.

IMHO, you rather need a stateful firewall to achieve your target. Set the ACL on the 20.0.0.0 subnet interface and activate ip inspection for tcp, udp and icmp. In that case the holes for the reply traffic will be created automatically.

Community Member

Re: ACL block TCP traffic one way.

And what about UDP or ICMP traffic?

It is not a good variant, IMHO.

Sorry, I was not attentive enough. My mistake.

Community Member

Re: ACL block TCP traffic one way.

Works well, thank you.
