Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ACL Question

I am wondering if it is possible to allow traffic from one host to another in a particular direction, while denying the traffic from the another direction.

For example, VLAN10 contains a PC with the IP of 10.10.10.10/24. VLAN10's interface is 10.10.10.1/24. VLAN20 contains a PC with the IP address of 10.20.20.20/24. VLAN20's interface IP address is 10.20.20.1/24.

Basically, I want to be able to access 10.20.20.0/24 network from 10.10.10.10, but I do not want 10.20.20.20 to be able to access anything in the 10.10.10.0/24 network. What I am looking for is to be able to permit/deny access to certain networks based on what the source IP is.

I am confused on how to configure the ACLs - inbound, outbound or both on the VLAN interfaces.

Any info would be appreciated.

1 REPLY
Gold

Re: ACL Question

You really cannot only allow traffic in only a single direction. The response to your session has to be allowed somehow.

In the most simple case for TCP you can use the established option.

permit 110 tcp 10.20.20.0 0.0.0.255 host 10.10.10.10 established

This is applied inbound on vlan20

This has limited use in that it only supports TCP and has trouble with applications that attempt to open a second session back to the orginating machine.

The other methods are reflexive access lists and Context-Based Access Control (CBAC) both of which are parts of firewall features and will depend on IOS levels and platform as to what is supported.

119
Views
8
Helpful
1
Replies