12-13-2011 04:13 AM - edited 03-07-2019 03:52 AM
Hi all experts,
I have two VLANs where I should allow one-way communication, not two-way. How do I accomplish this?
vlan 99------------------->vlan 50 (10.10.18.0/24) allow
vlan 99 <---xxxxxxxx--- vlan 50 shouldn't be allowed.
1. vlan 99 ---- 10.10.10.180 ----- should communicate with ------------ vlan 50, the whole subnet (10.10.18.0/24)
2. vlan 50 ----- 10.10.18.0/24 ---- shouldn't communicate with ------ vlan 99's IP 10.10.10.180
Here is a sample of what I have done, but it didn't succeed. I believe this is not the correct config, as I could ping from any source in one VLAN (10.10.18.0/24) to the other VLAN 99 (10.10.10.180):
interface Vlan50
 description vlan for isolatedServers
 ip address 10.10.18.1 255.255.255.0
 ip access-group vlan-50 in
 ip access-group ONEserver-ACL out
!
ip access-list extended ONEserver-ACL
 permit ip host 10.10.10.180 10.10.18.0 0.0.0.255
!
ip access-list extended vlan-50
 permit ip 10.10.18.0 0.0.0.255 host 10.10.11.14
 deny ip 10.10.18.0 0.0.0.255 host 10.10.10.180
 deny ip any any
Thanks & regards,
srikanth
12-13-2011 04:50 AM
Hi,
Except for TCP, where you could do an ACL looking for the SYN flag, there is no way to accomplish this with a simple ACL.
You'll have to use a stateful firewall (either a router with CBAC or ZBF, or an ASA).
Regards.
Alain
12-13-2011 05:03 AM
Thanks Alain,
but can you explain to me how this is not possible?
For my understanding:
if we ping from 10.10.10.180 to 10.10.18.19,
first, source: 10.10.10.180
dest: 10.10.18.19
and after hitting the destination, to reach the source address it will alter to
source: 10.10.18.19
destination: 10.10.10.180 (where the ACL at the SVI is there saying: if the source is 10.10.18.0/24 and the destination is 10.10.10.180, drop)
so the packet is dropped.
This is what is happening, right?
And how is this achieved in a firewall? We have a firewall (ASA 5510); how can this be accomplished?
Regards,
srikanth
12-13-2011 05:30 AM
Hi,
"but can you explain to me how this is not possible?
For my understanding"
IP communication is bidirectional.
"We have a firewall (ASA 5510); how can this be accomplished?"
An ASA will make this possible by permitting only traffic from a high security level interface to a low security level interface, but it will block traffic from a low security level going to a high security level unless you apply an ACL to permit such traffic.
As it is stateful, it will let replies to traffic coming from high to low pass through the low security level interface.
You will have to inspect ICMP in the global policy to achieve this, or configure an ACL letting ICMP replies go from low to high.
So in your case you could put VLAN 99 on a high security level interface and VLAN 50 on a lower security level interface.
Regards.
Alain
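As an added illustration of the security-level approach described in the reply above (example configuration, not posted by anyone in this thread), here is what it looks like on an ASA 5510 with the two VLANs on subinterfaces. The interface IP addresses, subinterface numbers and nameif values are assumptions; only the host and subnet values come from the question.

```cisco
! Assumed: ASA 5510 trunked to the switch, VLAN 99 and VLAN 50 on
! subinterfaces of Ethernet0/1. Gateway addresses .1 are constructed.
interface Ethernet0/1.99
 vlan 99
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1.50
 vlan 50
 nameif servers
 security-level 50
 ip address 10.10.18.1 255.255.255.0
!
! Default behaviour (no ACL on "servers"): traffic may be initiated
! from inside (100) to servers (50), never from servers to inside.
! Replies are allowed back by the stateful connection table.
!
! Restrict the inside side so that only 10.10.10.180 may start
! connections into 10.10.18.0/24 (ASA ACLs use a netmask, not a wildcard).
! Once an ACL is applied, everything not permitted is dropped.
access-list inside_in extended permit ip host 10.10.10.180 10.10.18.0 255.255.255.0
access-group inside_in in interface inside
!
! ICMP is not tracked statefully unless inspected; add it to the
! default global policy so echo replies from VLAN 50 are allowed back.
policy-map global_policy
 class inspection_default
  inspect icmp
```

With this in place a ping from 10.10.10.180 to 10.10.18.19 succeeds because the reply matches an existing connection entry, while a ping started from 10.10.18.19 toward 10.10.10.180 is dropped on the lower security interface; a stateless SVI ACL cannot make that distinction because both directions of ICMP look like plain packets to it.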
12-13-2011 05:28 AM
Srikanth,
Just so I understand correctly, can you clarify your intent regarding "one-way communication"?
1) Are you trying to achieve a truly one-way path so that traffic can enter VLAN 50, but NOT exit (maybe you have a network sniffer on VLAN 50 that does not need to communicate back)?
or
2) Do you have servers on VLAN 50 that should only ACCEPT incoming connections, but NOT be allowed to initiate connections back to VLAN 99? (Not really one-way, as there is still return traffic.)
Based on your ping example it seems that you might be trying to achieve truly one-way (by your example of dropping the ping return traffic), but I want to be sure I understand you correctly.
Thanks!
Ed