Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
583
Views
1
Helpful
6
Replies

Extended IP ACL

Adrian Ardelean
Level 1
Level 1

‎04-04-2012 02:52 AM - edited ‎03-07-2019 05:57 AM

Hello,

Let's say I have Gi0/0 - 172.16.0.0/27 and Gi0/2 - 172.16.2.0/23.

I need to access everything from first network to second but nothing from 172.16.2.0/23 to 172.16.0.0/27.

I'm very beginner, I can't figure the ACL..

Thanks !

Labels:
0 Helpful
6 Replies 6

Zeeshan Siddiqui
Level 1
Level 1

‎04-04-2012 03:26 AM

Hi Adrian,

Please go through following link

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Configure ACL below

conf t

IP access-list extended test

deny ip 172.16.2.0/23 172.16.0.0/27  (you may have to change to wild card mask depending on the router / L3 switch you are using)

int Gi0/0 

ip access-group test in

The ACL is going to match the soucre and destination ip address when it enters interface Gi0/0

This will block traffic coming from 172.16.2.0/23 when it hit your Gi0/0 interface

They are a number of ways of applying an ACL please go through URL If you are new to ACL I would test in a test LAB and not in production

I hope this answer your questions

0 Helpful

Adrian Ardelean
Level 1
Level 1
In response to Zeeshan Siddiqui

‎04-04-2012 03:47 AM

I did this way:

..

deny ip 172.16.2.0 0.0.1.255 172.16.0.0 0.0.0.31

...

the problem is  I lost connection from 172.16.0.0/27 to router

If I ping the gateway (172.16.0.1) from a windows host it gives me:

Destination net unreachable

0 Helpful

Zeeshan Siddiqui
Level 1
Level 1
In response to Adrian Ardelean

‎04-04-2012 04:16 AM

Hi Adrian,

Are you usinging a L3 switch here ?

Can you post a basic diagram of your setup including gateways and where you test PC is connected (I believ this is a Lab envirement) and remove the config mentioned above as it will block all traffic when you match following criteria

172.16.2.0 0.0.1.255 172.16.0.0 0.0.0.31 entering Gi0/0.

For example if you ping 172.16.2.5 from host 172.16.0.5

The traffic will leave Gi0/0 interface and hit 172.16.2.5  the ip header will look like  [ source 172.16.0.5 | destination 172.16.2.5 ]

Now with the return traffic the header will look like [ source 172.16.2.5 | destination 172.16.0.5 ] and will be blocked with ACL

in short the ACL mentioned above will block traffic when the IP header contains a source address 172.16.2.x and destination header 172.16.0.x hitting the Gi0/0 interface (in) direction

0 Helpful

Adrian Ardelean
Level 1
Level 1
In response to Zeeshan Siddiqui

‎04-04-2012 04:25 AM

Hi Zeeshan,

It's a 2921 router and it's intended to use for network segmentation. For the moment, yes, it's in a testing env., I have two PCs connected to each interface.

PC1: 172.16.0.3     GW: 172.16.0.1 (Gi0/0)

PC2: 172.16.2.100  GW: 172.16.2.1 (Gi0/2)

The Gi0/0-3 are L3 but I also have a EHWIC-D-8ESG with L2 ports (gi0/1/0-7) that I will use later.

Thanks

0 Helpful

Neeraj Arora
Level 3
Level 3

‎04-04-2012 08:35 AM

Adrian,

I can give you a solution...well more of an option to accomplish what you are looking for but this will only work for TCP connections, not for ICMP or UDP. They would either be allowed or blocked

Use the Established keyword in ACL which will only allow response traffic from 172.16.2.0/23 subnet going to 172.16.0.0/27, nothing initiated from this 172.16.2.0/23 subnet would be allowed

Config will look like this:

access-list 100 permit tcp 172.16.2.0 0.0.1.255 172.16.0.0 0.0.0.31 established

access-list 100 deny tcp 172.16.2.0 0.0.1.255 172.16.0.0 0.0.0.31     --> this will allow UDP and ICMP initiated from this subnet

access-list 100 deny ip 172.16.2.0 0.0.1.255 172.16.0.0 0.0.0.31   --> This will block everything including UDP & ICMP which is initiated from this subnet, so use either one of these lines in the ACL

access-list 100 permit ip 172.16.2.0 0.0.1.255 any     --> To allow traffic going towards internet, if you want to allow that for future

interface gig0/2

ip access-group 100 in

Apart from this, you have an option of using CBAC functionality in routers but that is dependant on the IOS being used and honestly I am not an expert in that, so would suggest you to dig more into this topic before thinking of implementing it

Hope the above option helps

Neeraj

Zeeshan Siddiqui
Level 1
Level 1
In response to Neeraj Arora

‎04-04-2012 09:32 AM

Hi Adrian,

I completely agree with Neraaj

I have actually done some testing in a Lab enviroment using a 3750 you have to use the establish keyword for one way traffic for TCP.

You can try with suggestion below if Neeraj advice does not full fill your requirements

Another option would be Reflexive ACL again it depend on your router model / IOS unfortunately can not test in my lab as it is not supported on a 3750.

The URL below can be helpfull

http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfreflx.html

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card