Community Member

Extended IP ACL

Hello,

Let's say I have Gi0/0 - 172.16.0.0/27 and Gi0/2 - 172.16.2.0/23.

I need to access everything from first network to second but nothing from 172.16.2.0/23 to 172.16.0.0/27.

I'm a beginner and I can't figure out the ACL..

Thanks !

6 REPLIES
Community Member

Extended IP ACL

Hi Adrian,

Please go through following link

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Configure ACL below

conf t

IP access-list extended test

deny ip 172.16.2.0/23 172.16.0.0/27  (you may have to change to a wildcard mask depending on the router / L3 switch you are using)

int Gi0/0 

ip access-group test in

The ACL is going to match the source and destination IP address when it enters interface Gi0/0

This will block traffic coming from 172.16.2.0/23 when it hits your Gi0/0 interface

There are a number of ways of applying an ACL; please go through the URL. If you are new to ACLs I would test in a test lab and not in production.

I hope this answers your questions

Community Member

Extended IP ACL

I did this way:

..

deny ip 172.16.2.0 0.0.1.255 172.16.0.0 0.0.0.31

...

the problem is I lost connection from 172.16.0.0/27 to the router

If I ping the gateway (172.16.0.1) from a windows host it gives me:

Destination net unreachable

Community Member

Extended IP ACL

Hi Adrian,

Are you using an L3 switch here?

Can you post a basic diagram of your setup including gateways and where your test PC is connected (I believe this is a lab environment), and remove the config mentioned above as it will block all traffic when you match the following criteria

172.16.2.0 0.0.1.255 172.16.0.0 0.0.0.31 entering Gi0/0.

For example if you ping 172.16.2.5 from host 172.16.0.5

The traffic will leave the Gi0/0 interface and hit 172.16.2.5; the IP header will look like [ source 172.16.0.5 | destination 172.16.2.5 ]

Now with the return traffic the header will look like [ source 172.16.2.5 | destination 172.16.0.5 ] and it will be blocked by the ACL

In short, the ACL mentioned above will block traffic when the IP header contains a source address of 172.16.2.x and a destination address of 172.16.0.x hitting the Gi0/0 interface in the (in) direction

Community Member

Extended IP ACL

Hi Zeeshan,

It's a 2921 router and it's intended to be used for network segmentation. For the moment, yes, it's in a testing environment; I have two PCs connected, one to each interface.

PC1: 172.16.0.3     GW: 172.16.0.1 (Gi0/0)

PC2: 172.16.2.100  GW: 172.16.2.1 (Gi0/2)

The Gi0/0-3 ports are L3, but I also have an EHWIC-D-8ESG with L2 ports (gi0/1/0-7) that I will use later.

Thanks

Extended IP ACL

Adrian,

I can give you a solution... well, more of an option to accomplish what you are looking for, but this will only work for TCP connections, not for ICMP or UDP. Those would either be allowed or blocked.

Use the established keyword in the ACL, which will only allow response traffic from the 172.16.2.0/23 subnet going to 172.16.0.0/27; nothing initiated from this 172.16.2.0/23 subnet would be allowed.

Config will look like this:

access-list 100 permit tcp 172.16.2.0 0.0.1.255 172.16.0.0 0.0.0.31 established

access-list 100 deny tcp 172.16.2.0 0.0.1.255 172.16.0.0 0.0.0.31     --> this will allow UDP and ICMP initiated from this subnet

access-list 100 deny ip 172.16.2.0 0.0.1.255 172.16.0.0 0.0.0.31   --> This will block everything including UDP & ICMP which is initiated from this subnet, so use either one of these lines in the ACL

access-list 100 permit ip 172.16.2.0 0.0.1.255 any     --> To allow traffic going towards the internet, if you want to allow that in future

interface gig0/2

ip access-group 100 in

Apart from this, you have the option of using CBAC functionality in routers, but that is dependent on the IOS being used and honestly I am not an expert in that, so I would suggest you dig more into this topic before thinking of implementing it.

Hope the above option helps

Neeraj
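To see why the established keyword gives one-way TCP while ICMP and UDP end up either fully open or fully blocked, here is an added Python model of how IOS evaluates these entries (example code written for this thread, not Cisco's code or anything posted by Neeraj or Adrian): wildcard-mask matching, first match wins, established matching only segments with the ACK or RST bit set, and the implicit deny at the end of every ACL. PC1, PC2 and the Gi0/0 gateway come from Adrian's post; 198.51.100.7 is a constructed outside address.

```python
import ipaddress

# TCP flag bits; IOS "established" matches segments with ACK or RST set
SYN, RST, ACK = 0x02, 0x04, 0x10


def wildcard_match(addr, net, wildcard):
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)


def acl_eval(acl, proto, src, dst, flags=0):
    """First matching entry wins; an ACE is
    (action, proto, src, src_wildcard, dst, dst_wildcard, established)."""
    for action, a_proto, a_src, a_swc, a_dst, a_dwc, established in acl:
        if a_proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, a_src, a_swc) and wildcard_match(dst, a_dst, a_dwc)):
            continue
        if established and not flags & (ACK | RST):
            continue  # a TCP segment opening a session, not a reply
        return action
    return "deny"  # the implicit deny at the end of every IOS ACL


# Neeraj's access-list 100 (the "deny ip" variant), applied "in" on Gi0/2
ACL_100 = [
    ("permit", "tcp", "172.16.2.0", "0.0.1.255", "172.16.0.0", "0.0.0.31", True),
    ("deny", "ip", "172.16.2.0", "0.0.1.255", "172.16.0.0", "0.0.0.31", False),
    ("permit", "ip", "172.16.2.0", "0.0.1.255", "0.0.0.0", "255.255.255.255", False),  # "any"
]

# The first reply's ACL "test": a single deny and nothing permitted, "in" on Gi0/0
ACL_TEST = [("deny", "ip", "172.16.2.0", "0.0.1.255", "172.16.0.0", "0.0.0.31", False)]

PC1, PC2, GW1, OUTSIDE = "172.16.0.3", "172.16.2.100", "172.16.0.1", "198.51.100.7"


def scenarios():
    """Constructed packets as seen by the router inbound on the ACL's interface."""
    return {
        # PC2 opens a TCP session to PC1: SYN only, so 'established' does not match
        "pc2_tcp_syn": acl_eval(ACL_100, "tcp", PC2, PC1, SYN),
        # PC2 answers a session PC1 opened: SYN+ACK is permitted by line 1
        "pc2_tcp_synack": acl_eval(ACL_100, "tcp", PC2, PC1, SYN | ACK),
        # PC2's ICMP echo reply to PC1's ping carries no TCP flags: denied by line 2
        "pc2_icmp_reply": acl_eval(ACL_100, "icmp", PC2, PC1),
        # PC2 towards an outside address is still permitted by line 3
        "pc2_outside": acl_eval(ACL_100, "tcp", PC2, OUTSIDE, SYN),
        # ACL "test" inbound on Gi0/0: PC1's ping to its own gateway hits the implicit deny
        "pc1_to_gateway": acl_eval(ACL_TEST, "icmp", PC1, GW1),
    }
```

The last scenario is the one Adrian ran into: an ACL that only contains a deny line blocks everything else on that interface, including the host talking to its own gateway.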

Community Member

Extended IP ACL

Hi Adrian,

I completely agree with Neeraj

I have actually done some testing in a lab environment using a 3750; you have to use the established keyword for one-way traffic for TCP.

You can try the suggestion below if Neeraj's advice does not fulfil your requirements

Another option would be a Reflexive ACL; again it depends on your router model / IOS. Unfortunately I cannot test it in my lab as it is not supported on a 3750.

The URL below can be helpful

http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfreflx.html
