11-12-2005 01:34 PM - edited 03-03-2019 12:47 AM
Hi. I have the following situation: a device "Comp A" is connected to the Router and is in Vlan 40. I restricted its access with the following ACLs:
Comp A <-------VLAN40----->Router<---Some Network---->
Comp A: 10.195.192.2
Router(Vlan40): 10.195.192.1
ip access-list extended munbank-in
permit tcp host 10.195.192.2 eq 580 host 10.195.35.1
permit tcp host 10.195.192.2 eq 580 host 10.195.1.2
permit icmp host 10.195.192.2 host 10.195.9.25
permit icmp host 10.195.192.2 host 10.195.1.2
deny ip any any
ip access-list extended munbank-out
permit tcp host 10.195.35.1 host 10.195.192.2 eq 580
permit tcp host 10.195.1.2 host 10.195.192.2 eq 580
permit icmp host 10.195.9.25 host 10.195.192.2
permit icmp host 10.195.1.2 host 10.195.192.2
deny ip any any
interface Vlan40
ip address 10.195.192.1 255.255.255.252
ip access-group munbank-in in
ip access-group munbank-out out
Now I need to configure almost the same access conditions, but with one requirement: hosts 10.195.35.1, 10.195.1.2, 10.195.9.25 must have access to "Comp A", but "Comp A" must not have any access. So I need to configure some kind of one-way communication. How do I solve it?
PS Thanks a lot for such forum!
11-13-2005 10:36 AM
Max
I am not sure that I really understand your question correctly. It seems to be saying that you have configured the access list restrictions and they are working ok. And now the requirements have changed and the two hosts need to be able to transmit to CompA and that CompA should not be able to send anything else back to them (one way traffic). Are there specific ports that will be used or is this traffic from the two hosts in general.
If that is the correct understanding then you could make this change in the inbound access list:
ip access-list extended munbank-in
permit ip host 10.195.192.2 host 10.195.35.1
permit ip host 10.195.192.2 host 10.195.1.2
permit icmp host 10.195.192.2 host 10.195.9.25
permit icmp host 10.195.192.2 host 10.195.1.2
deny ip any any
HTH
Rick
11-13-2005 01:06 PM
Thanks a lot, but that's a slightly incorrect understanding, let me clarify:
On Comp A there is some data. Comp A must NOT have any access to any networks on any ports! Comp A must think that it is alone.
Hosts 10.195.35.1, 10.195.1.2 must have access to the data on "Comp A". They must be able to download the data from Comp A through port tcp 580.
Hosts 10.195.9.25, 10.195.1.2 must be able to ping Comp A to monitor connectivity.
So if I understand correctly, the initiators of the connection must be the 9.25, 35.1, and 1.2 machines. The data from Comp A must be transferred only when the above hosts start the connection.
11-13-2005 01:22 PM
Hello,
in that case, the 'established' keyword might be a solution for you. Assuming that the IP address of CompA is 10.195.10.1, in this access list:
access-list 101 permit tcp host 10.195.10.1 host 10.195.9.25 established
access-list 101 permit tcp host 10.195.10.1 host 10.195.9.1 established
traffic from CompA to 10.195.9.25 and 10.195.9.1 is only allowed if the session has been previously established by 10.195.9.25 and/or 10.195.9.1.
Does that help you any further ?
Regards,
GP
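GP's two lines use placeholder addresses (10.195.10.1, 10.195.9.1) rather than the ones in the first post. The following is an added example, not posted by anyone in the thread, that applies the same 'established' idea to the poster's own addresses and ACL names so that the whole pair of lists does what the clarified requirement asks: the three hosts may open connections to Comp A, Comp A may only answer. The `remark` lines, the `echo`/`echo-reply` type matches and the `log` keyword are my additions; the rest mirrors the original configuration.

```cisco
! Added example (not from the thread). Addresses are the ones the poster gave.
! On interface Vlan40, "in" is traffic from Comp A entering the router and
! "out" is traffic the router sends toward Comp A.
!
! Inbound (Comp A -> network): replies only.
ip access-list extended munbank-in
 remark 'established' matches TCP segments with the ACK or RST bit set,
 remark so a bare SYN from Comp A (a new connection) is dropped
 permit tcp host 10.195.192.2 eq 580 host 10.195.35.1 established
 permit tcp host 10.195.192.2 eq 580 host 10.195.1.2 established
 remark ping replies only; echo requests from Comp A fall to the deny
 permit icmp host 10.195.192.2 host 10.195.9.25 echo-reply
 permit icmp host 10.195.192.2 host 10.195.1.2 echo-reply
 deny ip any any log
!
! Outbound (network -> Comp A): only the three hosts may initiate.
ip access-list extended munbank-out
 permit tcp host 10.195.35.1 host 10.195.192.2 eq 580
 permit tcp host 10.195.1.2 host 10.195.192.2 eq 580
 permit icmp host 10.195.9.25 host 10.195.192.2 echo
 permit icmp host 10.195.1.2 host 10.195.192.2 echo
 deny ip any any log
!
interface Vlan40
 ip address 10.195.192.1 255.255.255.252
 ip access-group munbank-in in
 ip access-group munbank-out out
```

Two caveats a practitioner should keep in mind. First, `established` is not stateful: the router only inspects the TCP flags of each packet, so Comp A could still emit ACK- or RST-flagged segments toward 10.195.35.1 or 10.195.1.2 even with no session open (the match on source port 580 narrows this, but does not remove it); if that residual channel matters, IOS reflexive ACLs (`reflect`/`evaluate`) or CBAC (`ip inspect`) track real sessions. Second, `established` exists only for TCP; there is no equivalent keyword for UDP or ICMP, which is why the ICMP lines above restrict by message type (`echo` toward Comp A, `echo-reply` back) instead. The `log` keyword on the final deny lets you confirm with `show logging` that Comp A's own connection attempts are in fact being dropped.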