273 Views, 0 Helpful, 3 Replies

ACL question

NetMaxKar
Level 1

Hi. I have the following situation: a device "Comp A" is connected to the Router and is in Vlan 40. I restricted its access with the following ACLs:

Comp A <-------VLAN40----->Router<---Some Network---->

Comp A: 10.195.192.2
Router (Vlan40): 10.195.192.1

ip access-list extended munbank-in
 permit tcp host 10.195.192.2 eq 580 host 10.195.35.1
 permit tcp host 10.195.192.2 eq 580 host 10.195.1.2
 permit icmp host 10.195.192.2 host 10.195.9.25
 permit icmp host 10.195.192.2 host 10.195.1.2
 deny ip any any

ip access-list extended munbank-out
 permit tcp host 10.195.35.1 host 10.195.192.2 eq 580
 permit tcp host 10.195.1.2 host 10.195.192.2 eq 580
 permit icmp host 10.195.9.25 host 10.195.192.2
 permit icmp host 10.195.1.2 host 10.195.192.2
 deny ip any any

interface Vlan40
 ip address 10.195.192.1 255.255.255.252
 ip access-group munbank-in in
 ip access-group munbank-out out

Now I need to configure almost the same access conditions, but with one requirement: hosts 10.195.35.1, 10.195.1.2, 10.195.9.25 must have access to "Comp A", but "Comp A" must not have any access. So the thing is that I need to configure some one-way communication. How can I solve it?

PS: Thanks a lot for such a forum!

Accepted Solution

Hello,

in that case, the 'established' keyword might be a solution for you. Assuming that the IP address of CompA is 10.195.10.1, in this access list:

access-list 101 permit tcp host 10.195.10.1 host 10.195.9.25 established
access-list 101 permit tcp host 10.195.10.1 host 10.195.9.1 established

traffic from CompA to 10.195.9.25 and 10.195.9.1 is only allowed if the session has been previously established by 10.195.9.25 and/or 10.195.9.1.

Does that help you any further?

Regards,

GP
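GP's answer uses placeholder addresses (10.195.10.1, 10.195.9.25, 10.195.9.1) rather than the ones in the question. The following is an added example, not part of the thread and not code from either poster: it writes the 'established' idea as an inbound ACL for Vlan40 using the question's own hosts, and checks the behaviour with a small Python model of how IOS evaluates an extended ACL (first match wins, implicit deny at the end, 'established' matching only packets with ACK or RST set). The packet scenarios are constructed, and the 'echo-reply' ICMP-type lines go beyond the accepted answer (which covers TCP only) so that Comp A can answer pings without being able to ping out. The outbound ACL munbank-out from the question is unchanged and is not modelled.

```python
# Added example (not from the thread): a small Python model of Cisco IOS
# extended-ACL evaluation, used to show what 'established' does when applied
# to the addresses from the question.
from dataclasses import dataclass

COMP_A = "10.195.192.2"

# Candidate inbound ACL on interface Vlan40 (traffic leaving Comp A), written
# with the question's addresses. Only the ACE lines are listed; the
# "ip access-list extended munbank-in" header is omitted because this model
# parses ACEs only. 'echo-reply' is an IOS ICMP-type option; it is an extension
# of the accepted answer, which only covers TCP.
ACL_IN = """
permit tcp host 10.195.192.2 eq 580 host 10.195.35.1 established
permit tcp host 10.195.192.2 eq 580 host 10.195.1.2 established
permit icmp host 10.195.192.2 host 10.195.9.25 echo-reply
permit icmp host 10.195.192.2 host 10.195.1.2 echo-reply
deny ip any any
"""


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags present: "SYN", "ACK", "RST"
    icmp_type: str = ""             # "echo" (request) or "echo-reply"


def parse_ace(line):
    """Parse one access-control entry of the subset used in ACL_IN."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    pos = 2

    def take_addr():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return None             # None means wildcard
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1]
        raise ValueError(f"unsupported address form in: {line}")

    def take_port():
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return int(toks[pos - 1])
        return None

    src = take_addr()
    sport = take_port()
    dst = take_addr()
    dport = take_port()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": set(toks[pos:])}


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ace["src"] is not None and ace["src"] != pkt.src:
        return False
    if ace["dst"] is not None and ace["dst"] != pkt.dst:
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    # 'established' is stateless: it matches only if the ACK or RST bit is set.
    if "established" in ace["opts"] and not (pkt.flags & {"ACK", "RST"}):
        return False
    if "echo-reply" in ace["opts"] and pkt.icmp_type != "echo-reply":
        return False
    return True


def evaluate(acl_text, pkt):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


def scenarios():
    """Constructed packets leaving Comp A, evaluated against ACL_IN."""
    def tcp(dst, sport, dport, *flags):
        return Packet("tcp", COMP_A, dst, sport, dport, frozenset(flags))

    def icmp(dst, kind):
        return Packet("icmp", COMP_A, dst, icmp_type=kind)

    return {
        # Comp A tries to open a connection itself: SYN only, no ACK -> dropped.
        "compA_initiates_to_35.1": evaluate(ACL_IN, tcp("10.195.35.1", 40000, 580, "SYN")),
        # Comp A answers a download that 10.195.35.1 started on port 580 -> allowed.
        "compA_replies_to_35.1": evaluate(ACL_IN, tcp("10.195.35.1", 580, 52000, "SYN", "ACK")),
        # The same reply toward a host that is not in the list -> dropped.
        "compA_replies_to_9.25": evaluate(ACL_IN, tcp("10.195.9.25", 580, 52000, "SYN", "ACK")),
        # Comp A answers a ping from the monitoring host -> allowed.
        "compA_echo_reply_to_9.25": evaluate(ACL_IN, icmp("10.195.9.25", "echo-reply")),
        # Comp A tries to ping out -> dropped (a plain 'permit icmp' would allow it).
        "compA_echo_request_to_9.25": evaluate(ACL_IN, icmp("10.195.9.25", "echo")),
        # Caveat: any packet with ACK set passes, whether or not a session exists.
        "compA_bare_ack_to_35.1": evaluate(ACL_IN, tcp("10.195.35.1", 580, 52000, "ACK")),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:30s} {verdict}")
```

The last scenario is the caveat to keep in mind: 'established' only inspects the TCP header flags on each packet and keeps no connection table, so it stops Comp A from starting sessions but not from emitting ACK-flagged packets toward the two download hosts. If the requirement is strictly that nothing leaves Comp A unless a listed host started the conversation, a stateful mechanism (reflexive ACLs or a zone-based firewall policy on the router) enforces that; the stateless form above is what the accepted answer describes.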


3 Replies

Richard Burts
Hall of Fame

Max

I am not sure that I really understand your question correctly. It seems to be saying that you have configured the access list restrictions and they are working ok. And now the requirements have changed and the two hosts need to be able to transmit to CompA, and CompA should not be able to send anything else back to them (one-way traffic). Are there specific ports that will be used, or is this traffic from the two hosts in general?

If that is the correct understanding then you could make this change in the inbound access list:

ip access-list extended munbank-in
 permit ip host 10.195.192.2 host 10.195.35.1
 permit ip host 10.195.192.2 host 10.195.1.2
 permit icmp host 10.195.192.2 host 10.195.9.25
 permit icmp host 10.195.192.2 host 10.195.1.2
 deny ip any any

HTH

Rick


Thanks a lot, but that's a slightly incorrect understanding, let me clarify:

On Comp A there is some data. Comp A must NOT have any access to any networks on any ports! Comp A must think that it is alone.

Hosts 10.195.35.1, 10.195.1.2 must have access to the data on "Comp A". They must be able to download the data from Comp A through port tcp 580.

Hosts 10.195.9.25, 10.195.1.2 must be able to ping Comp A to monitor connectivity.

So if I understand it correctly, then the initiators of the connection must be the 9.25, 35.1, and 1.2 machines. The data from Comp A must be able to transfer only when the above hosts start the connection.
