ACL question

I have 2 subnets, 10.x and 1.x, with a router between them.

I have a PIX on the 1.x network that does the NATing for both the 10 and 1 networks to access the internet.

I want 2 computers from the 10.x network to be able to access the 1.x computers, but do not want the 1.x computers to access the 10.x computers.

Here is my access list that I have right now:

interface Ethernet0
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 out
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
interface Ethernet1
 ip address 192.168.10.1 255.255.255.0
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1 permanent
logging buffered 4096 debugging
no logging console
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any host 192.168.1.1
access-list 100 permit ip any host 192.168.1.199
access-list 100 permit ip host 192.168.10.29 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.10.35 192.168.1.0 0.0.0.255
access-list 100 permit ip any 192.168.100.0 0.0.0.255
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip any any

I was thinking I need to create a 101 access-group to deny any INCOMING.

Any ideas?

Thanks

Bill

4 REPLIES

Re: ACL question

Hi Bill,

It depends on what IOS you have on the router.

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
interface Ethernet1
 ip access-group 101 in
 ip inspect FIREWALL out

If you can enter the lines above, you have an IOS that supports a stateful firewall, and you have also got yourself the first stateful firewall.

To better understand how it works try:

http://www.cisco.com/en/US/docs/ios/12_1/security/configuration/guide/scdcbac.html#wp1002187

Please rate if this helped.

Regards,

Daniel


Re: ACL question

Thanks for the reply. It's an old router, about 5 years old, not relying on the firewall rules.

Would

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any

get me what I need?

Denying incoming traffic from the 1.x network, would this stop my internet traffic, where the PIX is on the 1.x with its IP 1.1? And how does the access-list 101 permit ip any any need to be there?

Thanks again so much

Re: ACL question

If the IOS is too old, the ACL 101 will not solve your problem, since it will block both the traffic from 1.x to 10.x and the reverse.

There is a way to allow the traffic, but it is only for TCP traffic:

access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255 established
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any

Basically, this ACL will allow only the established TCP communication (the one initiated by 10.x) to pass. The traffic initiated by 1.x to 10.x will be blocked.

Please note that this works only for TCP traffic.

For UDP, you need to either deny all or permit all.

Please rate if this helped.

Regards,

Daniel

Re: ACL question

Daniel is right.

I just got confused.

However,

Daniel's ACL will allow all of 192.168.10.0 to communicate with the 1.x network,

while as I can see from his requirement he wants only two PCs to have that access!!

access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.10.29 established
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.10.35 established
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any

and apply it on

interface Ethernet0
 ip access-group 101 in

This way will be more precise.

For your information,

it could be done more specific and secure if you have IOS Firewall and configure IOS Firewall ZONE-BASED.

good luck
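To see why the `established` ACL in the last reply (and Daniel's explanation of it) lets 10.x-initiated TCP sessions through while blocking everything 1.x initiates, here is an added example that is not part of the thread: a small Python simulation of IOS first-match ACL evaluation with wildcard masks, the implicit deny, and `established` modelled as "TCP packet with ACK or RST set". The `Packet` class and the sample addresses in the test are constructed for illustration; ACL 101 is the one from the reply above.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ack_or_rst: bool = False  # TCP ACK or RST bit set; "established" matches only these

def in_wildcard(addr, network, wildcard):
    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def take_addr(tokens):
    # Consume one address spec: "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    # "access-list N action proto SRC DST [established]" -> (action, proto, src, dst, est)
    t = line.split()
    src, rest = take_addr(t[4:])
    dst, rest = take_addr(rest)
    return t[2], t[3], src, dst, "established" in rest

def evaluate(acl, pkt):
    # First matching entry wins; a packet matching no entry hits the implicit deny
    for line in acl:
        action, proto, src, dst, est = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (in_wildcard(pkt.src, *src) and in_wildcard(pkt.dst, *dst)):
            continue
        if est and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            continue
        return action
    return "deny"

# ACL 101 from the last reply, applied inbound on Ethernet0 (the 192.168.1.0/24 side)
ACL_101 = [
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.10.29 established",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.10.35 established",
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 101 permit ip any any",
]
```

Feeding it a 1.x-to-10.29 TCP reply (ACK set) gives permit, a 1.x-sourced SYN or any UDP packet to 10.x gives deny, and traffic arriving from the internet side (non-1.x source after the PIX de-NATs it) still passes on the final `permit ip any any`, which answers Bill's worry about that line.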
