Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
922
Views
0
Helpful
7
Replies

Access Control List Config

Hawkgromit
Level 1
Level 1

‎05-08-2009 04:36 AM - edited ‎03-04-2019 04:41 AM

Hello,

Attached is a basic representation of my network topology.

Before I attempt to apply any ACL's to the live environment, I have duplicated the basic topology in Packet Tracer,

so I can modify with the config without having any impact.

What I am trying to accomplish is to prevent all hosts on Network B, gaining access to Network A, but still allowing them access to Server X and other areas, not shown in the topology. Whilst still allowing hosts on Network A access to Server X and Network B.

If I apply a standard ACL to Fa 0/0.4, as follows:-

int fa 0/0.4

ip access-group Block_DD out

ip access-list standard Block_DD

deny 172.16.0.0 0.0.3.255

permit any

traffic from Network B is blocked, but the traffic from Network A across to Network B is also blocked,

which is not what I am trying to accomplish.

If I apply an extended ACL to Fa 0/0.3, as follows:-

int fa 0/0.3

ip access-group Block_DD in

ip access-list extended Block_DD

deny ip 172.16.0.0 0.0.3.255 192.168.54.0 0.0.0.255

permit ip any any

the same problem occurs where traffic from Network B is blocked, but the traffic from Network A across to Network B is also blocked, which again, is not what I am trying to accomplish.

Could someone please advise where I am going wrong or whether I am omitting some obvious permit/deny statements?

All guidance greatly appreciated.

Cheers

Darrell

Labels:
20376-ACL Test Network.vsd
0 Helpful
7 Replies 7

Jon Marshall
Hall of Fame
Hall of Fame

‎05-08-2009 04:51 AM

Darrell

Could you post a .jpg rather than a visio file

Jon

0 Helpful

donlerche
Level 1
Level 1

‎05-08-2009 06:17 AM

Darrell,

Neither of the access lists you have used are blocking traffic from Network A to Network B. The reason they don't work and appear to block this traffic is because you are blocking in the direction from Network B to Network A, and communication between two devices depends on a two-way path.

If you only have one or two devices on network B that need to be accessable from Network A, then the simplest way to achieve your requirements is by your second extended ACL on the input of Fa0/0.3, but before the deny statement you need to add one or more permits to allow traffic between the particular host(s) on Network B and the specific host(s)on Network A.

If however you need to be able to access everything on Network B from Network A, then you cannot limit traffic in the opposite direction in this way.

Hope this helps

Don

0 Helpful

Hawkgromit
Level 1
Level 1

‎05-08-2009 06:54 AM

JPEG uploaded, as requested.

31 KB
0 Helpful

Thotsaphon Lueangwattanaphong
Level 7
Level 7
In response to Hawkgromit

‎05-08-2009 09:11 AM

Darrell,

Edit: Sorry I missed reading your question. You want to allow only A to access B but not for B to access A. Right?

It can't be done with ACL. Because it's a stateless protocol. A will be blocked when traffic going back from B to A(Blocked by ACL as well). That's why you cannot go from A to B and vise versa.

HTH,

Toshi

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Hawkgromit

‎05-08-2009 11:23 AM

Darrell

As the others have said the problem you have is that if you deny traffic from B to A then the return traffic from a connection initiated from A to B is also blocked.

However you can use reflexive acl's to overcome this. Reflexive acl's will allow you to say "allow traffic from A -> B and return traffic from B -> A that is part of the same connection" but "do not allow traffic to be initiated from network B -> A. See this link for details -

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html#wp1000897

Jon

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Jon Marshall

‎05-08-2009 12:48 PM

Darrell

I did a quick lab setup. I used tcp traffic as an example but if you look at the reference in my previous post you can see how to do udp and icmp as well.

On the 6500 switch

==================

ip reflexive-list timeout 120

ip access-list extended inbound

permit tcp any any reflect tcptraffic

ip access-list extended outbound

evaluate tcptraffic

int fa0/0.4

ip access-group inbound in

ip access-group outbound out

The above config will allow all hosts on A to connect to server X and any hosts on B using any TCP application. It will allow return traffic from server X and network B to A.

It will not allow any traffic to be initiated from network B to network A nor from server X to network A.

Hopefully this example should give you a good start and you should be able to modify to meet your requirements.

Jon

0 Helpful

Hawkgromit
Level 1
Level 1
In response to Jon Marshall

‎05-12-2009 03:28 AM

Hi Jon,

Thanks for your very valuable input. I will certainly read up on the reflexive access control lists.

I did try to modify my existing packet tracer lab, but the IOS version does not support reflexive-lists, so will have to try other lab options to play with the config.

Darrell

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card