Attached is a basic representation of my network topology.
Before I attempt to apply any ACL's to the live environment, I have duplicated the basic topology in Packet Tracer,
so I can modify with the config without having any impact.
What I am trying to accomplish is to prevent all hosts on Network B from gaining access to Network A, while still allowing them access to Server X and other areas not shown in the topology, and whilst still allowing hosts on Network A access to Server X and Network B.
If I apply a standard ACL to Fa 0/0.4, as follows:
int fa 0/0.4
ip access-group Block_DD out
ip access-list standard Block_DD
deny 172.16.0.0 0.0.3.255
traffic from Network B is blocked, but the traffic from Network A across to Network B is also blocked,
which is not what I am trying to accomplish.
If I apply an extended ACL to Fa 0/0.3, as follows:
int fa 0/0.3
ip access-group Block_DD in
ip access-list extended Block_DD
deny ip 172.16.0.0 0.0.3.255 192.168.54.0 0.0.0.255
permit ip any any
the same problem occurs where traffic from Network B is blocked, but the traffic from Network A across to Network B is also blocked, which again, is not what I am trying to accomplish.
Could someone please advise where I am going wrong or whether I am omitting some obvious permit/deny statements?
Neither of the access lists you have used is blocking traffic from Network A to Network B. The reason they don't work and appear to block this traffic is because you are blocking in the direction from Network B to Network A, and communication between two devices depends on a two-way path.
If you only have one or two devices on Network B that need to be accessible from Network A, then the simplest way to achieve your requirements is by your second extended ACL on the input of Fa0/0.3, but before the deny statement you need to add one or more permits to allow traffic between the particular host(s) on Network B and the specific host(s) on Network A.
If however you need to be able to access everything on Network B from Network A, then you cannot limit traffic in the opposite direction in this way.
As the others have said, the problem you have is that if you deny traffic from B to A then the return traffic from a connection initiated from A to B is also blocked.
However you can use reflexive ACLs to overcome this. Reflexive ACLs will allow you to say "allow traffic from A -> B and return traffic from B -> A that is part of the same connection" but "do not allow traffic to be initiated from network B -> A." See this link for details -
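The reflexive ACL approach described in the answer above, written out as an added example (it is not configuration from the original thread). It assumes, from the ACLs in the question, that Network A is 192.168.54.0/24 behind Fa0/0.4 and Network B is 172.16.0.0/22 behind Fa0/0.3; the list names TO_B_OUT, FROM_B_IN and A_B_SESSIONS are chosen here and can be anything.

```cisco
! Added example, not from the original thread. Assumes Network A = 192.168.54.0/24 (Fa0/0.4)
! and Network B = 172.16.0.0/22 (Fa0/0.3); list names are arbitrary.
!
! Outbound toward Network B: every permitted A -> B flow is recorded as a temporary,
! mirrored entry in the reflexive list A_B_SESSIONS (removed after 300 s of inactivity).
ip access-list extended TO_B_OUT
 permit ip 192.168.54.0 0.0.0.255 172.16.0.0 0.0.3.255 reflect A_B_SESSIONS timeout 300
 permit ip any any
!
! Inbound from Network B: return traffic for recorded sessions is matched first,
! new connections from B toward A are then denied, and everything else
! (Server X and the other areas not shown) is still permitted.
ip access-list extended FROM_B_IN
 evaluate A_B_SESSIONS
 deny ip 172.16.0.0 0.0.3.255 192.168.54.0 0.0.0.255
 permit ip any any
!
! Both lists go on the subinterface facing Network B, one per direction.
interface FastEthernet0/0.3
 ip access-group TO_B_OUT out
 ip access-group FROM_B_IN in
```

After a host on Network A opens a connection to Network B, `show ip access-lists A_B_SESSIONS` shows the temporary reverse entry that lets the reply back in; a connection started from Network B never creates one and hits the deny. If the `reflect`/`evaluate` keywords are not accepted in your Packet Tracer build, test on real IOS; for TCP only, the `established` keyword (`permit tcp 172.16.0.0 0.0.3.255 192.168.54.0 0.0.0.255 established` placed before the deny in the inbound list) gives a simpler approximation, but it matches only segments with ACK or RST set and does nothing for UDP or ICMP.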