I have 2 networks (VLAN routing), X and Y. I want this:
X can reach Y
Y can not reach X
I have to apply it on Y's interface.
This looks very simple, but when X wants to reach Y, the return traffic from Y cannot get back to X.
Please help.. Thank you
I think this should work... apply it on the Y interface, outbound...
access-list 101 deny ip y-subnet y-mask x-subnet x-mask
access-list 101 permit ip any any
What do you think...
Rate if it helps....
It is simple to solve this if you use tcp as the transport protocol.
access-list 101 permit tcp y-subnet y-mask x-subnet x-mask established
Apply this to the Y interface as "in".
The key here is the "established" keyword:
The access-list will only allow TCP packets with the ACK or RST bit set from Y-subnet to X-subnet.
The effect of this will be the following:
Hosts on X-subnet will be able to initiate tcp connections, hosts on Y-subnet will be able to reply (ACK bit set).
Hosts on Y-subnet will not be able to initiate connections to X-subnet because their initial tcp packet will not have the ACK bit set, so the access-list will filter these packets.
Try this. It should work.
I like the suggestion from Istvan. It addresses part of an issue that may not be obvious. When you have requirements that X should access Y but Y should not access X, then you have difficulties in trying to do it with access lists, because access lists do not generally distinguish between what is an attempt to initiate traffic and what is a response to traffic initiated from the other side. So when your access list has a deny with the Y address and mask as the source, it will deny both traffic initiated from Y to X and traffic that is a response from Y to X.
The TCP established is the one thing in access lists that does make this distinction. But it only does it for TCP traffic. To solve your requirements that X should access Y (and receive responses from Y) you need stateful inspection. If you have the right feature set in the code running on your router you should be able to configure ip inspect (or CBAC) to achieve what you have as your requirement.
I have solved the problem via the tcp "established" command.
Y's in interface:
deny ip any any
permit tcp any any established
Thank you all..
except in reverse order, right?
This got me thinking... I wonder if there is a hack that could be run on a compromised "Y" webserver that would spoof an ACK bit set that would allow access (DOS, etc?) into the secure X network.
Yes, you are right. You can manually change the ACK bit to 1, then you can pass the router. A stateful firewall is better, but I use this in the local network at the backbone.
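To make the behaviour discussed in this thread concrete, here is an added toy model (not from any poster, and not Cisco code) of how an extended ACL with the "established" keyword is evaluated, next to a minimal stateful flow tracker of the kind the "ip inspect"/CBAC suggestion refers to. Subnets, addresses, ports and packets are constructed sample values; the ACL semantics modelled are first match wins, implicit deny at the end, and "established" matching only TCP segments with ACK or RST set.

```python
from ipaddress import ip_network, ip_address

X_NET = ip_network("10.1.0.0/24")   # assumed X subnet (constructed)
Y_NET = ip_network("10.2.0.0/24")   # assumed Y subnet (constructed)
ANY = ip_network("0.0.0.0/0")       # stands in for the "any" keyword

def pkt(src, dst, flags, proto="tcp", sport=40000, dport=80):
    """Build a constructed sample packet; flags is a list like ["SYN", "ACK"]."""
    return {"src": src, "dst": dst, "flags": set(flags), "proto": proto,
            "sport": sport, "dport": dport}

def acl_permits(acl, p):
    """Evaluate p against an ordered list of (action, proto, src, dst, established).
    First matching entry decides; anything unmatched hits the implicit deny."""
    for action, proto, src, dst, established in acl:
        if proto != "ip" and proto != p["proto"]:
            continue
        if ip_address(p["src"]) not in src or ip_address(p["dst"]) not in dst:
            continue
        # "established" matches any TCP segment carrying ACK or RST, and
        # nothing else about the connection is checked
        if established and not (p["flags"] & {"ACK", "RST"}):
            continue
        return action == "permit"
    return False  # implicit "deny ip any any"

# Istvan's suggestion, applied inbound on the Y interface
ISTVAN_IN = [("permit", "tcp", Y_NET, X_NET, True)]
# The later post with the deny listed first: the permit line is never reached
DENY_FIRST = [("deny", "ip", ANY, ANY, False), ("permit", "tcp", ANY, ANY, True)]

class StatefulInspector:
    """Minimal stateful alternative: Y->X traffic is only allowed when it
    belongs to a flow that X opened first (flow keyed on the 4-tuple)."""
    def __init__(self):
        self.flows = set()

    def outbound(self, p):   # X -> Y packet leaving toward Y
        if "SYN" in p["flags"]:
            self.flows.add((p["dst"], p["dport"], p["src"], p["sport"]))
        return True

    def inbound(self, p):    # Y -> X packet arriving on the Y interface
        return (p["src"], p["sport"], p["dst"], p["dport"]) in self.flows
```

Running the assertions below shows the point made in the thread: a plain ACK segment from Y passes the "established" ACL even with no matching X-initiated connection, while the flow tracker rejects it.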
If my suggestion with the "established" keyword was successful for you, could you please rate my post, thereby giving an evaluation of my help.