ACL for two interfaces on Firewall

LANSK — Fri, 21 Feb 2020 17:55:10 GMT

Hello guys,

I am configuring a Firewall (transparent mood) in between PLC and Field Bus Module ( Modbus to TCP, port 502 ).

PLC and Field Bus Module are in the same ip range and both are connected to firewall port 1 and 2.

Firewall's port 1 and port 2 is part of same security level and traffic is permitted to travel within the same security level.

also created BVI interface and added firewall's port 1 and 2 in to the same BVI group.

This is what i would like to achieve:

I want to block only port 1 can talk to field bus module and port 2 can communicate via PLC.

So i wrote the bellow ACL.

01. created an Object network and added the hosts :

object network PERMIT_PROD
host 192.168.1.100
object network PERMIT_PROD2
host 192.168.1.101
!
!

02. Access -List :

access-list ACL_PERMIT_PROD extended permit ip object PERMIT_PROD host 192.168.1.1
access-list ACL_PERMIT_PROD2 extended permit ip object PERMIT_PROD2 host 192.168.1.1
!
!
access-group ACL_PERMIT_PROD in interface prod
access-group ACL_PERMIT_PROD2 in interface prod2
!
!

prod = nameif for interface 1

prod2 =nameif for interface 2

My Issues :

01. Firewall is not restricting the port 1 for 192.168.1.100 and Port 2 192.168.1.101. It can use vise versa.

question: Is that caused by BVI interface ?

is there any work around without removing it ?

02. To make it communicate only via modbus (port 502 ) do i have to modify the ACL as bellow ? :

access-list ACL_PERMIT_PROD2 extended permit ip object PERMIT_PROD2 host 192.168.1.1 eq 502

Thank you for your time.

Re: ACL for two interfaces on Firewall

hslai — Fri, 21 Feb 2020 03:34:35 GMT

I moved your post to Network Security.

I would suggest you to follow the info at

Basic Troubleshooting For traffic throu... - Cisco Community

topic Re: ACL for two interfaces on Firewall in Network Security

ACL for two interfaces on Firewall

Re: ACL for two interfaces on Firewall