https://community.cisco.com/t5/network-security/acl-allowing-and-denying/m-p/5162788#M1115197 <P>There is no topology that illustrates what has been mentioned because there are no interfaces that I can assign as S &amp; D. The idea is that there are servers hosted in the cloud, and I want to create Denying between them.</P><P>Do I need to add:</P><P>Deny 20.200.108.10/32 as the source &amp; 20.200.92.20/32 as the destination</P><P>along with the following line</P><P>Deny 20.200.92.20/32 as the source &amp; 20.200.108.10/32 as the destination</P><P>According to my understanding of Policing, it should be sufficient to block from one side only, but this scenario has caused confusion for me. Are there scenarios that require blocking from both sides in the same way?</P> Mon, 19 Aug 2024 18:48:38 GMT Eng-Ruthless 2024-08-19T18:48:38Z https://community.cisco.com/t5/network-security/acl-allowing-and-denying/m-p/5162783#M1115195 <P>Greetings,</P><P>I hope to help you clarify the concept of (ACL, Allowing and Denying).</P><P>I have a Cloud portal where I hosted Two Servers, and the support team added a section for me (Firewall), which is just an ACL.</P><P><U><STRONG>SRV1 IP: 20.200.92.20</STRONG></U><BR /><U><STRONG>SRV2 IP: 20.200.108.10</STRONG></U></P><P>However, I discovered that if I enter SRV2, I can access SRV1 through it.</P><P>So, from the Firewall section, I added a policy in the first place:</P><P><U><STRONG>Deny 20.200.108.10/32 as the source &amp; 20.200.92.20/32 as the destination</STRONG></U></P><P>But the connection is still active. The most important question is: do I need to add the following line?</P><P><U><STRONG>Deny 20.200.92.20/32 as the source &amp; 20.200.108.10/32 as the destination</STRONG></U></P><P>Please clarify, if possible.</P> Mon, 19 Aug 2024 18:37:38 GMT https://community.cisco.com/t5/network-security/acl-allowing-and-denying/m-p/5162783#M1115195 Eng-Ruthless 2024-08-19T18:37:38Z https://community.cisco.com/t5/network-security/acl-allowing-and-denying/m-p/5162785#M1115196 <P>Can you share topolgy&nbsp;</P> <P>MHM</P> Mon, 19 Aug 2024 18:43:47 GMT https://community.cisco.com/t5/network-security/acl-allowing-and-denying/m-p/5162785#M1115196 MHM Cisco World 2024-08-19T18:43:47Z https://community.cisco.com/t5/network-security/acl-allowing-and-denying/m-p/5162788#M1115197 <P>There is no topology that illustrates what has been mentioned because there are no interfaces that I can assign as S &amp; D. The idea is that there are servers hosted in the cloud, and I want to create Denying between them.</P><P>Do I need to add:</P><P>Deny 20.200.108.10/32 as the source &amp; 20.200.92.20/32 as the destination</P><P>along with the following line</P><P>Deny 20.200.92.20/32 as the source &amp; 20.200.108.10/32 as the destination</P><P>According to my understanding of Policing, it should be sufficient to block from one side only, but this scenario has caused confusion for me. Are there scenarios that require blocking from both sides in the same way?</P> Mon, 19 Aug 2024 18:48:38 GMT https://community.cisco.com/t5/network-security/acl-allowing-and-denying/m-p/5162788#M1115197 Eng-Ruthless 2024-08-19T18:48:38Z https://community.cisco.com/t5/network-security/acl-allowing-and-denying/m-p/5164695#M1115276 <P><SPAN>""However, I discovered that if I enter SRV2, I can access SRV1 through it.""</SPAN></P> <P><SPAN>How that can happened?&nbsp;</SPAN></P> <P><SPAN>The only thing make this allow is both server use GW different than FW' in such traffic between two server not filter by FW</SPAN></P> <P><SPAN>MHM</SPAN></P> <P>&nbsp;</P> Thu, 22 Aug 2024 20:37:50 GMT https://community.cisco.com/t5/network-security/acl-allowing-and-denying/m-p/5164695#M1115276 MHM Cisco World 2024-08-22T20:37:50Z