11-25-2019 03:39 AM
Hi, I have a problem with a simulation in Cisco Packet Tracer: I have to use only ACLs (not VPN or anything else; it's school work) in the attached diagram. The 192.168.1.0 subnet can only talk to the 192.168.2.50 server, and likewise, hosts that are in the 192.168.2.50 subnet can only talk to the 192.168.1.50 server. I have already tried different ACL configurations; all the routes are static and I can't put the servers in another subnet. I attached the project .pkt file in case you need it to help me. Thanks.
11-26-2019 05:18 AM
Network traffic will be filtered when packets arrive and when they return to their source.
If you allow traffic to a remote server and deny the rest of the remote network, you are also denying responses from the local server to the remote network.
Therefore, in addition to allowing traffic to the remote server, you must also allow responses from the local server to the remote network:
router1
access-list 100 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.50
access-list 100 permit ip host 192.168.1.50 192.168.2.0 0.0.0.255 <-- allows local server response
router 2
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.50
access-list 100 permit ip host 192.168.2.50 192.168.1.0 0.0.0.255 <-- allows local server response
Regards
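To make the point above concrete, here is an added example (not from the thread) that models IOS extended ACL evaluation in Python: first match wins, with the implicit deny at the end. It assumes both ACLs are applied inbound on each router's LAN interface and uses constructed host addresses (192.168.1.10, 192.168.2.10); it shows that with only the "permit to the remote server" entry the server's reply is dropped, and that the extra entry fixes it.

```python
from ipaddress import IPv4Address

# Added example, not configuration from the thread: a minimal model of
# Cisco extended ACL evaluation (first match wins, implicit deny at the end).

def matches(addr, network, wildcard):
    """Cisco wildcard semantics: every 0 bit in the wildcard must match."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def acl_permits(acl, src, dst):
    """acl: list of (action, src_net, src_wild, dst_net, dst_wild) tuples."""
    for action, sn, sw, dn, dw in acl:
        if matches(src, sn, sw) and matches(dst, dn, dw):
            return action == "permit"
    return False  # implicit deny: no entry matched

HOST = "0.0.0.0"  # wildcard equivalent of the "host x.x.x.x" keyword

# Inbound ACL on each router's LAN interface (assumed placement).
R1_FIRST_TRY = [("permit", "192.168.1.0", "0.0.0.255", "192.168.2.50", HOST)]
R2_FIRST_TRY = [("permit", "192.168.2.0", "0.0.0.255", "192.168.1.50", HOST)]
# The corrected ACLs add the "local server response" entry from the post.
R1_FIXED = R1_FIRST_TRY + [("permit", "192.168.1.50", HOST, "192.168.2.0", "0.0.0.255")]
R2_FIXED = R2_FIRST_TRY + [("permit", "192.168.2.50", HOST, "192.168.1.0", "0.0.0.255")]

def ingress_acl(r1, r2, src):
    """A 192.168.1.x source enters R1's LAN interface; anything else enters R2's."""
    return r1 if src.startswith("192.168.1.") else r2

def session_ok(r1, r2, client, server):
    """A session works only if the request AND the reply are both permitted."""
    request = acl_permits(ingress_acl(r1, r2, client), client, server)
    reply = acl_permits(ingress_acl(r1, r2, server), server, client)
    return request and reply

if __name__ == "__main__":
    print("first try:", session_ok(R1_FIRST_TRY, R2_FIRST_TRY, "192.168.1.10", "192.168.2.50"))
    print("fixed:    ", session_ok(R1_FIXED, R2_FIXED, "192.168.1.10", "192.168.2.50"))
```

The same model also shows the trade-off of a stateless ACL: the added entry lets the local server itself open sessions to any host in the remote subnet, not just answer them.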
11-30-2019 01:26 PM
According to the topology, the network traffic should be blocked based on a particular subnet/network, so an extended access list should be used here.
From R2's perspective:
R2#
ip access-list extended ONLY_ALLOW_1X_NETWORK
 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.50
 deny ip 192.168.1.254 0.0.0.255 host 192.168.2.50
 deny ip 10.0.0.0 0.255.255.255 host 192.168.2.50
 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.50
Placement of Access-List on R2
# interface fa/serial x/x <----------The point at (10.10.10.2)
ip access-group ONLY_ALLOW_1X_NETWORK in
From R1's perspective:
R1#
ip access-list extended ONLY_ALLOW_2X_NETWORK
 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.50
 deny ip 192.168.2.254 0.0.0.255 host 192.168.1.50
 deny ip 10.0.0.0 0.255.255.255 host 192.168.1.50
 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.50
Placement of Access-List on R1
# interface fa/serial x/x <----------The point at (10.10.10.1)
ip access-group ONLY_ALLOW_2X_NETWORK in
So, based on the above configuration, only the host PCs will be allowed to access only the other/remote side's servers, respectively. Neither hosts in the same zone/network nor the WAN link (10.0.0.0 network) will get access.
Being specific, the configuration is written accordingly; otherwise, the implicit deny will be applied at the end by default.
I hope that helps. Further suggestions are always welcomed.
DM