ACL extended ip protocol Problem

Hi, I have a problem with a simulation in Cisco Packet Tracer: I have to use only ACLs (not VPN or anything else, it's school work) in the attached diagram. The 192.168.1.0 subnet can only talk to the 192.168.2.50 server, and likewise the hosts that are in the 192.168.2.50 subnet can only talk to the 192.168.1.50 server. I have already tried different ACL configurations; all the routes are static and I can't put the servers in another subnet. I attached the project file (.pkt) in case you need it to help me. Thanks.


luis_cordova
VIP Alumni

Hi @federico chinaglia 

 

Network traffic will be filtered when packets arrive and when they return to their source.

If you allow traffic to a remote server and deny the rest of the remote network, you are also denying responses from the local server to the remote network.

Therefore, in addition to allowing traffic to the remote server, you must also allow responses from the local server to the remote network:

 

router1
access-list 100 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.50
access-list 100 permit ip host 192.168.1.50 192.168.2.0 0.0.0.255   <-- allows local server response

router2
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.50
access-list 100 permit ip host 192.168.2.50 192.168.1.0 0.0.0.255   <-- allows local server response

 

Regards

DM32830067
Level 1

According to the topology, the network traffic should be blocked based on a particular subnet/network, so an extended access list should be used here.

 

For R2's Perspective,

R2(config)#

! named extended ACL: inside "ip access-list extended" each entry is written as
! "permit ip ..." / "deny ip ..." (no "access-list" prefix and no list number)
ip access-list extended ONLY_ALLOW_1X_NETWORK
 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.50
 deny ip 192.168.1.254 0.0.0.255 host 192.168.2.50
 deny ip 10.0.0.0 0.255.255.255 host 192.168.2.50
 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.50

Placement of Access-List on R2

interface fa/serial x/x   <-- the WAN interface with address 10.10.10.2
 ip access-group ONLY_ALLOW_1X_NETWORK in

 

For R1's Perspective,

R1(config)#

! same named-ACL syntax as on R2
ip access-list extended ONLY_ALLOW_2X_NETWORK
 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.50
 deny ip 192.168.2.254 0.0.0.255 host 192.168.1.50
 deny ip 10.0.0.0 0.255.255.255 host 192.168.1.50
 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.50

Placement of Access-List on R1

interface fa/serial x/x   <-- the WAN interface with address 10.10.10.1
 ip access-group ONLY_ALLOW_2X_NETWORK in

So, based on the above configuration, only the host PCs will be allowed to access the servers on the other/remote side, respectively. Neither hosts in the same zone/network nor the WAN link (10.0.0.0 network) will get access.

To be specific, the configuration is written this way; otherwise the implicit deny will be applied at the end by default.

I hope that helps. Further suggestions are always welcomed.

DM
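The following is a small evaluator for IOS-style extended ACL entries, added here as an illustration; it is not part of either reply and not code from Packet Tracer or Cisco. It parses the `permit ip` / `deny ip` entries from both replies above (wildcard-mask semantics, first match wins, implicit deny at the end) and then checks a session in both directions, because a stateless ACL has to permit the request and the reply as two separate packets. The topology it assumes is the one in the question: 192.168.1.0/24 behind router1/R1, 192.168.2.0/24 behind R2, each router's ACL seeing the packets sourced from its own side of the link. The host addresses 192.168.1.10 and 192.168.2.20 are constructed sample values.

```python
import ipaddress

# Assumed topology from the question: one LAN per router, the .50 host on each side is the server.
LAN1 = ipaddress.ip_network("192.168.1.0/24")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a bit set in the wildcard is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))


def parse_ace(line):
    """Parse a numbered ('access-list 100 permit ip ...') or named-mode
    ('permit ip ...') extended entry. Only the 'ip' protocol keyword is modelled."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]  # drop 'access-list <number>'
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src = _parse_addr(tokens)
    dst = _parse_addr(tokens)
    return {"action": action, "src": src, "dst": dst}


def evaluate(acl, src, dst):
    """Top-down, first matching entry wins; no match hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"] == "permit"
    return False


def session_allowed(acl_from_lan1, acl_from_lan2, client, server):
    """A session only works if the request AND the reply are permitted.
    The ACL that sees a packet is chosen by the packet's source LAN."""
    def acl_for(src):
        return acl_from_lan1 if ipaddress.ip_address(src) in LAN1 else acl_from_lan2
    request_ok = evaluate(acl_for(client), client, server)
    reply_ok = evaluate(acl_for(server), server, client)
    return request_ok and reply_ok


# luis_cordova's entries: router1 filters packets sourced from 192.168.1.0/24,
# router2 filters packets sourced from 192.168.2.0/24.
LUIS_ROUTER1 = [
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.50",
    "access-list 100 permit ip host 192.168.1.50 192.168.2.0 0.0.0.255",
]
LUIS_ROUTER2 = [
    "access-list 100 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.50",
    "access-list 100 permit ip host 192.168.2.50 192.168.1.0 0.0.0.255",
]

# DM32830067's named ACLs, applied inbound on each router's WAN interface:
# R2's sees packets sourced from 192.168.1.0/24, R1's from 192.168.2.0/24.
DM_R2_IN = [
    "permit ip 192.168.1.0 0.0.0.255 host 192.168.2.50",
    "deny ip 192.168.1.254 0.0.0.255 host 192.168.2.50",
    "deny ip 10.0.0.0 0.255.255.255 host 192.168.2.50",
    "deny ip 192.168.2.0 0.0.0.255 host 192.168.2.50",
]
DM_R1_IN = [
    "permit ip 192.168.2.0 0.0.0.255 host 192.168.1.50",
    "deny ip 192.168.2.254 0.0.0.255 host 192.168.1.50",
    "deny ip 10.0.0.0 0.255.255.255 host 192.168.1.50",
    "deny ip 192.168.1.0 0.0.0.255 host 192.168.1.50",
]

# Constructed sample flows (client, server); .10 and .20 are made-up host addresses.
FLOWS = [
    ("192.168.1.10", "192.168.2.50"),  # host -> remote server, should work
    ("192.168.2.20", "192.168.1.50"),  # host -> remote server, should work
    ("192.168.1.10", "192.168.2.20"),  # host -> remote host, should be blocked
]

if __name__ == "__main__":
    for name, lan1_acl, lan2_acl in (("luis_cordova", LUIS_ROUTER1, LUIS_ROUTER2),
                                      ("DM32830067", DM_R2_IN, DM_R1_IN)):
        print(name)
        for client, server in FLOWS:
            req = evaluate(lan1_acl if ipaddress.ip_address(client) in LAN1 else lan2_acl, client, server)
            rep = evaluate(lan1_acl if ipaddress.ip_address(server) in LAN1 else lan2_acl, server, client)
            print(f"  {client} -> {server}: request={req} reply={rep} "
                  f"session={session_allowed(lan1_acl, lan2_acl, client, server)}")
```

The `reply` column is the thing to look at: a permitted request whose reply is denied shows up in Packet Tracer as a ping that times out, and on the router as growing match counters on the implicit-deny path in `show access-lists`. Adding the second `permit` for the local server's source address, as in the first reply, is what turns that reply column to True.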