Reflect access control list help

reashad
Level 1

I am wondering how to create an ACL for this scenario:

LAN-A connected to Router-1 on fa0/0 and subnet is 1.1.1.0/24

LAN-B connected to Router-1 on fa0/1 and subnet is 2.2.2.0/24

ACL requirement:

  1. LAN-A can initiate and continue the conversation with LAN-B using all protocols (permit IP)
  2. LAN-B should not initiate any conversation with LAN-A
1 Accepted Solution

I was able to solve this as well:

interface FastEthernet0/0
 ! LAN-A
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 ! LAN-B
 ip address 2.2.2.1 255.255.255.0
 ! the access-group names must match the ACL names defined below
 ip access-group inbound-LAN-B in
 ip access-group outbound-LAN-B out
!
interface FastEthernet1/0
 ! internet
 ip address dhcp
!
ip access-list extended outbound-LAN-B
 ! permits and watches LAN-A's connections to LAN-B
 permit ip 1.1.1.0 0.0.0.255 any reflect Mirror timeout 30
 ! permits LAN-B to go to internet/other subnets
 permit ip any any
!
ip access-list extended inbound-LAN-B
 ! permits or denies based on the self-created Mirror ACL
 evaluate Mirror
 ! denies LAN-B's initial connection going out to LAN-A
 deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
 ! permits internet/other subnet traffic going to LAN-B
 permit ip any any

 

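An added model of the accepted solution's ACL pair on FastEthernet0/1 (example code written for this page, not the poster's or Cisco's): it walks the flows the requirement cares about plus the idle-timeout edge case, using constructed hosts 1.1.1.10, 2.2.2.20, 2.2.2.30 and 203.0.113.5 and a simplified first-match reflexive state table.

```python
from ipaddress import ip_address, ip_network

LAN_A = ip_network("1.1.1.0/24")   # behind fa0/0
LAN_B = ip_network("2.2.2.0/24")   # behind fa0/1

class ReflexiveAclPair:
    """Simplified model of outbound-LAN-B / inbound-LAN-B sharing the 'Mirror' list."""

    def __init__(self, timeout=30):
        self.timeout = timeout      # 'reflect Mirror timeout 30' (idle seconds)
        self.mirror = {}            # return-direction 5-tuple -> expiry time

    def outbound(self, proto, src, sport, dst, dport, now=0):
        """Packet leaving fa0/1 toward LAN-B (ip access-group outbound-LAN-B out)."""
        if ip_address(src) in LAN_A:
            # permit ip 1.1.1.0 0.0.0.255 any reflect Mirror: permit, and record the
            # reversed flow so the reply can be matched later by 'evaluate Mirror'
            self.mirror[(proto, dst, dport, src, sport)] = now + self.timeout
            return True
        return True                 # permit ip any any (e.g. internet -> LAN-B)

    def inbound(self, proto, src, sport, dst, dport, now=0):
        """Packet entering fa0/1 from LAN-B (ip access-group inbound-LAN-B in)."""
        key = (proto, src, sport, dst, dport)
        if key in self.mirror:      # evaluate Mirror
            if now < self.mirror[key]:
                self.mirror[key] = now + self.timeout   # activity refreshes the idle timer
                return True
            del self.mirror[key]    # idle timeout expired: fall through to the static lines
        if ip_address(src) in LAN_B and ip_address(dst) in LAN_A:
            return False            # deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
        return True                 # permit ip any any (LAN-B -> internet)

def run_scenario():
    """Constructed hosts: a in LAN-A, b/b2 in LAN-B, net is an internet host."""
    acl = ReflexiveAclPair()
    a, b, b2, net = "1.1.1.10", "2.2.2.20", "2.2.2.30", "203.0.113.5"
    return {
        "A_to_B_syn": acl.outbound("tcp", a, 40000, b, 22, now=0),         # LAN-A initiates
        "B_to_A_reply": acl.inbound("tcp", b, 22, a, 40000, now=10),        # reflected reply
        "B_to_A_new": acl.inbound("tcp", b2, 50000, a, 22, now=10),         # LAN-B initiates
        "B_to_internet": acl.inbound("tcp", b2, 50001, net, 443, now=10),   # not toward LAN-A
        "B_to_A_reply_late": acl.inbound("tcp", b, 22, a, 40000, now=100),  # entry expired
    }

if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:18} {'permit' if allowed else 'deny'}")
```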

3 Replies

balaji.bandi
Hall of Fame

Not sure what the device here is and what version of code it is running; you can look at examples (reflexive ACL):

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#reflexacl

If you want only TCP sessions, look at the example below: (Allow Only Internal Networks to Initiate a TCP Session)

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html

BB

TJ-20933766
Spotlight
ip access-list extended INBOUND
 ! only reflected return traffic is permitted; everything else hits the implicit deny
 evaluate MIRROR
!
ip access-list extended OUTBOUND
 ! sessions leaving toward LAN-B create MIRROR entries for their return traffic
 permit tcp any any reflect MIRROR
 permit udp any any reflect MIRROR
 permit icmp any any reflect MIRROR
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 2.2.2.1 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out

Tested and verified in GNS3 using c2691 running version 12.4(25d)