01-23-2021 10:36 PM - edited 01-24-2021 11:44 AM
I am wondering how to create an ACL for this scenario:
LAN-A connected to Router-1 on fa0/0 and subnet is 1.1.1.0/24
LAN-B connected to Router-1 on fa0/1 and subnet is 2.2.2.0/24
ACL requirement:
01-24-2021 12:01 PM - edited 01-24-2021 12:30 PM
I was able to solve this as well:
interface FastEthernet0/0
 ! LAN-A
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 ! LAN-B
 ip address 2.2.2.1 255.255.255.0
 ip access-group inbound-LAN-B in
 ip access-group outbound-LAN-B out
!
interface FastEthernet1/0
 ! internet
 ip address dhcp
!
ip access-list extended outbound-LAN-B
 ! permits and watches LAN-A's connections to LAN-B
 permit ip 1.1.1.0 0.0.0.255 any reflect Mirror timeout 30
 ! permits LAN-B to go to internet/other subnets
 permit ip any any
!
ip access-list extended inbound-LAN-B
 ! permits or denies based on the self-created Mirror ACL
 evaluate Mirror
 ! denies LAN-B's initial connections going out to LAN-A
 deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
 ! permits internet/other subnet traffic going to LAN-B
 permit ip any any
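To make the interaction of `reflect`, `evaluate`, the explicit `deny` and the `timeout 30` in the accepted answer concrete, here is an added Python model of that policy. It is an illustration written for this thread, not IOS or Cisco code: it reduces a reflexive ACL to 5-tuple matching with a constructed packet clock, applies the two lists to fa0/1 in the same directions as the config above, and feeds in constructed sample packets (LAN-A opens SSH to LAN-B, the reply comes back, LAN-B tries to initiate toward LAN-A, LAN-B goes to the internet, and a late reply past the 30-second idle timer). Class and function names are the example's own.

```python
"""Toy model of the reflexive-ACL policy from the accepted answer (not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_A = ipaddress.ip_network("1.1.1.0/24")   # subnets from the thread
LAN_B = ipaddress.ip_network("2.2.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    t: int          # seconds since start (constructed clock, used for the idle timeout)
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    reflect: Optional[str] = None   # name of the reflexive list this entry populates
    timeout: int = 300              # IOS default global reflexive timeout is 300 s


@dataclass(frozen=True)
class Evaluate:
    name: str                       # an 'evaluate <name>' entry


class Router:
    """Holds the two ACLs on fa0/1 plus the temporary (reflexive) entries."""

    def __init__(self):
        # reflexive lists: name -> {5-tuple of the expected return flow: (expiry, timeout)}
        self.reflexive = {}
        # ACL applied 'out' on fa0/1: traffic leaving the router toward LAN-B
        self.outbound = [
            Rule("permit", "ip", LAN_A, ANY, reflect="Mirror", timeout=30),
            Rule("permit", "ip", ANY, ANY),
        ]
        # ACL applied 'in' on fa0/1: traffic arriving from LAN-B
        self.inbound = [
            Evaluate("Mirror"),
            Rule("deny", "ip", LAN_B, LAN_A),
            Rule("permit", "ip", ANY, ANY),
        ]

    @staticmethod
    def _matches(rule, pkt):
        return ((rule.proto == "ip" or rule.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in rule.src
                and ipaddress.ip_address(pkt.dst) in rule.dst)

    def _run_acl(self, acl, pkt):
        for entry in acl:
            if isinstance(entry, Evaluate):
                mirrored = self.reflexive.get(entry.name, {})
                key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
                if key in mirrored:
                    expiry, timeout = mirrored[key]
                    if pkt.t < expiry:
                        # Return traffic of a session opened from the other side;
                        # IOS refreshes the idle timer on each matching packet.
                        mirrored[key] = (pkt.t + timeout, timeout)
                        return "permit"
                continue                # no live temporary entry: fall through to static entries
            if self._matches(entry, pkt):
                if entry.action == "permit" and entry.reflect:
                    # Install the mirror image of this flow so replies pass 'evaluate'
                    reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
                    self.reflexive.setdefault(entry.reflect, {})[reverse] = (
                        pkt.t + entry.timeout, entry.timeout)
                return entry.action
        return "deny"                   # implicit deny at the end of every IOS ACL

    def forward(self, pkt):
        # Which list applies is decided by the side of fa0/1 the packet is on
        if ipaddress.ip_address(pkt.src) in LAN_B:
            return self._run_acl(self.inbound, pkt)
        if ipaddress.ip_address(pkt.dst) in LAN_B:
            return self._run_acl(self.outbound, pkt)
        return "permit"                 # never crosses fa0/1, so these ACLs do not see it


# Constructed sample traffic; 203.0.113.5 is a documentation address standing in for the internet
SAMPLE_TRAFFIC = [
    Packet(0,  "1.1.1.10", "2.2.2.20", "tcp", 40000, 22),     # LAN-A opens SSH to LAN-B
    Packet(1,  "2.2.2.20", "1.1.1.10", "tcp", 22, 40000),     # SSH reply from LAN-B
    Packet(2,  "2.2.2.30", "1.1.1.10", "tcp", 50000, 80),     # LAN-B tries to reach LAN-A first
    Packet(3,  "2.2.2.30", "203.0.113.5", "tcp", 50001, 443), # LAN-B to the internet
    Packet(60, "2.2.2.20", "1.1.1.10", "tcp", 22, 40000),     # same reply 59 s later, timer expired
]


def run(traffic=SAMPLE_TRAFFIC):
    """Return the verdict for each packet in order."""
    router = Router()
    return [router.forward(p) for p in traffic]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_TRAFFIC, run()):
        print(f"t={p.t:3d} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto}: {verdict}")
```

The model shows why the `deny` entry sits after `evaluate` and before `permit ip any any`: the reflexive hit has to win for return traffic, the deny then blocks anything LAN-B originates toward LAN-A, and everything else from LAN-B still gets out. The last packet also shows the cost of `timeout 30`: an idle session whose reply arrives after the timer has run out is treated as a new LAN-B-initiated flow and dropped. Real IOS additionally tears down TCP entries when it sees the session close, which this toy skips.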
01-24-2021 03:19 AM
Not sure what the device here is and what version of code it is running; you can look at the examples (reflexive ACL).
If you want only TCP sessions, look at the example below: (Allow Only Internal Networks to Initiate a TCP Session)
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
01-24-2021 10:47 AM
ip access-list extended INBOUND
 evaluate MIRROR
!
ip access-list extended OUTBOUND
 permit tcp any any reflect MIRROR
 permit udp any any reflect MIRROR
 permit icmp any any reflect MIRROR
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 2.2.2.1 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
Tested and verified in GNS3 using c2691 running version 12.4(25d)