847 Views, 0 Helpful, 10 Replies

ACCESS LIST PROBLEM

Muhammed AKYUZ
Level 1

Hi

I have 2 networks (VLAN routing), X and Y. I want this:

X can reach Y

Y cannot reach X

I have to apply it on Y's interface.

This looks very simple, but when X wants to reach Y, the return traffic from Y cannot get back to X.

Please help.. Thank you

10 Replies

aijaz802
Level 1

Hi,

I think this should work... apply it on the Y interface outbound...

access-list 101 deny ip y-subnet y-mask x-subnet x-mask

access-list 101 permit ip any any

What do you think...

Rate if it helps....

Regards,

*aijaz*

Goutam Sanyal
Level 4

hi,

Put the access-list the other way round (inbound instead of outbound).

Goutam

Pls rate if it works

int vlan y

ip access-group 101 in

access-list 101 deny ip y-subnet y-mask x-subnet x-mask

access-list 101 permit ip any any

Istvan_Rabai
Level 7

Hi Muhammed,

It is simple to solve this if you use TCP as the transport protocol.

access-list 101 permit tcp y-subnet y-mask x-subnet x-mask established

Apply this to the Y interface as "in".

The key here is the "established" keyword:

The access-list will only allow TCP packets with the ACK or RST bit set from Y-subnet to X-subnet.

The effect of this will be the following:

Hosts on X-subnet will be able to initiate TCP connections, and hosts on Y-subnet will be able to reply (ACK bit set).

Hosts on Y-subnet will not be able to initiate connections to X-subnet because their initial TCP packet will not have the ACK bit set, so the access-list will filter these packets.

Try this. It should work.

Cheers:

Istvan

Muhammed

I like the suggestion from Istvan. It addresses part of an issue that may not be obvious. When you have requirements that X should access Y but Y should not access X, then you have difficulties in trying to do it with access lists, because access lists do not generally distinguish between what is an attempt to initiate traffic and what is a response to traffic initiated from the other side. So when your access list has a deny with the Y address and mask as the source, it will deny both traffic initiated from Y to X and traffic that is a response from Y to X.

The TCP established is the one thing in access lists that does make this distinction. But it only does it for TCP traffic. To solve your requirements that X should access Y (and receive responses from Y) you need stateful inspection. If you have the right feature set in the code running on your router you should be able to configure ip inspect (or CBAC) to achieve what you have as your requirement.

HTH

Rick

HTH

Rick

Hi,

I have solved the problem via the TCP "established" keyword.

Solution:

On Y's interface, inbound (the permit must come before the deny, since the ACL is evaluated top-down and stops at the first match):

permit tcp any any established

deny ip any any

Thank you for all..

Based on state (context), make the router act as a firewall

except in reverse order, right?

This got me thinking... I wonder if there is a hack that could be run on a compromised "Y" webserver that would spoof an ACK bit set that would allow access (DOS, etc?) into the secure X network.

Yes, you are right. You can manually set the ACK bit to 1, then you can pass the router. A stateful firewall is better, but I use this in the local network at the backbone.
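To make the difference between Istvan's "established" ACL and the stateful inspection Rick recommends concrete, here is a small simulation added to this thread; it is not code from any of the posters or from Cisco IOS. The subnets, hosts and ports are constructed placeholders, and the stateful inspector is a minimal stand-in for the idea behind ip inspect / CBAC, not an implementation of it. It runs four constructed packets through both checks: a normal TCP reply from Y, a connection attempt from Y, a UDP reply from Y, and the unsolicited ACK-flagged packet the last two replies discuss.

```python
"""Stateless 'established' ACL vs. a stateful connection table, simulated.

Constructed scenario matching the thread: X may initiate traffic to Y,
Y may only answer. All addresses and ports are hypothetical placeholders.
"""
import ipaddress
from dataclasses import dataclass

X_SUBNET = ipaddress.ip_network("10.1.0.0/24")   # constructed placeholder for X
Y_SUBNET = ipaddress.ip_network("10.2.0.0/24")   # constructed placeholder for Y


@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp" or "udp" (ports are 0 for protocols without them)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset() # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


def in_net(addr, net):
    return ipaddress.ip_address(addr) in net


def acl_inbound_on_y(pkt):
    """Models the ACL applied inbound on VLAN Y:
         permit tcp any any established
         deny ip any any
    'established' matches any TCP packet with ACK or RST set. No state is kept."""
    if pkt.proto == "tcp" and (pkt.flags & {"ACK", "RST"}):
        return "permit"
    return "deny"


class StatefulInspector:
    """Hypothetical stand-in for stateful inspection: remembers flows that X
    opened toward Y and only admits packets from Y that belong to one of them."""

    def __init__(self):
        self.flows = set()

    def outbound_to_y(self, pkt):
        # Traffic from X toward Y: record the 5-tuple so the reply is recognised.
        if in_net(pkt.src, X_SUBNET) and in_net(pkt.dst, Y_SUBNET):
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        return "deny"

    def inbound_from_y(self, pkt):
        # The reversed tuple must exist; this works for UDP as well as TCP.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.flows else "deny"


def run_scenarios():
    """Returns {scenario: (established-ACL verdict, stateful verdict)}."""
    x_host, y_host = "10.1.0.10", "10.2.0.80"   # constructed hosts
    insp = StatefulInspector()
    results = {}

    # 1. X opens a TCP connection to Y; Y answers with SYN/ACK. Both checks allow it.
    syn = Packet("tcp", x_host, 40000, y_host, 80, frozenset({"SYN"}))
    synack = Packet("tcp", y_host, 80, x_host, 40000, frozenset({"SYN", "ACK"}))
    insp.outbound_to_y(syn)
    results["tcp_reply"] = (acl_inbound_on_y(synack), insp.inbound_from_y(synack))

    # 2. Y tries to open a connection to X: bare SYN, no ACK. Both checks drop it.
    y_syn = Packet("tcp", y_host, 50000, x_host, 22, frozenset({"SYN"}))
    results["tcp_y_initiates"] = (acl_inbound_on_y(y_syn), insp.inbound_from_y(y_syn))

    # 3. X sends a UDP query to Y. The reply is not TCP, so 'established' drops it;
    #    this is the limitation Rick describes, and the stateful table handles it.
    query = Packet("udp", x_host, 53000, y_host, 53)
    answer = Packet("udp", y_host, 53, x_host, 53000)
    insp.outbound_to_y(query)
    results["udp_reply"] = (acl_inbound_on_y(answer), insp.inbound_from_y(answer))

    # 4. An ACK-flagged packet from Y that belongs to no flow X opened. The stateless
    #    ACL only looks at flag bits and permits it; the stateful table rejects it.
    stray = Packet("tcp", y_host, 60000, x_host, 445, frozenset({"ACK"}))
    results["unsolicited_ack"] = (acl_inbound_on_y(stray), insp.inbound_from_y(stray))
    return results


if __name__ == "__main__":
    for name, (acl, stateful) in run_scenarios().items():
        print(f"{name:18s} established-ACL={acl:6s} stateful={stateful}")
```

The two columns line up with the thread: both approaches satisfy "X can reach Y over TCP, Y cannot initiate", but only the stateful table also returns UDP replies and refuses a packet from Y that merely carries the ACK bit.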

Hi Muhammed,

If my suggestion with the "established" keyword was successful for you, could you please rate my post, thereby giving an evaluation of my help.

Many thanks:

Istvan
