09-08-2020 11:08 AM
Hello, I'm confused trying to create an ACL...
I need to block traffic from 192.168.40.0/26 to 192.168.80.0/26
and I need to allow traffic from 192.168.80.0/26 to 192.168.40/26,
but I don't understand how I can do it. I tried putting an ACL on R2 to deny traffic from R1, but it is not working.
Can somebody help me?
PKT is attached.
R1
en
conf t
hostname R1
ip dhcp excluded-address 192.168.40.1 192.168.40.10
ip dhcp pool LAN2
 network 192.168.40.0 255.255.255.192
 default-router 192.168.40.1
int s0/0/0
 ip address 100.100.100.5 255.255.255.252
 no shutdown
int s0/1/0
 ip address 100.100.100.10 255.255.255.252
 no shutdown
int g0/1
 ip access-group 10 in
 ip address 192.168.40.1 255.255.255.192
 no shutdown
router ospf 2
 router-id 1.1.1.1
 network 192.168.40.1 0.0.0.63 area 0
 network 100.100.100.5 0.0.0.3 area 0
 network 100.100.100.10 0.0.0.3 area 0
end
wr

R2
en
conf t
hostname R2
ip dhcp excluded-address 192.168.80.1 192.168.80.10
ip dhcp pool LAN2
 network 192.168.80.0 255.255.255.192
 default-router 192.168.80.1
int s0/0/1
 ip address 100.100.100.14 255.255.255.252
 no shutdown
int s0/1/0
 ip address 100.100.100.9 255.255.255.252
 no shutdown
int g0/1
 ip access-group 10 in
 ip address 192.168.80.1 255.255.255.192
 no shutdown
router ospf 2
 router-id 2.2.2.2
 network 192.168.80.1 0.0.0.63 area 0
 network 100.100.100.9 0.0.0.3 area 0
 network 100.100.100.14 0.0.0.3 area 0
end
wr

R3
en
conf t
hostname R3
access-list 101 permit tcp 192.168.20.0 0.0.0.255 host 192.168.80.2 eq 20
access-list 101 permit tcp 192.168.20.0 0.0.0.255 host 192.168.80.2 eq 21
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp pool LAN2
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
int s0/0/0
 ip address 100.100.100.6 255.255.255.252
 no shutdown
int s0/0/1
 ip address 100.100.100.13 255.255.255.252
 no shutdown
int g0/1
 ip access-group 101 in
 ip address 192.168.20.1 255.255.255.0
 no shutdown
router ospf 2
 router-id 3.3.3.3
 network 192.168.20.1 0.0.0.255 area 0
 network 100.100.100.6 0.0.0.3 area 0
 network 100.100.100.13 0.0.0.3 area 0
end
wr
09-08-2020 11:54 PM
Hello,
Use the config below on R2. This stops 192.168.40.0/26 from opening connections to 192.168.80.0/26 by blocking SYNs from 192.168.80.0/26.
R2
ip access-list extended BLOCK_TCP_SYN_ACL
 permit tcp 192.168.40.0 0.0.0.63 192.168.80.0 0.0.0.63 ack
 deny tcp 192.168.40.0 0.0.0.63 192.168.80.0 0.0.0.63 syn
 permit ip any any
!
interface GigabitEthernet0/1
 ip address 192.168.80.1 255.255.255.192
 ip access-group BLOCK_TCP_SYN_ACL in
09-09-2020 07:45 AM - edited 09-09-2020 07:46 AM
Hello,
Here is the ZBF configured on R1 (zipped .pkt file attached). I had to use a 2811 router, since that one supports the Zone Based Firewall.
09-08-2020 12:05 PM
Hello,
--> I need to block traffic since 192.168.40.0/26 to 192.168.80.0/26 and i need to allow traffic from 192.168.80.0/26 to 192.168.40/26
This is not possible with an ACL. At most, you can do that for TCP traffic. What you need is a Zone Based Firewall. Check if your IOS supports that:
R1(config)#zone ?
Is that command available?
09-08-2020 12:29 PM
I specifically need to block traffic from 40.0 to 80.0 but allow incoming traffic from 80.0 to 40.0
09-08-2020 12:42 PM
Hello,
Understood. You can only do one-way ACLs for TCP traffic. Otherwise, you need a Zone Based Firewall. Is TCP traffic sufficient?
09-08-2020 12:45 PM
Yes, TCP is enough, but I don't really know how to do it.
09-09-2020 04:40 AM
Hey boss, I tried, but I'm getting this....
09-09-2020 04:52 AM
That is because you are using Packet Tracer, which does not feature a full, real IOS. Do you need to do this in Packet Tracer? Are the zone based firewall commands available?
09-09-2020 05:37 AM
Yes, I need packet... but honestly I don't know how to do this using ZBF as you say.
09-09-2020 08:20 AM
Thanks a lot for taking the time to help me! I'm very thankful.
09-09-2020 08:07 AM
Hello,
Your router supports the below, which is exactly the same as what I posted before (one-way access only):
R2
interface GigabitEthernet0/1
 ip access-group TCP_ACL in
!
ip access-list extended TCP_ACL
 permit tcp 192.168.40.0 0.0.0.63 192.168.80.0 0.0.0.63 established
09-08-2020 12:56 PM - edited 09-09-2020 05:56 AM
I haven't studied what you've done, but in general most network application traffic depends on some form of two-way communication. I.e., if you fully block one direction's traffic, most network applications will fail, and so it will appear traffic is being blocked in both directions.
So, assuming you really want to block one direction's unsolicited traffic, you can "monitor" outbound traffic and look for "matching" responding traffic. For example, you might allow inbound (from "outside") traffic whose addresses (and optionally UDP/TCP ports) are the reverse of packets not seen too long ago going "out". This is known as stateful matching and is normally a basic function of firewalls.
Cisco routers often support a very rudimentary form of stateful matching called reflexive ACLs.
For TCP traffic, you can also consider allowing in TCP packets whose response bit is set.
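As an added illustration (not posted by anyone in this thread), a small Python model of the two mechanisms under discussion: the stateless `established` ACL from the 08:07 AM post, and the reflexive-ACL style stateful matching described just above, which is what makes a one-way block work for UDP as well. The hosts 192.168.40.2 and 192.168.80.2, the ports, and the packet model itself are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model for this example; flags is a frozenset of TCP flag names.
Packet = namedtuple("Packet", "src dst proto sport dport flags", defaults=[frozenset()])

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def established(pkt):
    # IOS 'established' matches TCP segments with ACK or RST set, i.e. anything
    # except the bare SYN that opens a new connection.
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})

def tcp_acl(pkt):
    # Stateless model of the thread's TCP_ACL followed by the implicit deny:
    #   permit tcp 192.168.40.0 0.0.0.63 192.168.80.0 0.0.0.63 established
    if (pkt.proto == "tcp" and in_net(pkt.src, "192.168.40.0/26")
            and in_net(pkt.dst, "192.168.80.0/26") and established(pkt)):
        return "permit"
    return "deny"

class ReflexiveAcl:
    # Rudimentary stateful matcher in the spirit of reflexive ACLs: remember flows
    # leaving the protected 192.168.80.0/26 side and permit only their exact mirror
    # image back in. Unlike 'established', this also works for UDP.
    def __init__(self):
        self.sessions = set()
    def outbound(self, pkt):
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
    def inbound(self, pkt):
        mirror = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "permit" if mirror in self.sessions else "deny"

def demo():
    # Verdicts for a constructed exchange; hosts .80.2 and .40.2 are made up.
    SYN, SYNACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    synack_back = Packet("192.168.40.2", "192.168.80.2", "tcp", 22, 40000, SYNACK)
    syn_new = Packet("192.168.40.2", "192.168.80.2", "tcp", 50000, 80, SYN)
    dns_query = Packet("192.168.80.2", "192.168.40.2", "udp", 53000, 53)
    dns_reply = Packet("192.168.40.2", "192.168.80.2", "udp", 53, 53000)
    dns_unsolicited = Packet("192.168.40.2", "192.168.80.2", "udp", 5353, 53)
    r = ReflexiveAcl()
    r.outbound(dns_query)                                  # .80.2 asked .40.2 first
    return {"tcp_acl_synack_back": tcp_acl(synack_back),   # permit: return traffic
            "tcp_acl_syn_new": tcp_acl(syn_new),           # deny: new connection
            "tcp_acl_udp_reply": tcp_acl(dns_reply),       # deny: 'established' is TCP only
            "reflexive_udp_reply": r.inbound(dns_reply),   # permit: mirror of seen query
            "reflexive_udp_unsolicited": r.inbound(dns_unsolicited)}  # deny: no session
```

The third verdict is the limitation both responders point at: the `established` trick gives one-way behaviour only for TCP, while the session table handles any protocol, which is what a ZBF or reflexive ACL does for real.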
09-09-2020 04:41 AM
Thanks for taking the time to give me a structured answer.