ACL Confusion

sinergycena
Level 1

Hello, I'm confused trying to create an ACL...

I need to block traffic from 192.168.40.0/26 to 192.168.80.0/26

and I need to allow traffic from 192.168.80.0/26 to 192.168.40.0/26

but I don't understand how I can do it. I tried putting an ACL in R2 to deny traffic from R1, but it is not working.

Can somebody help me?

The PKT file is attached.


R1

en
conf t
hostname R1
ip dhcp excluded-address 192.168.40.1 192.168.40.10
ip dhcp pool LAN2
 network 192.168.40.0 255.255.255.192
 default-router 192.168.40.1
int s0/0/0
 ip address 100.100.100.5 255.255.255.252
 no shutdown
int s0/1/0
 ip address 100.100.100.10 255.255.255.252
 no shutdown
int g0/1
 ip access-group 10 in
 ip address 192.168.40.1 255.255.255.192
 no shutdown
router ospf 2
 router-id 1.1.1.1
 network 192.168.40.1 0.0.0.63 area 0
 network 100.100.100.5 0.0.0.3 area 0
 network 100.100.100.10 0.0.0.3 area 0
end
wr



R2

en
conf t
hostname R2
ip dhcp excluded-address 192.168.80.1 192.168.80.10
ip dhcp pool LAN2
 network 192.168.80.0 255.255.255.192
 default-router 192.168.80.1
int s0/0/1
 ip address 100.100.100.14 255.255.255.252
 no shutdown
int s0/1/0
 ip address 100.100.100.9 255.255.255.252
 no shutdown
int g0/1
 ip access-group 10 in
 ip address 192.168.80.1 255.255.255.192
 no shutdown
router ospf 2
 router-id 2.2.2.2
 network 192.168.80.1 0.0.0.63 area 0
 network 100.100.100.9 0.0.0.3 area 0
 network 100.100.100.14 0.0.0.3 area 0
end
wr


R3

en
conf t
hostname R3
access-list 101 permit tcp 192.168.20.0 0.0.0.255 host 192.168.80.2 eq 20
access-list 101 permit tcp 192.168.20.0 0.0.0.255 host 192.168.80.2 eq 21
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp pool LAN2
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
int s0/0/0
 ip address 100.100.100.6 255.255.255.252
 no shutdown
int s0/0/1
 ip address 100.100.100.13 255.255.255.252
 no shutdown
int g0/1
 ip access-group 101 in
 ip address 192.168.20.1 255.255.255.0
 no shutdown
router ospf 2
 router-id 3.3.3.3
 network 192.168.20.1 0.0.0.255 area 0
 network 100.100.100.6 0.0.0.3 area 0
 network 100.100.100.13 0.0.0.3 area 0
end
wr
13 Replies

Hello,

 

--> I need to block traffic from 192.168.40.0/26 to 192.168.80.0/26 and I need to allow traffic from 192.168.80.0/26 to 192.168.40.0/26

 

This is not possible with an ACL. At most, you can do that for TCP traffic. What you need is a Zone Based Firewall. Check if your IOS supports that:

 

R1(config)#zone ?

 

Is that command available?

 

 

I specifically need to block traffic from 40.0 to 80.0 but allow incoming traffic from 80.0 to 40.0
 

Hello,

 

understood. You can only do one-way ACLs for TCP traffic. Otherwise, you need a Zone Based Firewall. Is TCP traffic sufficient?

Yes, TCP is enough, but I don't really know how to do it.

Hello,

 

use the config below on R2. This stops 192.168.40.0/26 from opening connections to 192.168.80.0/26 by blocking SYN from 192.168.80.0/26.

 

R2

 

ip access-list extended BLOCK_TCP_SYN_ACL
 permit tcp 192.168.40.0 0.0.0.63 192.168.80.0 0.0.0.63 ack
 deny tcp 192.168.40.0 0.0.0.63 192.168.80.0 0.0.0.63 syn
 permit ip any any
!
! g0/1 is the 192.168.80.0/26 LAN, so packets coming from 192.168.40.0/26 leave
! through it: the ACL has to be applied outbound here (inbound on g0/1 would only
! ever see packets sourced from 192.168.80.0/26 and the first two lines would never match)
interface GigabitEthernet0/1
 ip address 192.168.80.1 255.255.255.192
 ip access-group BLOCK_TCP_SYN_ACL out

Hey boss, I tried, but I'm getting this....


That is because you are using Packet Tracer, which does not feature a full, real IOS. Do you need to do this in Packet Tracer? Are the zone based firewall commands available?

Yes, I need Packet Tracer... but honestly I don't know how to do this using ZBF as you say.

Hello,

 

here is the ZBF configured on R1 (zipped .pkt file attached). I had to use a 2811 router since that one supports the Zone Based Firewall.

Thanks a lot for taking the time to help me! I'm very thankful.

Hello,

 

your router supports the below, which is exactly the same as what I posted before (one way access only):

 

R2

 

interface GigabitEthernet0/1
 ip access-group TCP_ACL out
!
! applied outbound toward the 192.168.80.0/26 LAN; the wildcard 0.0.0.63 covers the
! whole /26 (0.0.0.3 would only match hosts .0-.3); anything not matched is dropped by
! the implicit deny, so toward LAN 80 only TCP packets with ACK set (replies to
! connections opened from 192.168.80.0/26) get through
ip access-list extended TCP_ACL
 permit tcp 192.168.40.0 0.0.0.63 192.168.80.0 0.0.0.63 established

Joseph W. Doherty
Hall of Fame

I haven't studied what you've done, but in general, most network application traffic depends on some form of two-way communication. I.e. if you fully block one direction's traffic, most network applications will fail and so it will appear traffic is being blocked in both directions.

So, assuming you really want to block one direction's unsolicited traffic, you can "monitor" outbound traffic and look for "matching" responding traffic.  For example you might allow inbound (from "outside") traffic whose addresses (and optionally UDP/TCP ports) are the reverse of packets not seen too long ago going "out".  This is known as stateful matching, and normally, a basic function of firewalls.

Cisco routers often support a very rudimentary form of stateful matching called reflexive ACLs.

For TCP traffic, you can also consider allowing in TCP packets whose response bit is set.
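To check what the one-way "established" ACL from the replies above actually lets through, here is an added example that is not from this thread or from Cisco IOS: a small Python evaluator of IOS-style wildcard matching and first-match ACL semantics, run over constructed packets as R2 would see them outbound on g0/1 (toward the 192.168.80.0/26 LAN). It also shows why the trick only works for TCP (UDP has no ACK bit to match) and what a too-narrow wildcard or the wrong interface direction does; the host addresses and packet flows are made up for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ack: bool = False   # TCP ACK flag; IOS "established" matches packets with ACK (or RST) set

def wildcard_match(addr, net, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def ace_matches(ace, pkt):
    """One access-control entry: protocol, source, destination, optional 'established'."""
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
        return False
    return pkt.ack or not ace.get("established", False)

def evaluate(acl, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

LAN40 = ("192.168.40.0", "0.0.0.63")   # 192.168.40.0/26
LAN80 = ("192.168.80.0", "0.0.0.63")   # 192.168.80.0/26
# permit tcp 192.168.40.0 0.0.0.63 192.168.80.0 0.0.0.63 established  (then the implicit deny)
TCP_ACL = [{"action": "permit", "proto": "tcp", "src": LAN40, "dst": LAN80, "established": True}]

def check_flows():
    """Constructed packets, evaluated as R2 sees them outbound on g0/1 (toward LAN 80)."""
    h40, h80 = "192.168.40.20", "192.168.80.20"   # constructed sample hosts
    return {
        "syn_40_to_80": evaluate(TCP_ACL, Packet("tcp", h40, h80)),               # deny
        "synack_40_to_80": evaluate(TCP_ACL, Packet("tcp", h40, h80, ack=True)),  # permit
        "udp_reply_40_to_80": evaluate(TCP_ACL, Packet("udp", h40, h80)),         # deny: UDP has no ACK bit
        # the same ACL applied inbound on g0/1 would see LAN 80's own traffic and drop all of it
        "wrong_direction_80_to_40": evaluate(TCP_ACL, Packet("tcp", h80, h40)),   # deny
        # a 0.0.0.3 wildcard covers only hosts .0-.3, so host .20 misses the permit
        "narrow_wildcard_synack": evaluate([{**TCP_ACL[0], "dst": ("192.168.80.0", "0.0.0.3")}],
                                           Packet("tcp", h40, h80, ack=True)),   # deny
    }
```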

Thanks for taking the time to give me a structured answer.
