ACL traffic flow

tangt1, Level 1

Using Packet Tracer to test ACLs. I have a router with int g0/0 connecting to LAN 10.1.1.0/24. On the same router I have g0/1 connecting to LAN 11.1.3.0/24. I confirmed hosts in each LAN are able to ping across networks. I then placed an ACL (out) on interface g0/0. The ACL is working as it is denying traffic from source IP 11.1.3.0/24 to 10.1.1.0/24. However, I am unable to ping from hosts on 10.1.1.0/24 to hosts on 11.1.3.0/24. Do I need an ACL (in) on int g0/0 as well to allow traffic from 10.1.1.0/24 to 11.1.3.0/24?

10 deny 11.1.3.0 0.0.0.255
20 permit any

7 Replies

Hello
Just to confirm, you wish to deny 11.1.3.0/24 users from accessing 10.1.1.0/24, but you wish 10.1.1.0/24 users to be able to access 11.1.3.0/24?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Correct. The ACL works in denying 11.1.3.0/24 users access to 10.1.1.0/24. However, users in 10.1.1.0/24 can't communicate with 11.1.3.0/24 users, i.e. unable to telnet or ping into a switch on 11.1.3.0/24 from a host on 10.1.1.0/24.

Hi,

To allow one network to initiate traffic to another network and receive responses from the second network, while not allowing the second network to initiate traffic to the first network, is a challenge. The optimum solution is to have some device that does stateful inspection (such as a firewall), and an ACL is not a stateful firewall.

The simplest alternative, which works for TCP traffic only, is using the "established" keyword in the ACL, but it is not supported in PT.

access-list 101 permit tcp <source> <mask> <destination> <mask> established

So, finally, it is not possible in PT.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello

Try the example below:

access-list 100 permit tcp 11.1.3.0 0.0.0.255 any established 

access-list 100 deny ip 11.1.3.0 0.0.0.255 any

access-list 100 permit ip any any

This will only allow established TCP return traffic to 10.1.1.0 from 11.1.3.0 but allow 10.1.1.0 to communicate.

Int c/c

ip access-group 100 out

Another way would possibly be to use a reflexive ACL.


Kind Regards
Paul
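To make the two answers concrete, here is an added Python model (not IOS code and not from anyone in the thread) of how an outbound ACL on g0/0 evaluates packets headed for 10.1.1.0/24. It shows the poster's ACL dropping the replies to sessions that 10.1.1.0/24 itself opened, Paul's "established" entry letting TCP return traffic through, and an ICMP echo reply still being dropped, which is why ping needs a reflexive ACL or a stateful device. The host addresses, TCP flags and packet contents are constructed sample values.

```python
import ipaddress

# Constructed model of Cisco-style numbered ACL evaluation (not IOS code).
ANY = ("0.0.0.0", "255.255.255.255")  # "any" = match every address

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a ^ b) & care == 0

def ace_matches(ace, pkt):
    _action, proto, src, dst, established = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
        return False
    # "established" matches only TCP segments with ACK or RST set, i.e. segments
    # that belong to a session the other side has already opened.
    if established and not (pkt["flags"] & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

NET_11 = ("11.1.3.0", "0.0.0.255")
# The poster's ACL (a standard ACL checks the source only), applied out on g0/0:
ACL_ORIGINAL = [("deny", "ip", NET_11, ANY, False), ("permit", "ip", ANY, ANY, False)]
# Paul's ACL 100 with the established keyword, same interface and direction:
ACL_100 = [("permit", "tcp", NET_11, ANY, True),
           ("deny", "ip", NET_11, ANY, False),
           ("permit", "ip", ANY, ANY, False)]

# Constructed packets as they would leave g0/0 toward 10.1.1.0/24:
TELNET_FROM_11 = {"proto": "tcp", "src": "11.1.3.5", "dst": "10.1.1.5", "flags": {"SYN"}}
TELNET_REPLY = {"proto": "tcp", "src": "11.1.3.5", "dst": "10.1.1.5", "flags": {"SYN", "ACK"}}
PING_REPLY = {"proto": "icmp", "src": "11.1.3.5", "dst": "10.1.1.5", "flags": set()}

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("acl 100", ACL_100)):
        for label, pkt in (("telnet from 11.x", TELNET_FROM_11),
                           ("telnet reply", TELNET_REPLY), ("ping reply", PING_REPLY)):
            print(f"{name:8} {label:16} -> {evaluate(acl, pkt)}")
```

The original ACL denies the telnet reply as well as the telnet attempt from 11.1.3.0/24, ACL 100 permits the reply but still denies the echo reply, so the poster's telnet would start working while ping would not.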

Hi @paul driver 

He is using PT and it is not supported on PT. :)

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

@Deepak Kumar 

Packet Tracer has a limited feature set, so I am not at all surprised; however, the actual ACL example would work on proper software.


Kind Regards
Paul

Just to add to what the others have noted, I don't know if PT supports it, but reflexive ACLs support simple state. For example, an outbound ping would allow the ping reply, yet an outside ping, or an "unknown" ping reply, would be blocked. This is a bit better than using the EST flag alone and works for non-TCP traffic too.