how can i deny access in one direction, but not the other? (pkt)

meimeimei (Level 1)


Hi,

I'm sorry to bother you all, but I'm having some issues with the network I'm building in CISCO Packet Tracer.

In my network, I need to deny access from one direction but not the other. For instance, in my network, I need the VLAN 20 (172.16.8.0 /24), VLAN 30 (172.16.9.0 /24), VLAN 40 (172.16.10.0 /24) and VLAN 50 (172.16.0.0 /21)  to be blocked from accessing the VLAN 10 (172.16.11.0 /27), but not vice versa; 172.16.11.0 /27 must still be able to ping those networks, but those networks must not be able to ping 172.16.11.0 /27.

I initially tried doing this using ACLs on the MainRouter, but that did not work at all as packets were able to ping in both directions even when I added ACL to a particular interface.

Does anyone know what my issue might be, and what I should do in order to fix it? Should I use another network security protocol? Any help would be much appreciated.

18 Replies

For ICMP:

Allow ICMP reply and deny all other traffic.

Apply this ACL in the IN direction.

MHM

Gopinath_Pigili (Spotlight)

If you want to deny access only in one direction, you should configure an extended ACL. A standard ACL blocks two-way communication and an extended ACL blocks one-way communication...

Here is the sample configuration....

! numbered extended ACL: drop echo requests towards VLAN 10, allow everything else
access-list 101 deny icmp any 172.16.11.0 0.0.0.31 echo
access-list 101 permit ip any any
!
! under the chosen interface:
ip access-group 101 in

Best regards
******* If This Helps, Please Rate *******

On what interface should I put the ACL? Is it on interface g0/1.10, the one that handles VLAN 10?

Apply it to the interface that directly connects to the subnet you want to protect.

MHM

I tried that but it is still pinging in both directions.

Share the config, I will check.

MHM

here:

!
ip dhcp pool Administration
 network 172.16.11.0 255.255.255.224
 default-router 172.16.11.1
 dns-server 172.16.12.3
ip dhcp pool 4thFloor
 network 172.16.10.0 255.255.255.0
 default-router 172.16.10.1
 dns-server 172.16.12.3
ip dhcp pool Guest
 network 172.16.0.0 255.255.248.0
 default-router 172.16.0.1
 dns-server 172.16.12.3
!
no ip cef
no ipv6 cef
!
license udi pid CISCO2911/K9 sn FTX1524R5DB-
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/1
 no ip address
 ip access-group FILTER-ADMINISTRATION-VLAN-ACCESS in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 172.16.11.1 255.255.255.224
 ip helper-address 172.16.11.1
 ip access-group FILTER-ADMINISTRATION-VLAN-ACCESS in
!
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 172.16.10.1 255.255.255.0
 ip helper-address 172.16.10.1
!
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 172.16.0.1 255.255.248.0
 ip helper-address 172.16.0.1
!
interface GigabitEthernet0/2
 ip address 172.16.12.1 255.255.255.0
 ip access-group DENY-OTHER-VLANS-TO-ACCESS-THE-FILE-SERVER out
 duplex auto
 speed auto
!
interface Serial0/0/0
 description Link to 2ndFloor_Router
 ip address 172.16.11.34 255.255.255.252
!
interface Serial0/0/1
 description Link to 3rdFloor_Router
 ip address 172.16.11.38 255.255.255.252
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan50
 mac-address 0060.70e5.0a01
 no ip address
!
router rip
 version 2
 network 172.16.0.0
!
ip classless
!
ip flow-export version 9
!
ip access-list extended ONLY-ALLOW-VLAN-20-TO-ACCESS-THE-FILE-SERVER
 permit ip 172.16.8.0 0.0.0.255 host 172.16.12.2
ip access-list extended DENY-OTHER-VLANS-TO-ACCESS-THE-FILE-SERVER
 deny ip 172.16.0.0 0.0.7.255 host 172.16.12.2
 deny ip 172.16.9.0 0.0.0.255 host 172.16.12.2
 deny ip 172.16.10.0 0.0.0.255 host 172.16.12.2
 deny ip 172.16.11.0 0.0.0.31 host 172.16.12.2
 permit ip any any
ip access-list extended FILTER-ADMINISTRATION-VLAN-ACCESS
 deny ip 172.16.0.0 0.0.7.255 172.16.11.0 0.0.0.31
 deny ip 172.16.8.0 0.0.0.255 172.16.11.0 0.0.0.31
 deny ip 172.16.9.0 0.0.0.255 172.16.11.0 0.0.0.31
 deny ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.31
 permit ip 172.16.11.0 0.0.0.31 172.16.0.0 0.0.7.255
 permit ip 172.16.11.0 0.0.0.31 172.16.8.0 0.0.0.255
 permit ip 172.16.11.0 0.0.0.31 172.16.9.0 0.0.0.255
 permit ip 172.16.11.0 0.0.0.31 172.16.10.0 0.0.0.255
 deny ip any any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

I think I get the issue here.

Change the direction to be

OUT, not IN.

MHM

On int g0/1.10, right? It fails.

The interface where traffic from the source enters the router...

Best regards

Extended ACLs should be configured closer to the source... and applied on interface g0/1.10 in the inbound direction...

If the sources (VLAN 20, 30, 40 & 50) are connected to two different routers (2nd floor and 3rd floor), you should configure two extended ACLs, one on each router.

Please post the configuration...it might be helpful....

Best regards

here's the configuration for the main router:

ip dhcp pool Administration
 network 172.16.11.0 255.255.255.224
 default-router 172.16.11.1
 dns-server 172.16.12.3
ip dhcp pool 4thFloor
 network 172.16.10.0 255.255.255.0
 default-router 172.16.10.1
 dns-server 172.16.12.3
ip dhcp pool Guest
 network 172.16.0.0 255.255.248.0
 default-router 172.16.0.1
 dns-server 172.16.12.3
!
no ip cef
no ipv6 cef
!
license udi pid CISCO2911/K9 sn FTX1524R5DB-
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/1
 no ip address
 ip access-group FILTER-ADMINISTRATION-VLAN-ACCESS in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 172.16.11.1 255.255.255.224
 ip helper-address 172.16.11.1
 ip access-group FILTER-ADMINISTRATION-VLAN-ACCESS in
!
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 172.16.10.1 255.255.255.0
 ip helper-address 172.16.10.1
!
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 172.16.0.1 255.255.248.0
 ip helper-address 172.16.0.1
!
interface GigabitEthernet0/2
 ip address 172.16.12.1 255.255.255.0
 ip access-group DENY-OTHER-VLANS-TO-ACCESS-THE-FILE-SERVER out
 duplex auto
 speed auto
!
interface Serial0/0/0
 description Link to 2ndFloor_Router
 ip address 172.16.11.34 255.255.255.252
!
interface Serial0/0/1
 description Link to 3rdFloor_Router
 ip address 172.16.11.38 255.255.255.252
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan50
 mac-address 0060.70e5.0a01
 no ip address
!
router rip
 version 2
 network 172.16.0.0
!
ip classless
!
ip flow-export version 9
!
ip access-list extended ONLY-ALLOW-VLAN-20-TO-ACCESS-THE-FILE-SERVER
 permit ip 172.16.8.0 0.0.0.255 host 172.16.12.2
ip access-list extended DENY-OTHER-VLANS-TO-ACCESS-THE-FILE-SERVER
 deny ip 172.16.0.0 0.0.7.255 host 172.16.12.2
 deny ip 172.16.9.0 0.0.0.255 host 172.16.12.2
 deny ip 172.16.10.0 0.0.0.255 host 172.16.12.2
 deny ip 172.16.11.0 0.0.0.31 host 172.16.12.2
 permit ip any any
ip access-list extended FILTER-ADMINISTRATION-VLAN-ACCESS
 deny ip 172.16.0.0 0.0.7.255 172.16.11.0 0.0.0.31
 deny ip 172.16.8.0 0.0.0.255 172.16.11.0 0.0.0.31
 deny ip 172.16.9.0 0.0.0.255 172.16.11.0 0.0.0.31
 deny ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.31
 permit ip 172.16.11.0 0.0.0.31 172.16.0.0 0.0.7.255
 permit ip 172.16.11.0 0.0.0.31 172.16.8.0 0.0.0.255
 permit ip 172.16.11.0 0.0.0.31 172.16.9.0 0.0.0.255
 permit ip 172.16.11.0 0.0.0.31 172.16.10.0 0.0.0.255
 deny ip any any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Gopinath_Pigili (Spotlight)

Remove all ACLs if you configured any on other routers, for example:
Router(config)# no access-list 101
Router(config-if)# no ip access-group 101 in|out

Implement the following ACL on the 2nd Floor router:

! VLAN 20 (172.16.8.0/24) may not send echo requests to VLAN 10 (172.16.11.0/27); everything else is left alone
access-list 101 deny icmp 172.16.8.0 0.0.0.255 172.16.11.0 0.0.0.31 echo
access-list 101 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group 101 in

Note: There is no difference between applying an ACL on a physical or a sub-interface, as an ACL works at layers 3 and 4, not at a lower layer, hence it doesn't make any difference whether you apply it on the physical or the sub-interface.

After that, try to ping from a VLAN 20 PC to a VLAN 10 PC; you shouldn't see the communication...
But when you try to ping from a VLAN 10 PC to VLAN 20, you should see successful communication....

If you achieve this for one VLAN, the same way we can implement the other VLANs...

Best regards

The pings were still successful in both directions.
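As an added example (not code from the thread, and a simplified model of IOS rather than Packet Tracer output), this Python script replays the ACL placement from the posted config and contrasts it with a one-way ICMP filter on the same router; the interface names and subnets are the thread's, while the packet and ACE representation is assumed.

```python
"""Toy model of how IOS applies an interface ACL: inbound list on the
ingress interface, outbound list on the egress interface, first match
wins, implicit deny. Added example; not part of the thread's config."""
from ipaddress import ip_address, ip_network

# MainRouter subinterfaces and connected subnets from the posted config
IFACES = {"g0/1.10": ip_network("172.16.11.0/27"),   # VLAN 10 (Administration)
          "g0/1.40": ip_network("172.16.10.0/24"),   # VLAN 40 (4thFloor)
          "g0/1.50": ip_network("172.16.0.0/21")}    # VLAN 50 (Guest)
ANY = ip_network("0.0.0.0/0")
VLAN10, VLAN40, VLAN50 = IFACES["g0/1.10"], IFACES["g0/1.40"], IFACES["g0/1.50"]

def acl_permits(acl, pkt):
    """ACE = (action, proto, src, dst, icmp_type); proto 'ip' matches everything."""
    for action, proto, src, dst, itype in acl:
        if (proto in ("ip", pkt["proto"]) and pkt["src"] in src
                and pkt["dst"] in dst and itype in (None, pkt["icmp"])):
            return action == "permit"
    return False  # implicit 'deny ip any any' at the end of every IOS ACL

def forward(acls, pkt):
    """Route between connected subnets, checking the in-ACL then the out-ACL."""
    ingress = next(i for i, net in IFACES.items() if pkt["src"] in net)
    egress = next(i for i, net in IFACES.items() if pkt["dst"] in net)
    for hop in ((ingress, "in"), (egress, "out")):
        if hop in acls and not acl_permits(acls[hop], pkt):
            return False
    return True

def ping_ok(acls, src, dst):
    """A ping only succeeds if the echo and the echo-reply are both forwarded."""
    req = {"proto": "icmp", "icmp": "echo", "src": ip_address(src), "dst": ip_address(dst)}
    rep = {"proto": "icmp", "icmp": "echo-reply", "src": ip_address(dst), "dst": ip_address(src)}
    return forward(acls, req) and forward(acls, rep)

# 1) Excerpt of the posted ACL, applied 'in' on g0/1.10 as in the thread.
#    Pings from VLAN 40/50 enter on g0/1.40/g0/1.50 and leave on g0/1.10,
#    so they never pass through this list; only VLAN 10's own traffic does.
POSTED = {("g0/1.10", "in"): [
    ("deny", "ip", VLAN50, VLAN10, None), ("deny", "ip", VLAN40, VLAN10, None),
    ("permit", "ip", VLAN10, VLAN50, None), ("permit", "ip", VLAN10, VLAN40, None)]}

# 2) One-way ICMP filter applied 'out' on g0/1.10 (traffic towards VLAN 10):
#    echo-replies to VLAN 10 are allowed so its own pings still work, echo
#    requests into VLAN 10 are dropped, and everything else is left alone.
ONE_WAY = {("g0/1.10", "out"): [
    ("permit", "icmp", ANY, VLAN10, "echo-reply"),
    ("deny", "icmp", ANY, VLAN10, "echo"),
    ("permit", "ip", ANY, ANY, None)]}
```

The IOS equivalent of ONE_WAY is an extended list with `permit icmp any 172.16.11.0 0.0.0.31 echo-reply`, `deny icmp any 172.16.11.0 0.0.0.31 echo` and `permit ip any any`, applied with `ip access-group ... out` on g0/1.10 (list the four VLAN sources instead of `any` to leave the serial links untouched). This is stateless and covers ping only; one-way TCP would use the `established` keyword and anything stronger needs a stateful firewall.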
