12-14-2021 03:42 AM
Hello,
I have one scenario in which there are two VLANs, A and B, configured with IP addresses. I want to stop communication from users in A to B but want to allow it from B to A. How do I achieve this?
Solved! Go to Solution.
12-14-2021 03:31 PM
As both @Seb Rupik and @Richard Burts have noted, generally the best solution (for "inside" to "outside" allowed, but not "unexpected" converse) would be to use a FW, because it's stateful.
Two other Cisco features, that could possibly support such a requirement (as they too are stateful) might be usage of reflexive ACLs (see https://learningnetwork.cisco.com/s/article/reflexive-acls) or NAT/PAT. The former is somewhat a "poor man's" FW. The latter is usually not thought of in a security context, but can also, more or less, allow inside to outside, yet block much unexpected outside to inside.
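As an added illustration (not configuration posted by anyone in this thread) of the reflexive ACL approach mentioned above: VLAN A is assumed to be 10.0.1.0/24 behind SVI Vlan10 and VLAN B 10.0.2.0/24; both subnets and the interface name are constructed placeholders. Sessions that B initiates toward A are reflected into a temporary ACL, so A's replies are allowed, while anything A originates toward B is denied.

```cisco
! Constructed example. Assumes VLAN A = 10.0.1.0/24 on interface Vlan10,
! VLAN B = 10.0.2.0/24. Reflexive ACLs are an IOS router (software) feature;
! confirm your platform supports them before relying on this.

! Traffic leaving the SVI toward VLAN A (i.e. coming from B): permit it and
! record each B-initiated session in the temporary ACL B_INITIATED.
ip access-list extended TO_VLAN_A
 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 reflect B_INITIATED timeout 300
 permit ip any any

! Traffic entering the SVI from VLAN A: first match replies to sessions B
! started (evaluate must precede the deny), then block anything A originates
! toward B, and leave A's other traffic untouched.
ip access-list extended FROM_VLAN_A
 evaluate B_INITIATED
 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
 permit ip any any

interface Vlan10
 ip access-group TO_VLAN_A out
 ip access-group FROM_VLAN_A in
```

`show ip access-lists B_INITIATED` shows the reflected entries while a B-to-A session is active; they expire after the configured 300-second idle timeout, after which A's unsolicited traffic to B falls through to the deny.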
12-14-2021 03:58 AM
Hi there,
Using an ACL is not really an option in the scenario; even including the established keyword to permit return traffic from A to B will only work for TCP. Your best bet is to look at using IOS ZBF or place a dedicated firewall between the two VLANs.
cheers,
Seb.
12-14-2021 10:14 AM
What the original poster asks is challenging. If B should be able to communicate with A then what it means is that A must be able to respond to B but A should not be able to originate traffic to B. The best way to achieve this is to use something that does stateful inspection of the traffic, such as a firewall. ZBF comes close but I believe that the best solution is a firewall.