03-11-2020 02:13 AM
Dear Friends
I want to allow a host (10.10.10.2) to have access to the internet and block it from reaching the local network (10.10.20.0 & 10.20.20.0). At the same time, other hosts (10.10.20.0 & 10.20.20.0) in the local network need to be allowed to access that host (10.10.10.2).
I have created an ACL as below:
ip access-list extended 101
 10 permit ip any host 10.10.10.2
 20 deny ip host 10.10.10.2 10.10.0.0 0.0.255.255
 30 deny ip host 10.10.10.2 10.20.0.0 0.0.255.255
 40 permit ip host 10.10.10.2 any
The host is able to access the internet, but the local networks are not able to reach the host.
Please advise.
Thanks and Regards,
Hameed
03-11-2020 02:33 AM
You also need to allow traffic from the networks 10.10.20.0 & 10.20.20.0 to reach the 10.10.10.2 IP address.
03-11-2020 02:42 AM
03-11-2020 02:54 AM
Hello,
--> I want to allow a host (10.10.10.2) to have access to the internet and block it from reaching the local network (10.10.20.0 & 10.20.20.0). At the same time, other hosts (10.10.20.0 & 10.20.20.0) in the local network need to be allowed to access that host (10.10.10.2).
If you want to have one-way access (allow traffic from host 10.10.10.2 to the local networks but not vice versa), you could use the 'established' keyword:
access-list 101 permit tcp <source> <mask> <destination> <mask> established
03-11-2020 03:24 AM
03-11-2020 05:54 AM
Hello,
What subnet masks are you using for your networks?
10.10.10.0/?
10.10.20.0/?
10.20.20.0/?
The access list you configured:
access-list 101 permit tcp 10.10.20.0 0.0.255.255 host 10.10.10.2 established
cannot work because you are trying to permit traffic from within the same subnet, 10.10.0.0/16. You need to make sure all your networks have a /24 mask and change the access list to:
access-list 101 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.2 established
03-11-2020 08:10 AM
03-11-2020 04:04 AM
Hi,
For the unidirectional traffic flow, there are two possible use-cases, which one fits your needs?
1. only one side can initiate the traffic (10.10.20.0 and 10.20.20.0 towards 10.10.10.2), but once the session is established (like TCP), the flow is allowed both ways.
2. only one side can send traffic to the other side (10.10.20.0 and 10.20.20.0 towards 10.10.10.2), while reverse traffic (as a response or as a flow initiation) is denied.
Based on what you need, different solutions apply.
Regards,
Cristian Matei.
03-11-2020 04:24 AM
03-11-2020 04:35 AM - edited 03-11-2020 04:37 AM
Have you tried the option suggested with 'established'?
Since traffic can initiate from the other network to x.2, and x.2 cannot access anything.
Here is a reference guide if you are looking to refer to one:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
Once you have updated the ACL and tested it, let us know the outcome.
03-11-2020 11:15 AM
Hi,
And apply the ACL inbound on the interface which is the default gateway for 10.10.10.2:
ip access-list extended INGRESS_VLANX
 deny ip host 10.10.10.2 10.10.20.0 0.0.0.255
 deny ip host 10.10.10.2 10.20.20.0 0.0.0.255
 permit ip any any
Regards,
Cristian Matei.
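To see why a stateless ACL behaves as the original poster describes, here is an added example (not code from this thread or from Cisco) that models Cisco-style wildcard matching and the 'established' keyword in Python and evaluates both directions of a TCP handshake against the original ACL, and then against a variant that permits the host's replies (ACK/RST packets) to the local networks without letting it open sessions of its own. The host and network addresses are the thread's; the variant ACL and the client address 10.10.20.5 are constructed for the illustration.

```python
import ipaddress

# Entry layout: (action, proto, src, src_wildcard, dst, dst_wildcard, established)

def matches(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def evaluate(acl, src, dst, proto="tcp", ack=False):
    """First matching entry wins; implicit deny at the end.
    'established' matches only TCP segments with ACK (or RST) set."""
    for action, p, s, sw, d, dw, est in acl:
        if p not in ("ip", proto):
            continue
        if not (matches(src, s, sw) and matches(dst, d, dw)):
            continue
        if est and not (proto == "tcp" and ack):
            continue
        return action
    return "deny"

HOST = "10.10.10.2"
ANY = ("0.0.0.0", "255.255.255.255")
H = (HOST, "0.0.0.0")

# The ACL from the original post (entries 10..40), unchanged in meaning.
ORIGINAL = [
    ("permit", "ip", *ANY, *H, False),
    ("deny", "ip", *H, "10.10.0.0", "0.0.255.255", False),
    ("deny", "ip", *H, "10.20.0.0", "0.0.255.255", False),
    ("permit", "ip", *H, *ANY, False),
]

# Constructed variant: the host may answer sessions opened from the local
# /24s (ACK set), but its own SYNs towards them still hit the deny entries.
WITH_ESTABLISHED = [
    ORIGINAL[0],
    ("permit", "tcp", *H, "10.10.20.0", "0.0.0.255", True),
    ("permit", "tcp", *H, "10.20.20.0", "0.0.0.255", True),
] + ORIGINAL[1:]

def session_outcome(acl, client, server=HOST):
    """Evaluate a client SYN and the server's SYN-ACK against the same ACL."""
    syn = evaluate(acl, client, server, ack=False)
    syn_ack = evaluate(acl, server, client, ack=True)
    return syn, syn_ack
```

With the original entries the client's SYN is permitted but the host's SYN-ACK is dropped by entry 20, which is exactly "the local networks cannot reach the host"; the variant permits the reply while a host-initiated SYN towards 10.20.20.0/24 is still denied and internet traffic still passes.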