ACL-Allow a host to access internet and block local NW

shahulhameed
Level 3

Dear Friends

I want to allow a host (10.10.10.2) to access the internet but block it from reaching the local networks (10.10.20.0 & 10.20.20.0). At the same time, the other hosts in the local networks (10.10.20.0 & 10.20.20.0) need to be allowed to access that host (10.10.10.2).

I have created an ACL as below

 

access-list 101

10 permit ip any host 10.10.10.2

20 deny ip host 10.10.10.2 10.10.0.0 0.0.255.255

30 deny ip host 10.10.10.2 10.20.0.0 0.0.255.255

40 permit ip host 10.10.10.2 any

 

The host is able to access the internet, but the local networks are not able to reach the host.

 

Please advise

 

Thanks and Regards,

Hameed

10 Replies

balaji.bandi
Hall of Fame

You also need an allow entry for the networks 10.10.20.0 & 10.20.20.0 to reach the 10.10.10.2 IP address.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello Balaji

I have added 10 permit ip any host 10.10.10.2 as the first line, so it should allow all networks to reach the host.
Am I right?

Hello,

 

--> I want to allow a host (10.10.10.2) to access the internet but block it from reaching the local networks (10.10.20.0 & 10.20.20.0). At the same time, the other hosts in the local networks (10.10.20.0 & 10.20.20.0) need to be allowed to access that host (10.10.10.2).

 

If you want to have one way access (allow traffic from host 10.10.10.2 to local networks but not vice versa) you could use the 'established' keyword:

 

access-list 101 permit tcp <source> <mask> <destination> <mask> established

Hello Georg

"If you want to have one way access (allow traffic from host 10.10.10.2 to local networks but not vice versa) you could use the 'established' keyword:"

I want to allow the local networks to access the host 10.10.10.2, but not vice versa.

I have added the line to the access list, but it's not working

access-list 101 permit tcp 10.10.20.0 0.0.255.255 host 10.10.10.2 established

Hello,

 

What subnet masks are you using for your networks?

10.10.10.0/?
10.10.20.0/?
10.20.20.0/?

 

The access list you configured:

 

access-list 101 permit tcp 10.10.20.0 0.0.255.255 host 10.10.10.2 established

 

cannot work because you are trying to permit traffic from within the same subnet, 10.10.0.0/16. You need to make sure all your networks have a /24 mask and change the access list to:

 

access-list 101 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.2 established

Hello

Sorry friends, I made a typo

01. Host 10.10.10.2
02. Network 10.10.20.0/24
03. Network 10.10.30.0/24
04. Network 10.10.40.0/24
05. Network 10.20.20.0/24

My access-list is
access-list 101 permit tcp 10.10.0.0 0.0.255.255 host 10.10.10.2 established

I have some networks in the same range, so the host needs to be blocked from accessing the other networks.

But this is not working.

My duty time has finished now. I will check tomorrow and update.

Cristian Matei
VIP Alumni

Hi,


For the unidirectional traffic flow, there are two possible use-cases, which one fits your needs?

1. only one side can initiate the traffic (10.10.20.0 and 10.20.20.0 towards 10.10.10.2), but in the end once the session is established (like TCP), flow is allowed both ways.

2. only one side can send traffic to the other side (10.10.20.0 and 10.20.20.0 towards 10.10.10.2), while reverse traffic (as a response or as a flow initiation) is denied.

 

Based on what you need, different solutions apply.

 

Regards,

Cristian Matei.

I am looking for this

2. only one side can send traffic to the other side (10.10.20.0 and 10.20.20.0 towards 10.10.10.2), while reverse traffic (as a response or as a flow initiation) is denied.

Have you tried the option suggested with established?

 

Since traffic can be initiated from the other networks to x.2, and x.2 cannot access anything.

 

Here is a reference guide if you want to refer to it:

 

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html

 

Once you have updated the ACL and tested it, let us know the outcome.

BB


Hi,


And apply the ACL inbound on the interface which is the default gateway for 10.10.10.2

 

ip access-list extended INGRESS_VLANX 

  deny ip host 10.10.10.2 10.10.20.0 0.0.0.255

  deny ip host 10.10.10.2 10.20.20.0 0.0.0.255

  permit ip any any

 

Regards,

Cristian Matei.
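As an added illustration (not part of the thread and not Cisco IOS code), here is a small Python model of how an extended ACL evaluates a packet: first match wins, a packet that matches nothing hits the implicit deny, wildcard bits set to 1 are "don't care", and `established` only matches TCP segments with the ACK or RST bit set. It replays the wildcard-mask mistake Georg pointed out, the `established` line Hameed tried, and Cristian's final INGRESS_VLANX list against constructed packets. The addresses 10.10.20.5, 10.10.30.7 and 203.0.113.10 (standing in for "the internet") are made-up sample values, and the parser only understands the ACE syntax used in this thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: a minimal evaluator for Cisco-style extended ACL lines.
# It models only the syntax seen in the thread (permit/deny, ip/tcp/udp/icmp,
# any | host A | A WILDCARD, optional sequence number, 'established').


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    ack_or_rst: bool = False   # TCP ACK or RST bit set (what 'established' checks)


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: wildcard bits set to 1 are ignored."""
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (base_i & care)


def parse_addr(tokens, i):
    """Consume one address spec; return (base, wildcard, index of next token)."""
    tok = tokens[i]
    if tok == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tok, tokens[i + 1], i + 2


def parse_ace(line: str) -> dict:
    """Parse one access-control entry such as 'deny ip host 10.10.10.2 10.10.20.0 0.0.0.255'."""
    tokens = line.split()
    if tokens[0].isdigit():            # optional sequence number, e.g. '10 permit ...'
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    src, src_wc, i = parse_addr(tokens, 2)
    dst, dst_wc, i = parse_addr(tokens, i)
    return {"action": action, "proto": proto, "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc, "established": "established" in tokens[i:]}


def evaluate(acl_lines, pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt: first matching ACE wins, implicit deny at the end."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not wildcard_match(pkt.src, ace["src"], ace["src_wc"]):
            continue
        if not wildcard_match(pkt.dst, ace["dst"], ace["dst_wc"]):
            continue
        # 'established' only matches TCP segments carrying ACK or RST, never a bare SYN
        if ace["established"] and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            continue
        return ace["action"]
    return "deny"


# The ACL from the last reply, applied inbound on the host's gateway interface
INGRESS_VLANX = [
    "deny ip host 10.10.10.2 10.10.20.0 0.0.0.255",
    "deny ip host 10.10.10.2 10.20.20.0 0.0.0.255",
    "permit ip any any",
]

# The single 'established' line from Hameed's corrected post
ESTABLISHED_ONLY = ["permit tcp 10.10.0.0 0.0.255.255 host 10.10.10.2 established"]


def check_ingress_vlanx() -> dict:
    """Evaluate constructed packets sourced by 10.10.10.2 against INGRESS_VLANX."""
    return {
        "to_10.10.20.0/24": evaluate(INGRESS_VLANX, Packet("10.10.10.2", "10.10.20.5", "tcp")),
        "to_internet": evaluate(INGRESS_VLANX, Packet("10.10.10.2", "203.0.113.10", "tcp")),
        # 10.10.30.0/24 appears in the corrected network list but not in the ACL
        "to_10.10.30.0/24": evaluate(INGRESS_VLANX, Packet("10.10.10.2", "10.10.30.7", "icmp")),
    }


def check_established_only() -> dict:
    """Show that an 'established'-only list never admits a fresh TCP SYN."""
    return {
        "syn_from_local": evaluate(ESTABLISHED_ONLY, Packet("10.10.20.5", "10.10.10.2", "tcp")),
        "ack_from_local": evaluate(ESTABLISHED_ONLY,
                                   Packet("10.10.20.5", "10.10.10.2", "tcp", ack_or_rst=True)),
    }


if __name__ == "__main__":
    # 0.0.255.255 on 10.10.20.0 covers 10.10.10.2 itself (Georg's point); 0.0.0.255 does not
    print(wildcard_match("10.10.10.2", "10.10.20.0", "0.0.255.255"),
          wildcard_match("10.10.10.2", "10.10.20.0", "0.0.0.255"))
    print(check_ingress_vlanx())
    print(check_established_only())
```

Two things the model makes visible: a bare SYN from a local network never matches an `established` ACE, so a list consisting only of that line leaves fresh connections to 10.10.10.2 to the implicit deny; and the final INGRESS_VLANX list denies only 10.10.20.0/24 and 10.20.20.0/24, so 10.10.30.0/24 and 10.10.40.0/24 from the corrected network list remain reachable from the host unless matching deny entries are added ahead of `permit ip any any`.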
