10-05-2011 03:22 AM - edited 03-07-2019 02:37 AM
Hi everyone,
Here is a schema of what I would like to do:
http://www.casimages.com/img.php?i=111005120451502784.jpg
To summarize, I would like to know if it's possible to create one or more ACLs that would allow me to have:
from B to A, only HTTPS, SSH and ICMP;
from A to B, nothing except replies to HTTPS, SSH and ICMP requests.
Reflexive ACLs are not available on my platform (4506 Sup 7-E).
A and B are on different VLANs; each VLAN has an SVI.
If you have any idea, I would appreciate it.
Thanks
Alex.
10-05-2011 03:53 AM
Alex
Reflexive ACLs are the way to go, as you say, but because you have specific ports only, you can use standard ACLs, e.g.
A = 192.168.5.0/24 - vlan 10
B = 192.168.6.0/24 - vlan 11
access-list 101 permit tcp 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 443
access-list 101 permit tcp 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 22
access-list 101 permit icmp 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255 echo-request
access-list 101 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit tcp 192.168.5.0 0.0.0.255 eq 443 192.168.6.0 0.0.0.255
access-list 102 permit tcp 192.168.5.0 0.0.0.255 eq 22 192.168.6.0 0.0.0.255
access-list 102 permit icmp 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255 echo-reply
access-list 102 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
int vlan 10
ip access-group 102 in
int vlan 11
ip access-group 101 in
Bear in mind that if you want traffic from either vlan 10 or vlan 11 to go to other subnets, you will need to permit these at the end of the ACL or use a permit ip any any catch-all.
Jon
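To see exactly what the two stateless ACLs above let through in each direction, here is an added example (not part of Jon's answer or Cisco's code) that models the IOS first-match/implicit-deny evaluation in Python and runs constructed packets through access-list 101 and 102. It also includes a tightened variant of 102 that adds the IOS `established` keyword to the TCP lines (the keyword matches only segments with ACK or RST set); whether the 4500 platform supports it in hardware is an assumption to check on your own box. All host addresses and ports are constructed sample values.

```python
import ipaddress

# Wildcard-mask match as IOS does it: 192.168.6.0 0.0.0.255 covers 192.168.6.0/24.
def wildcard_match(ip, network, wildcard):
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    wild_i = int(ipaddress.IPv4Address(wildcard))
    return (ip_i | wild_i) == (net_i | wild_i)

class Ace:
    """One access-list entry. sport/dport model 'eq N' on the source/destination
    side, icmp_type models echo-request/echo-reply, and established models the
    IOS 'established' keyword (TCP segments with ACK or RST set)."""
    def __init__(self, action, proto, src, dst, sport=None, dport=None,
                 icmp_type=None, established=False):
        self.action, self.proto = action, proto
        self.src, self.dst = src, dst            # (network, wildcard) tuples
        self.sport, self.dport = sport, dport
        self.icmp_type, self.established = icmp_type, established

    def matches(self, pkt):
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["src"], *self.src):
            return False
        if not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.sport is not None and pkt.get("sport") != self.sport:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        if self.established and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            return False
        return True

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

A = ("192.168.5.0", "0.0.0.255")   # vlan 10
B = ("192.168.6.0", "0.0.0.255")   # vlan 11

# access-list 101, applied inbound on int vlan 11 (packets leaving B towards A)
ACL_101 = [
    Ace("permit", "tcp", B, A, dport=443),
    Ace("permit", "tcp", B, A, dport=22),
    Ace("permit", "icmp", B, A, icmp_type="echo-request"),
    Ace("deny", "ip", B, A),
]

# access-list 102 as posted, inbound on int vlan 10 (packets leaving A towards B)
ACL_102 = [
    Ace("permit", "tcp", A, B, sport=443),
    Ace("permit", "tcp", A, B, sport=22),
    Ace("permit", "icmp", A, B, icmp_type="echo-reply"),
    Ace("deny", "ip", A, B),
]

# Tightened variant (assumes 'established' is supported on the platform), i.e.
#   access-list 102 permit tcp 192.168.5.0 0.0.0.255 eq 443 192.168.6.0 0.0.0.255 established
ACL_102_ESTABLISHED = [
    Ace("permit", "tcp", A, B, sport=443, established=True),
    Ace("permit", "tcp", A, B, sport=22, established=True),
    Ace("permit", "icmp", A, B, icmp_type="echo-reply"),
    Ace("deny", "ip", A, B),
]

def run_scenarios():
    """Constructed sample packets; returns scenario name -> ACL verdict."""
    https_req = {"proto": "tcp", "src": "192.168.6.10", "sport": 51000,
                 "dst": "192.168.5.20", "dport": 443, "flags": {"SYN"}}
    https_reply = {"proto": "tcp", "src": "192.168.5.20", "sport": 443,
                   "dst": "192.168.6.10", "dport": 51000, "flags": {"SYN", "ACK"}}
    # A brand-new connection opened from A using source port 443 (no ACK yet)
    new_from_a = {"proto": "tcp", "src": "192.168.5.20", "sport": 443,
                  "dst": "192.168.6.10", "dport": 22, "flags": {"SYN"}}
    http_req = {"proto": "tcp", "src": "192.168.6.10", "sport": 51001,
                "dst": "192.168.5.20", "dport": 80, "flags": {"SYN"}}
    ping_from_a = {"proto": "icmp", "src": "192.168.5.20",
                   "dst": "192.168.6.10", "icmp_type": "echo-request"}
    ping_reply_from_a = {"proto": "icmp", "src": "192.168.5.20",
                         "dst": "192.168.6.10", "icmp_type": "echo-reply"}
    to_other_subnet = {"proto": "tcp", "src": "192.168.6.10", "sport": 51002,
                       "dst": "10.1.1.1", "dport": 443, "flags": {"SYN"}}
    return {
        "https B->A": evaluate(ACL_101, https_req),
        "https reply A->B": evaluate(ACL_102, https_reply),
        "https reply A->B (established)": evaluate(ACL_102_ESTABLISHED, https_reply),
        "new conn A->B sport 443": evaluate(ACL_102, new_from_a),
        "new conn A->B sport 443 (established)": evaluate(ACL_102_ESTABLISHED, new_from_a),
        "http B->A": evaluate(ACL_101, http_req),
        "ping A->B": evaluate(ACL_102, ping_from_a),
        "ping reply A->B": evaluate(ACL_102, ping_reply_from_a),
        "B->other subnet": evaluate(ACL_101, to_other_subnet),
    }

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:42s} {verdict}")
```

Two results are worth reading off. First, the posted ACL 102 identifies "reply" traffic purely by source port, so a segment from A with source port 443 is permitted even when it is a new SYN; adding `established` to the TCP lines keeps the real replies (ACK set) and drops that case, which is the closest a stateless ACL gets to the reflexive behaviour the question asks for. Second, the last scenario shows Jon's closing caveat: a packet from B to a subnet other than A matches no permit and hits the implicit deny, so any other destinations need their own permit lines before the end of the list.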
10-05-2011 08:56 AM
Thank you very much Jon, it's working fine.