ACL Question

j-shearer · ‎10-31-2006

I am wondering if it is possible to allow traffic from one host to another in a particular direction, while denying the traffic from the another direction.

For example, VLAN10 contains a PC with the IP of 10.10.10.10/24. VLAN10's interface is 10.10.10.1/24. VLAN20 contains a PC with the IP address of 10.20.20.20/24. VLAN20's interface IP address is 10.20.20.1/24.

Basically, I want to be able to access 10.20.20.0/24 network from 10.10.10.10, but I do not want 10.20.20.20 to be able to access anything in the 10.10.10.0/24 network. What I am looking for is to be able to permit/deny access to certain networks based on what the source IP is.

I am confused on how to configure the ACLs - inbound, outbound or both on the VLAN interfaces.

Any info would be appreciated.

tdrais · ‎10-31-2006

You really cannot only allow traffic in only a single direction. The response to your session has to be allowed somehow.

In the most simple case for TCP you can use the established option.

permit 110 tcp 10.20.20.0 0.0.0.255 host 10.10.10.10 established

This is applied inbound on vlan20

This has limited use in that it only supports TCP and has trouble with applications that attempt to open a second session back to the orginating machine.

The other methods are reflexive access lists and Context-Based Access Control (CBAC) both of which are parts of firewall features and will depend on IOS levels and platform as to what is supported.