Block traffic between two interfaces with out ACL

lchomin
Level 1

Hi,

I cannot figure out why my configuration is not working on Cisco 2921.
Basically I try to block traffic from interface DMZ to interface LAN.
On the DMZ interface I added extended ACL:

interface GigabitEthernet0/0.40
 ip address 192.168.0.1 255.255.255.0
 ip access-group DMZ-OUT out

The access list is very simple:

ip access-list extended DMZ-OUT
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any

I would assume that with such a configuration all traffic from the 192.168.0.0 network to the 10.0.0.0 network should be blocked, but apparently it's not, as I can still ping hosts:

ping 10.0.0.2 source 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

What's wrong with my configuration?
Thank you in advance for your valuable help.

Best regards,
Lukasz

5 Replies

andrewswanson
Level 7

If Gi0/0.40 is your DMZ interface and you want to filter traffic coming into that interface you should apply the ACL inbound:

ip access-group DMZ-OUT in

Even with that in place you may run into issues testing the ACL when using ping 10.0.0.2 source 192.168.0.1:

"Another special note on Cisco ACLs is that ACLs never apply to traffic generated by the router. So, even if you have an inbound and an outbound ACL on a router denying all traffic, the router will still be able to send any packet it wants; the return packet, however, will be blocked as usual."

Above quote from:

http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4

hth
Andy

Hi Andy,

In fact I want to filter traffic going out from the interface Gi0/0.40 but that doesn't work with my access list.

Thanks a lot for pointing out that testing on the router doesn't take ACLs into consideration. I wasn't aware of that.

Now I'm testing it from a host connected to DMZ network and the result is still the same.

Probably I could define an ACL on my local network (10.0.0.0), but according to best practices filtering should happen as close to the source as possible. So using an out ACL on the DMZ interface seems to be the best option, which unfortunately doesn't work.

Any help on why my configuration doesn't work is highly appreciated.

Best regards,
Lukasz

Hi Lukasz
If you are looking to deny traffic from your DMZ network 192.168.0.0/24 reaching your LAN network 10.0.0.0/8 then the following should work:

interface GigabitEthernet0/0.40
 ip address 192.168.0.1 255.255.255.0
 ip access-group DMZ-IN in
!
ip access-list extended DMZ-IN
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any

hth
Andy
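As an added illustration (not from the thread), a small Python model of the rule Andy is relying on: a packet is checked against the "in" ACL of the interface it enters and the "out" ACL of the interface it leaves, and traffic the router itself originates skips both. The LAN subinterface name Gi0/0.10 is an assumption; the thread never names it.

```python
import ipaddress

# Constructed model of IOS interface-ACL placement: an "in" ACL is checked on the
# interface a packet ENTERS the router, an "out" ACL on the interface it LEAVES.
# Traffic the router itself originates (e.g. a ping from the CLI) skips both.

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any": every bit is "don't care"

# ACEs are (action, src_net, src_wildcard, dst_net, dst_wildcard); the entries are
# those of the OP's DMZ-OUT and Andy's DMZ-IN, which are identical.
DMZ_ACL = [
    ("deny", *ANY, "10.0.0.0", "0.255.255.255"),
    ("permit", *ANY, *ANY),
]

# Gi0/0.10 as the LAN subinterface is an assumption; the thread never names it.
ORIGINAL = {"Gi0/0.40": {"out": DMZ_ACL}, "Gi0/0.10": {}}   # OP's config
CORRECTED = {"Gi0/0.40": {"in": DMZ_ACL}, "Gi0/0.10": {}}   # Andy's fix


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a set bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


def evaluate_acl(acl, src, dst):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def forward(ifaces, src, dst, ingress, egress, router_generated=False):
    """Return what happens to one packet passing through the router."""
    if router_generated:   # interface ACLs never apply to self-originated traffic
        return "forwarded"
    if "in" in ifaces[ingress] and evaluate_acl(ifaces[ingress]["in"], src, dst) == "deny":
        return f"dropped by inbound ACL on {ingress}"
    if "out" in ifaces[egress] and evaluate_acl(ifaces[egress]["out"], src, dst) == "deny":
        return f"dropped by outbound ACL on {egress}"
    return "forwarded"


if __name__ == "__main__":
    # DMZ host -> LAN host: passes with the OP's "out" ACL, dropped with "in".
    print(forward(ORIGINAL, "192.168.0.50", "10.0.0.2", "Gi0/0.40", "Gi0/0.10"))
    print(forward(CORRECTED, "192.168.0.50", "10.0.0.2", "Gi0/0.40", "Gi0/0.10"))
    # The OP's test ping sourced from the router itself bypasses ACLs entirely.
    print(forward(CORRECTED, "192.168.0.1", "10.0.0.2", None, "Gi0/0.10", True))
```

The first call reproduces the OP's symptom (the "out" list on Gi0/0.40 is only consulted for packets leaving towards the DMZ), the second shows Andy's inbound placement dropping the same packet.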

Hello,

you might want to try local policy routing with a route map. In your case, it would look like this:

ip access-list extended DROP_DMZ_LAN
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any

route-map NO_DMZ_LAN permit 10
 match ip address DROP_DMZ_LAN

Router(config)#ip local policy route-map NO_DMZ_LAN

Hello

A more granular approach would be to use Control Plane Policing (CoPP).

This will cause any control plane traffic (specified via an ACL) destined to the router's interface to be dropped, but will allow data plane traffic (transit traffic).

access-list 100 permit ip 10.0.0.0 0.0.0.255 any
!
class-map match-any STANcm
 match access-group 100
!
policy-map STANpm
 class STANcm
  drop
!
control-plane host
 service-policy input STANpm

res
Paul
