Enquiry about PACL

anthonypoon
Level 1

Hi experts,

 

If I want to deny the Site B terminal (10.116.123.244) access to the internal networks (173.0.0.0/8, 10.114.0.0/16, 10.115.0.0/16, 10.116.0.0/16, 10.150.0.0/16) but allow it Internet access through the Site A Internet firewall, can the following PACL work?

 

configure terminal
ip access-list extended simple-ip-acl
 deny ip host 10.116.123.244 10.114.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.115.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.116.0.0 0.0.255.255
 deny ip host 10.116.123.244 173.0.0.0 0.255.255.255
 deny ip host 10.116.123.244 10.150.0.0 0.0.255.255
 exit
interface GigabitEthernet2/31
 ! the switchport the terminal is connected to
 ip access-group simple-ip-acl in
end

 

Thanks.

4 Replies

Alex Pfeil
Level 7
You would have to add permit ip any any at the end.
Please rate helpful posts.

Hi, 

 

I applied the following PACL on the testing interface of the Site B edge switch; however, it does not work.

 

ip access-list extended simple-ip-acl
 ! Site A Checkpoint firewall
 permit ip host 10.116.123.244 host 10.115.85.102
 ! Site A GW (core switch)
 permit ip host 10.116.123.244 host 10.115.85.1
 ! Site B GW (core switch)
 permit ip host 10.116.123.244 host 10.116.85.1
 ! Site A AD & DNS
 permit ip host 10.116.123.244 host 10.115.11.1
 permit ip host 10.116.123.244 host 10.115.11.2
 ! returned traffic from the Site A firewall
 permit ip host 10.115.85.102 host 10.116.123.244
 deny ip any any
 exit
interface GigabitEthernet1/0/15
 ! the port the testing notebook is connected to
 ip access-group simple-ip-acl in
end

 

Does a PACL only filter L2 traffic, and do we have to apply the ACL to an L3 interface instead? Please advise.

 

Step 1: Define the extended ACL
ip access-list extended simple-ip-acl-block-internal-allow-internet
 ! allow required IPs
 permit ip host 10.6.10.244 host 10.115.85.102
 permit ip host 10.6.10.244 host 10.115.85.1
 permit ip host 10.6.10.244 host 10.116.85.1
 permit ip host 10.6.10.244 host 10.115.11.1
 permit ip host 10.6.10.244 host 10.115.11.2
 permit ip host 10.115.85.102 host 10.6.10.244
 !
 ! block private ranges
 deny ip host 10.116.123.244 10.114.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.115.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.116.0.0 0.0.255.255
 deny ip host 10.116.123.244 173.0.0.0 0.255.255.255
 deny ip host 10.116.123.244 10.150.0.0 0.0.255.255
 !
 permit ip any any

 

Step 2: Create the new VLAN501
SiteB-30-2960X-7>sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active
500  VLAN0500                         active    Gi1/0/2, Gi1/0/10, Gi1/0/11
                                                Gi1/0/12, Gi1/0/13, Gi1/0/14
                                                Gi1/0/15, Gi1/0/16, Gi1/0/17
                                                Gi1/0/18, Gi1/0/19, Gi1/0/20
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24
501  VLAN0501                         active


Step 3: Create the VLAN501 VRF and apply the ACL to VLAN501.
Should I create the VLAN501 VRF interface on the 6504? I should apply the ACL to VLAN501 as below, right?
interface Vlan501
 ! VLAN for the credit card terminal
 ip address 10.6.10.0 255.255.255.0
 ip access-group simple-ip-acl-block-internal-allow-internet out

 

Step 4: Change SiteB-30-2960X-7 Gi1/0/15 to VLAN501 and assign the IP 10.6.10.24 to the testing notebook.

I think this thread will help your understanding:

https://learningnetwork.cisco.com/thread/54754

regards

azam

Hello

 

I would suggest applying the ACL on the L3 SVI of the host you're trying to negate access to. This way, if this host roams within that VLAN, wherever it connects it will be negated based on the RACL applied to its VLAN and not the PACL applied to its L2 interface.

 

ip access-list extended simple-ip-acl
 deny ip host 10.116.123.244 10.114.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.115.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.116.0.0 0.0.255.255
 deny ip host 10.116.123.244 173.0.0.0 0.255.255.255
 deny ip host 10.116.123.244 10.150.0.0 0.0.255.255
 permit ip any any
 exit

interface Vlan<vlan-id>
 ip access-group simple-ip-acl in
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
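To see why Alex's "permit ip any any" matters and what the deny lines actually match, here is a small first-match ACL evaluator with Cisco wildcard-mask semantics and the implicit deny at the end. It is an added example written for this thread, not code from the posts or from Cisco; the ACL text is the one from the thread (typos removed) and 203.0.113.10 is a documentation address standing in for an Internet host.

```python
import ipaddress

def _parse_match(tokens):
    """Consume one src/dst spec; return (base, wildcard, remaining) with ints."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    base, wildcard = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return base, wildcard, tokens[2:]

def _matches(ip, base, wildcard):
    # Cisco wildcard semantics: 0 bits must match, 1 bits are "don't care".
    care = ~wildcard & 0xFFFFFFFF
    return (ip & care) == (base & care)

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' entries; '!' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("!", 1)[0].strip()
        if not line or line.startswith("ip access-list"):
            continue  # blank line or the ACL header
        action, _proto, *rest = line.lower().split()
        src, src_wc, rest = _parse_match(rest)
        dst, dst_wc, _ = _parse_match(rest)
        entries.append((action, src, src_wc, dst, dst_wc))
    return entries

def evaluate(entries, src, dst):
    """First matching entry wins; no match falls to the implicit deny."""
    s, d = (int(ipaddress.IPv4Address(a)) for a in (src, dst))
    for action, sb, sw, db, dw in entries:
        if _matches(s, sb, sw) and _matches(d, db, dw):
            return action
    return "deny"

# The thread's ACL, constructed here with the trailing-dot typos removed.
DENY_ONLY = """ip access-list extended simple-ip-acl
 deny ip host 10.116.123.244 10.114.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.115.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.116.0.0 0.0.255.255
 deny ip host 10.116.123.244 173.0.0.0 0.255.255.255
 deny ip host 10.116.123.244 10.150.0.0 0.0.255.255
"""
WITH_PERMIT_ANY = DENY_ONLY + " permit ip any any\n"  # Alex's fix
if __name__ == "__main__":
    for name, acl in (("deny-only", DENY_ONLY), ("with permit any", WITH_PERMIT_ANY)):
        e = parse_acl(acl)  # 203.0.113.10 (TEST-NET-3) stands in for an Internet host
        print(name, evaluate(e, "10.116.123.244", "10.115.85.1"), evaluate(e, "10.116.123.244", "203.0.113.10"))
```

Without the final permit, the terminal's Internet traffic hits the implicit deny just like its internal traffic; with it, only the listed internal ranges are blocked and other hosts on the port are untouched.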