10-15-2018 07:26 AM - edited 03-08-2019 04:23 PM
Hi experts,
If I want to deny the Site B terminal (10.116.123.244) access to the internal networks (173.0.0.0/8, 10.114.0.0/16, 10.115.0.0/16, 10.116.0.0/16, 10.150.0.0/16) but allow Internet access through the Site A Internet firewall, would the following PACL work?
conf t
ip access-list extended simple-ip-acl
 deny ip host 10.116.123.244 10.114.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.115.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.116.0.0 0.0.255.255
 deny ip host 10.116.123.244 173.0.0.0 0.255.255.255
 deny ip host 10.116.123.244 10.150.0.0 0.0.255.255
!
interface GigabitEthernet2/31
 ! the switchport the terminal connects to
 ip access-group simple-ip-acl in
end
Thanks.
10-15-2018 07:44 AM
10-29-2018 05:14 AM
Hi,
I applied the following PACL on the test interface of the Site B edge switch; however, it does not work.
ip access-list extended simple-ip-acl
 permit ip host 10.116.123.244 host 10.115.85.102   ! Site A Checkpoint firewall
 permit ip host 10.116.123.244 host 10.115.85.1     ! Site A GW (core switch)
 permit ip host 10.116.123.244 host 10.116.85.1     ! Site B GW (core switch)
 permit ip host 10.116.123.244 host 10.115.11.1     ! Site A AD & DNS
 permit ip host 10.116.123.244 host 10.115.11.2     ! Site A AD & DNS
 permit ip host 10.115.85.102 host 10.116.123.244   ! return traffic
 deny ip any any
!
interface GigabitEthernet1/0/15
 ! the port the test notebook connects to
 ip access-group simple-ip-acl in
end
Does a PACL only filter L2 traffic, and do we have to apply the ACL to the L3 interface instead? Please advise.
Step 1: Define the extended ACL
ip access-list extended simple-ip-acl-block-internal-allow-internet
! allow required ip
permit ip host 10.6.10.244 host 10.115.85.102
permit ip host 10.6.10.244 host 10.115.85.1
permit ip host 10.6.10.244 host 10.116.85.1
permit ip host 10.6.10.244 host 10.115.11.1
permit ip host 10.6.10.244 host 10.115.11.2
permit ip host 10.115.85.102 host 10.6.10.244
!
! block private ranges
deny ip host 10.116.123.244 10.114.0.0 0.0.255.255
deny ip host 10.116.123.244 10.115.0.0 0.0.255.255
deny ip host 10.116.123.244 10.116.0.0 0.0.255.255
deny ip host 10.116.123.244 173.0.0.0 0.255.255.255
deny ip host 10.116.123.244 10.150.0.0 0.0.255.255
!
permit ip any any
Step 2: Create New VLAN501
SiteB-30-2960X-7>sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- --
1 default active
500 VLAN0500 active Gi1/0/2, Gi1/0/10, Gi1/0/11
Gi1/0/12, Gi1/0/13, Gi1/0/14
Gi1/0/15, Gi1/0/16, Gi1/0/17
Gi1/0/18, Gi1/0/19, Gi1/0/20
Gi1/0/22, Gi1/0/23, Gi1/0/24
501 VLAN0501 active
Step 3: Create the VLAN501 SVI and apply the ACL to VLAN501.
Should I create the VLAN501 VRF interface on the 6504? I should apply the ACL to VLAN501 as below, right?
interface Vlan501
 ! VLAN for the credit card terminal
 ip address 10.6.10.0 255.255.255.0
 ip access-group simple-ip-acl-block-internal-allow-internet out
Step 4: Move SiteB-30-2960X-7 Gi1/0/15 to VLAN501 and assign IP 10.6.10.24 to the test notebook.
11-04-2018 10:37 AM
I think this thread will help your understanding:
https://learningnetwork.cisco.com/thread/54754
regards
azam
11-04-2018 11:47 AM - edited 11-04-2018 11:48 AM
Hello
I would suggest applying the ACL on the L3 SVI of the host you're trying to negate access to. This way, if this host roams within that VLAN, wherever it connects it will be negated based on the RACL applied to its VLAN and not the PACL applied to its L2 interface.
ip access-list extended simple-ip-acl
 deny ip host 10.116.123.244 10.114.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.115.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.116.0.0 0.0.255.255
 deny ip host 10.116.123.244 173.0.0.0 0.255.255.255
 deny ip host 10.116.123.244 10.150.0.0 0.0.255.255
 permit ip any any
!
interface Vlan x/x
 ip access-group simple-ip-acl in
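To make the difference between the three ACL bodies in this thread concrete, here is a small Python model of how an IOS extended ACL is evaluated: top-down, first match wins, and an implicit "deny ip any any" at the end. It is an added example, not Cisco code and not anything posted in the thread; the only assumptions are the addresses already used above (the terminal 10.116.123.244, the Site A firewall 10.115.85.102) plus 8.8.8.8 standing in for "some Internet host". The parser deliberately rejects a network written with a trailing dot (as in the originally posted "10.114.0.0."), which the IOS CLI would also refuse.

```python
"""Model of Cisco IOS extended ACL evaluation (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# (address bits, wildcard bits); a wildcard bit of 1 means "don't care"
Spec = Tuple[int, int]


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: Spec
    dst: Spec
    text: str     # the original line, kept for reporting


def _ip(s: str) -> int:
    # IPv4Address raises ValueError on malformed input such as "10.114.0.0."
    # (trailing dot), the same input the IOS CLI rejects.
    return int(ipaddress.IPv4Address(s))


def _take_addr(tokens: List[str]) -> Tuple[Spec, List[str]]:
    """Consume one address term: 'any', 'host A', or 'A WILDCARD'."""
    kw = tokens[0].lower()
    if kw == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if kw == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit|deny ip SRC DST' lines; '!' starts a comment."""
    acl: List[Ace] = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        action, proto = tokens[0].lower(), tokens[1].lower()
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, rest = _take_addr(tokens[2:])
        dst, rest = _take_addr(rest)
        if rest:
            raise ValueError(f"trailing tokens in ACE: {line!r}")
        acl.append(Ace(action, src, dst, line))
    return acl


def _matches(spec: Spec, ip: str) -> bool:
    addr, wildcard = spec
    # Every bit where the wildcard is 0 must equal the configured address.
    return ((_ip(ip) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, int]:
    """First-match evaluation. Returns (action, index): index is the 0-based
    ACE that matched, or -1 for the implicit deny at the end of every ACL."""
    for i, ace in enumerate(acl):
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action, i
    return "deny", -1


TERMINAL = "10.116.123.244"
FIREWALL = "10.115.85.102"
INTERNET = "8.8.8.8"            # constructed stand-in for any Internet host

# The first post: deny entries only, so everything else hits the implicit deny.
ACL_DENY_ONLY = """
deny ip host 10.116.123.244 10.114.0.0 0.0.255.255
deny ip host 10.116.123.244 10.115.0.0 0.0.255.255
deny ip host 10.116.123.244 10.116.0.0 0.0.255.255
deny ip host 10.116.123.244 173.0.0.0 0.255.255.255
deny ip host 10.116.123.244 10.150.0.0 0.0.255.255
"""
# The second post: an explicit allow-list followed by deny any any.
ACL_ALLOW_LIST = """
permit ip host 10.116.123.244 host 10.115.85.102   ! Site A firewall
permit ip host 10.116.123.244 host 10.115.85.1
permit ip host 10.116.123.244 host 10.116.85.1
permit ip host 10.116.123.244 host 10.115.11.1
permit ip host 10.116.123.244 host 10.115.11.2
permit ip host 10.115.85.102 host 10.116.123.244   ! return traffic
deny ip any any
"""
# The last reply: the same denies followed by permit ip any any.
ACL_DENY_THEN_PERMIT = ACL_DENY_ONLY + "permit ip any any\n"


if __name__ == "__main__":
    for name, body in [("deny-only", ACL_DENY_ONLY),
                       ("allow-list", ACL_ALLOW_LIST),
                       ("deny-then-permit", ACL_DENY_THEN_PERMIT)]:
        acl = parse_acl(body)
        for dst in (FIREWALL, "173.10.10.10", INTERNET):
            action, idx = evaluate(acl, TERMINAL, dst)
            hit = acl[idx].text if idx >= 0 else "<implicit deny>"
            print(f"{name:17} {TERMINAL} -> {dst:14} {action:6} via {hit}")
```

Running it shows why the first ACL cannot meet the requirement: traffic from the terminal to 8.8.8.8 matches no entry and falls through to the implicit deny, so the terminal loses Internet access along with the internal networks. Only the variant that ends in "permit ip any any" denies the listed internal ranges and still permits everything else; the allow-list variant permits the Site A firewall but, by its explicit "deny ip any any", also blocks the Internet.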