anthonypoon
Beginner

Enquiry about PACL

Hi experts,

 

If I want to deny the Site B terminal (10.116.123.244) access to the internal networks (173.0.0.0/8, 10.114.0.0/16, 10.115.0.0/16, 10.116.0.0/16, 10.150.0.0/16), except the Internet through the Site A Internet firewall, can the following PACL work?

conf t
ip access-list extended simple-ip-acl
 deny ip host 10.116.123.244 10.114.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.115.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.116.0.0 0.0.255.255
 deny ip host 10.116.123.244 173.0.0.0 0.255.255.255
 deny ip host 10.116.123.244 10.150.0.0 0.0.255.255
!
interface GigabitEthernet2/31
 description switchport the terminal is connected to
 ip access-group simple-ip-acl in
end

 

Thanks.

Alex Pfeil
Rising star

You would have to add permit ip any any at the end.
Please rate helpful posts.

Hi, 

 

I applied the following PACL on the testing interface of the Site B edge switch; however, it does not work.

 

ip access-list extended simple-ip-acl
 remark Site A Checkpoint firewall
 permit ip host 10.116.123.244 host 10.115.85.102
 remark Site A GW (core switch)
 permit ip host 10.116.123.244 host 10.115.85.1
 remark Site B GW (core switch)
 permit ip host 10.116.123.244 host 10.116.85.1
 remark Site A AD & DNS
 permit ip host 10.116.123.244 host 10.115.11.1
 permit ip host 10.116.123.244 host 10.115.11.2
 remark returned traffic from the firewall
 permit ip host 10.115.85.102 host 10.116.123.244
 deny ip any any
!
interface GigabitEthernet1/0/15
 description port the testing notebook is connected to
 ip access-group simple-ip-acl in
end

 

Does a PACL only filter L2 traffic, and do we have to apply the ACL to an L3 interface? Please advise.

 

Step 1: Define the extended ACL
ip access-list extended simple-ip-acl-block-internal-allow-internet
 ! allow required IPs
 permit ip host 10.6.10.244 host 10.115.85.102
 permit ip host 10.6.10.244 host 10.115.85.1
 permit ip host 10.6.10.244 host 10.116.85.1
 permit ip host 10.6.10.244 host 10.115.11.1
 permit ip host 10.6.10.244 host 10.115.11.2
 permit ip host 10.115.85.102 host 10.6.10.244
 !
 ! block private ranges
 deny ip host 10.116.123.244 10.114.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.115.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.116.0.0 0.0.255.255
 deny ip host 10.116.123.244 173.0.0.0 0.255.255.255
 deny ip host 10.116.123.244 10.150.0.0 0.0.255.255
 !
 permit ip any any

 

Step 2: Create New VLAN501
SiteB-30-2960X-7>sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
500  VLAN0500                         active    Gi1/0/2, Gi1/0/10, Gi1/0/11
                                                Gi1/0/12, Gi1/0/13, Gi1/0/14
                                                Gi1/0/15, Gi1/0/16, Gi1/0/17
                                                Gi1/0/18, Gi1/0/19, Gi1/0/20
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24
501  VLAN0501                         active


Step 3: Create VLAN501 VRF & Apply the ACL to VLAN501.
Should I create the VLAN501 VRF interface on the 6504? I should apply the ACL to VLAN501 as below, right?
interface Vlan501
 description VLAN for credit card terminal
 ip address 10.6.10.0 255.255.255.0
 ip access-group simple-ip-acl-block-internal-allow-internet out

 

Step 4: Change SiteB-30-2960X-7 Gi1/0/15 to VLAN501 and assign IP 10.6.10.24 to the testing notebook.

I think this thread will help your understanding:

https://learningnetwork.cisco.com/thread/54754

regards

azam

paul driver
VIP Mentor

Hello

 

I would suggest applying the ACL on the L3 SVI of the host you're trying to negate access to. This way, if this host roams within that VLAN, wherever it connects it will be negated based on the RACL applied to its VLAN and not the PACL applied to its L2 interface.

 

ip access-list extended simple-ip-acl
 deny ip host 10.116.123.244 10.114.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.115.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.116.0.0 0.0.255.255
 deny ip host 10.116.123.244 173.0.0.0 0.255.255.255
 deny ip host 10.116.123.244 10.150.0.0 0.0.255.255
 permit ip any any
!
interface Vlan <id>
 ! SVI of the VLAN the host lives in
 ip access-group simple-ip-acl in

kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
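Two points in this thread can be checked offline before touching a switch: the implicit deny that Alex points to (the first ACL has no permit, so it drops everything, Internet included), and the direction question behind Paul's RACL suggestion and the "out" binding in step 3 (an SVI ACL bound "in" sees packets the VLAN's hosts send; one bound "out" sees only packets the router forwards into the VLAN). The evaluator below is an added example, not code from this thread or from Cisco; it models only "permit/deny ip" entries with host, any and wildcard addresses, first-match order and the implicit deny. The ACL text is the poster's first ACL with the trailing-dot typos removed, the 10.116.123.0/24 mask for the terminal's VLAN is an assumption (the thread never gives it), and the sample flows are constructed.

```python
"""Offline first-match evaluator for Cisco IOS extended-ACL 'ip' entries (added example)."""
import ipaddress
from dataclasses import dataclass

# The original poster's first ACL, typos fixed. It has no explicit permit, so every packet
# that does not match a deny line still hits the implicit 'deny ip any any'.
OP_ACL = """\
ip access-list extended simple-ip-acl
 deny ip host 10.116.123.244 10.114.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.115.0.0 0.0.255.255
 deny ip host 10.116.123.244 10.116.0.0 0.0.255.255
 deny ip host 10.116.123.244 173.0.0.0 0.255.255.255
 deny ip host 10.116.123.244 10.150.0.0 0.0.255.255
"""
# Alex's / Paul's version: the same denies followed by an explicit 'permit ip any any'.
FIXED_ACL = OP_ACL + " permit ip any any\n"

# ASSUMPTION: the terminal's VLAN is modelled as 10.116.123.0/24; the thread does not give its mask.
TERMINAL_VLAN = "10.116.123.0/24"


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src_addr: int    # address and IOS wildcard mask as 32-bit integers
    src_wild: int
    dst_addr: int
    dst_wild: int
    text: str        # the entry as written, so a verdict can say which line matched


def ip2int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (addr, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return ip2int(tokens[i + 1]), 0, i + 2
    return ip2int(tokens[i]), ip2int(tokens[i + 1]), i + 2


def parse_acl(text: str) -> list:
    """Parse the permit/deny lines of an 'ip access-list extended' block; other lines are ignored."""
    aces = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()           # '!' starts a comment in IOS config
        tokens = line.lower().split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                                   # header line, 'end', 'remark', blank
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are modelled here: {line}")
        src_addr, src_wild, i = _parse_addr(tokens, 2)
        dst_addr, dst_wild, i = _parse_addr(tokens, i)
        aces.append(Ace(tokens[0], src_addr, src_wild, dst_addr, dst_wild, line))
    return aces


def _matches(addr: int, wild: int, ip: int) -> bool:
    # IOS wildcard semantics: a 0 bit must match, a 1 bit is don't-care (bits need not be contiguous).
    return (ip & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF)


def evaluate(aces, src: str, dst: str):
    """First-match evaluation. Returns (action, matched entry); no match is the implicit deny."""
    s, d = ip2int(src), ip2int(dst)
    for ace in aces:
        if _matches(ace.src_addr, ace.src_wild, s) and _matches(ace.dst_addr, ace.dst_wild, d):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"


def svi_verdicts(aces, direction: str, vlan: str, flows):
    """Apply an ACL bound to an SVI in one direction to a list of (src, dst) flows.

    'in'  filters packets entering the router from the VLAN (source inside the VLAN);
    'out' filters packets the router forwards into the VLAN (destination inside the VLAN).
    A flow the SVI never sees in that direction is reported as 'not seen'.
    """
    net = ipaddress.IPv4Network(vlan)
    verdicts = {}
    for src, dst in flows:
        endpoint = src if direction == "in" else dst
        seen = ipaddress.IPv4Address(endpoint) in net
        verdicts[(src, dst)] = evaluate(aces, src, dst)[0] if seen else "not seen"
    return verdicts


if __name__ == "__main__":
    # Constructed flows: terminal to the Internet, terminal to an internal server, another host in
    # the same VLAN to that server, and the server's return traffic to the terminal.
    flows = [("10.116.123.244", "8.8.8.8"), ("10.116.123.244", "10.115.11.1"),
             ("10.116.123.10", "10.115.11.1"), ("10.115.11.1", "10.116.123.244")]
    for name, acl in (("OP ACL, no permit", OP_ACL), ("with permit ip any any", FIXED_ACL)):
        print(name)
        for src, dst in flows:
            print(f"  {src:>15} -> {dst:<15} {evaluate(parse_acl(acl), src, dst)}")
    for direction in ("in", "out"):
        print(f"RACL bound '{direction}' on the terminal's SVI:",
              svi_verdicts(parse_acl(FIXED_ACL), direction, TERMINAL_VLAN, flows))
```

Running it shows the first ACL returning the implicit deny for the terminal's Internet flow and for every other host in the VLAN, while the version with "permit ip any any" denies only the terminal's internal destinations. The direction run shows why "in" is the binding to use for a source-based ACL: bound "out", the terminal's own packets are "not seen" at all, and only the server's return traffic is tested, which the trailing permit lets through.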