Re: Help in configuring ACL

s4sandyad · ‎09-15-2017

As per attached jpg...please help how can i achieve this by using ACL or what are the way to acheive this scenario.

Karsten Iwen · ‎09-15-2017

You can't solve that problem effectively with an ACL. You need a statefull firewall like the ASA of ZBF on the IOS routers for that.

The ACL can be a first step, but you also have to allow the return-traffic which is really hard with only an ACL.

RyanB · ‎09-15-2017

As @Karsten Iwen said, you would need to allow return traffic, which requires statefulness.

You can do this with a simple extended ACL on the router, but it's highly dependant on what you're truely trying to accomplish.

For example...allowing established TCP sessions and echo-replies.

Configuration:

hostname DC-R1
!
interface FastEthernet0/0
 ip address 172.30.2.1 255.255.255.0
 negotiation auto

hostname DC-R2
!
interface FastEthernet0/1
 ip address 172.18.3.1 255.255.255.0
 ip access-group 1wayACL in
 negotiation auto
!
ip access-list extended 1wayACL
 permit tcp host 172.18.3.10 host 172.30.2.10 established
 permit icmp host 172.18.3.10 host 172.30.2.10 echo-reply
 deny ip any any

Results from 172.30.2.10 (Server1):

Server1#telnet 172.18.3.10
Trying 172.18.3.10 ... Open

User Access Verification

Username: Server2
Password:
Server2>

Server1#ssh -l server2 172.18.3.10
Password:

Server2>

Server1#ping 172.18.3.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.3.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/52/60 ms

Results from 172.18.3.10 (Server2):

Server2#telnet 172.30.3.10
Trying 172.30.3.10 ...
% Destination unreachable; gateway or host down

Server2#ssh -l server1 172.30.3.10
% Destination unreachable; gateway or host down

Server2#ping 172.30.3.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.3.10, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)