03-04-2019 08:40 AM
Hi, I have created a simple network diagram by using Cisco Packet Tracer.
Here, I want to deny all the access from "Network 2" side to "Network 1". At the same time, I should be able to access the devices of "Network 2" from "Network 1".
I tried with ACLs and it did not work because it denied the acknowledgment traffic.
Please help me to solve this matter.
I have attached an image and .pkt file.
http://www.mediafire.com/file/zpnd14thja65bkq/ACL.pkt/file
03-04-2019 09:32 AM
How to allow one network to initiate traffic to another network and to receive responses from the second network while not allowing the second network to initiate traffic to the first network is a challenge. The optimum solution is to have some device that does stateful inspection (such as a firewall). But you asked in terms of access list and there are some alternatives that you can try.
The simplest alternative works for TCP traffic: you can have a statement near the beginning of your acl on the interface for network 1 which has something like
access-list 101 permit tcp <source> <mask> <destination> <mask> established
This will allow tcp traffic from network 2 that is a response to something initiated from network 1 but will not allow any tcp initiated from network 2. But this only works for TCP, so you probably need to consider other options.
Probably you want something like Context Based Access List which inspects traffic and dynamically alters the operation of the access list to accomplish the kind of thing that you want to do. Here is a link which discusses this and I hope you may find helpful.
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#cbac
HTH
Rick
03-04-2019 11:59 PM - edited 03-05-2019 12:06 AM
Hi,
Make some changes in the access-list on Router6
Router#sho ip access-lists
Extended IP access list 110
    10 permit icmp any any (15 match(es))
    11 permit tcp host 192.168.2.3 eq ftp 192.168.1.0 0.0.0.255 (10 match(es))
    20 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 (238 match(es))
    30 permit ip any any
and here is the working topology.
As @Richard Burts has mentioned, "established" would resolve your issue, but you are working in PT and it does not support this function.
Regards,
Deepak Kumar
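To make the behaviour of Rick's "established" suggestion and Deepak's deny line concrete, here is an added example (not from the thread, not Cisco code) that models how an IOS extended ACL applied inbound on the Network 2 interface evaluates packets. The ACL entries, addresses and flag sets are constructed for illustration; note that "established" only inspects the ACK/RST flags of a TCP segment and keeps no connection state, which is why a stateful device is the more robust answer.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_flags: frozenset = frozenset()   # e.g. {"SYN"} or {"SYN", "ACK"}

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip" (any)
    src: str                         # CIDR prefix or "any"
    dst: str
    established: bool = False

def _in_net(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_in_net(ace.src, pkt.src) and _in_net(ace.dst, pkt.dst)):
        return False
    if ace.established:
        # "established" matches only TCP segments carrying ACK or RST (replies
        # to an exchange already under way); a bare SYN never matches.
        return pkt.proto == "tcp" and bool(pkt.tcp_flags & {"ACK", "RST"})
    return True

def evaluate(acl, pkt):
    # First matching entry wins; every IOS ACL ends with an implicit deny.
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Constructed ACL for the inbound interface on the Network 2 side:
# 192.168.2.0/24 may answer 192.168.1.0/24 but may not open connections to it.
ACL_IN_NET2 = [
    Ace("permit", "tcp", "192.168.2.0/24", "192.168.1.0/24", established=True),
    Ace("deny", "ip", "192.168.2.0/24", "192.168.1.0/24"),
    Ace("permit", "ip", "any", "any"),
]

if __name__ == "__main__":
    for flags in (frozenset({"SYN"}), frozenset({"SYN", "ACK"})):
        pkt = Packet("tcp", "192.168.2.3", "192.168.1.2", flags)
        print(sorted(flags), evaluate(ACL_IN_NET2, pkt))
```

Running it shows a SYN from Network 2 being denied while the SYN/ACK reply is permitted; an ICMP or UDP reply from Network 2 still hits the deny line, which is the "only works for TCP" limitation Rick describes.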