
inter-vlan security

kassab2005
Level 1

Hello,

I have a problem with VLAN security; my network is composed of:

(access switch: 2960)
(core switch: 4507R)
(firewall (Internet security): ASA 5510)
(router (Internet connection): 2811)


I have a similar network:

1st STEP WITHOUT ACL

  • The communication between PC 22 and PC 32 works well, in both directions.
  • Internet access works too, sometimes via cisco2811ccme, and if that connection is not available it balances to cisco2811.

I want to secure traffic between VLANs; for example I need:

  • to allow communication from VLAN 20 to VLAN 30,
  • but not from VLAN 30 to VLAN 20,
  • and VLAN 20 and VLAN 30 can access the Internet.

2nd STEP WITH ACL (several attempts)

I attempted several ways to implement the ACL on the Cisco 4507R switch.

1st attempt

VLAN 20 does not access VLAN 30
VLAN 20 does not access the Internet ********************** I don't need that
VLAN 30 accesses all VLANs including VLAN 20
VLAN 30 accesses the Internet

ip access-list extended 120
 permit ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
 permit ip any 10.0.40.0 0.0.0.255
interface vlan 20
 ip access-group 120 in

2nd attempt

VLAN 20 does not access VLAN 30
VLAN 20 does not access the Internet ********************* I don't need that
VLAN 30 accesses all VLANs including VLAN 20
VLAN 30 accesses the Internet

ip access-list extended 120
 permit ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
interface vlan 20
 ip access-group 120 in

3rd attempt

VLAN 20 does not access VLAN 30
VLAN 20 accesses the Internet
VLAN 30 accesses all VLANs excluding VLAN 20
VLAN 30 does not access VLAN 20 ************************ I don't need that
VLAN 30 accesses the Internet

ip access-list extended 120
 deny ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
 permit ip 10.0.20.0 0.0.0.255 any
interface vlan 20
 ip access-group 120 in

4th attempt

VLAN 20 does not access VLAN 30
VLAN 20 accesses the Internet
VLAN 30 accesses all VLANs excluding VLAN 20
VLAN 30 does not access VLAN 20 *********************** I don't need that
VLAN 30 accesses the Internet

ip access-list extended 120
 deny ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
 permit ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip 10.0.20.0 0.0.0.255 any
interface vlan 20
 ip access-group 120 in

WITHOUT DENY (1st and 2nd attempts): VLAN 20 does not access the Internet; I want it to access the Internet.

EXPLICIT DENY (3rd and 4th attempts): stops traffic in both directions, and I need just one direction to be blocked.

Can someone help me to have:

  • communication from VLAN 20 to VLAN 30,
  • but not from VLAN 30 to VLAN 20,
  • and VLAN 20 and VLAN 30 can access the Internet.

Thank you.

1 Reply

cadet alain
VIP Alumni

kassab2005 wrote:

Hello,

I have a problem with VLAN security; my network is composed of:

(access switch: 2960)
(core switch: 4507R)
(firewall (Internet security): ASA 5510)
(router (Internet connection): 2811)

I have a similar network:

1st STEP WITHOUT ACL

  • The communication between PC 22 and PC 32 works well, in both directions.
  • Internet access works too, sometimes via cisco2811ccme, and if that connection is not available it balances to cisco2811.

I want to secure traffic between VLANs; for example I need:

  • to allow communication from VLAN 20 to VLAN 30,
  • but not from VLAN 30 to VLAN 20,
  • and VLAN 20 and VLAN 30 can access the Internet.

2nd STEP WITH ACL (several attempts)

I attempted several ways to implement the ACL on the Cisco 4507R switch.

1st attempt

VLAN 20 does not access VLAN 30
VLAN 20 does not access the Internet ********************** I don't need that
VLAN 30 accesses all VLANs including VLAN 20
VLAN 30 accesses the Internet

ip access-list extended 120
 permit ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
 permit ip any 10.0.40.0 0.0.0.255
interface vlan 20
 ip access-group 120 in

Communication is a two-way process, so if VLAN 30 accesses VLAN 20 that means VLAN 20 can access VLAN 30.

2nd attempt

VLAN 20 does not access VLAN 30
VLAN 20 does not access the Internet ********************* I don't need that
VLAN 30 accesses all VLANs including VLAN 20
VLAN 30 accesses the Internet

ip access-list extended 120
 permit ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
interface vlan 20
 ip access-group 120 in

The same as above.

3rd attempt

VLAN 20 does not access VLAN 30
VLAN 20 accesses the Internet
VLAN 30 accesses all VLANs excluding VLAN 20
VLAN 30 does not access VLAN 20 ************************ I don't need that
VLAN 30 accesses the Internet

ip access-list extended 120
 deny ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
 permit ip 10.0.20.0 0.0.0.255 any
interface vlan 20
 ip access-group 120 in

This is normal according to your ACL.

4th attempt

VLAN 20 does not access VLAN 30
VLAN 20 accesses the Internet
VLAN 30 accesses all VLANs excluding VLAN 20
VLAN 30 does not access VLAN 20 *********************** I don't need that
VLAN 30 accesses the Internet

ip access-list extended 120
 deny ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
 permit ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip 10.0.20.0 0.0.0.255 any
interface vlan 20
 ip access-group 120 in

Same as above.

WITHOUT DENY (1st and 2nd attempts): VLAN 20 does not access the Internet; I want it to access the Internet.

Use an explicit permit for VLAN 20 to any as the last entry.

EXPLICIT DENY (3rd and 4th attempts): stops traffic in both directions, and I need just one direction to be blocked.

AFAIK this is not possible with regular ACLs; you'd have to use CBAC or ZBF to achieve such a result.

Can someone help me to have:

  • communication from VLAN 20 to VLAN 30,
  • but not from VLAN 30 to VLAN 20,
  • and VLAN 20 and VLAN 30 can access the Internet.

Thank you.

Regards.

Alain.

Don't forget to rate helpful posts.
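As an added example that is not part of the thread (neither the poster's config nor Cisco code), the following Python model of stateless ACL evaluation reproduces the 1st and 3rd attempts from the question and the reply's point that a one-way policy between VLAN 20 and VLAN 30 needs a stateful device such as CBAC or ZBF. The subnets are the ones in the thread; the host addresses, the 203.0.113.10 "Internet" host and the treatment of the uplink as carrying no ACL are assumptions of this model.

```python
import ipaddress

# Added example (not the poster's or Cisco's code): a simplified model of how a
# stateless IOS ACL applied "in" on an SVI treats the two halves of a session.
# It reproduces the 1st and 3rd attempts and the reply's point that a one-way
# policy needs state (CBAC/ZBF). Subnets are from the thread; host addresses
# and 203.0.113.10 (the "Internet") are constructed.
VLAN20, VLAN30, INET = "10.0.20.11", "10.0.30.11", "203.0.113.10"
SVIS = {20: "10.0.20.0/24", 30: "10.0.30.0/24"}
ANY = "0.0.0.0/0"

def inside(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def match(acl, src, dst):
    """First matching entry wins, implicit deny at the end. Entries are
    (action, src, dst) in CIDR form rather than IOS wildcard masks."""
    for action, s, d in acl:
        if inside(src, s) and inside(dst, d):
            return action == "permit"
    return False

def passes(acls, src, dst):
    """Evaluate one packet on the inbound ACL of the SVI it enters on; an SVI
    without an ACL (and the uplink, key None) lets everything through."""
    vlan = next((v for v, c in SVIS.items() if inside(src, c)), None)
    acl = acls.get(vlan)
    return True if acl is None else match(acl, src, dst)

def session_ok(acls, client, server, stateful=False):
    """A session works only if the request AND the reply get through. A plain
    ACL judges the reply on its own, so a deny on VLAN 20's SVI also kills the
    replies VLAN 30's sessions need; a stateful firewall admits them."""
    if not passes(acls, client, server):
        return False
    return stateful or passes(acls, server, client)

def evaluate(acls, stateful=False):
    pairs = {"20->30": (VLAN20, VLAN30), "30->20": (VLAN30, VLAN20),
             "20->inet": (VLAN20, INET), "30->inet": (VLAN30, INET)}
    return {k: session_ok(acls, c, s, stateful) for k, (c, s) in pairs.items()}

ATTEMPT1 = {20: [("permit", "10.0.20.0/24", "10.0.30.0/24"),
                 ("permit", ANY, "10.0.40.0/24")]}
ATTEMPT3 = {20: [("deny", "10.0.20.0/24", "10.0.30.0/24"),
                 ("permit", "10.0.20.0/24", ANY)]}
# The wanted policy as ACLs on both SVIs: stateless it also blocks VLAN 30's
# replies to VLAN 20; with state tracking it gives exactly the asked-for result.
GOAL = {20: [("permit", "10.0.20.0/24", ANY)],
        30: [("deny", "10.0.30.0/24", "10.0.20.0/24"), ("permit", "10.0.30.0/24", ANY)]}
```

Calling `evaluate(ATTEMPT3)` shows both VLAN directions blocked, as the poster observed, while `evaluate(GOAL, stateful=True)` is the only combination that yields the requested one-way result.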