One Way Routing Between VLANs

InquiringTech
Level 1

I want to set up a VLAN 20 (172.16.20.0 /24) to have internet (which it does) but not be able to reach any of the other VLANs on the switch. However, I want the other VLANs on the switch to be able to reach it (say VLAN 26 at 10.1.26.0 /24 and VLAN 29 at 10.1.29.0, etc.).

I set up an ACL on int vlan 20 called 'one-way-inter-vlan' going in:

10 deny ip 172.16.20.0 0.0.0.255 10.0.0.0 0.255.255.255

20 permit ip 10.0.0.0 0.255.255.255 172.16.20.0 0.0.0.255

30 permit ip any any

The effect is half of what I want: the vlan 20 subnet at 172.16.20.x can't reach the rest... but the problem is that the rest don't seem to be able to reach it either. It should be denying the one and permitting the other. What am I missing here? I'm testing from 10.1.29.2 to ping host 172.16.20.2

Also, I'm pretty sure 'ip' in the context of these ACLs covers both icmp and rdp, which I've been using to test connectivity across it.

Thanks.

7 Replies

Joseph W. Doherty
Hall of Fame

Likely your problem is that most host-to-host communication is bidirectional, i.e. you cannot totally block one direction and expect two-way communication to work.

What you can do, though, is allow two-way communication if just one side initiates it. I.e., if your VLANs 26 or 29 send to VLAN 20, VLAN 20 can reply, but VLAN 20 cannot initially send anything to those VLANs. (BTW, what I just described is often the basis of how many firewalls work, i.e. "outside" cannot contact "inside" unless "inside" first contacted that (particular) "outside".)

For TCP, using an ACL ACE with the established bit on indicates a "reply".

Cisco also supports "reflexive" ACLs.

Lastly, some IOSs support firewall features.
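The mechanics behind the question and the reply above, as an added example that is not part of the original thread. An ACL applied "in" on interface Vlan20 is evaluated on packets entering the switch from VLAN 20 hosts, so every packet it sees has a 172.16.20.x source: the original line 20 (permit 10/8 to 172.16.20/24) can never match in that direction, and line 10 drops the replies that VLAN 20 hosts send back to 10.x, which is why a ping from 10.1.29.2 gets no answer. The configuration assumes IOS on the layer-3 switch; the ACL names other than one-way-inter-vlan, the reflexive list name and the timeout value are assumptions.

```cisco
! Added example, not from the original thread. Assumes an IOS layer-3
! switch where interface Vlan20 is the SVI for 172.16.20.0/24 and the
! rest of the site lives in 10.0.0.0/8, as in the original question.
!
! --- Variant 1: TCP only, using the "established" keyword ---
! "in" on an SVI means packets entering the switch FROM VLAN 20 hosts, so
! every packet this list sees is sourced from 172.16.20.x. A "permit
! 10.0.0.0/8 -> 172.16.20.0/24" entry can never match here; it would only
! make sense in an OUTBOUND list. Replies from VLAN 20 to 10.x are TCP
! segments with the ACK bit set, so let those through before the deny.
ip access-list extended one-way-inter-vlan
 permit tcp 172.16.20.0 0.0.0.255 10.0.0.0 0.255.255.255 established
 deny   ip  172.16.20.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip  any any
!
interface Vlan20
 ip access-group one-way-inter-vlan in
!
! --- Variant 2: reflexive ACL, covers ICMP and UDP as well as TCP ---
! Traffic LEAVING the switch toward VLAN 20 (outbound on the SVI) creates
! a temporary mirror entry in LAB-RETURN. Traffic arriving from VLAN 20 is
! then allowed only if it matches one of those entries, i.e. only if a
! host in 10/8 started the conversation.
ip access-list extended to-lab
 permit ip 10.0.0.0 0.255.255.255 172.16.20.0 0.0.0.255 reflect LAB-RETURN timeout 300
 permit ip any any
!
ip access-list extended from-lab
 evaluate LAB-RETURN
 deny   ip 172.16.20.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip any any
!
interface Vlan20
 no ip access-group one-way-inter-vlan in
 ip access-group to-lab out
 ip access-group from-lab in
```

The established keyword only matches TCP segments with the ACK or RST bit set, so under variant 1 a ping from VLAN 29 still gets no echo reply and UDP is blocked; it is also a weak check, because any packet a VLAN 20 host sends with ACK set passes it, so it prevents connections rather than all packets. Variant 2 tracks each session by address and port and covers ICMP and UDP, but reflexive ACLs are handled in software and are not available on every Catalyst platform, so check the platform documentation first; after a test ping from 10.1.29.2, `show ip access-lists LAB-RETURN` shows whether mirror entries are being created.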

Thanks, that's basically what I thought it was, just wanted to see if it was as easy as that.

I'll look into these other methods, but fundamentally what we want is a lab network that has internet access and can be reached from the rest of our network here, but not reach out to it or initiate a connection, since there are some specialized machines on there that have lower security by necessity, and we don't want things getting onto our main network that has our more sensitive info.

One initial idea was to just use our VPN to connect to there from the main network, but that only works if we are not on that main network, because both of these are routed to the internet through a Cisco ASA firewall, and the gateway of the SSL AnyConnect VPN is through that same firewall, so it won't let you on if you're already behind it. Is there a way to maybe work around this?

Another idea was to use port forwarding via that firewall for the machines on that sequestered lab network, but that would be a hassle to assign a port to each machine on there and have people remember them and maintain a list, but in theory that could work I guess. Another option is to have a few computers on both networks using different adapters, and use them as a sort of "jump box" for entry into that network, but then people would be competing over using those concurrently, and be double RDPing in, which is just messy and time-consuming.

Any other ideas to consider maybe?

"Any other ideas to consider maybe?"

Possibly treating this lab network like a DMZ?

The ASA is stateful, and this gives you the choice to permit traffic from IN to the DMZ and to deny traffic from the DMZ to IN if the traffic is initiated from the DMZ.
This is easy to configure. All you need is:
config VLANx-y on the IN interface with a high security level,
config VLANz on the DMZ interface with a low security level,
and then inspect the traffic you need to permit.

Thanks. For this configuration, does VLAN Z/20 need to be connected to a separate physical interface on the firewall than the other VLANs? Because now they all go through the same one.

VLAN X can access VLAN Y, BUT VLAN Y cannot access VLAN X.
How will the config be?
The ASA depends on the security level:
from high to low the traffic passes;
from low to high the traffic is dropped unless you configure an ACL permitting the traffic.

The security level is configured in interface mode,
so you need to config VLAN x on an interface with a high security level
and config VLAN y on an interface with a low security level.

Hm, I set that VLAN Y network as a lower security level than the others, and it has its own inside interface separate from the rest of the main network and VLANs.

For access control list rules for that interface on the firewall, I allowed traffic from any source to go to that VLAN Y, then denied VLAN Y from going to any of the other VLANs' networks, and finally allowed VLAN Y to go to 0.0.0.0 outside so it can get internet. But that still blocked traffic between those VLANs both ways, meaning VLAN X couldn't access Y. But when I use the built-in packet tracer tool in the ASA, it indicates the packet would be allowed, which is not the case.

Without the ACLs, it lets both sides ping each other at least (although not RDP). But we don't want both sides to do that. The security level doesn't seem to be doing much to prevent VLAN Y from getting to the rest. Is there something I'm missing? And what did you mean specifically by "inspect the traffic"; something other than ACLs? Sorry, I'm new to the firewall side of things.
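The ASA model described in the security-level reply above, and the interface ACL attempt in the last post, as an added example that is not the thread's own configuration. Sub-interface numbers, interface names and gateway addresses are assumptions; the posts give only the VLAN numbers and subnets. Two ASA behaviours matter here: return packets of a connection the ASA has already accepted pass through its connection table without needing an ACL entry, and an ACL bound "in" on an interface is evaluated only on packets arriving on that interface, so a "permit any to VLAN Y" line in the lab interface's inbound ACL never sees inside-to-lab traffic.

```cisco
! Added example, not from the original thread. Interface names,
! sub-interface numbers and addresses are assumptions; VLAN 26 stands in
! for the internal VLANs ("VLAN X") and VLAN 20 for the lab ("VLAN Y").
!
interface GigabitEthernet0/1.26
 vlan 26
 nameif inside
 security-level 100
 ip address 10.1.26.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif lab
 security-level 10
 ip address 172.16.20.1 255.255.255.0
!
! Security levels alone give the one-way behaviour:
!   inside (100) -> lab (10)   allowed; replies come back through the
!                              connection table, no ACL entry needed
!   lab (10)   -> inside (100) dropped unless an ACL bound to "lab" permits it
!
! An ACL bound "in" on "lab" evaluates only packets ARRIVING on lab, i.e.
! packets sourced from 172.16.20.0/24, so a "permit any -> lab" line in it
! never matches. Keep it to: deny lab -> internal ranges, permit lab -> internet.
! (ASA ACLs use real subnet masks, not IOS wildcard masks.)
access-list lab_in extended deny   ip 172.16.20.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list lab_in extended permit ip 172.16.20.0 255.255.255.0 any
access-group lab_in in interface lab
!
! TCP connections such as RDP are tracked statefully by default. ICMP is
! not: without ICMP inspection an echo reply from lab to inside is treated
! as a new low-to-high flow and dropped. Enabling it in the default global
! policy makes ping behave like the TCP case.
policy-map global_policy
 class inspection_default
  inspect icmp
```

The "inspect the traffic" in the earlier reply presumably refers to this protocol inspection policy. One caveat that matches the symptom of VLAN X not reaching Y: if an ACL is already bound "in" on the inside interface, it must explicitly permit 10.0.0.0/8 to 172.16.20.0/24, because once any ACL is bound to an interface its implicit deny applies and the high-to-low default no longer grants anything for that interface. To check the live behaviour rather than the simulation, run `packet-tracer input inside icmp 10.1.29.2 8 0 172.16.20.2` and compare with `show conn` while a ping from 10.1.29.2 is in progress.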
