ACL question using Boson Netsim 6

stois21 (Registered Users, Posts: 4)
Hello, I am new to Boson NetSim 6... I want to create an extended ACL that allows a single host from one network to have IP communication only with a specific host from another network. The topology of the network is something like this:
PC1 (172.16.2.1) --- F0/0 [RouterA] --- serial link --- [RouterB] F0/0 --- Server1 (172.16.3.2)

In configuration mode on RouterA I created this ACL:
access-list 101 permit ip host 172.16.2.1 host 172.16.3.2
and I applied it to the F0/0 interface as inbound, and it works fine: the only host from the 172.16.2.0/24 network that can communicate with Server1 is PC1.

But I don't want there to be any other kind of communication between the 2 networks. I only want PC1 to communicate with Server1, but also for Server1 to not be able to initiate communication, only to respond (I don't know if it is possible). Is there any way to create an ACL on RouterB that will only pass traffic between PC1 and Server1 after communication has been established between them?
I tried creating the ACL:
access-list 110 permit ip host 172.16.3.2 any established
after seeing something similar in a Cisco tutorial, but it doesn't work.
Please help...

Comments

  • Mierdin (Member, Posts: 79)
    stois21 wrote: »
    But I don't want there to be any other kind of communication between the 2 networks. I only want PC1 to communicate with Server1, but also for Server1 to not be able to initiate communication, only to respond (I don't know if it is possible). Is there any way to create an ACL on RouterB that will only pass traffic between PC1 and Server1 after communication has been established between them?
    I tried creating the ACL:
    access-list 110 permit ip host 172.16.3.2 any established
    after seeing something similar in a Cisco tutorial, but it doesn't work.
    Please help...

    What doesn't work about it? That syntax is correct, although I couldn't quite make out your diagram. (Meaning that IP address may be incorrect - might want to post your running configs for the routers)

    The important thing to consider is that you've applied it on the correct interface. If you applied it on the interface PC1 is connecting to, it won't allow reflexive communication with the server. You'll have to apply it on the RouterA interface that's connected to RouterB.

    Make sense?
    "We gain complexity by linking together. To be isolated within a single platform is to be reduced. We see less. Understand less. It is quieter.” -Legion

    Current Focus: CCIE R/S
    Blog -- Keeping It Classless
  • stois21 (Registered Users, Posts: 4)
    Thanks Mierdin for the quick reply. Yes, now I see that my diagram is mixed up (I had spaces between the IPs and the interfaces but they are gone). The IPs are:
    PC1: 172.16.2.1 and for the server: 172.16.3.2, and both are connected on the Fast Ethernet interface F0/0 of RouterA and RouterB respectively.
    I have applied the 101 access list on the F0/0 interface of RouterA and it works just fine, filtering all traffic from the 172.16.2.0/24 subnet and allowing only PC1 to initiate communication outside the network, and only to Server1.
    Now the 110 ACL that I wrote I am trying to apply to the F0/0 interface of RouterB that Server1 is connected to, as inbound, to filter all incoming traffic so that Server1 can't initiate nor establish communication, only reply to PC1.
    If I understand correctly, you are saying that I shouldn't apply the 110 ACL on the F0/0 of RouterB but on the serial interface of RouterA that connects RouterA with RouterB?
  • stois21 (Registered Users, Posts: 4)
    Thanks for the reply. I tried what you said, but I get an error; I think that the established keyword doesn't work with ip after all, it only works with tcp. But I still can't figure out how to allow traffic from Server1 only when it needs to reply to PC1.
  • Monkerz (Member, Posts: 842)
    I can't think today, this should work for you.

    access-list 110 permit tcp any any established

    Apply to RouterA inbound on serial interface.

    Edit: This is provided you are using ACL 101 still to block all other traffic.
  • stois21 (Registered Users, Posts: 4)
    Thanks again. Yes, I think in theory this will work, but I can't create the ACL; I get the error message:
    %Invalid input detected at '^' marker.
    and the marker is at the established keyword. It's not a syntax error, I checked. Also I have the same problem when I try to block FTP traffic using the eq ftp keywords. I don't know if the problem is the Boson NetSim version I have; it's version v6.00.
  • Monkerz (Member, Posts: 842)
    If you can figure it out, you can use the reflect keyword to set it up, but I haven't dove that deep into reflexive ACLs.
  • Mierdin (Member, Posts: 79)
    Monkerz wrote: »
    I can't think today, this should work for you.

    access-list 110 permit tcp any any established

    Apply to RouterA inbound on serial interface.

    Edit: This is provided you are using ACL 101 still to block all other traffic.

    ACL 110 will block all other traffic by default because of the invisible implicit deny all at the bottom.

    Also, this is only useful when the 'established' keyword is specified as you've shown, since the idea of a reflexive ACL is based on established sessions. I didn't catch that the first time because I was on my Droid and things were happening.
  • Monkerz (Member, Posts: 842)
    Mierdin wrote: »
    ACL 110 will block all other traffic by default because of the invisible implicit deny all at the bottom.

    I meant to block all other traffic that isn't to or from the server or PC.
  • Mierdin (Member, Posts: 79)
    Monkerz wrote: »
    I meant to block all other traffic that isn't to or from the server or PC.

    I know, and I knew you knew, just clarifying for our friend. No worries.
    stois21 wrote: »
    Thanks again. Yes, I think in theory this will work, but I can't create the ACL; I get the error message:
    %Invalid input detected at '^' marker.
    and the marker is at the established keyword. It's not a syntax error, I checked. Also I have the same problem when I try to block FTP traffic using the eq ftp keywords. I don't know if the problem is the Boson NetSim version I have; it's version v6.00.

    The syntax Monkerz provided was correct, it works for me, and I'm running IOS 12.4. I also tried it with eq ftp, and that worked as well. Just curious, are you in global config mode when you enter these? That's the only thing I can think of that would make sense why they're not being accepted. Otherwise I'm not sure.
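The two approaches the thread arrives at, written out as one added IOS configuration example for RouterA (this is not from the original posts, from Boson, or from Cisco documentation): first the `established` variant Monkerz proposes, then the reflexive ACL Monkerz mentions but does not spell out. Addresses are the ones stois21 gave; the interface name Serial0/0, the ACL names TO-SERVER, FROM-SERVER and PC1-SESSIONS, and the timeout values are assumptions. The security caveat a practitioner wants here: `established` only checks that the TCP ACK or RST bit is set, so a host on Server1's side can still push ACK-flagged probes (an ACK scan) through it, and it says nothing about UDP or ICMP, so PC1's pings get no replies. A reflexive ACL instead creates a temporary mirror entry for each session PC1 actually opens and admits only the matching return traffic, for TCP, UDP and ICMP alike. The thread reports NetSim v6 rejecting `established` and `eq ftp`; on real IOS (Mierdin reports 12.4) both are accepted.

```cisco
! ===== Option 1: 'established' (TCP only) =====
! RouterA F0/0 (PC1 side), inbound: only PC1 may send, and only to Server1.
! The implicit "deny ip any any" at the end drops everything else from 172.16.2.0/24.
access-list 101 permit ip host 172.16.2.1 host 172.16.3.2
!
! RouterA serial link toward RouterB, inbound: only TCP segments with ACK or RST
! set are allowed back in. Narrowed from Monkerz's "any any" to the two hosts.
! Caveat: Server1 can still originate ACK-flagged probes through this line,
! and ICMP/UDP replies to PC1 are dropped because 'established' is TCP only.
access-list 110 permit tcp host 172.16.3.2 host 172.16.2.1 established
!
interface FastEthernet0/0
 ip access-group 101 in
!
! Serial0/0 is an assumed name for the link to RouterB.
interface Serial0/0
 ip access-group 110 in
!
! ===== Option 2: reflexive ACL (stateful; covers TCP, UDP and ICMP) =====
! Reflexive ACLs require named extended ACLs. On the serial link, each
! PC1 -> Server1 packet that matches a 'reflect' line creates a temporary
! mirrored entry in PC1-SESSIONS (swapped addresses and ports); the
! 'evaluate' line on the inbound side admits only packets matching those
! entries. Entries age out after the per-line timeout (seconds, assumed
! values) or, for TCP, shortly after FIN/RST is seen.
ip access-list extended TO-SERVER
 permit tcp host 172.16.2.1 host 172.16.3.2 reflect PC1-SESSIONS timeout 300
 permit udp host 172.16.2.1 host 172.16.3.2 reflect PC1-SESSIONS timeout 60
 permit icmp host 172.16.2.1 host 172.16.3.2 reflect PC1-SESSIONS timeout 60
 deny ip any any log
!
ip access-list extended FROM-SERVER
 evaluate PC1-SESSIONS
 deny ip any any log
!
! Replace option 1 on the serial interface with the reflexive pair.
! ACL 101 stays on F0/0 so nothing but PC1 reaches the serial link at all.
interface Serial0/0
 no ip access-group 110 in
 ip access-group TO-SERVER out
 ip access-group FROM-SERVER in
```

To confirm option 2 is doing what the thread wants, open a connection from PC1 to Server1 and run `show ip access-lists` on RouterA: the PC1-SESSIONS list should show a temporary entry with the server as source and PC1 as destination, and it should be absent when Server1 tries to connect first, in which case the `deny ip any any log` line in FROM-SERVER records the attempt.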