Allow traffic that goes out back in but nothing else

wedge1988 (Member, 434 posts)
Hi All,

Confused with this. Tried to set it up using ACLs but to no avail. Reflexive ACLs don't work.

I need traffic that goes out of VLAN 10 to be allowed to return to VLAN 10, and at the same time deny access inbound to VLAN 10 from any other vlan.

I can't figure out what I'm supposed to do. If anybody can shed some light that would be good.

THANKS ALL
~ wedge1988 ~ IdioT Certified~
MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese

Comments

  • Mrock4 (Banned, 2,360 posts)
    Can you post your reflexive ACL config? They can be really tricky to get the syntax correct on.

    Also, the zone-based firewall feature will allow you to inspect all outbound traffic (if you choose to do so), therefore allowing traffic INITIATED from the inside to return back in, but it will not allow traffic initiated from the outside to in.
  • wedge1988 (Member, 434 posts)
    No problem:
    ip access-list extended test_IN
    evaluate MIRROR
    ip access-list extended test_OUT
    permit ip any any reflect MIRROR
    interface Vlan10
    ip access-group test_IN in
    ip access-group test_OUT out
  • Mrock4 (Banned, 2,360 posts)
    I realize the output is small, but I had issues attaching the image in its full size. But it worked fine for me with the exact same config. If on Windows just zoom in a bit (Ctrl +) and it should be readable.

    Or just reference it from here for the full size image: http://www.sgtccie.com/images/reflexive_ACL.png
  • wedge1988 (Member, 434 posts)
    That's exactly what I've done? Seems very strange. Did you apply the access lists to the VLAN or to the interface? Is this where I'm getting confused?
  • Mrock4 (Banned, 2,360 posts)
    I applied it directly to the interface. To be honest, now that I think of it, I've never tried to apply a reflexive ACL to an SVI. I only used the interface since I was doing it in GNS3. But yeah, it's literally the same config (pretty much copied and pasted).

    Try flipping your logic around on the SVI ACLs, like this:

    interface Vlan10
    ip access-group test_IN out
    ip access-group test_OUT in

    I realize this won't look right, but it can't hurt to try. See if you have any different results. I always mix up the directions for SVI ACLs.
  • wedge1988 (Member, 434 posts)
    That is so stupid?! It works now though!

    Question is: why does an SVI interface require the rules to be switched around? Having "in" on out and "out" on in doesn't make any logical sense haha
  • Mrock4 (Banned, 2,360 posts)
    Yep, it's gotten me a few times. The way I think about it is this:

    SVI ACL directions:

    "Out" keyword = traffic OUT to the devices on that VLAN
    "In" keyword = traffic IN from the devices on that VLAN
  • wedge1988 (Member, 434 posts)
    Yes, it's very confusing. I get it now though. Just to clarify, you mean:

    "Out" keyword = traffic OUT to the devices FROM that VLAN
    "In" keyword = traffic IN from the devices on that VLAN

    Thanks so much for the help! I'm sure this will be invaluable for my CCNA:Voice, wireless and CCNP coming up in the next year or so.
  • Mrock4 (Banned, 2,360 posts)
    Sort of. ACLs on SVIs will not filter traffic within a VLAN (i.e. Host A on VLAN 20 to Host B on VLAN 20). For that you'd need a VLAN access-map.

    So what I meant to be more accurate is this:

    "Out" keyword = traffic OUT to the devices on that VLAN FROM somewhere OTHER than that VLAN
    "In" keyword = traffic IN from the devices on that VLAN TO a destination on another subnet/VLAN

    I.e.: Let's say you've been told to filter SSH to Host B on VLAN 20. The source traffic is on VLAN 40. You could do something like this:

    access-list 100 deny tcp host 40.40.40.40 host 20.20.20.20 eq 22
    access-list 100 permit ip any any
    !
    int Vlan20
    ip access-group 100 out
    !

    The logic here would be "for traffic I am sending OUT to hosts on VLAN 20, I'll process the entries in ACL 100 and act accordingly."
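As an added illustration (not code from the thread or from Cisco), the Python model below mimics the working SVI setup the posts arrive at: the reflect list on Vlan10's "in" direction (packets leaving hosts on VLAN 10) and the evaluate list on its "out" direction (packets heading to VLAN 10 from other VLANs). The subnets, hosts and ports are constructed examples; intra-VLAN traffic is not modelled because, as noted above, the SVI never sees it.

```python
from dataclasses import dataclass

# Constructed addresses: VLAN 10 is 10.10.10.0/24, VLAN 20 is 10.10.20.0/24.
VLAN10 = "10.10.10."
VLAN20 = "10.10.20."


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Vlan10Svi:
    """Models 'interface Vlan10' with the config that worked in the thread:
    test_OUT (permit ip any any reflect MIRROR) applied 'in', i.e. to packets
    from hosts on VLAN 10; test_IN (evaluate MIRROR) applied 'out', i.e. to
    packets going to hosts on VLAN 10 from other VLANs."""

    def __init__(self):
        self.mirror = set()  # temporary reflexive entries created by 'reflect'

    def forward(self, p: Pkt) -> bool:
        if p.src.startswith(VLAN10):
            # 'in' direction: permit, and create the mirrored (reversed) entry
            self.mirror.add(Pkt(p.proto, p.dst, p.dport, p.src, p.sport))
            return True
        # 'out' direction: only packets matching a reflected entry pass;
        # everything else hits the implicit deny at the end of test_IN
        return p in self.mirror


def demo() -> dict:
    svi = Vlan10Svi()
    request = Pkt("tcp", VLAN10 + "5", 40000, VLAN20 + "7", 80)
    reply = Pkt("tcp", VLAN20 + "7", 80, VLAN10 + "5", 40000)
    unsolicited = Pkt("tcp", VLAN20 + "7", 50000, VLAN10 + "5", 22)
    return {
        "vlan10_to_vlan20": svi.forward(request),
        "reply_to_vlan10": svi.forward(reply),
        "unsolicited_into_vlan10": svi.forward(unsolicited),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'permit' if allowed else 'deny'}")
```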
  • iamme4eva (Member, 272 posts)
    Useful thread, thanks.
    Current objective: CCNA Security
    My blog: mybraindump.co.uk