Allow traffic that goes out back in but nothing else
wedge1988
Member Posts: 434 ■■■□□□□□□□
Hi All,
Confused with this. Tried to set it up using ACL's but to no avail. Reflexive ACL's dont work.
I need traffic that goes out of VLAN 10 to be allowed to return to VLAN 10, and at the same time deny access inbound to VLAN 10 from any other vlan.
I can't figure out what i'm supposed to do. If anybody can shed some light that would be good
THANKS ALL
Confused with this. Tried to set it up using ACL's but to no avail. Reflexive ACL's dont work.
I need traffic that goes out of VLAN 10 to be allowed to return to VLAN 10, and at the same time deny access inbound to VLAN 10 from any other vlan.
I can't figure out what i'm supposed to do. If anybody can shed some light that would be good
THANKS ALL
~ wedge1988 ~ IdioT Certified~
MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
Comments
-
Mrock4 Banned Posts: 2,359 ■■■■■■■■□□Can you post your reflexive ACL config? They can be really tricky get to get the syntax correct on.
Also, the zone-based firewall feature will allow you to inspect all outbound traffic (if you choose to do so) therefore allowing traffic INITIATED from the inside to return back in.....but will not allow traffic initiated from the outside to in. -
wedge1988 Member Posts: 434 ■■■□□□□□□□No Problem:ip access-list extended test_IN evaluate MIRROR
ip access-list extended test_OUT
permit ip any any reflect MIRRORinterface Vlan10
ip access-group test_IN in
ip access-group test_OUT out~ wedge1988 ~ IdioT Certified~
MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese -
Mrock4 Banned Posts: 2,359 ■■■■■■■■□□I realize the output is small - but I had issues attaching the image in it's full size. But it worked fine for me with the exact same config. If on windows just zoom in a bit (Ctrl +) and it should be readable.
Or just reference it from here for the full size image: http://www.sgtccie.com/images/reflexive_ACL.png -
wedge1988 Member Posts: 434 ■■■□□□□□□□That's exactly what i've done? Seems very strange. Did you apply the access lists to the vlan or to the interface? is this where i'm getting confused?~ wedge1988 ~ IdioT Certified~
MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese -
Mrock4 Banned Posts: 2,359 ■■■■■■■■□□I applied it directly to the interface. To be honest, now that I think of it, I've never tried to apply a reflexive ACL to an SVI. I only used the interface since I was doing it in GNS3. But yea- it's literally the same config (pretty much copy and pasted)
Try flipping your logic around on the SVI ACLs, like this:
interface Vlan10
ip access-group test_IN out
ip access-group test_OUT in
I realize this won't look right, but it can't hurt to try. See if you have any different results. I always mix up the directions for SVI ACLs. -
wedge1988 Member Posts: 434 ■■■□□□□□□□That is so stupid?! It works now though!
Question is; why des an SVI interface require the rules to be switched around? having in on out and out on in does'nt make any logical sense haha~ wedge1988 ~ IdioT Certified~
MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese -
Mrock4 Banned Posts: 2,359 ■■■■■■■■□□Yep- it's gotten me a few times. The way I think about it is this:
SVI ACL directions:
"Out" keyword = traffic OUT to the devices on that VLAN
"In" keyword = traffic IN from the devices on that VLAN -
wedge1988 Member Posts: 434 ■■■□□□□□□□Yes it's very confusing. I get it now though. Just to clarify you mean:
"Out" keyword = traffic OUT to the devices FROM that VLAN
"In" keyword = traffic IN from the devices on that VLAN
Thanks so much for the help! I'm sure this will be invaluable for my CCNA:Voice, wireless and CCNP coming up in the next year or so~ wedge1988 ~ IdioT Certified~
MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese -
Mrock4 Banned Posts: 2,359 ■■■■■■■■□□Sort of- ACLs on SVIs will not filter traffic within a VLAN (ie: Host A on VLAN 20 to Host B on VLAN 20)..for that you'd need a VLAN access-map.
So what I meant to be more accurate is this:
"Out" keyword = traffic OUT to the devices on that VLAN FROM somewhere OTHER than that VLAN
"In" keyword = traffic IN from the devices on that VLAN TO a destination on another subnet/VLAN
Ie: Let's say you've been told to filter SSH to Host B on VLAN 20. The source traffic is on VLAN 40. You could do something like this:
access-list 100 deny tcp host 40.40.40.40 host 20.20.20.20 eq 22
access-list 100 permit ip any any
!
int Vlan20
ip access-group 100 out
!
The logic here would be "for traffic I am sending OUT to hosts on VLAN 20..I'll process the entries in ACL 100 and act accordingly." -
iamme4eva Member Posts: 272Useful thread, thanks.Current objective: CCNA Security
My blog: mybraindump.co.uk