Allow traffic that goes out back in but nothing else

wedge1988

Hi All,

Confused with this. Tried to set it up using ACL's but to no avail. Reflexive ACL's dont work.

I need traffic that goes out of VLAN 10 to be allowed to return to VLAN 10, and at the same time deny access inbound to VLAN 10 from any other vlan.

I can't figure out what i'm supposed to do. If anybody can shed some light that would be good

THANKS ALL

Find more posts tagged with

Comments

Mrock4

Can you post your reflexive ACL config? They can be really tricky get to get the syntax correct on.

Also, the zone-based firewall feature will allow you to inspect all outbound traffic (if you choose to do so) therefore allowing traffic INITIATED from the inside to return back in.....but will not allow traffic initiated from the outside to in.

wedge1988

No Problem:

ip access-list extended test_IN evaluate MIRROR
ip access-list extended test_OUT
permit ip any any reflect MIRROR

interface Vlan10
ip access-group test_IN in
ip access-group test_OUT out

Mrock4

I realize the output is small - but I had issues attaching the image in it's full size. But it worked fine for me with the exact same config. If on windows just zoom in a bit (Ctrl +) and it should be readable.

Or just reference it from here for the full size image: http://www.sgtccie.com/images/reflexive_ACL.png

wedge1988

That's exactly what i've done? Seems very strange. Did you apply the access lists to the vlan or to the interface? is this where i'm getting confused?

Mrock4

I applied it directly to the interface. To be honest, now that I think of it, I've never tried to apply a reflexive ACL to an SVI. I only used the interface since I was doing it in GNS3. But yea- it's literally the same config (pretty much copy and pasted)

Try flipping your logic around on the SVI ACLs, like this:

interface Vlan10
ip access-group test_IN out
ip access-group test_OUT in

I realize this won't look right, but it can't hurt to try. See if you have any different results. I always mix up the directions for SVI ACLs.

wedge1988

That is so stupid?! It works now though!

Question is; why des an SVI interface require the rules to be switched around? having in on out and out on in does'nt make any logical sense haha

Mrock4

Yep- it's gotten me a few times. The way I think about it is this:

SVI ACL directions:

"Out" keyword = traffic OUT to the devices on that VLAN
"In" keyword = traffic IN from the devices on that VLAN

wedge1988

Yes it's very confusing. I get it now though. Just to clarify you mean:

"Out" keyword = traffic OUT to the devices FROM that VLAN
"In" keyword = traffic IN from the devices on that VLAN

Thanks so much for the help! I'm sure this will be invaluable for my CCNA:Voice, wireless and CCNP coming up in the next year or so

Mrock4

Sort of- ACLs on SVIs will not filter traffic within a VLAN (ie: Host A on VLAN 20 to Host B on VLAN 20)..for that you'd need a VLAN access-map.

So what I meant to be more accurate is this:

"Out" keyword = traffic OUT to the devices on that VLAN FROM somewhere OTHER than that VLAN
"In" keyword = traffic IN from the devices on that VLAN TO a destination on another subnet/VLAN

Ie: Let's say you've been told to filter SSH to Host B on VLAN 20. The source traffic is on VLAN 40. You could do something like this:

access-list 100 deny tcp host 40.40.40.40 host 20.20.20.20 eq 22
access-list 100 permit ip any any
!
int Vlan20
ip access-group 100 out
!

The logic here would be "for traffic I am sending OUT to hosts on VLAN 20..I'll process the entries in ACL 100 and act accordingly."

iamme4eva

Useful thread, thanks.