Cisco ACL - Restrict a subnet to access only one host on another subnet

I have two VLANs set up using a Catalyst switch and a 2621 using subinterfaces to route the VLANs. We also have a PIX506.

The basic routing works.

Both subnets use the PIX506 for their default gateway (10.1.199.1).

Subnet 1 = (10.1.199.x/24)
Subnet 2 = (10.1.250.x/24)

I would like to restrict "subnet 2"'s hosts from seeing "subnet 1"'s hosts, but because subnet 2 needs to access the PIX for Internet, I would like to see if subnet 2's gateway (10.1.250.1) can forward to 10.1.199.1 (PIX GW) without giving access to the rest of 10.1.199.0/24.

I am assuming (Newbie thought) that the PIX does not support encapsulation like the Router for subinterfaces...

Thanks in advance...


mutso Asked:
tymkoder Commented:
set up an ACL so that subnet 2 cannot get to subnet 1

A little rusty, but something like this (this may not work on the PIX):

Create this access list (IOS syntax; the destination addresses are corrected to the 10.1.199.x subnet from the question, and the wildcard mask typo on the deny line is fixed):
access-list 110 remark subnet 2 may reach the PIX gateway only
access-list 110 permit ip 10.1.250.0 0.0.0.255 10.1.199.1 0.0.0.0
access-list 110 remark but nothing else on subnet 1
access-list 110 deny ip 10.1.250.0 0.0.0.255 10.1.199.0 0.0.0.255
access-list 110 remark everything else (Internet) is allowed
access-list 110 permit ip any any

Then apply it to the subnet 2 interface on your router (I believe you are using your PIX as a router).

I know that my code is a little rough, but here is what it is going to do:
1st, allow any address from sub2 to get to the default gateway.
2nd, it will stop sub2 from routing to sub1.
Finally, it will allow sub2 to go anywhere else.

If someone else could please help and clean this up a bit, thanks.

tymkoder
0
 
AutoSponge Commented:
That won't work. ACLs are processed in line order. You need to add the specific host permit after the subnet is blocked. Otherwise, it's wiped out by the subnet deny statement.
0
 
tymkoder Commented:
AutoSponge
As you just said, ACLs are processed in line order. Correct me if I'm wrong, but if you block the subnet before you allow the particular host, the host will never get access. As soon as one of the statements is matched, the rest of the list does not matter. I don't know how ACLs work on the PIX.
If it is wrong, help out and make the corrections.

tymkoder
0
 
AutoSponge Commented:
If you permit a host, then deny the network, you just denied the host because he's part of the network. You have to permit the host after you deny the network.
0
 
Musfa Commented:
tymkoder's access list is correct. It doesn't need any clean-up :)

When a packet for the gateway arrives, the first rule in the access list is matched and the traffic is allowed.
When a packet for the rest of the network arrives, the first rule is not matched, so the process moves to the next rule, which is then matched and the traffic is blocked.

The first ACL entry allows the host only.
The second ACL entry denies the rest of the subnet.
0
 
Felix2000 Commented:
Yes, tymkoder's ACL is correct: once a match is made, it stops processing and forwards or drops the packet.

-= Felix =-
0
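The whole thread turns on one rule: an IOS access list is evaluated top to bottom, the first matching entry decides, and a packet that matches nothing hits the implicit deny at the end. The following Python model is an added example written for this page; it is not code from any of the posters. It parses tymkoder's list (with the 10.1.99.x typo corrected to 10.1.199.x, the subnet from the question), evaluates sample packets from 10.1.250.10 under both orderings the thread argues about, and runs a shadow check that flags any entry an earlier entry makes unreachable. The names `Spec`, `Ace`, `parse_acl`, `evaluate`, `shadowed_entries`, `HOST_FIRST` and `DENY_FIRST` are mine, the sample packets are constructed, and only the `ip` keyword with `any`, `host X` and `X WILDCARD` address forms is modelled.

```python
"""First-match evaluation of IOS-style extended ACL entries (added example,
not from the original thread). Models the 'ip' keyword, the 'any', 'host X'
and 'X WILDCARD' address forms, and the implicit deny at the end of the list.
"""
import ipaddress
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


class Spec:
    """An address plus an IOS wildcard mask: 0 bits must match, 1 bits are free."""

    def __init__(self, base: int, wildcard: int) -> None:
        self.wildcard = wildcard
        self.base = base & ~wildcard & MASK32

    def matches(self, addr: int) -> bool:
        return (addr & ~self.wildcard & MASK32) == self.base

    def covers(self, other: "Spec") -> bool:
        """True if every address matched by `other` is also matched by self."""
        free_bits_ok = (other.wildcard & ~self.wildcard & MASK32) == 0
        fixed_bits_ok = (other.base & ~self.wildcard & MASK32) == self.base
        return free_bits_ok and fixed_bits_ok


def _parse_spec(tokens: List[str]) -> Tuple[Spec, List[str]]:
    if tokens[0] == "any":
        return Spec(0, MASK32), tokens[1:]
    if tokens[0] == "host":
        return Spec(_ip(tokens[1]), 0), tokens[2:]
    return Spec(_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


class Ace:
    """One 'access-list <n> <permit|deny> ip <src> <dst>' entry."""

    def __init__(self, line: str) -> None:
        parts = line.split()
        if parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        self.action = parts[2]
        self.src, rest = _parse_spec(parts[4:])
        self.dst, rest = _parse_spec(rest)
        if rest:
            raise ValueError(f"trailing tokens in: {line!r}")


def parse_acl(config: str) -> List[Ace]:
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if not parts or (len(parts) > 2 and parts[2] == "remark"):
            continue  # blank lines and remarks are not entries
        entries.append(Ace(line))
    return entries


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index) of the first entry matching src->dst.
    Nothing below the first match is consulted; no match at all falls through
    to the implicit deny, reported with index None."""
    s, d = _ip(src), _ip(dst)
    for i, ace in enumerate(acl, start=1):
        if ace.src.matches(s) and ace.dst.matches(d):
            return ace.action, i
    return "deny", None


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """1-based indices of entries an earlier entry makes unreachable."""
    shadowed = []
    for j, later in enumerate(acl, start=1):
        if any(e.src.covers(later.src) and e.dst.covers(later.dst)
               for e in acl[: j - 1]):
            shadowed.append(j)
    return shadowed


# tymkoder's list with its typos corrected: host permit, subnet deny, rest permitted.
HOST_FIRST = parse_acl("""
access-list 110 remark subnet 2 may reach the PIX gateway but not subnet 1
access-list 110 permit ip 10.1.250.0 0.0.0.255 10.1.199.1 0.0.0.0
access-list 110 deny   ip 10.1.250.0 0.0.0.255 10.1.199.0 0.0.0.255
access-list 110 permit ip any any
""")

# The other ordering discussed in the thread: subnet deny above the host permit.
DENY_FIRST = parse_acl("""
access-list 110 deny   ip 10.1.250.0 0.0.0.255 10.1.199.0 0.0.0.255
access-list 110 permit ip 10.1.250.0 0.0.0.255 10.1.199.1 0.0.0.0
access-list 110 permit ip any any
""")

if __name__ == "__main__":
    for name, acl in (("host first", HOST_FIRST), ("deny first", DENY_FIRST)):
        for dst in ("10.1.199.1", "10.1.199.50", "8.8.8.8"):  # constructed packets
            print(name, "10.1.250.10 ->", dst, evaluate(acl, "10.1.250.10", dst))
        print(name, "shadowed entries:", shadowed_entries(acl))
```

Running it shows the host-first list permitting 10.1.250.10 to the PIX on entry 1, denying it to 10.1.199.50 on entry 2 and permitting it to 8.8.8.8 on entry 3, while the deny-first list drops the gateway packet on entry 1 and its host permit is reported as shadowed. Dropping the final `permit ip any any` shows the implicit deny: Internet-bound traffic matches nothing and is dropped. Two practitioner caveats: the list is only useful if it is applied inbound on the subnet 2 subinterface, where every packet has a 10.1.250.x source; and the syntax above is IOS, since PIX access-lists take a normal subnet mask (255.255.255.0) rather than a wildcard, so the same three entries have to be rewritten for the PIX.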