mutso

asked on
Cisco ACL - Restrict a subnet to access only one host on another subnet

I have two VLANs set up using a Catalyst switch and a 2621 using subinterfaces to route the VLANs. We also have a PIX506.

The basic routing works.

Both subnets use the PIX506 for their default gateway (10.1.199.1).

Subnet 1 = (10.1.199.x/24)
Subnet 2 = (10.1.250.x/24)

I would like to restrict "subnet 2"'s hosts from seeing "subnet 1"'s hosts, but because subnet 2 needs to access the PIX for Internet, I would like to see if subnet 2's gateway (10.1.250.1) can forward to 10.1.199.1 (PIX GW) without giving access to the rest of 10.1.199.0/24.

I am assuming (Newbie thought) that the PIX does not support encapsulation like the Router for subinterfaces...

Thanks in advance...


ASKER CERTIFIED SOLUTION
tymkoder

AutoSponge

That won't work.  ACLs are processed in line order.  You need to add the specific host permit after the subnet is blocked.  Otherwise, it's wiped out by the subnet deny statement.
AutoSponge
As you just said, ACLs are processed in line order. Correct me if I'm wrong, but if you block the subnet before you allow the particular host, the host will never get access. As soon as one of the statements is matched, the rest of the list does not matter. I don't know how ACLs work on the PIX.
If it is wrong, help out and make the corrections.

tymkoder
If you permit a host then deny the network you just denied the host because he's part of the network.  You have to permit the host after you deny the network.
tymkoder's access list is correct. Doesn't need any clean up :)

When the packet for the gateway arrives, first rule in the access list is matched and traffic is allowed.
When the packet for the rest of the network arrives, the first rule is not matched, so the process moves to the next rule, which is then matched and traffic is blocked.

The first ACL entry allows the host only.
The second ACL entry denies the rest of the subnet.
Yes, tymkoder's ACL is correct; once a match is made it stops processing and forwards or drops the packet.

-= Felix =-
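The first-match behaviour the thread describes, as an added example that is not part of the original thread or of tymkoder's access list: a small evaluator that walks entries in line order, with the question's addresses (10.1.199.1 as the permitted host, 10.1.199.0/24 as the denied subnet). It simplifies Cisco ACL matching to the destination address only, and the trailing `permit any` entry is an assumption added here so that traffic bound for other destinations is not dropped by the implicit deny at the end of every Cisco ACL.

```python
from ipaddress import ip_address, ip_network

# Addresses taken from the question: VLAN 250 hosts must reach the PIX
# gateway 10.1.199.1 but nothing else in 10.1.199.0/24.
PIX_GW = "10.1.199.1"
SUBNET_1 = "10.1.199.0/24"


def evaluate(acl, dst):
    """Return 'permit' or 'deny' for a destination, Cisco-style.

    Entries are (action, network) pairs checked in line order; the first
    entry whose network contains dst decides the result.  A packet that
    matches no entry hits the implicit 'deny any' that ends every ACL.
    """
    addr = ip_address(dst)
    for action, net in acl:
        if addr in ip_network(net):
            return action
    return "deny"  # implicit deny at the end of the list


# Ordering the thread agrees on: host permit first, subnet deny second,
# then (assumption, not on the page) a final permit so traffic for any
# other destination is not eaten by the implicit deny.
CORRECT_ACL = [
    ("permit", PIX_GW + "/32"),
    ("deny", SUBNET_1),
    ("permit", "0.0.0.0/0"),
]

# The ordering AutoSponge warned against: the /24 deny is matched before
# the host permit is ever reached, so the gateway is unreachable.
WRONG_ACL = [
    ("deny", SUBNET_1),
    ("permit", PIX_GW + "/32"),
    ("permit", "0.0.0.0/0"),
]


def compare(dst):
    """Result of both orderings for one destination: (correct, wrong)."""
    return evaluate(CORRECT_ACL, dst), evaluate(WRONG_ACL, dst)


if __name__ == "__main__":
    # 203.0.113.10 is a constructed Internet destination (documentation range).
    for dst in (PIX_GW, "10.1.199.50", "203.0.113.10"):
        good, bad = compare(dst)
        print(f"{dst:14} correct order: {good:7} wrong order: {bad}")
```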