Solved

CISCO 1801 access list between VLANs

Posted on 2010-01-09
Last Modified: 2012-05-08
I'm trying to add an access list between VLANs.

I want to deny source 172.16.1.0 255.255.255.0 to destination 172.16.2.0 255.255.255.0,

but I want to permit 172.16.2.0 255.255.255.0 to access 172.16.1.0 255.255.255.0.

I tried, but it doesn't work. Can you please help with the configuration and with positioning the access list (in or out)?

please view my router configuration

1801-router.txt
Question by:greekstones
5 Comments
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26273691
You cannot deny traffic on one side and permit it on the other; you will end up denying return traffic. You need two-way communication. You can try this:

ip access-list extended VLAN200_IN
 permit tcp any any established
 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit ip any any
!
interface Vlan200
 ip address 172.16.1.1 255.255.255.0
 ip access-group VLAN200_IN in

It will allow return TCP traffic, but you will still drop UDP flows.
 
LVL 6

Author Comment

by:greekstones
ID: 26273892
Hi there,

Thanks for your reply.

Yes, that works for all traffic, but ICMP is not working. I cannot ping from 172.16.2.4 to 172.16.1.100.

Also, what does the permit tcp any any established do? Because I have never seen this before.

Regards.
 
 
LVL 9

Accepted Solution

by:Vito_Corleone (earned 2000 total points)
ID: 26273960
The permit TCP any any established command allows the return traffic. It allows initiated traffic to return. So if 172.16.2.x traffic initiates a TCP flow to 172.16.1.x the traffic will be allowed to return.

Your pings aren't working because we are blocking all communication. You could do this:

ip access-list extended VLAN200_IN
 permit tcp any any established
 permit icmp any any echo-reply
 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit ip any any

That new line in the ACL should allow ping replies from the 172.16.1.x hosts.
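As an added example (not part of the thread and not Cisco's code), here is a small Python model of first-match ACL evaluation that shows both points the replies make: why a plain one-way deny also drops the return half of every session, and why adding permit tcp any any established and permit icmp any any echo-reply lets replies through while sessions initiated from 172.16.1.0/24 stay blocked. The ACL text is the one posted above; the packets and the 10.0.0.1 destination are constructed; the model assumes IOS established semantics (TCP segment with ACK or RST set), first-match evaluation with an implicit trailing deny, and contiguous wildcard masks.

```python
"""Toy first-match evaluator for Cisco IOS extended ACLs (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    established: bool = False  # TCP segment with ACK or RST set (what IOS 'established' matches)
    icmp_type: str = ""        # e.g. "echo" (request) or "echo-reply"


ANY = ip_network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """Convert IOS 'address wildcard' (e.g. 172.16.1.0 0.0.0.255) to a network."""
    hostmask = int(ip_address(wildcard))
    # Only contiguous wildcards map to a prefix length; that is all this toy supports.
    assert ((hostmask + 1) & hostmask) == 0, "non-contiguous wildcard not supported"
    return ip_network(f"{addr}/{32 - hostmask.bit_length()}", strict=False)


def parse_ace(line):
    """Parse one 'permit|deny proto src dst [qualifiers]' line into a tuple."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2

    def take_net():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ANY
        net = wildcard_to_network(tok[i], tok[i + 1])
        i += 2
        return net

    src, dst = take_net(), take_net()
    return action, proto, src, dst, tok[i:]   # trailing tokens: established / ICMP type


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def ace_matches(ace, pkt):
    action, proto, src, dst, qual = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in src or ip_address(pkt.dst) not in dst:
        return False
    if "established" in qual and not pkt.established:
        return False
    icmp_types = [q for q in qual if q != "established"]
    if proto == "icmp" and icmp_types and pkt.icmp_type not in icmp_types:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"


# The naive "just deny one direction" list, and the VLAN200_IN list from the thread.
NAIVE_ACL = """
deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
permit ip any any
"""
VLAN200_IN = """
permit tcp any any established
permit icmp any any echo-reply
deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
permit ip any any
"""

# Constructed packets as seen inbound on Vlan200, i.e. sourced from 172.16.1.0/24.
PACKETS = {
    "tcp_syn_from_vlan200": Packet("tcp", "172.16.1.5", "172.16.2.4"),
    "tcp_reply_to_vlan2":   Packet("tcp", "172.16.1.5", "172.16.2.4", established=True),
    "ping_reply_to_vlan2":  Packet("icmp", "172.16.1.100", "172.16.2.4", icmp_type="echo-reply"),
    "ping_from_vlan200":    Packet("icmp", "172.16.1.100", "172.16.2.4", icmp_type="echo"),
    "udp_reply_to_vlan2":   Packet("udp", "172.16.1.5", "172.16.2.4"),
    "tcp_to_elsewhere":     Packet("tcp", "172.16.1.5", "10.0.0.1"),  # constructed third network
}


def verdicts(acl_text):
    """Return {packet name: 'permit'|'deny'} for every constructed packet."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, text in (("naive", NAIVE_ACL), ("VLAN200_IN", VLAN200_IN)):
        print(label, verdicts(text))
```

Running it shows the naive list denying the TCP reply and the echo-reply (the symptom in the question), while VLAN200_IN permits both and still denies the SYN and the echo request that originate on the 172.16.1.x side. The udp_reply_to_vlan2 case stays denied under both lists, which is the UDP caveat from the first reply: established only exists for TCP, so UDP return flows need their own entry or a stateful inspection feature.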
 
LVL 9

Assisted Solution

by:Vito_Corleone (earned 2000 total points)
ID: 26273963
You could also allow all ICMP if you don't mind letting ping through completely.
 
LVL 6

Author Comment

by:greekstones
ID: 26273996
Great, yes, it worked.

here is another 500 points.