Solved

Cisco 1801 access list between VLANs

Posted on 2010-01-09
479 Views
Last Modified: 2012-05-08
I'm trying to add an access list between VLANs.

I want to deny source 172.16.1.0 255.255.255.0 destination 172.16.2.0 255.255.255.0

but I want to permit 172.16.2.0 255.255.255.0 to access the 172.16.1.0 255.255.255.0.

I tried, but it doesn't work. Can you please help with the configuration and positioning the access list in or out?

Please view my router configuration:

1801-router.txt
Question by:greekstones
5 Comments
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26273691
You cannot deny traffic on one side and permit it on the other; you will end up denying return traffic. You need two-way communication. You can try this:

ip access-list extended VLAN200_IN
 remark return traffic of TCP sessions opened from 172.16.2.0/24
 permit tcp any any established
 remark block anything 172.16.1.0/24 initiates toward 172.16.2.0/24
 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit ip any any
!
interface Vlan200
 ip address 172.16.1.1 255.255.255.0
 ip access-group VLAN200_IN in

It will allow return TCP traffic, but you will still drop UDP flows.
LVL 6

Author Comment

by:greekstones
ID: 26273892
Hi there,

thanks for your reply.

Yes, that works for all traffic, but ICMP is not working. I cannot ping from 172.16.2.4 to 172.16.1.100.

Also, what does the permit tcp any any established do? Because I have never seen this before.

Regards.
LVL 9

Accepted Solution

by: Vito_Corleone (earned 2000 total points)
ID: 26273960
The permit TCP any any established command allows the return traffic. It allows initiated traffic to return. So if 172.16.2.x traffic initiates a TCP flow to 172.16.1.x the traffic will be allowed to return.

Your pings aren't working because we are blocking all communication. You could do this:

ip access-list extended VLAN200_IN
 remark return traffic of TCP sessions opened from 172.16.2.0/24
 permit tcp any any established
 remark replies to pings sent from 172.16.2.0/24
 permit icmp any any echo-reply
 remark block anything 172.16.1.0/24 initiates toward 172.16.2.0/24
 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit ip any any

That new line in the ACL should allow ping replies from the 172.16.1.x hosts.
LVL 9

Assisted Solution

by: Vito_Corleone (earned 2000 total points)
ID: 26273963
You could also allow all ICMP if you don't mind letting ping through completely.
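As an added example (not part of the thread or of Cisco's code), a small Python model of the final ACL from the accepted solution, applied inbound on Vlan200, so it only ever sees packets sent by 172.16.1.x hosts. It walks constructed packets through first-match evaluation and shows why TCP replies pass on `established`, why the `echo-reply` line fixes ping from 172.16.2.4, and why the UDP return traffic mentioned in the first answer is still dropped. All packets and addresses are constructed.

```python
import ipaddress

# Added example: first-match model of the ACL applied inbound on Vlan200
# (the 172.16.1.0/24 side). Entry layout: (action, protocol, source, destination, option).
VLAN200_IN = [
    ("permit", "tcp", "any", "any", "established"),
    ("permit", "icmp", "any", "any", "echo-reply"),
    ("deny", "ip", ("172.16.1.0", "0.0.0.255"), ("172.16.2.0", "0.0.0.255"), None),
    ("permit", "ip", "any", "any", None),
]

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair (0.0.0.255 -> /24) into a network."""
    inverse = int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, 32 - inverse.bit_length()))

def in_scope(spec, ip):
    return spec == "any" or ipaddress.IPv4Address(ip) in wildcard_to_network(*spec)

def evaluate(acl, pkt):
    """Return the action of the first matching entry; IOS ends with an implicit deny."""
    for action, proto, src, dst, option in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (in_scope(src, pkt["src"]) and in_scope(dst, pkt["dst"])):
            continue
        # 'established' matches only TCP segments with ACK or RST set, i.e. replies.
        if option == "established" and not pkt.get("ack"):
            continue
        if option == "echo-reply" and pkt.get("icmp_type") != "echo-reply":
            continue
        return action
    return "deny"

# Constructed packets as they enter Vlan200, i.e. sent by 172.16.1.x hosts.
SAMPLES = {
    "tcp reply to a session 172.16.2.4 opened": {"proto": "tcp", "src": "172.16.1.100", "dst": "172.16.2.4", "ack": True},
    "tcp SYN opened by 172.16.1.100": {"proto": "tcp", "src": "172.16.1.100", "dst": "172.16.2.4", "ack": False},
    "udp reply to 172.16.2.4": {"proto": "udp", "src": "172.16.1.100", "dst": "172.16.2.4"},
    "ping reply to 172.16.2.4": {"proto": "icmp", "src": "172.16.1.100", "dst": "172.16.2.4", "icmp_type": "echo-reply"},
    "ping from 172.16.1.100 to 172.16.2.4": {"proto": "icmp", "src": "172.16.1.100", "dst": "172.16.2.4", "icmp_type": "echo"},
    "tcp SYN from 172.16.1.100 elsewhere": {"proto": "tcp", "src": "172.16.1.100", "dst": "203.0.113.10", "ack": False},
}

def run():
    return {name: evaluate(VLAN200_IN, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    print(run())
```

The model treats wildcards as contiguous masks, which is all this ACL uses; the UDP verdict is the gap a stateful inspection (or a reflexive ACL) would close.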
LVL 6

Author Comment

by:greekstones
ID: 26273996
Great, yes it worked.

Here is another 500 points.