established acl in cisco 3560

I use a Cisco 3560.
I want VLAN A to access VLAN B with the TCP protocol, while VLAN B cannot access VLAN A. VLAN A and VLAN B should both be able to access the internet.
VLAN A: 10.10.10.1/24, VLAN B: 10.10.20.1/24

ip access-list extend test
permit tcp any 10.10.20.0 0.0.0.255 established
permit ip any any

interface  vlan A
ip access-group test out

interface vlan B
ip access-group test in

But it seems not to work: both can access the internet and access each other.
Is it my configuration problem?
kai zhang asked:

atlas_shuddered (Sr. Network Engineer) commented:
More to the point, your permit any any is going to allow anything not previously denied. If I am understanding your goal correctly, try this:

ip access ext A_to_B
permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip any any

ip access ext B_to_A
permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip any any

interface vlan A
ip access-group A_to_B out

interface vlan B
ip access-group B_to_A out
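To make the first-match behaviour behind that comment concrete, here is an added example (not code from the question or from either answer) that simulates IOS extended-ACL evaluation in Python: it parses ACL lines in the form used on this page, applies them first-match with the implicit trailing deny, and treats "established" as matching only TCP segments carrying ACK or RST. It is run over the ACL from the question and over a constructed ACL intended for "ip access-group ... in" on interface vlan B; the host addresses and the internet destination 198.51.100.10 are constructed sample values.

```python
import ipaddress
from collections import namedtuple

# proto: "tcp", "udp", "icmp", ...; flags: TCP flags such as {"SYN"} or {"ACK"}
Packet = namedtuple("Packet", "proto src dst flags", defaults=[frozenset()])

def _parse_addr(tok, i):
    # One IOS address spec at tok[i]: 'any' or 'ADDR WILDCARD'; returns (addr, wildcard, next i)
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1            # all-ones wildcard matches everything
    return int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1])), i + 2

def _matches(addr, wildcard, ip):
    # Cisco wildcard: a 1 bit is "don't care", so 10.10.10.1 0.0.0.255 covers 10.10.10.0/24
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == addr & care

def parse_acl(text):
    # Parses 'permit|deny PROTO SRC [WC] DST [WC] [established]' lines; other lines are skipped
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, swc, i = _parse_addr(tok, 2)
        dst, dwc, i = _parse_addr(tok, i)
        aces.append((tok[0], tok[1], src, swc, dst, dwc, "established" in tok[i:]))
    return aces

def evaluate(aces, pkt):
    # First match wins: returns (action, 1-based ACE number); ('deny', None) is the implicit deny
    for n, (action, proto, src, swc, dst, dwc, established) in enumerate(aces, 1):
        if proto not in ("ip", pkt.proto):
            continue
        if not (_matches(src, swc, pkt.src) and _matches(dst, dwc, pkt.dst)):
            continue
        if established and not (set(pkt.flags) & {"ACK", "RST"}):   # a bare SYN is not 'established'
            continue
        return action, n
    return "deny", None

# The ACL from the question: ACE 2 permits everything that ACE 1 did not already permit.
ORIGINAL = parse_acl("""permit tcp any 10.10.20.0 0.0.0.255 established
permit ip any any""")
# Constructed policy for 'ip access-group ... in' on interface vlan B (packets arriving from
# VLAN B hosts): only TCP replies may reach VLAN A, nothing else may, everything else is allowed.
B_INBOUND = parse_acl("""permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip any any""")
```

Under ORIGINAL a new connection from VLAN B to VLAN A (a bare SYN) is permitted by ACE 2, which is why both VLANs could still reach each other; under B_INBOUND the same SYN falls through the "established" line and hits the deny, while replies and internet-bound traffic are still permitted.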
 
Ayoub Rouzi (CEO & Co-Founder) commented:
Hi,

You should add:

deny ip 10.10.10.1 0.0.0.255 10.10.20.1 0.0.0.255

Ayoub Rouzi (CEO & Co-Founder) commented:
The solution is pretty clear, and Mr. Atlas_shuddered confirms the same point.