CLASSIC IOS TRANSPARENT Firewall

VLAN 23 users are only allowed to initiate FTP, HTTP and DNS connections to the servers on VLAN 100 and are not allowed to access VLAN 13.


The solution guide has the following as a solution for this task.


ip access-list extended OUTSIDE_IN
 permit ip any 10.0.0.0 0.0.0.255
 deny ip any any log
!
interface FastEthernet 0/1.23
 bridge-group 1
 ip access-group OUTSIDE_IN in
 ip inspect DMZ_PROTOCOLS in
 ! input-type-list 201 is for IPv6 only
 bridge-group 1 input-type-list 201


All the interfaces are in the same layer 3 network, 10.0.0.0/24. This will not block access from VLAN 23 to VLAN 13. Does anyone else agree with this? If yes, then how can we achieve the requirements?


Thanks,

Ajay

Comments

  • Precisely.

    An inbound ACL on the Out interface fa0/1.23 effectively allows all traffic from VLAN 23 to VLAN 13.

    This included return traffic for protocols not allowed from R1 to R2 as well as any traffic from R2 to R1 ...


    Basically, the solution doesn't work ...


    Any ideas ?


  • You are right. The 10 network is on all 3 interfaces, so we are not restricting access from VLAN 23 to VLAN 13.

    To meet the task, we could add a deny ip any any ACL outbound on R3 fa 0/0. That would prevent VLAN 23 from initiating traffic to VLAN 13.

    Good eyes!  I will add that to our list of updates needed for the vol 1 v5 beta content.

    Thanks, Keith.
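The complete R3 configuration with Keith's outbound deny in place, written out as an added example; it is not the solution guide's configuration and not Keith's own. It keeps the names that appear in the thread (bridge-group 1, OUTSIDE_IN, DMZ_PROTOCOLS, fa0/1.23, fa0/0) and assumes everything else: VLAN 100 sits behind a sub-interface fa0/1.100, the VLAN 100 servers are 10.0.0.100 (FTP and HTTP) and 10.0.0.53 (DNS), and DNS is covered by generic UDP inspection. Those addresses and the sub-interface name are placeholders. The inbound ACL is also tightened to the three services the task names instead of the guide's permit ip any 10.0.0.0 0.0.0.255, so it goes slightly beyond the thread.

```cisco
! Added example, not the solution guide's config: R3 as a transparent
! (bridged) firewall between VLAN 23, VLAN 100 and VLAN 13.
! Assumed: VLAN 13 behind fa0/0, VLAN 100 behind fa0/1.100, servers
! 10.0.0.100 (FTP/HTTP) and 10.0.0.53 (DNS). All of these are placeholders.
bridge 1 protocol ieee
!
! From VLAN 23 only FTP, HTTP and DNS to the VLAN 100 servers are allowed in.
ip access-list extended OUTSIDE_IN
 permit tcp any host 10.0.0.100 eq ftp
 permit tcp any host 10.0.0.100 eq www
 permit udp any host 10.0.0.53 eq domain
 permit tcp any host 10.0.0.53 eq domain
 deny   ip any any log
!
! Keith's fix: nothing may be initiated out of fa0/0 towards VLAN 13.
ip access-list extended TO_VLAN13_OUT
 deny ip any any log
!
! Stateful inspection opens the return path for sessions started from VLAN 23;
! DNS over UDP is handled by the generic udp inspection.
ip inspect name DMZ_PROTOCOLS ftp
ip inspect name DMZ_PROTOCOLS http
ip inspect name DMZ_PROTOCOLS udp
!
interface FastEthernet0/1.23
 encapsulation dot1Q 23
 bridge-group 1
 ip access-group OUTSIDE_IN in
 ip inspect DMZ_PROTOCOLS in
!
interface FastEthernet0/1.100
 encapsulation dot1Q 100
 bridge-group 1
!
interface FastEthernet0/0
 bridge-group 1
 ip access-group TO_VLAN13_OUT out
```

The outbound deny on fa0/0 is what closes the gap the thread describes: because all three bridged segments share 10.0.0.0/24, an inbound ACL on fa0/1.23 cannot tell a VLAN 13 host apart from a VLAN 100 server by address alone, but an ACL on the VLAN 13 egress interface can refuse everything regardless of where it entered. To confirm the behaviour, start an FTP or HTTP session from VLAN 23 and check show ip inspect sessions for the dynamic entry, then try any connection to a VLAN 13 host and watch the deny counter and log line on TO_VLAN13_OUT in show ip access-lists.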
