04-16-2009 05:30 AM
ACCESS-LIST definition problem
I have a problem with an access list definition on an HP 5412zl switch. I want network 192.168.115.0/24 to reach network 192.168.2.0/24 and block network 192.168.2.0/24 from reaching 192.168.115.0/24.
I attached SHOW RUN.
Please help, Avi
04-17-2009 12:32 AM
Re: ACCESS-LIST definition problem
> I want network 192.168.115.0/24 to reach 192.168.2.0/24
> and block network 192.168.2.0/24 from reaching 192.168.115.0/24
Do you want only one-way traffic? Or did you mean you only want sessions originating from 192.168.115.0/24 to reach 192.168.2.0/24?
In the latter case you cannot do this with "normal" access lists on a router; you will need a stateful firewall!
Fortunately, for TCP the 5400 series has something you can use. Look in http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ASG-Jan08-K_13_01.pdf:
[established] - This option applies only where TCP is the configured IP protocol type. It blocks the synchronizing packet associated with establishing a TCP connection in one direction on a VLAN while allowing all other IP traffic for the same type of connection in the opposite direction. For example, a Telnet connect requires TCP traffic to move both ways between a host and the target device. Simply applying a Deny to inbound Telnet traffic on a VLAN would prevent Telnet sessions in either direction because responses to outbound requests would be blocked. However, by using the established option, inbound Telnet traffic arriving in response to outbound Telnet requests would be permitted, but inbound Telnet traffic trying to establish a connection would be denied.
< permit | deny > tcp
< SA > < src-acl-mask > [< operator > < port-id >]
< DA > < desti-acl-mask > [< operator > < port-id >] [log]
[ established ]
04-17-2009 01:10 AM
Re: ACCESS-LIST definition problem
First of all, thank you for the quick reply.
I know I can only use the established option, but for some reason this option is not working for me. If you look at my show run, I put all my ACLs in the out direction; is this OK? I would very much appreciate it if you could write me a sample of how to write the established ACL.
I attached a new sh run; the new one is the one I use, because this config will not block my traffic to the internet.
Best Regards, Avi.
04-17-2009 01:43 AM
Re: ACCESS-LIST definition problem
To point you in a direction, the process is:
- data is received on an interface
- it is checked against the inbound ACL
- it is routed to another network (if a route exists)
- on that outgoing interface it is checked against the outbound ACL
So it is more efficient to use inbound ACLs, because data is filtered before it is routed.
But I think you only need to add a single statement to the "admin" ACL in the right place:
ip access-list extended "admin"
10 deny ip 192.168.3.0 0.0.0.255 0.0.0.0 255.255.255.255
20 deny ip 192.168.103.0 0.0.0.255 0.0.0.0 255.255.255.255
30 deny ip 192.168.104.0 0.0.0.255 0.0.0.0 255.255.255.255
40 deny ip 192.168.105.0 0.0.0.255 0.0.0.0 255.255.255.255
50 deny ip 192.168.106.0 0.0.0.255 0.0.0.0 255.255.255.255
60 deny ip 192.168.107.0 0.0.0.255 0.0.0.0 255.255.255.255
70 deny ip 192.168.108.0 0.0.0.255 0.0.0.0 255.255.255.255
80 deny ip 192.168.109.0 0.0.0.255 0.0.0.0 255.255.255.255
90 deny ip 192.168.110.0 0.0.0.255 0.0.0.0 255.255.255.255
100 deny ip 192.168.111.0 0.0.0.255 0.0.0.0 255.255.255.255
110 deny ip 192.168.112.0 0.0.0.255 0.0.0.0 255.255.255.255
120 deny ip 192.168.113.0 0.0.0.255 0.0.0.0 255.255.255.255
130 deny ip 192.168.114.0 0.0.0.255 0.0.0.0 255.255.255.255
140 permit tcp 192.168.115.0 0.0.0.255 0.0.0.0 255.255.255.255 established
150 deny ip 192.168.115.0 0.0.0.255 0.0.0.0 255.255.255.255
160 deny ip 192.168.117.0 0.0.0.255 0.0.0.0 255.255.255.255
170 deny ip 192.168.118.0 0.0.0.255 0.0.0.0 255.255.255.255
180 deny ip 192.168.119.0 0.0.0.255 0.0.0.0 255.255.255.255
190 deny ip 192.168.120.0 0.0.0.255 0.0.0.0 255.255.255.255
200 deny ip 192.168.121.0 0.0.0.255 0.0.0.0 255.255.255.255
210 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
04-17-2009 02:25 AM
Re: ACCESS-LIST definition problem
Thank you (again) for your support.
I will add this:
permit tcp 192.168.115.0 0.0.0.255 0.0.0.0 255.255.255.255 established
I hope that will solve the problem.
(I can do this only on Sunday.)
Best Regards, Avi.
04-17-2009 03:49 AM
Re: ACCESS-LIST definition problem
Then pay extra attention to the order:
permit tcp 192.168.115.0 0.0.0.255 0.0.0.0 255.255.255.255 established
must come before
deny ip 192.168.115.0 0.0.0.255 0.0.0.0 255.255.255.255
Good luck,
Pieter
04-19-2009 05:09 AM
Re: ACCESS-LIST definition problem
Many thanks for your support.
It works!! if I put this on the source side:
10 permit tcp 0.0.0.0 255.255.255.255 192.168.115.0 0.0.0.255 established
(I want 115 to reach all networks)
20 permit ip 192.168.115.0 0.0.0.255 192.168.115.0 0.0.0.255
(to reach its own network)
30 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
You helped me a lot, thanks
04-19-2009 10:55 PM
Re: ACCESS-LIST definition problem
But I don't think this is what you wanted.
An access list is evaluated from top to bottom until the first match.
NO more rules after a matching line are checked!
So if you start with "10 permit tcp 0.0.0.0 255.255.255.255" then ALL access is permitted.
The other rules have no function at all!
Pieter
04-19-2009 11:05 PM
Re: ACCESS-LIST definition problem
I want network 115 to reach all networks.
In this config 115 reaches all networks and the other networks don't reach 115. I put this rule in the out direction on VLAN 115; I tested this and it works fine.
Best Regards, Avi
04-19-2009 11:10 PM
Re: ACCESS-LIST definition problem
On second look this rule set will be fine.
For some reason (Monday morning? :( ) I overlooked the "established" keyword in your post.
Regards,
Pieter
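The two points that carried this thread are first-match evaluation (Pieter's note that nothing after the matching line is looked at) and the stateless meaning of `established`. The following is an added example, not part of the thread and not ProCurve code: a small Python evaluator that applies wildcard masks and the `established` flag to constructed packets, using the final ACL Avi applied outbound on VLAN 115 and the ordering pair from Pieter's "admin" ACL. Two assumptions are baked in and marked in the code: `established` is modelled the way Cisco-style ACLs define it (a TCP segment with ACK or RST set, i.e. anything but the bare SYN that opens a connection), and an ACL with no matching line ends in an implicit deny. The sample packets are made up for the demonstration.

```python
"""Toy first-match evaluator for ProCurve/Cisco-style extended ACLs.

Added example for the thread above; not vendor code. It models only what the
thread discusses: wildcard masks, protocol matching, the 'established' flag
and top-to-bottom first-match evaluation with an implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header.
SYN = 0x02
RST = 0x04
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    tcp_flags: int = 0   # only meaningful when proto == "tcp"


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any protocol
    src: str             # "<address> <wildcard>", e.g. "192.168.115.0 0.0.0.255"
    dst: str
    established: bool = False


def wildcard_match(addr: str, spec: str) -> bool:
    """ACL wildcard masks: a 1 bit in the mask means 'don't care'."""
    base, wild = spec.split()
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))   # bits that must match
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & keep) == (b & keep)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, rule.src) and wildcard_match(pkt.dst, rule.dst)):
        return False
    if rule.established:
        # Assumption (Cisco-style semantics): 'established' matches TCP segments
        # with ACK or RST set, so the bare SYN of a new connection never matches.
        # This is a flag check only; no connection table is consulted.
        return pkt.proto == "tcp" and bool(pkt.tcp_flags & (ACK | RST))
    return True


def evaluate(acl, pkt: Packet):
    """First match wins. Returns (action, sequence number) or (deny, None)."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None   # assumption: implicit deny-any when nothing matched


ANY = "0.0.0.0 255.255.255.255"
NET115 = "192.168.115.0 0.0.0.255"

# Avi's working ACL, applied outbound on VLAN 115 (packets heading into 192.168.115.0/24).
VLAN115_OUT = [
    Rule(10, "permit", "tcp", ANY, NET115, established=True),
    Rule(20, "permit", "ip", NET115, NET115),
    Rule(30, "deny", "ip", ANY, ANY),
]


def demo():
    """Run constructed packets through VLAN115_OUT and return the verdicts."""
    host115, host2 = "192.168.115.5", "192.168.2.10"
    return {
        # SYN/ACK coming back for a session a 115 host opened: permitted by rule 10.
        "reply_to_115": evaluate(VLAN115_OUT, Packet(host2, host115, "tcp", SYN | ACK)),
        # A new connection attempt from 2.0/24 (bare SYN): falls through to rule 30.
        "syn_into_115": evaluate(VLAN115_OUT, Packet(host2, host115, "tcp", SYN)),
        # 'established' is TCP-only, so a UDP answer (e.g. DNS) into 115 is also dropped.
        "udp_into_115": evaluate(VLAN115_OUT, Packet("192.168.2.53", host115, "udp")),
        # Traffic between two 115 hosts is covered by rule 20.
        "intra_115": evaluate(VLAN115_OUT, Packet(host115, "192.168.115.6", "icmp")),
        # A crafted ACK-only segment from 2.0/24 passes: the check is stateless.
        "spoofed_ack": evaluate(VLAN115_OUT, Packet(host2, host115, "tcp", ACK)),
    }


# Pieter's ordering point: the permit ... established line must sit above the deny.
ORDER_OK = [
    Rule(140, "permit", "tcp", NET115, ANY, established=True),
    Rule(150, "deny", "ip", NET115, ANY),
    Rule(210, "permit", "ip", ANY, ANY),
]
ORDER_BAD = [
    Rule(140, "deny", "ip", NET115, ANY),
    Rule(150, "permit", "tcp", NET115, ANY, established=True),
    Rule(210, "permit", "ip", ANY, ANY),
]


def ordering_demo():
    """Same ACK segment from 115, evaluated against both orderings."""
    ack_from_115 = Packet("192.168.115.5", "192.168.2.10", "tcp", ACK)
    return evaluate(ORDER_OK, ack_from_115)[0], evaluate(ORDER_BAD, ack_from_115)[0]


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
    print("ordering (correct, swapped) ->", ordering_demo())
```

The `udp_into_115` and `spoofed_ack` cases are the practical caveats behind Pieter's remark that this really wants a stateful firewall: with `established` alone, every non-TCP reply into VLAN 115 is dropped, while any TCP segment with ACK set is let in regardless of whether a 115 host ever opened that session.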