>>>
i want network
192.168.115.0/24 to reach 192.168.2.0/24
and block network
192.168.2.0/24 to reach 192.168.115.0/24
<<<
??? do you want only one-way traffic???
or did you mean you only want sessions originating from 192.168.115.0/24 to reach 192.168.2.0/24 ?
In the last case you cannot do this with "normal" access-lists on a router, you will need a statefull firewall!
fortunately for tcp the 5400 series has something you can use
look in
http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ASG-Jan08-K_13_01.pdf[established] ├в This option applies only where TCP is the
configured IP protocol type. It blocks the synchronizing packet
associated with establishing a TCP connection in one direction
on a VLAN while allowing all other IP traffic for the same type
of connection in the opposite direction. For example, a Telnet
connect requires TCP traffic to move both ways between a host
and the target device. Simply applying a Deny to inbound
Telnet traffic on a VLAN would prevent Telnet sessions in either
direction because responses to outbound requests would be
blocked. However, by using the established option, inbound
Telnet traffic arriving in response to outbound Telnet requests
would be permitted, but inbound Telnet traffic trying to establish
a connection would be denied.
< permit | deny > tcp
< SA > < src-acl-mask > [< operator > < port-id >]
< DA > < desti-acl-mask > [< operator > < port-id >] [log]
[ established ]
