ACL - Blocking IP
Refer to the attached diagram.
ACL Rules at router 1
!
interface GigabitEthernet0/0
description *** Open LAN ***
ip address 172.16.10.1 255.255.255.252
ip access-group 1 in
duplex full
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description ********* Close LAN **************
ip address 192.168.0.126 255.255.255.128
ip access-group 2 in
duplex auto
speed auto
media-type rj45
!
!
Static routes
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 172.16.20.0 255.255.255.0 172.16.10.1
ip route 172.16.21.0 255.255.255.0 172.16.10.1
ip route 172.16.22.0 255.255.255.0 172.16.10.1
ip route 172.16.30.0 255.255.255.0 10.1.1.2
ip route 172.16.31.0 255.255.255.0 10.1.1.2
ip route 172.16.32.0 255.255.255.0 10.1.1.2
Gi 0/0
access-list 1 deny 192.168.0.0 0.0.0.255
access-list 1 permit any
Gi 0/1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any
ACL Rules at router 2
!
interface GigabitEthernet0/0
description *** Open LAN ***
ip address 172.16.10.5 255.255.255.252
ip access-group 1 in
duplex full
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description ******* Close LAN **********
ip address 192.168.0.254 255.255.255.128
ip access-group 2 in
duplex auto
speed auto
media-type rj45
!
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
ACL
Gi 0/0
access-list 1 deny 192.168.0.0 0.0.0.255
access-list 1 permit any
Gi 0/1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any
Question
I want to make network 1 & network 2 separated from each other... Users using 172.16.x.y cannot access / ping users using IP 192.168.0.x /24.... Network 1 can access the internet, but network 2 only accesses a local application which is private to network 1.
I have already configured both my routers with the above ACLs, but users at network 1 at the branch can still ping interface Gi 0/1 at both router 1 and router 2.
Is it because of the ACL rules? How do I correct it?
Please advise.
Thanks
The diagram was extremely useful.
Try the following configuration:
Router 1 - HQ
Deny access between networks
interface gig0/0
ip access-group 100 in
access-list 100 remark [Deny 172.16.0.0/16 to 192.168.0.0/24]
access-list 100 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
interface gig0/1
ip access-group 101 in
access-list 101 remark [Deny 192.168.0.0/24 to 172.16.0.0/16]
access-list 101 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
The same logic applies to your branch network.
At this point I need to note that for both networks something seems to be missing from the diagrams, as your hosts are in multiple networks which are not part of the local interface on gig 0/0.
I'm assuming there's a layer-3 switch in there?
In any case, use the extended access lists as provided and they should cover your whole 172.16.X range.
Try the above and let us know your results.
p.s. I assume there is no internal NAT happening in the 'cloud' of Network 1.
Good luck!
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Chris,
Router 1 - HQ
Deny access between networks
interface gig0/0
ip access-group 100 in
access-list 100 remark [Deny 172.16.0.0/16 to 192.168.0.0/24]
access-list 100 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
interface gig0/1
ip access-group 101 in
access-list 101 remark [Deny 192.168.0.0/24 to 172.16.0.0/16]
access-list 101 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
Do we need to "deny 172.16.0.0 0.0.255.255" at Gi 0/0 and then permit it again? The same with Gi 0/1... do we need to "deny 192.168.0.0 0.0.0.255" and permit it again?
I have already applied the above config at router 2... Users at network 2 using IPs in 172.16.30.10/24 can still PING Gi 0/1 at router 1 & router 2.
Is it because of the static route configuration (ip route 0.0.0.0 0.0.0.0 10.1.1.1)?
At this point I need to make a note that for both networks there seems to be something missing in the diagrams as your hosts are in multiple networks which are not part of the local interface on gig 0/0.
I'm assuming there's a layer-3 switch in there?
For network 1, there is a core switch sitting after Gi 0/0, and then 10 distribution switches connected to the core switch. Access switches are connected to every distribution switch. It's a 3-layer design.
For network 2, there is one layer 2 switch connected to Gi 0/1. The only connection is from the router interface (Gi 0/1) to the layer 2 switch.
The same design applies to the branch location.
Chris,
In any case, use the extended access lists as provided and they should cover your whole 172.16.X range.
A standard ACL cannot cover the whole range of IPs?
p.s I assume there is no internal NAT happening in the 'cloud' of Network1.
Yup... there is no NAT configuration for either network.
Router 1 - HQ
Deny access between networks
interface gig0/0
ip access-group 100 in
access-list 100 remark [Deny 172.16.0.0/16 to 192.168.0.0/24]
access-list 100 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
interface gig0/1
ip access-group 101 in
access-list 101 remark [Deny 192.168.0.0/24 to 172.16.0.0/16]
access-list 101 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
Chris,
Thanks for the rules... Actually it was my mistake... Everything is running smoothly using the above rules.
Thanks again Chris, and my apologies for my wrong implementation.
interface gig0/0
access-list 100 remark [Deny 172.16.0.0/16 to 192.168.0.0/24]
access-list 100 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
Chris,
I think "access-list 100 permit ip 172.16.0.0 0.0.255.255 any" has to be configured as "access-list 100 permit ip any any"...
If using "access-list 100 permit ip 172.16.0.0 0.0.255.255 any", I can only access the local application but am unable to connect to the internet.
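The following is an added example, not code from the thread or from Firewall.cx: a small Python model of how IOS evaluates a numbered ACL (first matching entry wins, implicit deny at the end, wildcard masks where a 1 bit means "don't care"). It transcribes the three ACLs discussed above (the original standard ACL 1, Chris's extended ACL 100, and the final version with "permit ip any any") and runs constructed sample packets through them, which makes visible why a standard ACL on Gi 0/0 could never stop a 172.16.30.10 host pinging 192.168.0.126 (it only inspects the source address), and that the only traffic the widened permit admits which the narrower one drops is traffic whose source lies outside 172.16.0.0/16. The function names, the host 203.0.113.10 standing in for an internet destination, and the out-of-range source 10.1.1.2 are assumptions of this example.

```python
"""Toy evaluator for Cisco-style numbered ACLs (added example, not code from the thread).

Standard ACLs (1-99) match on source address only; extended ACLs (100-199)
match on protocol, source and destination. Both use wildcard masks and end
with an implicit deny. The ACL contents are transcribed from the thread; the
packets are constructed sample traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Match = Tuple[str, str]          # (network, wildcard)
ANY: Match = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(network)) & care
    )


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    src: Match
    dst: Optional[Match] = None  # None => standard ACL entry (source only)
    proto: str = "ip"            # "ip" matches every protocol


def evaluate(acl: List[Entry], src: str, dst: str, proto: str = "icmp") -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, *e.src):
            continue
        if e.dst is not None and not wildcard_match(dst, *e.dst):
            continue
        return e.action
    return "deny"


# Original post: standard ACL 1, applied inbound on Gi 0/0 (the 172.16.x side).
STANDARD_ACL_1 = [
    Entry("deny", ("192.168.0.0", "0.0.0.255")),
    Entry("permit", ANY),
]

# Chris's reply: extended ACL 100, inbound on Gi 0/0.
EXTENDED_ACL_100 = [
    Entry("deny", ("172.16.0.0", "0.0.255.255"), ("192.168.0.0", "0.0.0.255")),
    Entry("permit", ("172.16.0.0", "0.0.255.255"), ANY),
]

# Last post: same deny, final permit widened to "permit ip any any".
EXTENDED_ACL_100_ANY = [
    Entry("deny", ("172.16.0.0", "0.0.255.255"), ("192.168.0.0", "0.0.0.255")),
    Entry("permit", ANY, ANY),
]

BRANCH_HOST = "172.16.30.10"      # host named in the thread
CLOSED_LAN_GW = "192.168.0.126"   # Router 1 Gi 0/1 from the thread
INTERNET_HOST = "203.0.113.10"    # constructed (RFC 5737 documentation range)
OTHER_SRC = "10.1.1.2"            # constructed: a source outside 172.16.0.0/16


def why_standard_acl_fails() -> str:
    """A standard ACL never looks at the destination, so the branch host's
    ping to the closed LAN matches 'permit any' and is let through."""
    return evaluate(STANDARD_ACL_1, BRANCH_HOST, CLOSED_LAN_GW)


def extended_acl_results() -> dict:
    """Verdicts of the two extended-ACL variants on the constructed packets."""
    return {
        "branch_to_closed_lan": evaluate(EXTENDED_ACL_100, BRANCH_HOST, CLOSED_LAN_GW),
        "branch_to_internet": evaluate(EXTENDED_ACL_100, BRANCH_HOST, INTERNET_HOST, "tcp"),
        "other_src_narrow_permit": evaluate(EXTENDED_ACL_100, OTHER_SRC, INTERNET_HOST, "tcp"),
        "other_src_permit_any_any": evaluate(EXTENDED_ACL_100_ANY, OTHER_SRC, INTERNET_HOST, "tcp"),
    }


if __name__ == "__main__":
    print("standard ACL 1, 172.16.30.10 -> 192.168.0.126:", why_standard_acl_fails())
    for name, verdict in extended_acl_results().items():
        print(f"{name}: {verdict}")
```

The model ignores the inbound/outbound direction and the interface, so it only answers "what does this list do to this packet"; which interface and direction a list is applied to still has to be read from the ip access-group lines above.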