Hi,
I am not overly experienced with Cisco configurations although have done about a dozen basic configs to Qwest and Worldcomm. The current problem has me a bit baffled. We are setting up a router with two Ethernet interfaces between two local area networks, call them A and B. LAN A has very sensitive data on it, and thus must block traffic from LAN B except for database ports 1583, 3351 and 3352 (Pervasive SQL). LAN A can access anything from LAN B and beyond. So I started looking at access lists. LAN A uses access list 100 while LAN B uses 101. For the purposes of this discussion there is one machine on the LAN A side at 192.168.15.10. For testing purposes, I run a continuous ping from the LAN B to the LAN A machine, while testing various combinations of access lists. BTW, the router is a 2504. Without access lists, the LAN A machine can see LAN B and the internet beyond and LAN B can ping the machine on LAN A.
Start of test - run ping from LAN B which reaches .10 machine
access-list 100 permit ip any any
no access-list 101
Result - traffic flows both ways
access-list 101 deny 192.168.15.9 0.0.0.0 any
Result - traffic stops both ways (note diff ip addr)
In fact, any combination including specifying ports kills any traffic
access-list 100 deny 192.168.15.10 any
Result - traffic continues normally
This seems to contradict what I have read so far. Any insight would be greatly appreciated.
Regards,
John
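Added example, not part of John's post: a small constructed model of how IOS evaluates a numbered extended access list (first match wins, and any non-empty list ends in an implicit "deny ip any any", which is what the second test above runs into). The TEST2 list restates that test's single entry in extended-ACL form, and INTENDED is one way to express the stated goal; it assumes the list is applied inbound on the LAN B interface and that LAN A is 192.168.15.0/24, and the `established` entry is what lets replies to TCP sessions opened from LAN A come back in.

```python
# Constructed model (not from the post) of IOS extended-ACL evaluation: first match wins; implicit deny at the end.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [established]'."""
    t = line.split()
    src, swc, rest = parse_addr(t[4:])
    dst, dwc, rest = parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return dict(action=t[2], proto=t[3], src=(src, swc), dst=(dst, dwc),
                dport=dport, established="established" in rest)

def evaluate(acl, proto, src, dst, dport=None, ack=False):
    """'permit' or 'deny' for one packet; an empty list models 'no ACL applied'."""
    if not acl:
        return "permit"
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if ace["established"] and not ack:  # only TCP segments with ACK or RST set
            continue
        return ace["action"]
    return "deny"  # the implicit deny at the end of every ACL
# The post's second test in extended-ACL form: its only entry names another host, so
# a ping to .10 matches nothing and falls through to the implicit deny.
TEST2 = ["access-list 101 deny ip host 192.168.15.9 any"]
# One expression of the stated goal, assumed applied inbound on the LAN B interface (LAN A assumed
# 192.168.15.0/24): only the SQL ports reach the server, plus replies to TCP sessions LAN A opened.
INTENDED = [
    "access-list 101 permit tcp any host 192.168.15.10 eq 1583",
    "access-list 101 permit tcp any host 192.168.15.10 eq 3351",
    "access-list 101 permit tcp any host 192.168.15.10 eq 3352",
    "access-list 101 permit tcp any 192.168.15.0 0.0.0.255 established",
]
```

The source address 192.168.16.5 used in the checks below is a constructed LAN B host, not one from the post.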