Applying an access control list (ACL) for one-way network access

Source: Internet
Author: User

In an enterprise network it is common that the hosts or servers of an important department must not be reachable from other departments, while that department itself may reach the hosts and servers of the other departments. An access control list (ACL) can be used to implement this single-direction (unidirectional) access.

One-way access means that the hosts of one network can reach the hosts of another network, but not the reverse. It cannot be implemented with a deny statement alone. A deny statement blocks the traffic between host A and host B completely, but it cannot produce one-way access: if the deny drops traffic from host A to host B, host B cannot reach host A either, because although host B's packets do reach host A, the response traffic from host A is blocked by the same ACL rule.

So how is one-way access implemented? With a permit statement. A permit statement that carries the established parameter lets the response traffic of host A reach host B when host B initiated the connection, while connections opened from host A toward host B are still not allowed; the result is one-way access from host B to host A.

The basic syntax of an extended ACL entry used for one-way access is as follows:
Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Parameter description:
access-list-number: the number of the extended ACL, for example 100 (extended lists use 100-199 and 2000-2699)
permit | deny: whether matching traffic is allowed or dropped
protocol: the protocol to match, such as tcp, udp, icmp, or ip for any IP traffic
source / source-wildcard: the source address and its wildcard mask (a 1 bit in the wildcard means "do not care")
destination / destination-wildcard: the destination address and its wildcard mask
established: match only segments of an already established TCP connection
The established parameter matches only TCP segments that have the ACK or RST bit set, i.e. segments that belong to a connection that already exists. Applied in the direction where new connections are rejected, it lets the return traffic of connections opened from the other side pass while the first SYN of a new connection is dropped. This is what turns an ordinary extended ACL into one that allows one-way access. Note that the check is stateless: it looks only at TCP flags, it does not apply to UDP or ICMP (so replies to DNS queries or pings from the protected side are dropped as well), and any packet with the ACK bit set matches whether or not a connection really exists. Reflexive ACLs or a stateful firewall are the stronger alternative where that matters.

The command to apply the extended ACL to a router interface is as follows:
Router(config-if)# ip access-group access-list-number {in | out} (usually in, i.e. on traffic entering the interface)

Next we use a concrete ACL example to see how one-way access is implemented.
Network environment (assumed):
Department A segment: router S0 192.168.0.1, E0 10.98.0.1
Department B segment: router S0 192.168.0.2, E0 10.98.1.1
Host A and host B belong to department A and department B respectively.

The main configuration is as follows:
Router A configuration:
!
interface Ethernet0
 ip address 10.98.0.1 255.255.255.0
!
interface Serial0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
!
ip route 10.98.1.0 255.255.255.0 Serial0
!
access-list 100 permit tcp any 10.98.0.0 0.0.0.255 established log
(This entry lets the return traffic of TCP connections opened from department A's 10.98.0.0/24 segment come back in through S0; only segments with ACK or RST set match.)
access-list 100 deny ip any any log
(Everything else entering S0, including new connections from department B, is dropped and logged.)

Router B configuration:
!
interface Ethernet0
 ip address 10.98.1.1 255.255.255.0
!
interface Serial0
 ip address 192.168.0.2 255.255.255.0
!
ip route 10.98.0.0 255.255.255.0 Serial0

With this ACL in place, access between department A and department B is one-way: department A can reach the hosts and servers of department B, but the hosts of department B cannot reach those of department A; only their replies to TCP connections that department A initiated are allowed back in.
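To make the behaviour of the established keyword concrete, here is an added example (not part of the original post) that simulates first-match evaluation of access list 100 as applied inbound on router A's S0. It assumes the established rule's destination is department A's 10.98.0.0/24 segment; the packets are constructed, and the last case shows the stateless caveat.

```python
# Added example: simulate the inbound ACL on router A's Serial0 and show what
# the `established` keyword matches. Packet values are constructed for the demo.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN"} or {"ACK"}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# access-list 100 as (action, proto, src, src_wc, dst, dst_wc, established)
ACL_100 = [
    ("permit", "tcp", "0.0.0.0", "255.255.255.255", "10.98.0.0", "0.0.0.255", True),
    ("deny", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", False),
]


def evaluate(acl, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, proto, src, src_wc, dst, dst_wc, established in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, src, src_wc) and wildcard_match(pkt.dst, dst, dst_wc)):
            continue
        # `established` matches only TCP segments with ACK or RST set
        if established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return action
    return "deny"


CASES = {
    "syn_from_b": Packet("tcp", "10.98.1.20", "10.98.0.10", frozenset({"SYN"})),        # B opens a connection: dropped
    "synack_from_b": Packet("tcp", "10.98.1.20", "10.98.0.10", frozenset({"SYN", "ACK"})),  # reply to A's SYN: passes
    "udp_reply_from_b": Packet("udp", "10.98.1.20", "10.98.0.10"),                         # DNS reply to A: dropped
    "bare_ack_from_b": Packet("tcp", "10.98.1.20", "10.98.0.10", frozenset({"ACK"})),     # caveat: no state check
}


def results():
    return {name: evaluate(ACL_100, p) for name, p in CASES.items()}


if __name__ == "__main__":
    for name, verdict in results().items():
        print(f"{name:18} -> {verdict}")
```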

This article is from the "Mu Xiaoqi blog"; please keep the source: http://3088522.blog.51cto.com/3078522/1031959
