Friday, June 7, 2019

Having trouble with ACLs between vlans using an ASA and Netgear M4300 Layer 3 switch

So, at work we are moving from a flat network to a segmented one and I'm having trouble with the ACLs on the layer 3 switch. As of now I have traffic coming in through the ASA, then it gets pushed through the Firepower module, back to the ASA, then down to the switch. The switch holds the VLANs, which are 10 LAN, 20 DMZ, 30 TEST, and 99 Management. Then traffic goes to the Nutanix hosts where all the VMs live.

The problem I'm having is getting ACLs on the switch to work in only one direction. For example, I want the domain controllers in 10 to be accessible from the test VMs in 30, but I don't want servers in 30 to be able to talk to anything else in 10, since 30 will be used to test new things. Here is what I have:

access-list 130 permit ip host 10.10.10.12 10.10.30.0 0.0.0.255
access-list 130 permit ip host 10.10.10.11 10.10.30.0 0.0.0.255
access-list 130 deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
access-list 130 deny ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255
access-list 130 deny ip 10.10.99.0 0.0.0.255 10.10.30.0 0.0.0.255
access-list 130 permit ip any any
ip access-group 130 vlan 30 out 1

And I've tried every combo of putting it on the inbound and outbound of VLAN 30 and VLAN 10. Just can't seem to get it right. It either allows everything or nothing.
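As an added illustration (not the poster's switch config and not Netgear's code), here is a small Python model of stateless, first-match ACL evaluation run over ACL 130 above: it checks the request and the reply of a flow as two separate packets, which is all a stateless ACL can do, and shows that ACL 130 only ever matches packets whose destination is 10.10.30.0/24, so it governs the replies to sessions started in VLAN 30 rather than the requests. The sample hosts (10.10.30.7 and 10.10.10.50) are constructed placeholders.

```python
"""Stateless, first-match model of ACL 130 from the post (added example,
not the poster's config or Netgear code). Wildcards are inverse masks as
on Cisco/Netgear CLIs; a session is two packets (request and reply)
because the ACL keeps no state."""
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr falls in network under an inverse (wildcard) mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    tok = line.split()
    def take(t):  # consume one address spec: host X | any | NET WILDCARD
        if t[0] == "host":
            return (t[1], "0.0.0.0"), t[2:]
        if t[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), t[1:]
        return (t[0], t[1]), t[2:]
    src, rest = take(tok[4:])
    dst, _ = take(rest)
    return tok[2], src, dst

def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; implicit deny if nothing matches."""
    for action, (sn, sw), (dn, dw) in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

ACL_130 = [parse_ace(l) for l in """
access-list 130 permit ip host 10.10.10.12 10.10.30.0 0.0.0.255
access-list 130 permit ip host 10.10.10.11 10.10.30.0 0.0.0.255
access-list 130 deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
access-list 130 deny ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255
access-list 130 deny ip 10.10.99.0 0.0.0.255 10.10.30.0 0.0.0.255
access-list 130 permit ip any any
""".strip().splitlines()]

def session_allowed(acl, client: str, server: str) -> bool:
    """Both the request and the reply must pass for a session to work."""
    return (evaluate(acl, client, server) == "permit"
            and evaluate(acl, server, client) == "permit")

# Constructed hosts: a test VM in VLAN 30 against a DC and another server in 10.
for srv in ("10.10.10.11", "10.10.10.50"):
    print(srv, evaluate(ACL_130, "10.10.30.7", srv), evaluate(ACL_130, srv, "10.10.30.7"))
```

The request from the VLAN 30 host is permitted in every case; only the reply from a non-DC host in 10 (or any host in 20 or 99) is dropped, which is why the same list applied in the other direction or on VLAN 10 behaves so differently.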
