I keep trying to set an ACL rule up to deny and drop packets directed towards a specific LAN IP destination, and I've tried to no avail.
I know the submask needs to be inverse, and I believe I've set up all the rules correctly. What I'm basically trying to accomplish is allowing this machine to access the internet through the switch,
but not allow it to access the rest of the LAN or allow the LAN to access it, essentially locking it out of the LAN entirely.
I'm attempting to block access to the specific LAN address from the rest of the LAN on any TCP port.
I've tried using the mask 255.255.255.255 for the destination; then I read that things needed to be inverse, which is where 0.0.0.0 came in, and it doesn't seem to matter how I reconfigure the specifications.
The switch never drops/denies the packets going to the specified LAN Address.
The reasoning behind locking this machine out from the rest of the network in the switch itself rather than in software is that it's a Windows 2000 machine and is needed for certain legacy software.
However, Windows 2000 is no longer supported by Microsoft and as such makes this machine a vulnerability on the local network, and I don't want an intruder to be able to reach this machine simply by being on a machine in the network connected to the switch.
Likewise, if this machine were to be compromised, I don't want it having access to the rest of the network either.
If I were to use a software firewall on it to block connections to it, it wouldn't be of much use if the system itself were to be compromised...
Any tips on this, or any reason why this ACL setup wouldn't work?
Code:
(GSM7248V2) >show ip access-lists 100
ACL ID: 100
Rule Number: 1
Action......................................... deny
Match All...................................... FALSE
Protocol....................................... 6(tcp)
Source IP Address.............................. 192.168.0.0
Source IP Mask................................. 0.0.255.255
Destination IP Address......................... 192.168.1.123
Destination IP Mask............................ 0.0.0.0
TCP Flags...................................... FIN (Ignore)
                                                SYN (Ignore)
                                                RST (Ignore)
                                                PSH (Ignore)
                                                ACK (Ignore)
                                                URG (Ignore)
Assign Queue................................... 0
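To make the wildcard-mask behaviour concrete, here is an added example (not from the original post or from Netgear) that models how a rule like ACL 100 above matches packets. It encodes the rule exactly as the `show ip access-lists 100` output shows it, plus a second copy using the 255.255.255.255 destination mask from the first attempt. The protocol numbers, the `Rule` class and the `evaluate` function are the example's own constructions; the test packets (192.168.1.50, 10.0.0.5, 8.8.8.8) are made up for illustration. Only rule matching is modelled; where the ACL is bound (interface, direction) and what the switch does after the last rule are not shown in the post and are not modelled.

```python
"""Model of wildcard-mask ACL matching, using ACL 100 from the post as sample input.

Added example, not from the original post.  A wildcard mask is the inverse of
a subnet mask: a 0 bit means "this bit must match", a 1 bit means "ignore".
So Destination IP Mask 0.0.0.0 is a single-host match and Source IP Mask
0.0.255.255 covers all of 192.168.0.0/16.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers as they appear in the switch output ("6(tcp)").
TCP, UDP, ICMP = 6, 17, 1
ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:
    number: int
    action: str              # "deny" or "permit"
    protocol: Optional[int]  # IP protocol number; None = any protocol
    src: str
    src_wild: str            # wildcard (inverse) mask
    dst: str
    dst_wild: str


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr agrees with base on every bit that is 0 in the wildcard."""
    care = ALL_ONES ^ _to_int(wildcard)   # bits that must match
    return (_to_int(addr) & care) == (_to_int(base) & care)


def wildcard_to_prefix(wildcard: str) -> Optional[int]:
    """Prefix length equivalent to a contiguous wildcard, None if non-contiguous.

    0.0.0.0 -> /32 (one host), 0.0.255.255 -> /16, 255.255.255.255 -> /0 (any).
    """
    care = ALL_ONES ^ _to_int(wildcard)
    prefix = bin(care).count("1")
    if care != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        return None
    return prefix


def evaluate(rules: List[Rule], protocol: int, src: str, dst: str) -> Optional[str]:
    """Action of the first rule matching the packet, or None if no rule matches.

    Only rule matching is modelled: where the ACL is bound (interface,
    direction) and what the switch does after the last rule are not shown in
    the post, so they are not modelled here.
    """
    for rule in rules:
        if rule.protocol is not None and rule.protocol != protocol:
            continue
        if (wildcard_match(src, rule.src, rule.src_wild)
                and wildcard_match(dst, rule.dst, rule.dst_wild)):
            return rule.action
    return None


# ACL 100 exactly as shown in the post's 'show ip access-lists 100' output.
ACL_100 = [
    Rule(1, "deny", TCP, "192.168.0.0", "0.0.255.255", "192.168.1.123", "0.0.0.0"),
]

# The asker's first attempt used 255.255.255.255 as the destination mask.
# Read as a wildcard that means "ignore every bit", i.e. any destination,
# so TCP from anywhere in 192.168/16 to the internet would match too.
ACL_SUBNET_MASK_MISTAKE = [
    Rule(1, "deny", TCP, "192.168.0.0", "0.0.255.255", "192.168.1.123", "255.255.255.255"),
]

if __name__ == "__main__":
    # Constructed test packets (addresses other than .123 are made up).
    for proto, src, dst in [
        (TCP, "192.168.1.50", "192.168.1.123"),   # LAN -> legacy host, TCP
        (UDP, "192.168.1.50", "192.168.1.123"),   # LAN -> legacy host, UDP
        (TCP, "192.168.1.123", "192.168.1.50"),   # legacy host -> LAN
        (TCP, "10.0.0.5", "192.168.1.123"),       # source outside 192.168/16
    ]:
        print(proto, src, "->", dst, evaluate(ACL_100, proto, src, dst))
```

Running the model shows what the rule as displayed does and does not cover: TCP from anywhere in 192.168.0.0/16 to 192.168.1.123 matches the deny, but UDP or ICMP to the same host does not (the rule is protocol 6 only), and traffic from 192.168.1.123 towards the LAN is not matched by this rule at all, so a second rule would be needed to stop the host initiating connections. The `ACL_SUBNET_MASK_MISTAKE` list shows why using a subnet mask where a wildcard is expected is a problem: 255.255.255.255 ignores every destination bit, so the rule would also match the host's internet-bound TCP traffic.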