I'm trying to implement an extended ACL to allow more than one subnet to access a single Microsoft server (10.10.12.1) that is on a separate subnet. I was thinking of implementing the following ACL in the outbound direction on the 10.10.12.0/24 (server-facing) interface:
access-list 101 permit udp any range netbios-ns netbios-ss host 10.10.12.1
access-list 101 permit tcp any host 10.10.12.1 eq 139
access-list 101 permit icmp any host 10.10.12.1 echo
But I want to stop any other nodes (except the server) on the 10.10.12.0/24 subnet from sending any data back or making connections outside of this subnet.
So the inbound access-list will be:
access-list 102 permit udp host 10.10.12.1 range netbios-ns netbios-ss any
access-list 102 permit tcp host 10.10.12.1 any eq 139
access-list 102 permit icmp host 10.10.12.1 any echo
Three things I don't understand:
1. How does ARP work on an interface with an ACL applied in the inbound direction? Is there a specific protocol for ARP requests, or would I need to put the following at the front of the inbound ACL?
access-list 102 permit ip host 10.10.12.1 host 10.10.12.254 (10.10.12.254 is the router's IP)
2. Is it worth putting a 'permit tcp any any established' line at the front of each of the ACLs?
3. Is it worth applying the inbound list if I have already limited access by the outbound list, and leaving off the 'established' line?
I will be putting specific entries in for each of the subnets but thought I'd keep the ACLs short in this post by using 'any'.
Thanks for any advice
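The following is an added example, not part of the original post: a small Python model of how IOS-style extended ACL entries are evaluated (first match wins, implicit deny at the end, `established` satisfied only by TCP packets with ACK or RST set). It parses the entries written in the post, plus a hypothetical per-subnet entry (10.10.20.0 0.0.0.255) of the kind the poster says they will add, and runs constructed packets through them. It shows three things a practitioner would want to check before applying the lists: whether a client's connection to port 139 passes the outbound list; whether the server's reply passes the inbound list when the port is written on the destination side (`any eq 139`) versus the source side (`eq 139 any`); and what a leading `permit tcp any any established` line does and does not block, since that keyword only tests header flags rather than connection state. ARP is not modelled because it is not IP traffic and an IP ACL never sees it. All addresses and port numbers other than the server's are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port names that appear in the post; IOS accepts them in place of numbers.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False               # TCP ACK (or RST) bit set -> "established" matches
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply"


@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sports: Optional[Tuple[int, int]]
    dst: ipaddress.IPv4Network
    dports: Optional[Tuple[int, int]]
    established: bool
    icmp_type: Optional[str]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(toks, i):
    """'any', 'host A.B.C.D', or 'A.B.C.D wildcard' (wildcard = IOS inverse mask)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2  # hostmask form


def _parse_ports(toks, i):
    """Optional 'eq N' or 'range A B' following an address."""
    if i < len(toks) and toks[i] == "eq":
        p = _port(toks[i + 1])
        return (p, p), i + 2
    if i < len(toks) and toks[i] == "range":
        return (_port(toks[i + 1]), _port(toks[i + 2])), i + 3
    return None, i


def parse_entry(line: str) -> Entry:
    toks = line.split()
    action, proto = toks[2], toks[3]
    src, i = _parse_addr(toks, 4)
    sports, i = _parse_ports(toks, i)
    dst, i = _parse_addr(toks, i)
    dports, i = _parse_ports(toks, i)
    rest = toks[i:]                                  # e.g. ["established"] or ["echo"]
    icmp_type = next((t for t in rest if t != "established"), None)
    return Entry(action, proto, src, sports, dst, dports, "established" in rest, icmp_type)


def _in(ports, p) -> bool:
    return ports is None or ports[0] <= p <= ports[1]


def matches(e: Entry, pkt: Packet) -> bool:
    if e.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in e.src or ipaddress.ip_address(pkt.dst) not in e.dst:
        return False
    if pkt.proto in ("tcp", "udp") and not (_in(e.sports, pkt.sport) and _in(e.dports, pkt.dport)):
        return False
    if e.established and not (pkt.proto == "tcp" and pkt.ack):   # flag check only, no state table
        return False
    if pkt.proto == "icmp" and e.icmp_type and e.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl_lines, pkt: Packet) -> str:
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for entry in map(parse_entry, acl_lines):
        if matches(entry, pkt):
            return entry.action
    return "deny"


# Outbound (toward the server) list as written in the post.
ACL_101 = [
    "access-list 101 permit udp any range netbios-ns netbios-ss host 10.10.12.1",
    "access-list 101 permit tcp any host 10.10.12.1 eq 139",
    "access-list 101 permit icmp any host 10.10.12.1 echo",
]
# Inbound list with the TCP port on the destination side (as in the post) ...
ACL_102_DST_PORT = [
    "access-list 102 permit udp host 10.10.12.1 range netbios-ns netbios-ss any",
    "access-list 102 permit tcp host 10.10.12.1 any eq 139",
    "access-list 102 permit icmp host 10.10.12.1 any echo",
]
# ... and with the port on the source side, which is where a server's reply carries it.
ACL_102_SRC_PORT = [ACL_102_DST_PORT[0], "access-list 102 permit tcp host 10.10.12.1 eq 139 any", ACL_102_DST_PORT[2]]
ACL_102_ESTABLISHED = ["access-list 102 permit tcp any any established"] + ACL_102_DST_PORT
ACL_101_SUBNET = ["access-list 101 permit tcp 10.10.20.0 0.0.0.255 host 10.10.12.1 eq 139"]  # constructed


def demo() -> dict:
    client, other_node = "10.10.20.5", "10.10.12.50"            # constructed hosts
    syn = Packet("tcp", client, "10.10.12.1", sport=51000, dport=139)
    reply = Packet("tcp", "10.10.12.1", client, sport=139, dport=51000, ack=True)
    new_conn = Packet("tcp", other_node, client, sport=51001, dport=80)            # SYN, no ACK
    ack_only = Packet("tcp", other_node, client, sport=51001, dport=80, ack=True)  # ACK bit set
    return {
        "client_syn_outbound": evaluate(ACL_101, syn),
        "subnet_entry_allows_client": evaluate(ACL_101_SUBNET, syn),
        "subnet_entry_other_subnet": evaluate(ACL_101_SUBNET, Packet("tcp", "10.10.30.5", "10.10.12.1", 51000, 139)),
        "reply_dst_port_form": evaluate(ACL_102_DST_PORT, reply),
        "reply_src_port_form": evaluate(ACL_102_SRC_PORT, reply),
        "reply_with_established": evaluate(ACL_102_ESTABLISHED, reply),
        "other_node_new_conn": evaluate(ACL_102_ESTABLISHED, new_conn),
        "other_node_ack_only": evaluate(ACL_102_ESTABLISHED, ack_only),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

The last two results are the caveat behind question 2: `established` permits any TCP segment with ACK or RST set regardless of whether a connection exists, so it stops new SYNs from the other nodes but not ACK-flagged packets they send; if that matters, a stateful mechanism (reflexive ACLs or a zone-based firewall) is the usual answer rather than a longer static list.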