Microsoft specific ACL to one server from multiple subnets

Mel Popple
Level 1

I'm trying to implement an extended ACL to allow more than one subnet to access a single Microsoft server (10.10.12.1) that is on a separate subnet. I was thinking of implementing the following ACL in the outbound direction on the 10.10.12.0/24 (server facing) interface:

access-list 101 permit udp any range netbios-ns netbios-ss host 10.10.12.1

access-list 101 permit tcp any host 10.10.12.1 eq 139

access-list 101 permit icmp any host 10.10.12.1 echo

But I want to stop any other nodes (except the server) on the 10.10.12.0/24 subnet from sending any data back or making connections outside of this subnet.

So the inbound access-list will be:

access-list 102 permit udp host 10.10.12.1 range netbios-ns netbios-ss any

access-list 102 permit tcp host 10.10.12.1 any eq 139

access-list 102 permit icmp host 10.10.12.1 any echo

Three things I don't understand:

1. How does ARP work on an interface with an ACL applied to the inbound direction? Is there a specific protocol for ARP requests or would I need to put the following at the front of the inbound ACL?

access-list 102 permit ip host 10.10.12.1 host 10.10.12.254 <- router IP #

2. Is it worth putting a 'permit tcp any any established' line at the front of each of the ACLs?

3. Is it worth applying the inbound list if I have already limited access by the outbound list and leave off the 'established' line?

I will be putting specific entries in for each of the subnets but thought I'd keep the ACLs short in this post by using 'any'.

Thanks for any advice
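To check how the two lists treat both halves of a client-to-server TCP 139 session, here is an added Python model of IOS extended-ACL matching (my code, not from the post or from Cisco); the client address 10.10.20.5 and ephemeral port 51000 are assumed. It shows that the server's reply carries source port 139 and the client's ephemeral port as destination, so the 'eq 139' test in list 102 does not match it, while an 'established' entry does.

```python
from dataclasses import dataclass
import ipaddress

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN", "ACK"}

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # "any" or a.b.c.d/len
    dst: str
    dports: tuple = None            # (low, high) destination-port range; None = any
    established: bool = False       # IOS keyword: ACK or RST bit set

def _net_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(acl, pkt):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_net_match(ace.src, pkt.src) and _net_match(ace.dst, pkt.dst)):
            continue
        if ace.dports and not ace.dports[0] <= pkt.dport <= ace.dports[1]:
            continue
        if ace.established and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
            continue
        return ace.action
    return "deny"

SERVER = "10.10.12.1/32"
# Outbound list 101 from the question (TCP entry only)
ACL_101 = [Ace("permit", "tcp", "any", SERVER, dports=(139, 139))]
# Inbound list 102 as written: 'eq 139' is a DESTINATION port test
ACL_102 = [Ace("permit", "tcp", SERVER, "any", dports=(139, 139))]
# Inbound list 102 with the 'established' entry from question 2 in front
ACL_102_EST = [Ace("permit", "tcp", SERVER, "any", established=True)] + ACL_102
# Constructed sample session: client 10.10.20.5 (assumed address) opens TCP 139
SYN = Packet("tcp", "10.10.20.5", "10.10.12.1", 51000, 139, frozenset({"SYN"}))
SYN_ACK = Packet("tcp", "10.10.12.1", "10.10.20.5", 139, 51000, frozenset({"SYN", "ACK"}))

def session_results():
    # returns ('permit', 'deny', 'permit'): the reply's destination port is the
    # client's ephemeral 51000, so list 102 as written drops it
    return (evaluate(ACL_101, SYN), evaluate(ACL_102, SYN_ACK), evaluate(ACL_102_EST, SYN_ACK))
```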

1 Reply

umedryk
Level 5

When you give the default route as one of the interfaces of the PIX, the ARP request broadcast will be for the destination IP address;