Access-List Question

Patrick McHenry
Level 3

At the branch office we want to allow wireless handheld devices on network 172.20.38.0/24 to only access a couple of devices at HQ using port 23. But we want all devices at HQ to reach wireless handheld devices on network 172.20.38.0/24 on any ports. Would this be the most efficient way to accomplish this?

Branch LAN interface -----> interface FastEthernet0/0
 ip address 172.20.38.1 255.255.255.0
 ip access-group 101 in
 duplex auto
 speed auto
end

Branch#sh access-list
Extended IP access list 101
    10 permit udp 172.20.38.0 0.0.0.255 host 172.20.8.211 eq 23
    20 permit udp 172.20.38.0 0.0.0.255 host 172.20.20.200 eq 23

Thank you, Pat.

4 Replies

Giuseppe Larosa
Hall of Fame

Hello Pat,

The access-list you are proposing would block all other traffic from the branch LAN IP subnet to HQ.

For TCP traffic you could try to use the keyword established in a third statement like

30 permit tcp 172.20.38.0 0.0.0.255 any established

For more granular control you would need CBAC (ip inspect statements), as you would like to allow sessions started from the HQ side, which is a typical stateful firewall feature.

Hope to help

Giuseppe

Thanks Giuseppe -

I want to only allow port 23 into the LAN interface from the 172.20.38.0/24 subnet. These are wireless scanner guns that only need port 23. This subnet will be the only subnet that will enter this LAN interface. There is another LAN interface for another subnet for users that will not block any traffic.

Will applying this access list to the LAN interface in the in direction have any effect on other devices at HQ trying to connect to scanner guns on the 172.20.38.0/24 subnet?

What I am trying to say is: will I only be affecting traffic that is coming into the router on that interface, with devices coming out of that interface (entering the 172.20.38.0/24 LAN) being allowed through using all protocols?

Also, is the established command allowing 172.20.38.0/24 traffic that is established from the HQ to come back into the LAN interface to get back to HQ? I'm trying not to be confusing.

Thank you.

Hello Pat,

>> Will applying this access list to the LAN interface in the in direction have any effect on other devices at HQ trying to connect to scanner guns on the 172.20.38.0/24 subnet?

Yes it does; this is the key point: with the ACL that you would like to implement, return traffic to HQ would be blocked unless it matches the two ACL statements.

The question is that a router ACL is stateless: it does not discriminate between traffic flows started from HQ and those started from the branch IP subnet.

The use of the established keyword applies only to TCP flows and allows you to permit TCP sessions that have been started from HQ. It simply checks the TCP flags in the TCP header. It is a primitive form of stateful filtering.

>> Also, is the established command allowing 172.20.38.0/24 traffic that is established from the HQ to come back into the LAN interface to get back to HQ?

Yes, this would be the idea.

Hope to help

Giuseppe


Giuseppe -

So this will do what I want? This will permit port 23 only for 172.20.38.0/24 to specifically configured HQ devices and disallow all other traffic. And also, permit any HQ devices (not just the ones specified in the first 2 entries) to connect to 172.20.38.0/24 using any protocol?

Branch LAN interface -----> interface FastEthernet0/0
 ip address 172.20.38.1 255.255.255.0
 ip access-group 101 in
 duplex auto
 speed auto
end

Branch#sh access-list
Extended IP access list 101
    10 permit udp 172.20.38.0 0.0.0.255 host 172.20.8.211 eq 23
    20 permit udp 172.20.38.0 0.0.0.255 host 172.20.20.200 eq 23
    30 permit tcp 172.20.38.0 0.0.0.255 any established

Could I also do this to make it a little tighter:

    30 permit tcp 172.20.38.0 0.0.0.255 host 172.20.8.211 established
    40 permit tcp 172.20.38.0 0.0.0.255 host 172.20.20.200 established

Thank you.
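The stateless matching Giuseppe describes, and Pat's tightened ACL above, as an added Python simulation that is not IOS code and not from the thread: it parses the ACL lines as posted and evaluates constructed packets entering Fa0/0 in the "in" direction. The sample addresses and ports are assumptions; note that lines 10 and 20 as posted say udp while telnet is TCP/23, so the builder takes that protocol as a parameter to show the difference.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst dport flags")  # constructed packet entering Fa0/0 "in"

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_addr(t, i):
    # 'host X' or 'X wildcard' -> ((base, wildcard), index of next token)
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_ace(line):
    """Parse 'seq permit|deny proto src dst [eq port] [established]'."""
    t = line.split()
    ace = {"seq": int(t[0]), "action": t[1], "proto": t[2], "eq": None}
    ace["src"], i = parse_addr(t, 3)
    ace["dst"], i = parse_addr(t, i)
    opts = t[i:]
    ace["established"] = "established" in opts
    if "eq" in opts:
        ace["eq"] = int(opts[opts.index("eq") + 1])
    return ace

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto) or (ace["eq"] is not None and pkt.dport != ace["eq"]):
        return False
    if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
        return False
    # 'established' looks only at the TCP header (ACK or RST set): no session table, so still stateless.
    return not ace["established"] or bool(pkt.flags & {"ACK", "RST"})

def evaluate(acl, pkt):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"], ace["seq"]
    return "deny", None

def build_acl(telnet_proto="udp"):
    """Pat's tightened ACL 101 as posted (udp on lines 10/20); telnet is actually TCP/23."""
    lines = [f"10 permit {telnet_proto} 172.20.38.0 0.0.0.255 host 172.20.8.211 eq 23",
             f"20 permit {telnet_proto} 172.20.38.0 0.0.0.255 host 172.20.20.200 eq 23",
             "30 permit tcp 172.20.38.0 0.0.0.255 host 172.20.8.211 established",
             "40 permit tcp 172.20.38.0 0.0.0.255 host 172.20.20.200 established"]
    return [parse_ace(l) for l in lines]
```

Running the constructed packets through `evaluate` shows that a scanner gun's telnet SYN is dropped by the udp lines as posted and permitted once they say tcp, that ACK-bearing return traffic to the two HQ hosts passes on lines 30/40 while UDP replies never do, and that any ACK-set segment matches with no prior session, which is why Giuseppe points to CBAC for real stateful control.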
