02-20-2013 06:59 PM - edited 03-04-2019 07:05 PM
At the branch office we want to allow wireless handheld devices on network 172.20.38.0/24 to only access a couple of devices at HQ using port 23. But, we want all devices at HQ to reach wireless handheld devices on network 172.20.38.0/24 on any ports. Would this be the most efficient way to accomplish this?
Branch LAN interface:
interface FastEthernet0/0
 ip address 172.20.38.1 255.255.255.0
 ip access-group 101 in
 duplex auto
 speed auto
end
Branch#sh access-list
Extended IP access list 101
    10 permit tcp 172.20.38.0 0.0.0.255 host 172.20.8.211 eq 23
    20 permit tcp 172.20.38.0 0.0.0.255 host 172.20.20.200 eq 23
Thank you, Pat.
02-21-2013 01:10 AM
Hello Pat,
The access-list you are proposing would block all other traffic from the branch LAN IP subnet to HQ.
For TCP traffic you could try to use the keyword established in a third statement like
    30 permit tcp 172.20.38.0 0.0.0.255 any established
For more granular control you would need CBAC (ip inspect statements), as you would like to allow sessions started from the HQ side, which is a typical stateful firewall feature.
Hope to help
Giuseppe
02-21-2013 03:33 AM
Thanks Giuseppe -
I want to only allow port 23 into the LAN interface from the 172.20.38.0/24 subnet. These are wireless scanner guns that only need port 23. This subnet will be the only subnet that will enter this LAN interface. There is another LAN interface for another subnet for users that will not block any traffic.
Will applying this access list to the LAN interface in the in direction have any effect on other devices at HQ trying to connect to scanner guns at the 172.20.38.0/24 subnet?
What I am trying to say is: will I only be affecting traffic that is coming into the router on that interface, and will devices coming out of that interface (entering the 172.20.38.0/24 LAN) be allowed through using all protocols?
Also, is the established command allowing 172.20.38.0/24 traffic that is established from the HQ to come back into the LAN interface to get back to HQ? I'm trying not to be confusing.
Thank you.
02-21-2013 06:04 AM
Hello Pat,
>> Will applying this access list to the LAN interface in the in direction have any affect on other devices at HQ trying to connect to scanner guns at the 172.20.38.0/24 subnet?
Yes, it does. This is the key point: with the ACL that you would like to implement, return traffic to HQ would be blocked unless it matches the two ACL statements.
The issue is that a router ACL is stateless; it does not discriminate between traffic flows started from HQ or from the branch IP subnet.
The use of the established keyword applies only to TCP flows and allows you to permit TCP sessions that have been started from the HQ. It simply checks the TCP flags in the TCP header. It is a primitive form of stateful filtering.
>> Also, is the established command allowing 172.20.38.0/24 traffic that is established from the HQ to come back into the LAN interface to get back to HQ?
Yes, this would be the idea.
Hope to help
Giuseppe
02-21-2013 06:48 AM
Giuseppe -
So this will do what I want? This will permit port 23 only for 172.20.38.0/24 to specifically configured HQ devices and disallow all other traffic. And also, permit any HQ devices (not just the ones specified in the first 2 entries) to connect to 172.20.38.0/24 using any protocol?
Branch LAN interface:
interface FastEthernet0/0
 ip address 172.20.38.1 255.255.255.0
 ip access-group 101 in
 duplex auto
 speed auto
end
Branch#sh access-list
Extended IP access list 101
    10 permit tcp 172.20.38.0 0.0.0.255 host 172.20.8.211 eq 23
    20 permit tcp 172.20.38.0 0.0.0.255 host 172.20.20.200 eq 23
    30 permit tcp 172.20.38.0 0.0.0.255 any established
Could I also do this to make it a little tighter:
    30 permit tcp 172.20.38.0 0.0.0.255 host 172.20.8.211 established
    40 permit tcp 172.20.38.0 0.0.0.255 host 172.20.20.200 established
Thank you.
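To make Giuseppe's point concrete (a router ACL is stateless, and the established keyword only tests the TCP ACK/RST bits), here is an added example that is not code from this thread or from Cisco: a small Python evaluator for the access-list lines quoted above, fed constructed packets as they would enter FastEthernet0/0 from the scanner subnet. The scanner address 172.20.38.50 and the extra HQ host 172.20.8.10 are assumed for illustration, and the telnet entries are written with tcp, Telnet's transport. Packets from HQ toward the scanners leave FastEthernet0/0 and are never checked by an inbound ACL, so only the scanner-to-HQ direction is modelled. The samples show why UDP and ICMP replies to HQ-initiated traffic are dropped, why the any established line lets replies reach any HQ host, why the tighter per-host variant from the last post only lets replies reach those two hosts, and the caveat that any TCP segment from the scanner subnet with the ACK bit set passes line 30 whether or not a session exists.

```python
"""Stateless evaluation of an IOS extended ACL (added example, not from the thread).

Parses `show access-list` style lines (sequence, permit/deny, protocol, source,
destination, optional `eq PORT` and `established`) and evaluates constructed
packets the way the router does: first match wins, implicit deny at the end,
and `established` is only a check that the TCP ACK or RST bit is set.
Only contiguous wildcard masks are supported (enough for the thread's ACL).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0                  # destination port (tcp/udp only)
    flags: frozenset = field(default_factory=frozenset)   # TCP flags set, e.g. {"SYN"}


@dataclass
class AclEntry:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp" or "icmp"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]            # from "eq PORT", None if absent
    established: bool               # the "established" keyword


def _parse_addr(tokens):
    """Consume an IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)   # wildcard is the inverted subnet mask
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False)


def parse_acl(text):
    """Parse ACL lines; header lines without a sequence number are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        seq = int(tokens.pop(0))
        action, proto = tokens.pop(0), tokens.pop(0)
        src_net, dst_net = _parse_addr(tokens), _parse_addr(tokens)
        dport, established = None, False
        while tokens:
            tok = tokens.pop(0)
            if tok == "eq":
                dport = int(tokens.pop(0))
            elif tok == "established":
                established = True
            else:
                raise ValueError(f"unsupported keyword {tok!r} in: {line}")
        entries.append(AclEntry(seq, action, proto, src_net, dst_net, dport, established))
    return entries


def matches(entry, pkt):
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in entry.src_net:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in entry.dst_net:
        return False
    if entry.dport is not None and pkt.dport != entry.dport:
        return False
    # "established" keeps no session table: it matches any TCP segment carrying
    # ACK or RST, whoever started the connection.
    if entry.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, sequence) of the first matching entry, or ('deny', None) for the implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action, entry.seq
    return "deny", None


# The thread's ACL (line 30 as Giuseppe suggested) and the per-host variant from the last post.
ACL_101 = """
Extended IP access list 101
    10 permit tcp 172.20.38.0 0.0.0.255 host 172.20.8.211 eq 23
    20 permit tcp 172.20.38.0 0.0.0.255 host 172.20.20.200 eq 23
    30 permit tcp 172.20.38.0 0.0.0.255 any established
"""
ACL_101_TIGHT = """
    10 permit tcp 172.20.38.0 0.0.0.255 host 172.20.8.211 eq 23
    20 permit tcp 172.20.38.0 0.0.0.255 host 172.20.20.200 eq 23
    30 permit tcp 172.20.38.0 0.0.0.255 host 172.20.8.211 established
    40 permit tcp 172.20.38.0 0.0.0.255 host 172.20.20.200 established
"""

# Constructed packets entering Fa0/0 from the scanner subnet (172.20.38.50 and
# 172.20.8.10 are assumed addresses; the "reply" packets are what a scanner sends
# back to an HQ-initiated session, with the HQ-chosen ephemeral port as dport).
SAMPLES = {
    "scanner opens telnet to 172.20.8.211":   Packet("tcp", "172.20.38.50", "172.20.8.211", 23, frozenset({"SYN"})),
    "scanner opens telnet to 172.20.8.10":    Packet("tcp", "172.20.38.50", "172.20.8.10", 23, frozenset({"SYN"})),
    "reply to SSH started by 172.20.8.10":    Packet("tcp", "172.20.38.50", "172.20.8.10", 51000, frozenset({"SYN", "ACK"})),
    "reply to SSH started by 172.20.8.211":   Packet("tcp", "172.20.38.50", "172.20.8.211", 51000, frozenset({"SYN", "ACK"})),
    "reply to SNMP poll from 172.20.8.10":    Packet("udp", "172.20.38.50", "172.20.8.10", 50123),
    "reply to ping from 172.20.8.10":         Packet("icmp", "172.20.38.50", "172.20.8.10"),
    "forged ACK probe to 172.20.8.10:445":    Packet("tcp", "172.20.38.50", "172.20.8.10", 445, frozenset({"ACK"})),
}


def evaluate_samples(acl_text=ACL_101):
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, text in (("ACL 101 with 'any established'", ACL_101), ("per-host established", ACL_101_TIGHT)):
        print(label)
        for name, verdict in evaluate_samples(text).items():
            print(f"  {name:40s} -> {verdict}")
```

Running the script prints one verdict per sample for each ACL. The UDP and ICMP replies are denied under both lists, which is why Giuseppe points to CBAC (ip inspect) for anything beyond TCP: inspecting the HQ-initiated sessions is what lets the router open the return path dynamically instead of relying on a flag check. The forged ACK probe is permitted by the any established line, so that line trusts every host on the scanner subnet not to craft packets.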