ACL in blocks the other side (WAN)

chrislgicale
Level 1

Good day,

I'm not an expert in ACLs. I guess I'm at a basic level with them. My concern is: we have a Head Office and a Project Site. These two sites are connected via a point-to-point leased line. Our data/voice (internet) is supplied by the Head Office. Whenever I input a listed-port ACL at the Project Site, the Head Office is still able to ping the Project Site but literally can't access it (i.e. folder sharing, remote/RDP). Here are the network details:

Head Office subnet 192.168.1.0 / 24

Project Site subnet 172.32.16.0 / 22
Extended IP access list 107
    10 permit tcp host 172.32.16.11 any
    20 permit tcp 172.32.16.0 0.0.3.255 any eq 4370
    30 permit tcp 172.32.16.0 0.0.3.255 any eq domain
    40 permit tcp 172.32.16.0 0.0.3.255 any eq 993
    50 permit tcp 172.32.16.0 0.0.3.255 any eq 995
    60 permit tcp 172.32.16.0 0.0.3.255 any eq 23399
    70 permit tcp 172.32.16.0 0.0.3.255 any eq 587
    80 permit tcp 172.32.16.0 0.0.3.255 any eq 445
    90 permit tcp 172.32.16.0 0.0.3.255 any eq 465
    100 permit tcp 172.32.16.0 0.0.3.255 any eq ftp
    110 permit tcp 172.32.16.0 0.0.3.255 any eq www
    120 permit tcp 172.32.16.0 0.0.3.255 any eq 443
    130 permit tcp 172.32.16.0 0.0.3.255 any eq 143
    140 permit tcp 172.32.16.0 0.0.3.255 any eq 389
    150 permit tcp 172.32.16.0 0.0.3.255 any eq 522
    160 permit tcp 172.32.16.0 0.0.3.255 any eq 636
    170 permit tcp 172.32.16.0 0.0.3.255 any eq 135
    180 permit tcp 172.32.16.0 0.0.3.255 any eq 3389
    190 permit tcp 172.32.16.0 0.0.3.255 any eq pop3
    200 permit tcp 172.32.16.0 0.0.3.255 any eq 5223
    210 permit tcp 172.32.16.0 0.0.3.255 any eq 9339
    220 permit tcp 172.32.16.0 0.0.3.255 any eq smtp
    230 permit tcp 172.32.16.0 0.0.3.255 any eq telnet
    240 permit tcp 172.32.16.0 0.0.3.255 any eq 5242
    250 permit tcp 172.32.16.0 0.0.3.255 any eq 4244
    260 permit tcp 172.32.16.0 0.0.3.255 any eq 5243
    270 permit tcp 172.32.16.0 0.0.3.255 any eq 9785
    280 permit tcp 172.32.16.0 0.0.3.255 any eq 1720
    290 permit tcp 172.32.16.0 0.0.3.255 any eq 1503
    300 permit tcp 172.32.16.0 0.0.3.255 any eq 1731
    310 permit tcp 172.32.16.0 0.0.3.255 any eq 1719
    320 permit tcp 172.32.16.0 0.0.3.255 any eq 2727
    330 permit tcp 172.32.16.0 0.0.3.255 any eq 2427
    340 permit tcp 172.32.16.0 0.0.3.255 any eq 2000
    350 permit tcp 172.32.16.0 0.0.3.255 any eq 5060
    360 deny tcp 172.32.16.0 0.0.3.255 any
    370 permit ip any any

Whenever I implement "ip access-group 107 in" on the Project Site, the Head Office is literally blocked from access, except for ping. Although we have not indicated their subnet to be blocked, it looks like they're blocked.

Appreciate any inputs. Thanks!

Chris
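The thread does not spell out why an ACL that never names 192.168.1.0/24 still cuts off Head Office sessions, so here is a small model of standard Cisco IOS extended-ACL semantics (stateless, top-down first match, implicit deny at the end) run against the posted ACL 107. This is an added example, not code from the thread or from Cisco. It assumes the ACL is applied inbound on the Project Site LAN-facing interface, so the packets it sees are the ones sourced from 172.32.16.0/22, including the replies Project Site hosts send back to Head Office clients. The host addresses, the client ephemeral ports and the extra sequence-355 `established` line are constructed values not present in the thread; the ACL text is an abridged copy of the posted list.

```python
# Added example (not from the thread): a small model of Cisco IOS extended-ACL
# matching (stateless, first match wins, implicit deny at the end) used to
# evaluate the posted ACL 107 against constructed reply packets.
import ipaddress
from dataclasses import dataclass

# Well-known names IOS accepts in place of port numbers (those used in ACL 107).
PORT_NAMES = {"domain": 53, "www": 80, "ftp": 21, "pop3": 110, "smtp": 25, "telnet": 23}

# Abridged copy of the posted ACL 107. The omitted lines all take the form
# "permit tcp 172.32.16.0 0.0.3.255 any eq <port>" and cannot match a reply
# segment whose destination is an ephemeral client port, so leaving them out
# does not change the results below.
ACL_107 = """
10 permit tcp host 172.32.16.11 any
80 permit tcp 172.32.16.0 0.0.3.255 any eq 445
180 permit tcp 172.32.16.0 0.0.3.255 any eq 3389
360 deny tcp 172.32.16.0 0.0.3.255 any
370 permit ip any any
"""

# Same ACL with one assumed extra line (sequence 355, not in the thread):
# 'established' matches TCP segments carrying ACK or RST, i.e. replies to
# sessions that were opened from the other side.
ACL_107_ESTABLISHED = ACL_107.replace(
    "360 deny", "355 permit tcp 172.32.16.0 0.0.3.255 any established\n360 deny")


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK (or RST) flag set


def _parse_addr(tokens, i):
    """Return ((base, wildcard), next_index) for 'any', 'host X' or 'X WILDCARD'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'show access-lists' style lines into a list of entry dicts."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        entry = {"seq": int(t[0]), "action": t[1], "proto": t[2],
                 "dport": None, "established": False}
        entry["src"], i = _parse_addr(t, 3)
        entry["dst"], i = _parse_addr(t, i)
        while i < len(t):
            if t[i] == "eq":
                entry["dport"] = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
                i += 2
            elif t[i] == "established":
                entry["established"] = True
                i += 1
            else:
                i += 1
        entries.append(entry)
    return entries


def _addr_match(spec, ip):
    """Wildcard-mask match: 1 bits in the wildcard are 'don't care'."""
    base, wild = (int(ipaddress.IPv4Address(a)) for a in spec)
    care = 0xFFFFFFFF ^ wild
    return (base & care) == (int(ipaddress.IPv4Address(ip)) & care)


def evaluate(entries, pkt):
    """Return (action, seq) of the first matching entry, or the implicit deny."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != pkt.proto:
            continue
        if not (_addr_match(e["src"], pkt.src) and _addr_match(e["dst"], pkt.dst)):
            continue
        if e["dport"] is not None and e["dport"] != pkt.dport:
            continue
        if e["established"] and not pkt.ack:
            continue
        return e["action"], e["seq"]
    return "deny", None   # implicit deny at the end of every IOS ACL


# Constructed traffic seen inbound on the Project Site LAN interface, i.e.
# packets sourced from 172.32.16.0/22. Hosts and ephemeral ports are assumed.
RDP_REPLY = Packet("tcp", "172.32.16.50", "192.168.1.20", sport=3389, dport=51000, ack=True)
SMB_REPLY = Packet("tcp", "172.32.16.50", "192.168.1.20", sport=445, dport=51001, ack=True)
PING_REPLY = Packet("icmp", "172.32.16.50", "192.168.1.20")
OUTBOUND_8080 = Packet("tcp", "172.32.16.50", "192.168.1.20", sport=51002, dport=8080)


def results(acl_text):
    """Evaluate the four constructed packets against an ACL and report the matching line."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, p) for name, p in
            [("rdp_reply", RDP_REPLY), ("smb_reply", SMB_REPLY),
             ("ping_reply", PING_REPLY), ("outbound_8080", OUTBOUND_8080)]}


if __name__ == "__main__":
    for label, text in [("as posted", ACL_107), ("with 'established'", ACL_107_ESTABLISHED)]:
        print(label, results(text))
```

Run as posted, the RDP and SMB replies from a Project Site host (source port 3389/445, destination the client's ephemeral port) match no `eq` line and fall through to line 360, while the ICMP echo reply reaches line 370 and is permitted, which is exactly the "ping works, RDP and folder sharing don't" symptom. With the assumed `established` line ahead of the deny, replies to sessions opened from Head Office pass, and a Project Site host opening a new connection to an unlisted port still hits line 360. On the router, `show access-lists 107` shows per-line match counters, so a climbing count on line 360 while Head Office users report failures is the check to look for. The caveat is that `established` only inspects the ACK/RST flag and keeps no session state; a reflexive ACL or a zone-based firewall is the stateful alternative when that matters.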

15 Replies

Jon
Yes I got it working perfectly. I will just consider it on UDP as well.

Thanks for sharing :)
Chris