11-16-2007 08:50 PM - edited 03-05-2019 07:28 PM
Hi there,
I have an issue on creating a bidirectional access-list.
For example:
1.1.1.1 255.255.255.0 2.2.2.2 255.255.255.0 25
1.1.1.1 255.255.255.0 25 2.2.2.2 255.255.255.0
Is the access-list correct? Can it be done in this way rather than:
1.1.1.1 255.255.255.0 2.2.2.2 255.255.255.0 25
2.2.2.2 255.255.255.0 1.1.1.1 255.255.255.0 25
Any advice...
11-17-2007 06:05 AM
Hi
Depends on what you are trying to do.
The first example says:
allow host 1.1.1.1 on any port to access host 2.2.2.2 on port 25
allow host 1.1.1.1 using port 25 to access any port on host 2.2.2.2
Second example says
allow host 1.1.1.1 on any port to access 2.2.2.2 on port 25
allow host 2.2.2.2 on any port to access 1.1.1.1 on port 25
They are not the same thing and the direction you apply the access-list in would make a difference.
Are these router or firewall access-lists?
Assuming router, there are a couple of things missing, e.g.
1.1.1.1 255.255.255.0 2.2.2.2 255.255.255.0 25
1.1.1.1 is a host address but you have used a subnet mask of 255.255.255.0
You haven't specified whether port 25 is tcp or udp.
You need an "eq" before the port number.
The masks if used on a router need to be inverse.
Jon
11-17-2007 04:21 PM
Thanks Jon, for your kind help.
The requirement is that the server-to-host and the host-to-server communications need
to be enabled, i.e. bidirectional. The server is 2.2.2.2 on port 25.
If this is the requirement, do you mean the first example is correct?
If I need to create an access-list for a server, meaning server to host and host to server, bidirectional: this is a router's access-list. Sorry for the missing syntax. How do I create it? Please advise.
11-18-2007 01:31 AM
ip access-list extended server-host
permit tcp host 1.1.1.1 host 2.2.2.2 eq 25
permit ip host 2.2.2.2 host 1.1.1.1
The 1st permit statement permits the host to access the server on port 25 (assuming it's a TCP port).
The 2nd permit statement allows traffic from the server to the host. "permit ip" indicates any traffic from the server to the host is permitted. If you have a specific requirement for the server to forward traffic on a specific port, you may replace ip with tcp/udp and add the port at the end.
Please rate if this helped.
11-18-2007 04:19 AM
Thanks Narayana,
Just a question on the second statement.
"permit ip host 2.2.2.2 host 1.1.1.1": does it mean it will permit tcp 25 traffic?
Regards
11-18-2007 06:30 AM
"permit ip" means any traffic from the server to the host. If you want the server to return traffic to the host on port 25 then use this:
permit tcp host 2.2.2.2 host 1.1.1.1 eq 25
(replace the 2nd line of the ACL with this line)
This may be the case when both server and host are communicating on port 25.
Please rate if this helped.
11-19-2007 03:53 AM
Hi, thanks again,
I think I will put this statement, since it's permitting all the traffic.
permit ip host 2.2.2.2 host 1.1.1.1
I found another way of creating the access-list. Is the statement below correct?
permit tcp host 1.1.1.1 host 2.2.2.2 eq 25
permit tcp host 1.1.1.1 eq 25 host 2.2.2.2
Bidirectional also, I believe.
11-19-2007 06:05 AM
No, it's not a bidirectional ACL. Both statements permit traffic from host 1.1.1.1 to host 2.2.2.2.
Use the one I recommended:
ip access-list extended server-host
permit tcp host 2.2.2.2 host 1.1.1.1
permit tcp host 1.1.1.1 host 2.2.2.2 eq 25
Apply this on interface in both directions.
11-20-2007 03:23 AM
Hi Narayana,
Thanks, I will put it as you have told me.
But
permit tcp host 1.1.1.1 host 2.2.2.2 eq 25
permit tcp host 1.1.1.1 eq 25 host 2.2.2.2
These statements mean: host 1.1.1.1 on any port can access 2.2.2.2 on port 25.
The second statement means host 1.1.1.1 on port 25 can access any port on host 2.2.2.2.
I think it will work.
Any suggestion...
11-20-2007 09:49 AM
Ok, let me clarify.
permit tcp host 1.1.1.1 host 2.2.2.2 eq 25
This statement means that host 1.1.1.1 initiates communication with server 2.2.2.2 on port 25, i.e. the destination port is 25 (assuming 2.2.2.2 is a server running SMTP and nothing else).
permit tcp host 1.1.1.1 eq 25 host 2.2.2.2
This statement means 1.1.1.1 initiates communication with server 2.2.2.2 but with source port 25.
Now if 1.1.1.1 is a normal client, then it may not have any application running on it on port 25. So the 2nd rule, which says initiate communication on source port 25, is useless. Please note, well-known ports are only used on servers.
Now let's take the 1st statement. This is valid because client 1.1.1.1 initiates talk with the server on port 25.
But the concern is: the client has successfully initiated a connection to the server. But where are the rules which say 2.2.2.2 should reply back to the client? So the client initiates the connection, waits for a reply from the server and then times out.
So if ACLs are applied on both ends, i.e. source and destination, then bidirectional rules are to be applied.
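The point the thread keeps circling (which side of a `permit` line is the source, which port is `eq` applied to, and whether the server's reply is covered at all) is easiest to settle by evaluating the candidate ACLs against the actual packets of one SMTP connection. The following is an added example written for this thread, not code from any of the posters or from Cisco: a small Python evaluator for IOS-style extended ACL lines (host entries, `eq` on either side, optional `established`, first match wins, implicit deny). The packets are a constructed exchange: the client's SYN from an assumed ephemeral port 40000 to 2.2.2.2:25, the server's SYN-ACK back from port 25, and a separate server-initiated connection to an assumed port 22 on the client, used to show what `permit ip` opens up. It goes a little beyond the thread by also testing the `established` keyword as the least-privilege return rule.

```python
import re
from dataclasses import dataclass

# Added example: a minimal evaluator for Cisco IOS-style extended ACL lines.
# Supported shape (host entries only; wildcard masks are not modelled):
#   permit|deny ip|tcp|udp (host A|any) [eq P] (host B|any) [eq P] [established]
# Like IOS, the first matching entry wins and there is an implicit deny at the end.


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str            # source address
    sport: int          # source port
    dst: str            # destination address
    dport: int          # destination port
    ack: bool = False   # TCP ACK (or RST) bit set, i.e. not the initial SYN


ACE_RE = re.compile(
    r"^(permit|deny)\s+(ip|tcp|udp)\s+(host\s+\S+|any)(?:\s+eq\s+(\d+))?"
    r"\s+(host\s+\S+|any)(?:\s+eq\s+(\d+))?(\s+established)?\s*$"
)


def parse_ace(line):
    """Parse one access-list entry into its fields (None = wildcard)."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto, src, sport, dst, dport, est = m.groups()
    return {
        "action": action,
        "proto": proto,
        "src": None if src == "any" else src.split()[1],
        "sport": int(sport) if sport else None,   # "eq" after the source = source port
        "dst": None if dst == "any" else dst.split()[1],
        "dport": int(dport) if dport else None,   # "eq" after the destination = destination port
        "established": bool(est),
    }


def ace_matches(ace, pkt):
    """True if the packet matches every field the entry constrains."""
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ace["src"] is not None and ace["src"] != pkt.src:
        return False
    if ace["dst"] is not None and ace["dst"] != pkt.dst:
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    # "established" on IOS only checks the ACK/RST bits; it is not a state table.
    if ace["established"] and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny' for the packet under the given ACL."""
    for line in acl_lines:
        if ace_matches(parse_ace(line), pkt):
            return parse_ace(line)["action"]
    return "deny"   # implicit deny at the end of every IOS ACL


# Constructed SMTP exchange (ephemeral port 40000 and client port 22 are assumptions).
CLIENT_SYN = Packet("tcp", "1.1.1.1", 40000, "2.2.2.2", 25)
SERVER_REPLY = Packet("tcp", "2.2.2.2", 25, "1.1.1.1", 40000, ack=True)
SERVER_INITIATED = Packet("tcp", "2.2.2.2", 50000, "1.1.1.1", 22)

# The two statements the original poster believed were bidirectional.
ACL_SAME_DIRECTION = [
    "permit tcp host 1.1.1.1 host 2.2.2.2 eq 25",
    "permit tcp host 1.1.1.1 eq 25 host 2.2.2.2",
]
# The "permit ip" return rule from the thread.
ACL_PERMIT_IP = [
    "permit tcp host 1.1.1.1 host 2.2.2.2 eq 25",
    "permit ip host 2.2.2.2 host 1.1.1.1",
]
# A return rule with "eq 25" on the destination side of the reply.
ACL_EQ25_RETURN = [
    "permit tcp host 1.1.1.1 host 2.2.2.2 eq 25",
    "permit tcp host 2.2.2.2 host 1.1.1.1 eq 25",
]
# Least-privilege return rule: source port 25 and only non-SYN packets.
ACL_ESTABLISHED_RETURN = [
    "permit tcp host 1.1.1.1 host 2.2.2.2 eq 25",
    "permit tcp host 2.2.2.2 eq 25 host 1.1.1.1 established",
]


def check(acl_lines):
    """Verdicts for (client SYN, server reply, server-initiated connection)."""
    return tuple(evaluate(acl_lines, p) for p in (CLIENT_SYN, SERVER_REPLY, SERVER_INITIATED))


if __name__ == "__main__":
    for name, acl in [("same-direction", ACL_SAME_DIRECTION), ("permit-ip", ACL_PERMIT_IP),
                      ("eq25-return", ACL_EQ25_RETURN), ("established", ACL_ESTABLISHED_RETURN)]:
        print(f"{name:15} SYN={check(acl)[0]} reply={check(acl)[1]} server-initiated={check(acl)[2]}")
```

Running it shows the two "same-direction" lines and the "eq 25 on the reply" variant both let the client's SYN through and drop the server's reply, because the reply carries port 25 as its source and the client's ephemeral port as its destination. `permit ip` passes the reply but also passes any connection the server opens toward the client. The `established` form passes only the reply. This evaluator is stateless, exactly like a classic IOS ACL: it checks each packet on its own, so the direction in which the list is applied on the interface (in or out) decides which of these packets it ever sees, and `established` is a TCP-flag check that a forged ACK packet satisfies, not a connection table.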
11-21-2007 06:12 AM
Thanks ,
I will try to put in the configurations .
Regards