Bidirectional Access-List

Hi there,

I have an issue with creating a bidirectional access-list.

For example:

1.1.1.1 255.255.255.0 2.2.2.2 255.255.255.0 25

1.1.1.1 255.255.255.0 25 2.2.2.2 255.255.255.0

Is the access-list correct? Can it be done in this way rather than:

1.1.1.1 255.255.255.0 2.2.2.2 255.255.255.0 25

2.2.2.2 255.255.255.0 1.1.1.1 255.255.255.0 25

Any advice ...

Jon Marshall Sat, 11/17/2007 - 06:05

Hi

Depends on what you are trying to do.

The first example says:

allow host 1.1.1.1 on any port to access host 2.2.2.2 on port 25

allow host 1.1.1.1 using port 25 to access any port on host 2.2.2.2

The second example says:

allow host 1.1.1.1 on any port to access 2.2.2.2 on port 25

allow host 2.2.2.2 on any port to access 1.1.1.1 on port 25

They are not the same thing and the direction you apply the access-list in would make a difference.

Are these router or firewall access-lists?

Assuming router, there are a couple of things missing, e.g.

1.1.1.1 255.255.255.0 2.2.2.2 255.255.255.0 25

1.1.1.1 is a host address, but you have used a subnet mask of 255.255.255.0.

You haven't specified whether port 25 is tcp or udp.

You need an "eq" before the port number.

The masks, if used on a router, need to be inverse.

Jon

Thanks Jon, for your kind help.

The requirement is that the server-to-host and the host-to-server communications need

to be enabled - bidirectional. The server is 2.2.2.2 on port 25.

If this is the requirement, do you mean the first example is correct?

If I need to create an access-list for a server, meaning server to host and host to server, bidirectional. This is a router's access-list. Sorry for the missing syntax. How do I create it? Please advise.

bvsnarayana03 Sun, 11/18/2007 - 01:31

ip access-list extended server-host

permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

permit ip host 2.2.2.2 host 1.1.1.1

The 1st permit statement is for permitting the host to access the server on port 25 (assuming it's a TCP port).

The 2nd permit statement is for allowing traffic from the server to the host. "permit ip" indicates any traffic from server to host is permitted. If you have a specific requirement for the server to forward traffic on a specific port, you may replace ip with tcp/udp and add the port at the end.

Please rate if it helped.

bvsnarayana03 Sun, 11/18/2007 - 06:30

"permit ip" means any traffic from server to host. If you want the server to return traffic to the host on port 25, then use this:

permit tcp host 2.2.2.2 host 1.1.1.1 eq 25

(replace the 2nd line of the ACL with this line)

This may be the case when both server and host are communicating on port 25.

Please rate if it helped.

Hi, thanks again,

I think I will put this statement, since it's permitting all the traffic.

permit ip host 2.2.2.2 host 1.1.1.1

I found another way of creating the access-list. Is the statement below correct?

permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

permit tcp host 1.1.1.1 eq 25 host 2.2.2.2

Bidirectional also, I believe.

bvsnarayana03 Mon, 11/19/2007 - 06:05

No, it's not a bidirectional ACL. Both statements permit traffic from host 1.1.1.1 to host 2.2.2.2.

Use the one I recommended:

ip access-list extended server-host

permit tcp host 2.2.2.2 host 1.1.1.1

permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

Apply this on the interface in both directions.

Hi Narayana,

Thanks, I will put it as you have told me.

But

permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

permit tcp host 1.1.1.1 eq 25 host 2.2.2.2

The first statement means host 1.1.1.1 on any port accesses 2.2.2.2 on port 25.

The second statement means host 1.1.1.1 on port 25 accesses any port on host 2.2.2.2.

I think it will work.

Any suggestion?

bvsnarayana03 Tue, 11/20/2007 - 09:49

OK, let me clarify.

permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

This statement means that host 1.1.1.1 initiates communication with server 2.2.2.2 on port 25, i.e. the destination port is 25 (assuming 2.2.2.2 is a server running SMTP and nothing else).

permit tcp host 1.1.1.1 eq 25 host 2.2.2.2

This statement means 1.1.1.1 initiates communication with server 2.2.2.2, but with source port 25.

Now if 1.1.1.1 is a normal client, then it may not have any application running on it on port 25. So the 2nd rule, which says initiate communication on src port 25, is useless. Please note, well-known ports are only used on servers.

Now let's take the 1st statement. This is valid because client 1.1.1.1 initiates talk with the server on port 25.

But the concern is, the client has successfully initiated a connection to the server. But where are the rules which say 2.2.2.2 should reply back to the client? So, the client initiates the connection, waits for a reply from the server and then times out.

So if ACLs are applied on both ends, i.e. src and dest, then bidirectional rules are to be applied.
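
The two things this thread turns on, Jon's point that the asker's two line pairs are not equivalent and that a subnet mask is not a wildcard mask, and the last post's point that a "host to server eq 25" line alone never lets the server's reply back, can be checked mechanically. The block below is an added example written for this page, not code from the thread or from Cisco: a small stateless evaluator for extended-ACL lines (first match wins, implicit deny, wildcard masks, "eq", "established"). The ACL names, the ACL_ESTABLISHED variant that uses the IOS "established" keyword (which matches TCP segments with ACK or RST set) instead of "permit ip" in the return direction, and the sample packets are all my own constructions, not something the posters wrote.

```python
"""Stateless evaluation of Cisco-style extended ACL lines (added example, not from the thread).
Models first-match-wins with an implicit deny, wildcard masks (set bits are "don't care"),
'eq <port>' and the TCP 'established' keyword (ACK or RST set). A plain router ACL keeps no
connection state, so "host -> server eq 25" on its own never lets the server's reply back."""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK or RST bit set, i.e. anything but the initial SYN

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok):  # 'any' | 'host A' | 'A WILDCARD'  ->  ((addr, wildcard), rest)
    if tok and tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if len(tok) < 2:
        raise ValueError(f"incomplete address spec: {tok}")
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def _parse_port(tok):  # optional 'eq N' -> (port, rest); None means any port
    if len(tok) >= 2 and tok[0] == "eq":
        return int(tok[1]), tok[2:]
    return None, tok

def parse_line(line):
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        raise ValueError(f"expected 'permit|deny <proto> ...': {line!r}")
    action, proto, tok = tok[0], tok[1], tok[2:]
    layer4 = proto in ("tcp", "udp")
    src, tok = _parse_addr(tok)
    sport, tok = _parse_port(tok) if layer4 else (None, tok)
    dst, tok = _parse_addr(tok)
    dport, tok = _parse_port(tok) if layer4 else (None, tok)
    established = proto == "tcp" and tok[:1] == ["established"]
    tok = tok[1:] if established else tok
    if tok:  # e.g. a bare "25" with no "eq" in front of it (Jon's point)
        raise ValueError(f"unparsed tokens {tok} in {line!r}")
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst,
                dport=dport, established=established, text=line.strip())

def is_valid(line):
    try:
        parse_line(line)
        return True
    except ValueError:
        return False

def _addr_match(spec, ip):  # bits set in the wildcard are ignored in the comparison
    addr, wild = spec
    return (_ip(ip) & ~wild) == (addr & ~wild)

def matches(entry, pkt):
    if entry["proto"] not in ("ip", pkt.proto):
        return False
    if not (_addr_match(entry["src"], pkt.src) and _addr_match(entry["dst"], pkt.dst)):
        return False
    for spec, port in ((entry["sport"], pkt.sport), (entry["dport"], pkt.dport)):
        if spec is not None and spec != port:
            return False
    return pkt.ack or not entry["established"]

def evaluate(acl_lines, pkt):  # first match wins; no match hits the implicit deny
    for entry in map(parse_line, acl_lines):
        if matches(entry, pkt):
            return entry["action"], entry["text"]
    return "deny", "implicit deny"

# The asker's second attempt: both lines have 1.1.1.1 as the source.
ACL_ONE_WAY = ["permit tcp host 1.1.1.1 host 2.2.2.2 eq 25",
               "permit tcp host 1.1.1.1 eq 25 host 2.2.2.2"]
# bvsnarayana03's recommendation: the server may send anything at all to the host.
ACL_PERMIT_IP_BACK = ["permit tcp host 1.1.1.1 host 2.2.2.2 eq 25",
                      "permit ip host 2.2.2.2 host 1.1.1.1"]
# Tighter variant (mine): only SMTP segments that belong to a handshake the client started.
ACL_ESTABLISHED = ["permit tcp host 1.1.1.1 host 2.2.2.2 eq 25",
                   "permit tcp host 2.2.2.2 eq 25 host 1.1.1.1 established"]

# Constructed traffic: client SYN, server SYN/ACK, and the server opening a new connection to the client.
SAMPLE = {"client_syn": Packet("tcp", "1.1.1.1", 40001, "2.2.2.2", 25),
          "server_reply": Packet("tcp", "2.2.2.2", 25, "1.1.1.1", 40001, ack=True),
          "server_new_conn": Packet("tcp", "2.2.2.2", 51000, "1.1.1.1", 22)}

def verdicts(acl):
    return {name: evaluate(acl, pkt)[0] for name, pkt in SAMPLE.items()}

def wildcard_demo():  # Jon's mask point: a subnet mask used as a wildcard ignores the wrong octets
    wrong = ["permit ip 1.1.1.1 255.255.255.0 any"]  # only the last octet must equal 1
    right = ["permit ip 1.1.1.0 0.0.0.255 any"]      # the whole 1.1.1.0/24
    probe = lambda acl, ip: evaluate(acl, Packet("tcp", ip, 1, "9.9.9.9", 2))[0]
    return {"wrong_1.1.1.2": probe(wrong, "1.1.1.2"), "wrong_8.8.8.1": probe(wrong, "8.8.8.1"),
            "right_1.1.1.2": probe(right, "1.1.1.2"), "right_8.8.8.1": probe(right, "8.8.8.1")}
```

Calling verdicts() on the three lists shows the difference in one glance: ACL_ONE_WAY permits the client's SYN and silently drops the server's SYN/ACK (the timeout described in the last post), ACL_PERMIT_IP_BACK permits the reply but also lets the server open arbitrary new connections to the client, and ACL_ESTABLISHED permits the reply while denying that new connection. The "established" keyword is still only a flag check on a stateless router ACL; where real connection tracking is wanted, a reflexive ACL or a stateful firewall is the right tool. wildcard_demo() reproduces Jon's mask point: written as a wildcard, 255.255.255.0 accepts 8.8.8.1 and rejects 1.1.1.2.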
