Bidirectional Access-List


Hi there,

I have an issue on creating a bidirectional access-list.

For example : 25 25

Is the access-list correct, can it be done in this way rather than, 25 25

Any advice ...

Jon Marshall Sat, 11/17/2007 - 06:05


Depends on what you are trying to do.

The first example says:

allow host on any port to access host on port 25

allow host using port 25 to access any port on host

Second example says

allow host on any port to access on port 25

allow host on any port to access on port 25

They are not the same thing and the direction you apply the access-list in would make a difference.

Are these router or firewall access-lists?

Assuming router, there are a couple of things missing, e.g. 25 is a host address but you have used a subnet mask of

You haven't specified whether port 25 is tcp or udp.

You need an "eq" before the port number.

The masks if used on a router need to be inverse.


Thanks Jon, for your kind help.

The requirement is that server to host and host to server communications need

to be enabled - bidirectional. The server is on port 25.

If this is the requirement, do you mean the first example is correct?

If I need to create an access-list for a server, meaning server to host and host to server, bidirectional. This is a router's access-list. Sorry for the missing syntax. How do I create .... Please advise.

bvsnarayana03 Sun, 11/18/2007 - 01:31

ip access-list extended server-host

permit tcp host host eq 25

permit ip host host

The 1st permit statement is for permitting host to access server on port 25 (assuming it's a tcp port).

The 2nd permit statement is for allowing traffic from server to host. Permit ip indicates any traffic from server to host is permitted. If you have a specific requirement for the server to forward traffic on a specific port, you may replace ip with tcp/udp and add the port at the end.

Please rate if helped.

bvsnarayana03 Sun, 11/18/2007 - 06:30

"permit ip" means any traffic from server to host. If you want the server to return traffic to host on port 25 then use this:

permit tcp host host eq 25

(replace the 2nd line of the acl with this line)

This may be the case when both server and host are communicating on port 25.

Please rate if helped.

Hi, thanks again,

I think I will put this statement, since it's permitting all the traffic.

permit ip host host

I found another way of creating the access-list. Is the statement below correct?

permit tcp host host eq 25

permit tcp host eq 25 host

bidirectional also, I believe.

bvsnarayana03 Mon, 11/19/2007 - 06:05

No, it's not a bidirectional acl. Both statements permit traffic from host to host.

Use the one I recommended:

ip access-list extended server-host

permit tcp host host

permit tcp host host eq 25

Apply this on interface in both directions.

Hi Narayana,

Thanks, I will put in what you have told me.


permit tcp host host eq 25

permit tcp host eq 25 host

These statements mean: host on any port accesses port 25

The second statement means host on port 25 accesses any port on host

I think it will work.

Any suggestion ....

bvsnarayana03 Tue, 11/20/2007 - 09:49

Ok, let me clarify.

permit tcp host host eq 25

This statement means that host initiates communication with server on port 25, i.e. destination port is 25 (assuming is a server running smtp and nothing else).

permit tcp host eq 25 host

This statement means initiates communication with server but with source port 25.

Now if is a normal client, then it may not have any application running on it on port 25. So the 2nd rule, which says initiate communication on src port 25, is useless. Please note, well known ports are only used on servers.

Now let's take the 1st statement. This is valid because the client initiates talk with the server on port 25.

But the concern is, the client has successfully initiated the connection to the server. But where are the rules which say should reply back to the client? So, the client initiates the connection, waits for a reply from the server and then times out.

So if acls are applied on both ends, i.e. src and dest, then bidirectional rules are to be applied.
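To make the last two posts concrete, here is a small Python model of how a router evaluates extended ACL entries (an added example, not code from the thread or from Cisco; the addresses are constructed documentation-range values, since the thread's own IPs are not shown). It shows that both proposed "eq 25" lines match only client-to-server packets, and that the reply direction needs a rule with the server's port 25 as the source port.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]  # IOS inverse (wildcard) mask

def _parse_port(tokens):
    """Consume an optional 'eq N'; None means any port."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse one extended ACE: permit|deny PROTO SRC [eq P] DST [eq P]."""
    action, proto, *rest = line.split()
    src, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return action == "permit", proto, src, sport, dst, dport

def _addr_match(spec, ip):  # a wildcard bit of 1 means "don't care"
    return (ip & ~spec[1]) == (spec[0] & ~spec[1])

def acl_permits(acl, proto, src, sport, dst, dport):
    """Evaluate the ACL top-down; first match wins; implicit deny at the end."""
    for permit, p, s, sp, d, dp in map(parse_ace, acl):
        if (p in ("ip", proto) and _addr_match(s, _ip(src)) and _addr_match(d, _ip(dst))
                and sp in (None, sport) and dp in (None, dport)):
            return permit
    return False

# Constructed sample addresses (documentation ranges); the thread's own IPs are not shown.
CLIENT, SERVER = "192.0.2.10", "198.51.100.25"
# The two lines proposed in the thread: both only ever match client -> server packets.
POSTED_ACL = [f"permit tcp host {CLIENT} host {SERVER} eq 25",
              f"permit tcp host {CLIENT} eq 25 host {SERVER}"]
# What the return direction needs instead: the server's reply carries source port 25.
RETURN_ACL = [f"permit tcp host {SERVER} eq 25 host {CLIENT}"]

def check_thread_rules():
    """(request permitted, reply permitted by POSTED_ACL, reply permitted by RETURN_ACL)."""
    request = ("tcp", CLIENT, 40000, SERVER, 25)  # client ephemeral port -> server:25
    reply = ("tcp", SERVER, 25, CLIENT, 40000)    # server:25 -> client ephemeral port
    return (acl_permits(POSTED_ACL, *request), acl_permits(POSTED_ACL, *reply),
            acl_permits(RETURN_ACL, *reply))  # -> (True, False, True)
```

On a real router each list is applied to one interface in one direction, so the RETURN_ACL line belongs in the list that filters traffic arriving from the server, not appended to the client-side list.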

