ACL config question

Answered Question
Dec 19th, 2008

*Please look at the attached pic for a visual of the question*


I have two subnets:


192.168.1.0/24 - main network

192.168.10.0/24 - restricted App server


The 192.168.10.0 subnet only has one server on it (App) that needs very strict access to it. Only a handful of IPs from the 192.168.1.0 subnet are allowed to access the App server on specific ports. However, I need the App server to use 192.168.1.1 for DNS services.


I'm a bit confused as to how to write the ACL statements to allow this. Would it be:


permit udp host 192.168.10.1 host 192.168.1.1 eq 53


or


permit udp host 192.168.1.1 host 192.168.10.1 eq 53


I'm just confused about which is the 'source' and which is the 'destination'. I know this is an easy one, so sorry for the simple question.



viyuan700 Fri, 12/19/2008 - 11:54

First you define the source and then the destination.

Looks like this is correct, I think:


permit udp host 192.168.10.1 host 192.168.1.1 eq 53


qbakies11 Fri, 12/19/2008 - 11:58

So in this case the DNS server is the 'source' and the App server is the 'destination'? Even though the App server is making the DNS request?


Sorry, but I'm used to dealing with ACLs on firewalls where the interfaces have security levels, so things are a bit easier, IMO.

Correct Answer
viyuan700 Fri, 12/19/2008 - 12:17

Your application server is starting the request, so it is the source IMO, not the DNS server.


In terms of ACLs, if you want to deny TCP from source 172.16.4.0 to destination 172.16.3.0 on port 21,


then you write:

deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21


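To make the source-then-destination ordering from the two answers above concrete, here is an added Python example; it is not code from the original thread, from Cisco, or from either poster. It parses extended-ACL entries in the syntax used in this thread ("host", "any", and network/wildcard-mask address specs, with an optional "eq" port), evaluates constructed packets against them with first-match and implicit-deny semantics, and runs both candidate entries from the question against the App server's DNS query as well as viyuan700's FTP example. It also shows one thing the follow-up about stateful firewalls hints at: a router ACL keeps no connection state, so the DNS reply from 192.168.1.1 back to the App server is a separate packet that needs its own entry wherever the ACL would see it. The App server address 192.168.10.1 is taken from the question's own candidate entry; the ephemeral source port 40000, the 172.16.x hosts, and the small table of service names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names IOS accepts instead of a port number; only this small subset is supported here (assumption).
_PORT_NAMES = {"domain": 53, "ftp": 21, "www": 80}

# An address spec is (network, match_mask): every bit set in match_mask must agree with the packet address.
AddrSpec = Tuple[int, int]


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches any protocol
    src: AddrSpec
    sport: Optional[int]
    dst: AddrSpec
    dport: Optional[int]


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask) starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, ~wildcard & 0xFFFFFFFF), i + 2  # a wildcard bit of 1 means "don't care"


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' after an address (only the 'eq' operator is supported here)."""
    if i < len(tokens) and tokens[i] == "eq":
        tok = tokens[i + 1]
        return (int(tok) if tok.isdigit() else _PORT_NAMES[tok]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one extended-ACL entry: <action> <proto> <source> [eq p] <destination> [eq p]."""
    tokens = line.split()
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, _ = _parse_port(tokens, i)
    return Ace(tokens[0], tokens[1], src, sport, dst, dport)


def _addr_matches(spec: AddrSpec, addr: str) -> bool:
    net, mask = spec
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """The first address in the entry is compared with the packet's source, the second with its destination."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[str], pkt: Packet) -> str:
    """The first matching entry decides; with no match the implicit 'deny ip any any' applies."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


APP_SERVER, DNS_SERVER = "192.168.10.1", "192.168.1.1"
CANDIDATE_A = "permit udp host 192.168.10.1 host 192.168.1.1 eq 53"  # App server named first (source)
CANDIDATE_B = "permit udp host 192.168.1.1 host 192.168.10.1 eq 53"  # DNS server named first (source)
# Constructed packets; the App server's ephemeral source port 40000 is made up.
DNS_QUERY = Packet("udp", APP_SERVER, DNS_SERVER, 40000, 53)
DNS_REPLY = Packet("udp", DNS_SERVER, APP_SERVER, 53, 40000)


def dns_query_decisions() -> Tuple[str, str]:
    """Only the entry that names the App server as source permits its DNS query."""
    return evaluate([CANDIDATE_A], DNS_QUERY), evaluate([CANDIDATE_B], DNS_QUERY)


def dns_reply_decisions() -> Tuple[str, str]:
    """A router ACL keeps no connection state: the reply needs its own entry wherever the ACL sees it."""
    reply_entry = "permit udp host 192.168.1.1 eq 53 host 192.168.10.1"
    return evaluate([CANDIDATE_A], DNS_REPLY), evaluate([CANDIDATE_A, reply_entry], DNS_REPLY)


FTP_ACL = ["deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",  # viyuan700's example entry
           "permit ip any any"]                                          # added so other traffic passes


def ftp_decisions() -> Tuple[str, str]:
    """Constructed hosts inside the two /24s: FTP is denied, HTTP falls through to the permit."""
    ftp = Packet("tcp", "172.16.4.77", "172.16.3.5", 51000, 21)
    http = Packet("tcp", "172.16.4.77", "172.16.3.5", 51001, 80)
    return evaluate(FTP_ACL, ftp), evaluate(FTP_ACL, http)
```

Calling `dns_query_decisions()` returns `('permit', 'deny')`: the App server's query matches only the entry that lists 192.168.10.1 first, which is the form the thread settles on. `dns_reply_decisions()` returns `('deny', 'permit')`, showing that the reply from the DNS server is dropped by candidate A alone and passes only once an entry with 192.168.1.1 as the source (and "eq 53" on the source side) is present; on a stateful firewall that second entry is implied by the connection table, which is the difference the follow-up question is getting at.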
