
New Member

Bidirectional Access-List

Hi there,

I have an issue on creating a bidirectional access-list.

For example:

1.1.1.1 255.255.255.0 2.2.2.2 255.255.255.0 25

1.1.1.1 255.255.255.0 25 2.2.2.2 255.255.255.0

Is the access-list correct? Can it be done in this way rather than:

1.1.1.1 255.255.255.0 2.2.2.2 255.255.255.0 25

2.2.2.2 255.255.255.0 1.1.1.1 255.255.255.0 25

Any advice...

10 REPLIES
Hall of Fame Super Blue

Re: Bidirectional Access-List

Hi

Depends on what you are trying to do.

The first example says:

allow host 1.1.1.1 on any port to access host 2.2.2.2 on port 25

allow host 1.1.1.1 using port 25 to access any port on host 2.2.2.2

Second example says

allow host 1.1.1.1 on any port to access 2.2.2.2 on port 25

allow host 2.2.2.2 on any port to access 1.1.1.1 on port 25

They are not the same thing and the direction you apply the access-list in would make a difference.

Are these router or firewall access-lists?

Assuming router, there are a couple of things missing, e.g.

1.1.1.1 255.255.255.0 2.2.2.2 255.255.255.0 25

1.1.1.1 is a host address, but you have used a subnet mask of 255.255.255.0.

You haven't specified whether port 25 is tcp or udp.

You need an "eq" before the port number.

The masks, if used on a router, need to be inverse.

Jon

New Member

Re: Bidirectional Access-List

Thanks Jon, for your kind help.

The requirement is that the server-to-host and the host-to-server communications need to be enabled - bidirectional. The server is 2.2.2.2 on port 25.

If this is the requirement, do you mean the first example is correct?

If I need to create an access-list for a server, meaning server to host and host to server, bidirectional. This is a router's access-list. Sorry for the missing syntax. How do I create it? Please advise.

Re: Bidirectional Access-List

ip access-list extended server-host

permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

permit ip host 2.2.2.2 host 1.1.1.1

The 1st permit statement is for permitting the host to access the server on port 25 (assuming it's a tcp port).

The 2nd permit statement is for allowing traffic from server to host. Permit ip indicates any traffic from server to host is permitted. If you have a specific requirement for the server to forward traffic on a specific port, you may replace ip with tcp/udp and add the port at the end.

Please rate if this helped.

New Member

Re: Bidirectional Access-List

Thanks Narayana,

Just a question on the second statement.

permit ip host 2.2.2.2 host 1.1.1.1 - does it mean it will permit tcp 25 traffic?

Regards

Re: Bidirectional Access-List

"permit ip" means any traffic from server to host. If you want the server to return traffic to the host on port 25, then use this:

permit tcp host 2.2.2.2 host 1.1.1.1 eq 25

(replace the 2nd line of the acl with this line)

This may be the case when both server and host are communicating on port 25.

Please rate if this helped.

New Member

Re: Bidirectional Access-List

Hi, thanks again,

I think I will put this statement, since it's permitting all the traffic.

permit ip host 2.2.2.2 host 1.1.1.1

I found another way of creating the access-list. Is the statement below correct?

permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

permit tcp host 1.1.1.1 eq 25 host 2.2.2.2

Bidirectional also, I believe.

Re: Bidirectional Access-List

No, it's not a bidirectional acl. Both statements permit traffic from host 1.1.1.1 to host 2.2.2.2.

Use the one I recommended:

ip access-list extended server-host

permit tcp host 2.2.2.2 host 1.1.1.1

permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

Apply this on the interface in both directions.

New Member

Re: Bidirectional Access-List

Hi Narayana,

Thanks, I will put it as you have told me.

But

permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

permit tcp host 1.1.1.1 eq 25 host 2.2.2.2

These statements mean: host 1.1.1.1 on any port accesses 2.2.2.2 on port 25.

The second statement means host 1.1.1.1 on port 25 accesses any port on host 2.2.2.2.

I think it will work.

Any suggestion...

Re: Bidirectional Access-List

Ok, let me clarify.

permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

This statement means that host 1.1.1.1 initiates communication with server 2.2.2.2 on port 25, i.e. the destination port is 25 (assuming 2.2.2.2 is a server running smtp and nothing else).

permit tcp host 1.1.1.1 eq 25 host 2.2.2.2

This statement means 1.1.1.1 initiates communication with server 2.2.2.2, but with source port 25.

Now if 1.1.1.1 is a normal client, then it may not have any application running on it on port 25. So the 2nd rule, which says initiate communication on src port 25, is useless. Please note, well known ports are only used on servers.

Now let's take the 1st statement. This is valid because client 1.1.1.1 initiates talk with the server on port 25.

But the concern is, the client has successfully initiated a connection to the server. But where are the rules which say 2.2.2.2 should reply back to the client? So, the client initiates the connection, waits for a reply from the server, and then times out.

So if acls are applied on both ends, i.e. src and dest, then bidirectional rules are to be applied.
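To see the point of this reply concretely, here is an added example (not from the thread or from Cisco) that evaluates a constructed SMTP request and its reply against the poster's "eq 25 on the source" pair and against the recommended pair. It assumes the `host A [eq N] host B [eq N]` form only, with no wildcard masks or `established` keyword.

```python
# Added example, not from the thread: a tiny evaluator for the "host A [eq N]
# host B [eq N]" form of Cisco extended ACL entries (no wildcard masks, no
# "established"), used to test which of the quoted ACLs permits the SMTP reply.
def parse_ace(line):
    """Parse 'permit|deny <proto> host A [eq N] host B [eq N]' into a dict."""
    t = line.split()
    ace, i = {"action": t[0], "proto": t[1]}, 2
    for side in ("src", "dst"):
        if t[i] != "host":
            raise ValueError("only 'host' addresses are supported: " + line)
        ace[side], ace[side + "_port"], i = t[i + 1], None, i + 2
        if i < len(t) and t[i] == "eq":          # optional port qualifier
            ace[side + "_port"], i = int(t[i + 1]), i + 2
    return ace

def matches(ace, pkt):
    """True if a packet (5-tuple dict) matches one access-list entry."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        port = ace[side + "_port"]
        if ace[side] != pkt[side] or (port is not None and port != pkt[side + "_port"]):
            return False
    return True

def evaluate(acl_lines, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed traffic: the client connects from an ephemeral port to the
# server's port 25; the server's reply has source and destination swapped.
SMTP_REQUEST = {"proto": "tcp", "src": "1.1.1.1", "src_port": 40001,
                "dst": "2.2.2.2", "dst_port": 25}
SMTP_REPLY = {"proto": "tcp", "src": "2.2.2.2", "src_port": 25,
              "dst": "1.1.1.1", "dst_port": 40001}

def both_directions(acl_lines):
    """Return (verdict for client->server, verdict for server->client)."""
    return evaluate(acl_lines, SMTP_REQUEST), evaluate(acl_lines, SMTP_REPLY)

# The poster's "eq 25 on the source" pair and the pair recommended in the reply.
POSTER_ACL = ["permit tcp host 1.1.1.1 host 2.2.2.2 eq 25",
              "permit tcp host 1.1.1.1 eq 25 host 2.2.2.2"]
RECOMMENDED_ACL = ["permit tcp host 2.2.2.2 host 1.1.1.1",
                   "permit tcp host 1.1.1.1 host 2.2.2.2 eq 25"]
```

Running `both_directions` on the two lists gives `("permit", "deny")` for the poster's pair and `("permit", "permit")` for the recommended one; the mid-thread variant `permit tcp host 2.2.2.2 host 1.1.1.1 eq 25` also drops the reply, because the reply's destination port is the client's ephemeral port, not 25.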

New Member

Re: Bidirectional Access-List

Thanks,

I will try to put it in the configurations.

Regards
