Cisco Support Community
Community Member

ACL config question

*Please look at the attached pic for a visual of the question*

I have two subnets:

192.168.1.0/24 - main network

192.168.10.0/24 - restricted App server

The 192.168.10.0 subnet only has one server on it (App) that needs very strict access to it. Only a handful of IPs from the 192.168.1.0 subnet are allowed to access the App server on specific ports. However, I need the App server to use 192.168.1.1 for DNS services.

I'm a bit confused as to how to write the ACL statements to allow this. Would it be:

permit udp host 192.168.10.1 host 192.168.1.1 eq 53

or

permit udp host 192.168.1.1 host 192.168.10.1 eq 53

I'm just confused about which is the 'source' and which is the 'destination'. I know this is an easy one so sorry for the simple question.

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: ACL config question

Your application server is starting the request, so it is the source IMO, not the DNS server.

In terms of ACL, if you want to deny TCP from source 172.16.4.0 to destination 172.16.3.0 on port 21

then you write

deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
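Added example (not from this thread): a small Python model of how an IOS extended ACL is read, with the source address and port always before the destination, entries walked top-down, and an implicit deny at the end. It also carries the reverse entry for the DNS reply, which a stateless interface ACL needs in addition to the query entry the thread settles on; the ACEs come from the question and the accepted answer, and the port numbers used in the checks are constructed.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return _ip(tokens.pop(0)), 0xFFFFFFFF
    # IOS wildcard bits: 0 = must match, 1 = don't care, so invert to get a mask.
    return _ip(tok), ~_ip(tokens.pop(0)) & 0xFFFFFFFF

def _port(tokens):
    """Consume an optional 'eq N' port qualifier (other operators left out)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_ace(line):
    """Field order is fixed: action, protocol, source [eq port], destination [eq port]."""
    t = line.split()
    action, proto = t.pop(0), t.pop(0)
    src, sport = _addr(t), _port(t)      # source comes first...
    dst, dport = _addr(t), _port(t)      # ...then destination
    return action, proto, src, sport, dst, dport

def _in(ip, net):
    addr, mask = net
    return (_ip(ip) & mask) == (addr & mask)

def evaluate(acl, proto, src, sport, dst, dport):
    """Walk the list top-down like IOS; the first match wins, else implicit deny."""
    for action, p, s, sp, d, dp in map(parse_ace, acl):
        if (p in ("ip", proto) and _in(src, s) and _in(dst, d)
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"

# Constructed ACL: the thread's query entry plus the reverse entry that a
# stateless interface ACL also needs before the DNS reply can reach the server.
DNS_ACL = [
    "permit udp host 192.168.10.1 host 192.168.1.1 eq 53",  # query, App -> DNS
    "permit udp host 192.168.1.1 eq 53 host 192.168.10.1",  # reply, DNS -> App
]
```

With only the query entry, the reply from 192.168.1.1 port 53 falls through to the implicit deny; with the source and destination swapped as in the second candidate from the question, the query itself is denied.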

3 REPLIES
Silver

Re: ACL config question

First you define the source and then the destination.

Looks like this is correct, I think:

permit udp host 192.168.10.1 host 192.168.1.1 eq 53

Community Member

Re: ACL config question

So in this case the DNS server is the 'source' and the App server is the 'destination'? Even though the App server is making the DNS request?

Sorry but I'm used to dealing with ACLs on firewalls where the interfaces have security levels so things are a bit easier, IMO.
