Cisco Support Community

Microsoft specific ACL to one server from multiple subnets

I'm trying to implement an extended ACL to allow more than one subnet to access a single Microsoft server ( that is on a separate subnet. I was thinking of implementing the following ACL in the outbound direction on the (server facing) interface:

access-list 101 permit udp any range netbios-ns netbios-ss host

access-list 101 permit tcp any host eq 139

access-list 101 permit icmp any host echo

But I want to stop any other nodes (except the server) on the subnet from sending any data back or making connections outside of this subnet.

So the inbound access-list will be:

access-list 102 permit udp host range netbios-ns netbios-ss any

access-list 102 permit tcp host any eq 139

access-list 102 permit icmp host any echo

Three things I don't understand:

1. How does ARP work on an interface with an ACL applied to the inbound direction? Is there a specific protocol for ARP requests or would I need to put the following at the front of the inbound ACL?

access-list 102 permit ip host host <- router IP #

2. Is it worth putting a 'permit tcp any any established' line at the front of each of the ACLs?

3. Is it worth applying the inbound list if I have already limited access by the outbound list and leave off the 'established' line?

I will be putting specific entries in for each of the subnets but thought I'd keep the ACLs short in this post by using 'any'.

Thanks for any advice
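One way to check a pair of lists like these against the flows they are meant to carry, as an added example that is not part of the post and not a Cisco tool: a small Python evaluator for the IOS extended ACL syntax the post uses (permit/deny, tcp/udp/icmp/ip, any / host / network-plus-wildcard addresses, eq and range ports, 'established', ICMP echo and echo-reply), applying first-match-wins and the implicit deny at the end. The real server and router addresses are not on the page, so it assumes constructed placeholders (server 10.1.1.10, a client 10.2.2.20, another node on the server subnet 10.1.1.99), fills them into lists 101 and 102 exactly as posted, and puts a second version of 102 beside them that is written for the return direction of the flows 101 admits.

```python
"""IOS-style extended ACL evaluator (added example; not the poster's config or a Cisco tool).
Models only what the post uses. All addresses below are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}
ICMP_TYPES = {"echo", "echo-reply"}

@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False    # ACK or RST bit set: the only thing 'established' looks at
    icmp_type: str = ""  # "echo" (request) or "echo-reply"

def _port(tok): return PORT_NAMES.get(tok) or int(tok)
def _addr_ok(spec, ip): return (int(ip_address(ip)) & spec[1]) == spec[0]
def _port_ok(spec, port): return spec is None or spec[0] <= port <= spec[1]

def _parse_addr(tokens, i):
    """Return ((network, care_mask), next_index) for any | host X | X wildcard."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ip_address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    care = ~int(ip_address(tokens[i + 1])) & 0xFFFFFFFF  # wildcard 1-bits mean "don't care"
    return (int(ip_address(tokens[i])) & care, care), i + 2

def _parse_ports(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        return (_port(tokens[i + 1]),) * 2, i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return None, i

def parse_ace(line):
    """access-list N permit|deny PROTO SRC [PORTS] DST [PORTS] [established|echo|echo-reply]"""
    t = line.split()
    assert t[0] == "access-list", line
    src, i = _parse_addr(t, 4)
    sport, i = _parse_ports(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_ports(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": set(t[i:])}

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not (_addr_ok(ace["src"], pkt.src) and _addr_ok(ace["dst"], pkt.dst)):
        return False
    if pkt.proto != "icmp" and not (_port_ok(ace["sport"], pkt.sport)
                                    and _port_ok(ace["dport"], pkt.dport)):
        return False
    if "established" in ace["opts"] and not pkt.ack:   # flag test only, no session state
        return False
    if pkt.proto == "icmp" and ace["opts"] & ICMP_TYPES and pkt.icmp_type not in ace["opts"]:
        return False
    return True

def evaluate(acl_lines, pkt):
    """First matching entry wins; the list ends in an implicit deny, as on IOS."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

SERVER, CLIENT, OTHER = "10.1.1.10", "10.2.2.20", "10.1.1.99"  # constructed placeholders
OUTBOUND_101 = [  # poster's list 101, out of the server-facing interface (towards the server)
    f"access-list 101 permit udp any range netbios-ns netbios-ss host {SERVER}",
    f"access-list 101 permit tcp any host {SERVER} eq 139",
    f"access-list 101 permit icmp any host {SERVER} echo",
]
INBOUND_102_AS_POSTED = [  # poster's list 102, in on the same interface (leaving the subnet)
    f"access-list 102 permit udp host {SERVER} range netbios-ns netbios-ss any",
    f"access-list 102 permit tcp host {SERVER} any eq 139",
    f"access-list 102 permit icmp host {SERVER} any echo",
]
INBOUND_102_RETURN_ONLY = [  # same intent, written for the return direction of what 101 admits
    f"access-list 102 permit tcp host {SERVER} eq 139 any established",
    f"access-list 102 permit udp host {SERVER} range netbios-ns netbios-ss any",
    f"access-list 102 permit icmp host {SERVER} any echo-reply",
]
FLOWS = {  # constructed sample packets, named by what they represent
    "client opens TCP 139 on the server": Packet("tcp", CLIENT, SERVER, 51000, 139),
    "server answers that session":        Packet("tcp", SERVER, CLIENT, 139, 51000, ack=True),
    "server opens TCP 139 to a client":   Packet("tcp", SERVER, CLIENT, 52000, 139),
    "client pings the server":            Packet("icmp", CLIENT, SERVER, icmp_type="echo"),
    "server echo-reply":                  Packet("icmp", SERVER, CLIENT, icmp_type="echo-reply"),
    "other node on the server subnet":    Packet("tcp", OTHER, CLIENT, 51001, 80, ack=True),
}

if __name__ == "__main__":
    for label, acl in [("101", OUTBOUND_101), ("102 as posted", INBOUND_102_AS_POSTED),
                       ("102 return-only", INBOUND_102_RETURN_ONLY)]:
        print(label, {d: evaluate(acl, p) for d, p in FLOWS.items()})
```

Running it prints one verdict per flow for each list. The thing worth seeing is that in 102 as posted, 'eq 139' after 'any' is a destination port: that entry matches the server opening a new session to a client's port 139 but not the server answering a session a client opened (source port 139, ephemeral destination), and the 'echo' entry matches the server sending ping requests out but not its echo-replies. The return-only version permits exactly the reverse, and a second node on the server subnet is denied by either version because every entry is scoped to 'host SERVER'. 'established' is a per-packet test of the ACK/RST flags with no connection tracking, so scoping it to the server's address rather than 'any any' keeps it from opening the list for the rest of the subnet. ARP does not appear in the flows because an IP access list never sees it: ARP is not IP and is filtered, if at all, by a separate mechanism.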


Re: Microsoft specific ACL to one server from multiple subnets

when you give the default route as one of the interfaces of pix, the ARP request broadcast will be for the destination IP address;
