Cisco Support Community

New Member

Microsoft specific ACL to one server from multiple subnets

I'm trying to implement an extended ACL to allow more than one subnet to access a single Microsoft server (10.10.12.1) that is on a separate subnet. I was thinking of implementing the following ACL in the outbound direction on the 10.10.12.0/24 (server facing) interface:

access-list 101 permit udp any range netbios-ns netbios-ss host 10.10.12.1

access-list 101 permit tcp any host 10.10.12.1 eq 139

access-list 101 permit icmp any host 10.10.12.1 echo

But I want to stop any other nodes (except the server) on the 10.10.12.0/24 subnet from sending any data back or making connections outside of this subnet.

So the inbound access-list will be:

access-list 102 permit udp host 10.10.12.1 range netbios-ns netbios-ss any

access-list 102 permit tcp host 10.10.12.1 any eq 139

access-list 102 permit icmp host 10.10.12.1 any echo

Three things I don't understand:

1. How does ARP work on an interface with an ACL applied to the inbound direction? Is there a specific protocol for ARP requests or would I need to put the following at the front of the inbound ACL?

access-list 102 permit ip host 10.10.12.1 host 10.10.12.254 <- router IP #

2. Is it worth putting a 'permit tcp any any established' line at the front of each of the ACLs?

3. Is it worth applying the inbound list if I have already limited access by the outbound list and leaving off the 'established' line?

I will be putting specific entries in for each of the subnets but thought I'd keep the ACLs short in this post by using 'any'.

Thanks for any advice
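As an added example, not part of the original post or Cisco's code: a small Python matcher for the subset of IOS extended-ACL syntax the six lines above use, run over constructed flows from a client on another subnet (10.10.20.5 and its port 51000 are made-up values). It treats 'established' as the ACK/RST bit being set and ignores the ICMP type keyword.

```python
# Added example (not from the post): stateless matcher for the ACL subset used there.
import ipaddress

PORTS = {"netbios-ns": 137, "netbios-ss": 139}  # IOS keyword names used in the post
ACL_101 = ["access-list 101 permit udp any range netbios-ns netbios-ss host 10.10.12.1",
           "access-list 101 permit tcp any host 10.10.12.1 eq 139",
           "access-list 101 permit icmp any host 10.10.12.1 echo"]
ACL_102 = ["access-list 102 permit udp host 10.10.12.1 range netbios-ns netbios-ss any",
           "access-list 102 permit tcp host 10.10.12.1 any eq 139",
           "access-list 102 permit icmp host 10.10.12.1 any echo"]

def _addr(t, i):  # 'any' or 'host A.B.C.D'
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(t[i + 1] + "/32"), i + 2

def _ports(t, i):  # optional 'eq P' or 'range P Q' after an address; default: all ports
    p = lambda k: PORTS.get(t[k]) or int(t[k])
    if i < len(t) and t[i] == "eq":
        return (p(i + 1), p(i + 1)), i + 2
    if i < len(t) and t[i] == "range":
        return (p(i + 1), p(i + 2)), i + 3
    return (0, 65535), i

def parse_ace(line):
    t = line.split()  # access-list N permit|deny proto src [ports] dst [ports] [opts]
    src, i = _addr(t, 4); sport, i = _ports(t, i)
    dst, i = _addr(t, i); dport, i = _ports(t, i)
    return t[2], t[3], src, sport, dst, dport, "established" in t[i:]

def evaluate(acl_lines, pkt):
    """pkt = (proto, src_ip, sport, dst_ip, dport, ack_set); first match wins, then implicit deny."""
    proto, s, sp, d, dp, ack = pkt
    s, d = ipaddress.ip_address(s), ipaddress.ip_address(d)
    for action, pr, src, sport, dst, dport, est in map(parse_ace, acl_lines):
        if pr not in (proto, "ip") or s not in src or d not in dst:
            continue
        if proto in ("tcp", "udp") and not (sport[0] <= sp <= sport[1] and dport[0] <= dp <= dport[1]):
            continue
        if est and not ack:  # 'established' matches only segments with ACK or RST set
            continue
        return action
    return "deny"

def smb_session_check(client="10.10.20.5", eph=51000):
    """Client on another subnet opens tcp/139: ACL 101 sees the SYN, ACL 102 sees the reply."""
    syn = ("tcp", client, eph, "10.10.12.1", 139, False)
    reply = ("tcp", "10.10.12.1", 139, client, eph, True)
    with_est = ["access-list 102 permit tcp host 10.10.12.1 any established"] + ACL_102
    return evaluate(ACL_101, syn), evaluate(ACL_102, reply), evaluate(with_est, reply)
```

It shows why question 2 matters: in ACL 102 the `eq 139` applies to the destination port, so the server's reply to a client-initiated SMB session (source port 139, ephemeral destination port) matches no line and hits the implicit deny unless an established line is placed in front.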

1 REPLY
Silver

Re: Microsoft specific ACL to one server from multiple subnets

When you give the default route as one of the interfaces of PIX, the ARP request broadcast will be for the destination IP address;
