Access-List

Rupesh Kashyap
Level 1

Hi,

I have a server at 10.10.1.5/24. Desktops on network 10.10.5.0/24 should access all the applications installed on the server. The services are using TCP and UDP ports.

If I open IP any any in the ACL and deny the rest, will it work, or do I have to open TCP and UDP also? Please help.

7 Replies

rais
Level 7

IP any any ACL should do it. It covers all UDP/TCP ports.

Thanks.

Thanks boss. I was confused as I have a long list of TCP and UDP ports used by this server.

So my ACL should look like:

# Permit IP 10.10.5.0 0.0.0.255 host 10.10.1.5

# Deny ip any any log

Please reply if my above ACL is allowing all TCP and UDP ports.

Yes, the config statements implementing the above rules on the server-side [in] interface should do it.

Thanks.

Actually, that statement should be on the interface towards the LAN as an inbound ACL. It will not work as intended on the interface towards the server as an inbound ACL. Alternatively, it could be an outbound ACL on the interface towards the server.

However, an ACL like that will allow all IP traffic, including some you may not want to allow.

Rupesh, TCP and UDP work on layer 4, and IP works on layer 3. So, IP is the combination (or the bigger box that contains TCP and UDP). So if you allow IP, all 65536 TCP & UDP ports are allowed in it.

ip any any will allow both TCP and UDP; the scenario should work.
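
Added example, not part of any reply in the thread: a small Python model of first-match extended-ACL evaluation that compares the ACL posted above with a narrower per-port variant, showing what the caveat about "all IP traffic" means in practice. Assumptions: the parser covers only a subset of IOS syntax, interface direction is not modeled, and ports 443, 53 and 3389 and the sample packets are constructed placeholders, not the server's real services.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume one address spec; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def parse_ace(line):
    """Parse 'permit|deny proto src dst [eq port] [log]' (subset of IOS syntax)."""
    tok = line.lower().split()
    src, rest = _addr(tok[2:])
    dst, rest = _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return tok[0], tok[1], src, dst, port

def _match(ip, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (_ip(ip) & care) == (base & care)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, a_proto, a_src, a_dst, a_port in map(parse_ace, acl):
        if a_proto not in ("ip", proto):
            continue  # 'ip' matches every IP protocol, not only TCP and UDP
        if _match(src, a_src) and _match(dst, a_dst) and a_port in (None, dport):
            return action
    return "deny"

# ACL as posted in the thread
BROAD = ["permit ip 10.10.5.0 0.0.0.255 host 10.10.1.5", "deny ip any any log"]
# Narrower variant; ports 443 and 53 are constructed placeholders
NARROW = ["permit tcp 10.10.5.0 0.0.0.255 host 10.10.1.5 eq 443",
          "permit udp 10.10.5.0 0.0.0.255 host 10.10.1.5 eq 53",
          "deny ip any any log"]
# Constructed sample packets: (protocol, source, destination, destination port)
PACKETS = [("tcp", "10.10.5.20", "10.10.1.5", 443), ("udp", "10.10.5.20", "10.10.1.5", 53),
           ("tcp", "10.10.5.20", "10.10.1.5", 3389), ("icmp", "10.10.5.20", "10.10.1.5", None),
           ("tcp", "10.10.6.20", "10.10.1.5", 443)]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, "broad:", evaluate(BROAD, *pkt), "narrow:", evaluate(NARROW, *pkt))
```

Under the posted ACL every packet from 10.10.5.0/24 to the server is permitted, including the ICMP and unlisted-port samples; the per-port variant permits only the two listed services.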
