ACL to allow traffic to specified ports on a subnet

  • Question
  • Updated 8 months ago
  • Answered
I have a situation where I need to restrict traffic from a specified client subnet to another server subnet.  I have done this by creating a blanket deny between subnets which works fine.

I now need to allow traffic between the same two subnets but only for a specific port number.

I cannot seem to get this to function. The policy check commands come back as passed OK.

When the blanket deny between subnets is removed I can access the port I need to from the client subnet.

I have included examples from my ACL below and the "allow" is above the "deny" in the ACL.

entry Allow_server_to_client {
    if {
        source-address aaa.bbb.0.0/16;        (client)
        protocol tcp;
        destination-address ccc.ddd.195.0/24; (server)
        destination-port 13087;
    }
    then {
        permit;
    }
}

entry Deny_server_to_client {
    if match all {
        source-address aaa.bbb.0.0/16;
        destination-address ccc.ddd.0.0/16;
    }
    then {
        deny;
    }
}
Rich (posted 8 months ago)
simon bingham:
Try "if match all" on the first expression as well.

I honestly cannot remember the default on XOS
simon bingham:
Have you refreshed the policy?

  refresh policy <name>
Rich:
All

I had been doing a policy check and refresh without success... What I did find is that specifying "if match all" seemed to do the trick. I have no idea why, as by default (apparently) "if match all" is implied. Either way I got it going, but thanks for the replies.

cheers

Rich
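For reference, here is the complete policy as it would look after applying Simon's suggestion: explicit "if match all" on both entries, with the narrow permit placed above the blanket deny. This is an added example written for this thread, not Rich's actual file; the entry names are my own, and the aaa.bbb / ccc.ddd prefixes are the placeholders used in the question.

```text
entry Allow_client_to_server_13087 {
    if match all {
        source-address aaa.bbb.0.0/16;
        protocol tcp;
        destination-address ccc.ddd.195.0/24;
        destination-port 13087;
    }
    then {
        permit;
    }
}

entry Deny_client_to_server {
    if match all {
        source-address aaa.bbb.0.0/16;
        destination-address ccc.ddd.0.0/16;
    }
    then {
        deny;
    }
}
```

Entries are evaluated top to bottom and the first matching entry wins, so the permit has to stay above the deny; moving it below would make it unreachable. After editing the file, run the policy check and then "refresh policy <name>" so the running ACL picks up the change. Note what the permit does and does not cover: only TCP to port 13087 from the client /16 to the server /24 is allowed, so UDP to that port, or TCP to 13087 on any other server subnet, still hits the deny. Both entries match on the client subnet as the source, so traffic originating from the server side toward the clients is not restricted by this policy at all.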
Rich:
Thanks Simon for your help :-)

cheers