I have a situation where I need to restrict traffic from a specified client subnet to another server subnet. I have done this by creating a blanket deny between subnets which works fine.
I now need to allow traffic between the same two subnets but only for a specific port number.
I cannot seem to get this to function. The policy check commands come back as passed OK.
When the blanket deny between subnets is removed, I can access the port I need to from the client subnet.
I have included examples from my ACL below and the "allow" is above the "deny" in the ACL.
entry Allow_server_to_client {
    if {
        source-address aaa.bbb.0.0/16;         # client
        protocol tcp;
        destination-address ccc.ddd.195.0/24;  # server
        destination-port 13087;
    }
    then {
        permit;
    }
}
entry Deny_server_to_client {
    if match all {
        source-address aaa.bbb.0.0/16;
        destination-address ccc.ddd.0.0/16;
    }
    then {
        deny;
    }
}