ACL to allow traffic to specified ports on a subnet

Rich6
New Contributor II
I have a situation where I need to restrict traffic from a specified client subnet to another server subnet. I have done this by creating a blanket deny between subnets, which works fine.

I now need to allow traffic between the same two subnets but only for a specific port number.

I cannot seem to get this to function. The policy check commands come back as passed OK.

When the blanket deny between subnets is removed I can access the port I need to from the client subnet.

I have included examples from my ACL below and the "allow" is above the "deny" in the ACL.

entry Allow_server_to_client {
    if {
        source-address aaa.bbb.0.0/16;            # client
        protocol tcp;
        destination-address ccc.ddd.195.0/24;     # server
        destination-port 13087;
    }
    then {
        permit;
    }
}

entry Deny_server_to_client {
    if match all {
        source-address aaa.bbb.0.0/16;
        destination-address ccc.ddd.0.0/16;
    }
    then {
        deny;
    }
}
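The behaviour the question depends on is first-match evaluation: the first entry whose conditions all hold decides the packet's fate, so the narrow permit has to sit above the blanket deny, and any mistake in the permit's conditions silently drops the traffic through to the deny. The following is an added example, not code from the thread or from Extreme: a small Python parser for the subset of EXOS ACL policy syntax used above (entry, optional "match all"/"match any", address, protocol and port conditions, permit/deny) plus a first-match evaluator. The addresses are constructed stand-ins for the anonymised "aaa.bbb"/"ccc.ddd" prefixes, the port is the one from the post, and traffic that matches no entry is modelled as forwarded, which is how an EXOS ACL with no final deny behaves; a missing "match" keyword is treated as "match all".

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed policy in EXOS ACL syntax, mirroring the shape of the question:
# a /16 client subnet, a /24 server subnet inside a /16 server range, and one
# permitted TCP port. Addresses are made up; the port is the one from the post.
POLICY_TEXT = """
# permit one application port from the client subnet to the server subnet
entry Allow_server_to_client {
    if match all {
        source-address 10.10.0.0/16;
        protocol tcp;
        destination-address 10.20.195.0/24;
        destination-port 13087;
    }
    then {
        permit;
    }
}

# blanket deny for everything else between the two ranges
entry Deny_server_to_client {
    if match all {
        source-address 10.10.0.0/16;
        destination-address 10.20.0.0/16;
    }
    then {
        deny;
    }
}
"""

ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*"             # entry name
    r"if(?:\s+match\s+(all|any))?\s*\{"   # optional match mode ("all" if absent)
    r"(.*?)\}\s*"                         # match conditions
    r"then\s*\{\s*(permit|deny)\s*;\s*\}\s*\}",
    re.S,
)


@dataclass
class Entry:
    name: str
    mode: str          # "all" or "any"
    conditions: dict   # condition keyword -> value, e.g. "destination-port" -> "13087"
    action: str        # "permit" or "deny"


def parse_policy(text):
    """Parse entries in the order they appear; that order is the ACL priority."""
    text = re.sub(r"#.*", "", text)  # drop comments
    entries = []
    for name, mode, body, action in ENTRY_RE.findall(text):
        conditions = {}
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if stmt:
                key, value = stmt.split(None, 1)
                conditions[key] = value.strip()
        entries.append(Entry(name, mode or "all", conditions, action))
    return entries


def _condition_matches(key, value, pkt):
    """Evaluate one match condition against a packet described as a dict."""
    if key == "source-address":
        return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(value, strict=False)
    if key == "destination-address":
        return ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(value, strict=False)
    if key == "protocol":
        return pkt["proto"] == value
    if key == "source-port":
        return pkt.get("sport") == int(value)
    if key == "destination-port":
        return pkt.get("dport") == int(value)
    raise ValueError(f"unsupported match condition: {key}")


def evaluate(entries, pkt):
    """First-match evaluation: the first entry whose conditions hit decides.

    Returns (action, entry_name). A packet that matches no entry is forwarded,
    modelling the implicit permit at the end of an EXOS ACL (assumption).
    """
    for entry in entries:
        results = [_condition_matches(k, v, pkt) for k, v in entry.conditions.items()]
        if all(results) if entry.mode == "all" else any(results):
            return entry.action, entry.name
    return "permit", None


if __name__ == "__main__":
    entries = parse_policy(POLICY_TEXT)
    app = {"src": "10.10.5.5", "dst": "10.20.195.10", "proto": "tcp", "dport": 13087}
    ssh = {"src": "10.10.5.5", "dst": "10.20.195.10", "proto": "tcp", "dport": 22}
    print("permit above deny, app port  :", evaluate(entries, app))
    print("permit above deny, other port:", evaluate(entries, ssh))
    print("deny above permit, app port  :", evaluate(list(reversed(entries)), app))
```

Running the script shows the three cases that matter here: with the permit first, port 13087 is permitted and every other port between the two ranges is denied; with the entries reversed, the blanket deny shadows the permit and port 13087 is dropped as well. Because the evaluator reports which entry decided, it is a quick way to check an ordering before loading a policy on a switch.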


Rich6
New Contributor II
Thanks Simon for your help 🙂

cheers

Rich6
New Contributor II
All

I had been doing a policy check and refresh without success... What I did find is that specifying "if match all" seemed to do the trick. I have no idea why, as by default (apparently) "if match all" is implied. Either way I got it going, but thanks for the replies.

cheers

Rich

simon_bingham
New Contributor II
Have you refreshed the policy?
refresh policy

simon_bingham
New Contributor II
Try "if match all" on the first expression as well

I honestly cannot remember the default on XOS
