1 Reply Latest reply on Feb 21, 2013 1:16 PM by levi

    Source Address List in ACL

    xucraig New Member

      Is it possible to create source address lists (and destination address lists) to call in an ACL?

      For example, let's say I need to allow ports 389 and 25 from a list of spam service IP addresses.  Right now, I'd create two different ACLs:

      ip access-list extended spam-ldap
      permit tcp xxx.xxx.xxx.xxx 0.0.0.255 any eq 389
      permit tcp yyy.yyy.yyy.yyy 0.0.0.255 any eq 389
      permit tcp zzz.zzz.zzz.zzz 0.0.0.255 any eq 389

      ip access-list extended spam-smtp
      permit tcp xxx.xxx.xxx.xxx 0.0.0.255 any eq 25
      permit tcp yyy.yyy.yyy.yyy 0.0.0.255 any eq 25
      permit tcp zzz.zzz.zzz.zzz 0.0.0.255 any eq 25

      ip policy-class Public
      nat destination list spam-ldap address 10.10.10.10
      nat destination list spam-smtp address 10.10.10.11

       

      From reading the documentation, I see I can set my source/destination based on any, host, ip/mask, and hostname.  What I'm wondering is if it's possible to create a list of all of those IPs and then call that ip-list in my ACL.  Something like (I obviously made this up to illustrate my point; I know the commands below don't exist):

      ip-list spam-list
      xxx.xxx.xxx.xxx 0.0.0.255
      yyy.yyy.yyy.yyy 0.0.0.255
      zzz.zzz.zzz.zzz 0.0.0.255

      ip access-list extended spam-ldap
      permit tcp list spam-list any eq 389

      ip access-list extended spam-smtp
      permit tcp list spam-list any eq 25

      ip policy-class Public
      nat destination list spam-ldap address 10.10.10.10
      nat destination list spam-smtp address 10.10.10.11

      That way, if the IP addresses need to be updated, they only have to be updated in one place (the list), rather than in each ACL individually.


      Is there a way to accomplish my goal?


      Thanks in advance

      craig

        • Re: Source Address List in ACL
          levi Employee

          xucraig:

           

          Thank you for posting this question in the support community.  That is a very clever idea, and I understand what you are attempting to accomplish, but unfortunately, ADTRAN does not support a feature like that, currently.  I would recommend you reach out to your local partner, regional sales manager, and/or sales engineer to submit a feature request for this application.

           

          For the specific case you listed above, one way to change this to make it more manageable would be to combine the ACLs into a single entry, as follows:

          ip access-list extended ACL-NAME
            permit tcp xxx.xxx.xxx.xxx 0.0.0.255 any eq 389
            permit tcp yyy.yyy.yyy.yyy 0.0.0.255 any eq 389
            permit tcp zzz.zzz.zzz.zzz 0.0.0.255 any eq 389
            permit tcp xxx.xxx.xxx.xxx 0.0.0.255 any eq 25
            permit tcp yyy.yyy.yyy.yyy 0.0.0.255 any eq 25
            permit tcp zzz.zzz.zzz.zzz 0.0.0.255 any eq 25
          !
          ip policy-class Public
            nat destination list ACL-NAME address 10.10.10.10
            nat destination list ACL-NAME address 10.10.10.11


          Then if you need to make changes to the IPs, you can do it in a single ACL.  Again, I understand that is not what you are requesting, but that is a way you could make the changes in a single location, for this particular example.


          Please, do not hesitate to reply to this post with any questions or additional information.  I will be happy to help in any way I can.


          Levi
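Since the device itself has no address-list object, one way to still keep the prefixes in a single place is to hold the list outside the device and generate the per-service ACLs from it. The following is an added example, not code from the thread or from ADTRAN; the source prefixes (RFC 5737 documentation ranges standing in for xxx/yyy/zzz), the service table and the NAT targets are constructed to mirror the question, and the prefixes are written in CIDR and converted to the wildcard mask the ACL syntax expects.

```python
import ipaddress

# Constructed sample data: the single place where the spam-service source
# prefixes live. RFC 5737 documentation ranges stand in for the xxx/yyy/zzz
# networks in the post.
SPAM_SOURCES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]

# ACL name -> (protocol, destination port); one ACL is rendered per service.
SERVICES = {"spam-ldap": ("tcp", 389), "spam-smtp": ("tcp", 25)}

# ACL name -> NAT destination, mirroring the policy-class in the question.
NAT_TARGETS = {"spam-ldap": "10.10.10.10", "spam-smtp": "10.10.10.11"}


def wildcard_mask(prefix: str) -> str:
    """Return the inverse (wildcard) mask an ACL expects for a CIDR prefix.

    strict=True rejects prefixes with host bits set (e.g. 192.0.2.5/24), so a
    typo in the list fails loudly instead of silently producing an odd rule.
    """
    return str(ipaddress.IPv4Network(prefix, strict=True).hostmask)


def render_acl(name: str, proto: str, port: int, sources) -> list:
    """Render one extended ACL with a permit line per source prefix."""
    lines = [f"ip access-list extended {name}"]
    for src in sources:
        net = ipaddress.IPv4Network(src, strict=True)
        lines.append(
            f"  permit {proto} {net.network_address} {wildcard_mask(src)} any eq {port}"
        )
    lines.append("!")
    return lines


def render_config(sources, services, nat_targets) -> str:
    """Render all service ACLs plus the policy-class that references them."""
    out = []
    for name, (proto, port) in services.items():
        out.extend(render_acl(name, proto, port, sources))
    out.append("ip policy-class Public")
    for name, addr in nat_targets.items():
        out.append(f"  nat destination list {name} address {addr}")
    out.append("!")
    return "\n".join(out)


if __name__ == "__main__":
    # Regenerate and apply the output whenever SPAM_SOURCES changes.
    print(render_config(SPAM_SOURCES, SERVICES, NAT_TARGETS))
```

Editing SPAM_SOURCES and re-running regenerates every ACL consistently, which is the one-place update the question asks for, just done before the config reaches the device.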