1 Reply Latest reply on Apr 5, 2013 1:02 PM by noor

    Firewall - Allow access for subnet

    jgard New Member

      Hello All,

       

I'm still trying to pick up on the ACL structure of the Adtran. Can someone help me with the commands that are needed to allow 10.7.54.0/25 requests to 10.7.60.0/22? I've tried a few things, but somehow end up allowing all traffic.

       

      Any help is appreciated,

        • Re: Firewall - Allow access for subnet
          Employee

jgard - There are essentially three steps when adding an allow rule to an already existing firewall configuration in AOS:

           

          First, you must create an access-list that will match traffic you want to allow. In your case this access-list would look something like this:

           

          ip access-list extended TEST

               permit ip 10.7.54.0 255.255.255.128 10.7.60.0 255.255.252.0

           

Second, you must add this rule to the policy that is assigned to the interface this traffic will be coming in on. Based on your configuration, this would be the policy-class Private that is assigned to interface eth 0/1.1

           

          ip policy-class Private

              allow list TEST

           

It is important to keep in mind that order matters. You want your most selective rule at the top and your broader rules at the bottom. A packet is checked against the policy-class from top to bottom, so once it finds a match, the rules below it will not be checked.

           

          The policy-class Private should look like this:

          ip policy-class Private

              allow list TEST

              allow list self self

              nat source list wizard-ics interface eth 0/2 overload

           

          In the GUI, you can simply rearrange the rules in the order you want. However, in the CLI, you will need to delete the rules in the policy-class, and re-add them in the order you want.

           

          I hope this answers your question, but please do not hesitate to let us know if you have any further questions.

           

          Thanks,

          Noor
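
The first-match behaviour described in the reply above, as an added example that is not part of the original thread and not Adtran code: a small Python model of a policy-class that parses access-list entries in the dotted-mask form used in the reply, walks the entries top to bottom, and flags entries that can never match because an earlier, broader entry already covers them. Everything beyond the TEST list is an assumption made for the example: the router's own address (10.7.54.1), the contents of the wizard-ics list (the whole 10.7.54.0/24 LAN), that a packet matching no entry is discarded, that a "deny" ACE means "not matched by this entry, try the next one", and that only the "ip" protocol keyword is modelled.

```python
"""First-match model of an AOS-style policy-class (added example, not Adtran code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[str, str, Net, Net]          # (permit|deny, protocol, source, destination)
Policy = List[Tuple[str, str]]           # ordered (action, access-list name) entries

# Constructed access-lists. TEST is the one from the reply; the others are assumptions.
ROUTER_IP = "10.7.54.1"                  # assumed address of the router on eth 0/1.1
ACLS: Dict[str, List[str]] = {
    "TEST": ["permit ip 10.7.54.0 255.255.255.128 10.7.60.0 255.255.252.0"],
    "self": [f"permit ip any host {ROUTER_IP}"],          # stand-in for 'allow list self self'
    "wizard-ics": ["permit ip 10.7.54.0 255.255.255.0 any"],  # assumed wizard-generated LAN list
}

# The order recommended in the reply, and a broken order with the broad NAT entry first.
GOOD_ORDER: Policy = [("allow", "TEST"), ("allow", "self"), ("nat", "wizard-ics")]
BAD_ORDER: Policy = [("nat", "wizard-ics"), ("allow", "TEST"), ("allow", "self")]


def _parse_spec(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one address spec: 'any', 'host A', or 'A MASK' (dotted netmask or wildcard)."""
    if tokens[0] == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return Net(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts both 255.255.255.128 (netmask) and 0.0.0.127 (wildcard) here.
    return Net((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny ip <src spec> <dst spec>' into networks."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_spec(tokens[2:])
    dst, _ = _parse_spec(rest)
    return action, proto, src, dst


def evaluate(policy: Policy, acls: Dict[str, List[str]],
             src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """Return (verdict, entry position) for one packet; verdict is allow, nat or discard."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for position, (action, acl_name) in enumerate(policy):
        for verdict, _proto, src, dst in (parse_ace(a) for a in acls[acl_name]):
            if s in src and d in dst:
                if verdict == "permit":
                    return action, position        # first matching entry decides
                break                              # assumption: deny = not matched, next entry
    return "discard", None                         # assumption: implicit discard at the end


def shadowed_entries(policy: Policy, acls: Dict[str, List[str]]) -> List[int]:
    """Positions of entries whose every permit ACE is fully covered by an earlier permit ACE."""
    shadowed, earlier = [], []
    for position, (_action, acl_name) in enumerate(policy):
        permits = [(s, d) for v, _p, s, d in (parse_ace(a) for a in acls[acl_name]) if v == "permit"]
        if permits and all(any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in earlier)
                           for s, d in permits):
            shadowed.append(position)
        earlier.extend(permits)
    return shadowed


if __name__ == "__main__":
    # Constructed sample packets: inside /25, outside /25 but inside the LAN, to the router, off-LAN.
    for src, dst in [("10.7.54.10", "10.7.60.5"), ("10.7.54.200", "10.7.60.5"),
                     ("10.7.54.10", ROUTER_IP), ("10.7.55.10", "10.7.60.5")]:
        print(src, "->", dst, "good:", evaluate(GOOD_ORDER, ACLS, src, dst),
              "bad:", evaluate(BAD_ORDER, ACLS, src, dst))
    print("shadowed in GOOD_ORDER:", shadowed_entries(GOOD_ORDER, ACLS))
    print("shadowed in BAD_ORDER:", shadowed_entries(BAD_ORDER, ACLS))
```

Running it shows why the reply puts TEST first: with the broad NAT entry above it, a 10.7.54.0/25 to 10.7.60.0/22 packet is handled by the NAT entry at position 0 and TEST is reported as shadowed, exactly the "somehow end up allowing all traffic" symptom from the question. The same check is worth running on a real policy-class before assuming a narrow allow entry is doing anything.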