jgard
New Contributor

Firewall - Allow access for subnet


Hello All,

I'm still trying to pick up on the ACL structure of the Adtran. Can someone help me with the commands that are needed to allow 10.7.54.0/25 requests to 10.7.60.0/22? I've tried a few things, but somehow end up allowing all traffic.

Any help is appreciated,


Accepted Solutions
Anonymous
Not applicable

Re: Firewall - Allow access for subnet


There are essentially three steps when adding an allow rule to an already existing firewall configuration in AOS:

First, you must create an access-list that will match traffic you want to allow. In your case this access-list would look something like this:

ip access-list extended TEST
    permit ip 10.7.54.0 255.255.255.128 10.7.60.0 255.255.252.0

Second, you must add this rule to the policy that is assigned to the interface that this traffic will be coming in on. Based on your configuration, this would be the policy-class Private that is assigned to interface eth 0/1.1.

ip policy-class Private
    allow list TEST

It is important to keep in mind that order matters. You want your most selective rule at the top and your broader rules at the bottom. A packet will check for a match on the policy-class going top to bottom, so if it finds a match, the rules at the bottom will not be checked.

The policy-class Private should look like this:

ip policy-class Private
    allow list TEST
    allow list self self
    nat source list wizard-ics interface eth 0/2 overload

In the GUI, you can simply rearrange the rules in the order you want. However, in the CLI, you will need to delete the rules in the policy-class, and re-add them in the order you want.

I hope this answers your question, but please do not hesitate to let us know if you have any further questions.

Thanks,

Noor
