This is my network topology diagram:
Networks that are outlined at the bottom are actually VLANs 10, 20, 30, 40, 50
defined on switches S1 and S3.
The routers R3 and R2 for the network have subinterfaces fa0/1.10, 20, 30, 40, 50 for vlans 10, 20, 30, 40, 50.
I'm working on access lists for router r3.
I want to permit access on port 2016 from host 192.168.2.2 to 192.168.1.2,
and on port 2014 from host 192.168.1.2 to host 192.168.2.2.
This is what I have so far:
Extended IP access list 100
10 permit tcp host 192.168.2.2 host 192.168.1.2 eq 2016 (38 matches)
20 permit tcp host 192.168.2.2 host 192.168.1.2 eq 2016 established
30 permit icmp any any (17 matches)
Extended IP access list 101
10 permit tcp host 192.168.1.2 host 192.168.2.2 eq 2014 (3 matches)
20 permit tcp host 192.168.1.2 host 192.168.2.2 eq 2014 established
30 permit icmp any any (6 matches)
I applied them with the following commands:
int fa0/1.30
ip access-group 100 in
int fa0/1.20
ip access-group 101 in
I tested it with netcat and found it does not work.
Best Answer
ACLs on routers are not stateful as on firewalls. What this means is that you need rules to allow traffic in both directions.
TCP connections use a well-known port on the server side and normally select a random port for the source of the connection.
Your requirements.
Your Setup
ACLs:
Notes: Remember that the return traffic will also traverse the ACL on the interface where it enters.
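The point about return traffic, as an added example rather than code from the question or the answer: a small Python model of the extended-ACL syntax posted above, applied statelessly (first match wins, then the implicit deny) to the SYN and the SYN-ACK of the 192.168.2.2 to 192.168.1.2 port 2016 session. It assumes, from the posted ip access-group lines, that ACL 100 is inbound on the interface where 192.168.2.2's traffic enters the router and ACL 101 on the one where 192.168.1.2's does; the client port 40001 is a constructed value.

```python
# Added example (not from the question or answer): the extended-ACL syntax used
# above, evaluated statelessly against both packets of one TCP handshake.
# Assumed: ACL 100 is inbound where 192.168.2.2's traffic enters, ACL 101 where 192.168.1.2's does.

def _endpoint(tok):
    """Consume 'host A' or 'any' plus an optional 'eq N' port qualifier."""
    addr, tok = (tok[0], tok[1:]) if tok[0] == "any" else (tok[1], tok[2:])
    port, tok = (int(tok[1]), tok[2:]) if tok[:1] == ["eq"] else (None, tok)
    return addr, port, tok

def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> [eq p] <dst> [eq p] [established]'."""
    tok = line.split()
    src, sport, rest = _endpoint(tok[2:])
    dst, dport, rest = _endpoint(rest)
    return dict(action=tok[0], proto=tok[1], src=src, sport=sport,
                dst=dst, dport=dport, established="established" in rest)

def matches(ace, pkt):
    """A field matches when the ACE leaves it unspecified or it is equal."""
    return (ace["proto"] == pkt["proto"]
            and ace["src"] in ("any", pkt["src"]) and ace["dst"] in ("any", pkt["dst"])
            and ace["sport"] in (None, pkt["sport"]) and ace["dport"] in (None, pkt["dport"])
            and (pkt["ack"] or not ace["established"]))  # 'established' needs ACK or RST

def evaluate(acl, pkt):
    for ace in acl:
        if matches(ace, pkt):
            return ace["action"] == "permit"
    return False  # implicit deny at the end of every ACL

# 192.168.2.2 -> 192.168.1.2:2016 and the reply; client port 40001 is constructed.
SYN = dict(proto="tcp", src="192.168.2.2", sport=40001, dst="192.168.1.2", dport=2016, ack=False)
SYN_ACK = dict(proto="tcp", src="192.168.1.2", sport=2016, dst="192.168.2.2", dport=40001, ack=True)
ACL100 = [parse_ace(l) for l in (  # as posted, inbound where the SYN enters
    "permit tcp host 192.168.2.2 host 192.168.1.2 eq 2016",
    "permit tcp host 192.168.2.2 host 192.168.1.2 eq 2016 established",
    "permit icmp any any")]
ACL101 = [parse_ace(l) for l in (  # as posted, inbound where the SYN-ACK enters
    "permit tcp host 192.168.1.2 host 192.168.2.2 eq 2014",
    "permit tcp host 192.168.1.2 host 192.168.2.2 eq 2014 established",
    "permit icmp any any")]
# The reply comes *from* 2016 to the client's random port, so 'eq 2016' belongs
# after the source address; the posted entries only ever test the destination port.
ACL101_FIXED = ACL101 + [parse_ace(
    "permit tcp host 192.168.1.2 eq 2016 host 192.168.2.2 established")]

def session_allowed(acl_syn_side, acl_reply_side):
    """Each packet must pass the ACL on the interface where it enters the router."""
    return evaluate(acl_syn_side, SYN) and evaluate(acl_reply_side, SYN_ACK)
```

session_allowed(ACL100, ACL101) returns False because the SYN-ACK arrives with destination port 40001, which neither 'eq 2014' entry matches; with ACL101_FIXED it returns True. The same reasoning applies in the other direction, where ACL 100 needs an entry with 'eq 2014' after the source address for replies from 192.168.2.2.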