The Adtran community holiday season is starting next week! The holiday period will span from December 21, 2024 to January 6, 2025. During this time, responses to feedback form submissions may be delayed. If you are encountering product issues, you can reach out to Adtran support at any time.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable

Source Address List in ACL

Jump to solution

Is it possible to create source address lists (and destination address lists) to call in an ACL?

For example, let's say I need to allow ports 389 and 25 from a list of spam service IP addresses.  Right now, I'd create two different ACLs:

ip access-list extended spam-ldap

permit tcp xxx.xxx.xxx.xxx 0.0.0.255 any eq 389

permit tcp yyy.yyy.yyy.yyy 0.0.0.255 any eq 389

permit tcp zzz.zzz.zzz.zzz 0.0.0.255 any eq 389

ip access-list extended spam-smtp

permit tcp xxx.xxx.xxx.xxx 0.0.0.255 any eq 25

permit tcp yyy.yyy.yyy.yyy 0.0.0.255 any eq 25

permit tcp zzz.zzz.zzz.zzz 0.0.0.255 any eq 25

ip policy-class Public

nat destination list spam-ldap address 10.10.10.10

nat destination list spam-smtp address 10.10.10.11

From reading the documentation, I see I can set my source/destination based on any, host, ip/mask, and hostname.  What I'm wondering is if it's possible to create a list of all of those IPs and then call that ip-list in my ACL.  Something like (I obviously made this up to illustrate my point; I know the commands below don't exist):

ip-list spam-list

xxx.xxx.xxx.xxx 0.0.0.255

yyy.yyy.yyy.yyy 0.0.0.255

zzz.zzz.zzz.zzz 0.0.0.255

ip access-list extended spam-ldap

permit tcp list spam-list any eq 389

ip access-list extended spam-smtp

permit tcp list spam-list any eq 25


ip policy-class Public

nat destination list spam-ldap address 10.10.10.10

nat destination list spam-smtp address 10.10.10.11


That way, if the IP addresses need to be updated, it only has to be updated in one place (the list), rather than each ACL individually.


Is there a way to accomplish my goal?


Thanks in advance

craig

Labels (1)
0 Kudos
1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: Source Address List in ACL

Jump to solution

:

Thank you for posting this question in the support community.  That is a very clever idea, and I understand what you are attempting to accomplish, but unfortunately, ADTRAN does not support a feature like that, currently.  I would recommend you reach out to your local partner, regional sales manager, and/or sales engineer to submit a feature request for this application.

For the specific case you listed above, one way to change this to make it more manageable would be to combine the ACLs into a single entry, as follows:

ip access-list extended ACL-NAME

  permit tcp xxx.xxx.xxx.xxx 0.0.0.255 any eq 389

  permit tcp yyy.yyy.yyy.yyy 0.0.0.255 any eq 389

  permit tcp zzz.zzz.zzz.zzz 0.0.0.255 any eq 389

  permit tcp xxx.xxx.xxx.xxx 0.0.0.255 any eq 25

  permit tcp yyy.yyy.yyy.yyy 0.0.0.255 any eq 25

  permit tcp zzz.zzz.zzz.zzz 0.0.0.255 any eq 25

!

ip policy-class Public

  nat destination list ACL-NAME address 10.10.10.10

  nat destination list ACL-NAME address 10.10.10.11


Then if you need to make changes to the IPs, you can do it in a single ACL.  Again, I understand that is not what you are requesting, but that is a way you could make the changes in a single location, for this particular example.


Please, do not hesitate to reply to this post with any questions or additional information.  I will be happy to help in any way I can.


Levi

View solution in original post

0 Kudos
1 Reply
Anonymous
Not applicable

Re: Source Address List in ACL

Jump to solution

:

Thank you for posting this question in the support community.  That is a very clever idea, and I understand what you are attempting to accomplish, but unfortunately, ADTRAN does not support a feature like that, currently.  I would recommend you reach out to your local partner, regional sales manager, and/or sales engineer to submit a feature request for this application.

For the specific case you listed above, one way to change this to make it more manageable would be to combine the ACLs into a single entry, as follows:

ip access-list extended ACL-NAME

  permit tcp xxx.xxx.xxx.xxx 0.0.0.255 any eq 389

  permit tcp yyy.yyy.yyy.yyy 0.0.0.255 any eq 389

  permit tcp zzz.zzz.zzz.zzz 0.0.0.255 any eq 389

  permit tcp xxx.xxx.xxx.xxx 0.0.0.255 any eq 25

  permit tcp yyy.yyy.yyy.yyy 0.0.0.255 any eq 25

  permit tcp zzz.zzz.zzz.zzz 0.0.0.255 any eq 25

!

ip policy-class Public

  nat destination list ACL-NAME address 10.10.10.10

  nat destination list ACL-NAME address 10.10.10.11


Then if you need to make changes to the IPs, you can do it in a single ACL.  Again, I understand that is not what you are requesting, but that is a way you could make the changes in a single location, for this particular example.


Please, do not hesitate to reply to this post with any questions or additional information.  I will be happy to help in any way I can.


Levi

0 Kudos