Configuring TCP/IP filters

Issue:
This document describes a simple TCP/IP filter setup on the 833 servers:

creating filters that permit the Dial In client to communicate with one host on the LAN, and deny communication with all other hosts.

Solution:

For a Dial In client to communicate with a host on the LAN, it must be able to both send data to that host and receive data from it.

Two filters therefore have to be created: one to permit packets sent to the LAN host and one to permit packets received from the LAN host. The Perle is then configured to deny communication with all other hosts by setting the default action to Deny.

This is achieved by:

  1. Add a new filter. Set the Action to Accept, leave the Source address blank (a blank address matches any address) and set the Destination address to the LAN host. Leave the filter mask at 255.255.255.255 (so only that exact host address matches) and the Protocol at none.
  2. Add another filter. Set the Action to Accept, set the Source address to the LAN host and leave the Destination address blank. Leave the filter mask at 255.255.255.255 and the Protocol at none.
  3. Add both filters to the assignment list and set the Default Action to Deny.

With this filter arrangement, all TCP/IP packets destined for the LAN host and all TCP/IP packets sent by the LAN host are permitted.
All other packets are denied by the default action.

On the 833IS the resulting entries in the configuration file will appear as in this example (1.2.3.4 is the LAN host):
!
ip access-list extended from
permit ip host 1.2.3.4 any
!
ip access-list extended to
permit ip any host 1.2.3.4

Filters are checked in the order of the assignment list. As soon as a packet matches one of the filters, the packet is accepted or rejected according to that filter's action and no further checking is done. If the packet does not match any assigned filter, the default action is carried out.

The packet address is bitwise ANDed with the filter mask and compared with the filter address ANDed with the same mask. If the two results are equal, the address matches the filter.
Example, with a filter address of 10.6.0.0 and a filter mask of 255.255.0.0:

Filter address: 10.6.0.0 AND 255.255.0.0 =

00001010.00000110.00000000.00000000
11111111.11111111.00000000.00000000
=
00001010.00000110.00000000.00000000

Packet address: 10.6.135.165 AND 255.255.0.0 =

00001010.00000110.10000111.10100101
11111111.11111111.00000000.00000000
=
00001010.00000110.00000000.00000000

After the filter mask is applied, both addresses are equal, so this packet matches the filter.

Packet address: 10.36.99.235 AND 255.255.0.0 =

00001010.00100100.01100011.11101011
11111111.11111111.00000000.00000000
=
00001010.00100100.00000000.00000000

After the filter mask is applied, the addresses are not equal, so this packet does not match the filter.
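The following Python script is an added example that is not part of the original article and is not Perle's own filter code. It models the evaluation described above: each filter's source and destination addresses are compared with the packet addresses after ANDing both with the filter mask, a blank filter address matches any address (the "any" keyword in the configuration file), the first matching filter in the assignment list decides, and the default action applies when nothing matches. It goes slightly beyond the article by evaluating a whole assignment list, not just a single address comparison. The Filter class, its field names, the "accept"/"deny" strings and the dial-in client address 192.168.50.10 are assumptions made for illustration; 1.2.3.4 is the LAN host from the configuration example and 10.6.0.0/255.255.0.0 is the mask example from the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def masked(addr: str, mask: str) -> int:
    """Bitwise AND of a dotted-quad address with a dotted-quad filter mask."""
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))


def dotted_binary(value: int) -> str:
    """Render a 32-bit value as four 8-bit groups, as in the worked example."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def address_matches(packet_addr: str, filter_addr: Optional[str], mask: str) -> bool:
    """A blank filter address matches any address ("any" in the config file).
    Otherwise both addresses are ANDed with the mask and the results compared."""
    if not filter_addr:
        return True
    return masked(packet_addr, mask) == masked(filter_addr, mask)


@dataclass
class Filter:
    # Assumed model of one filter entry; the field names are illustrative.
    action: str                        # "accept" or "deny"
    source: Optional[str] = None       # None = blank = any source
    destination: Optional[str] = None  # None = blank = any destination
    mask: str = "255.255.255.255"      # default mask: exact host match only
    protocol: Optional[str] = None     # None = Protocol "none", i.e. any


def filter_matches(f: Filter, src: str, dst: str, proto: str) -> bool:
    """Both the source and the destination test must pass for a match."""
    if f.protocol is not None and f.protocol != proto:
        return False
    return (address_matches(src, f.source, f.mask)
            and address_matches(dst, f.destination, f.mask))


def evaluate(filters: List[Filter], default_action: str,
             src: str, dst: str, proto: str = "tcp") -> str:
    """Walk the assignment list in order; the first match decides and no
    further filters are checked. With no match, the default action applies."""
    for f in filters:
        if filter_matches(f, src, dst, proto):
            return f.action
    return default_action


# Assignment list from the article: accept packets to and from the LAN host,
# deny everything else.
LAN_HOST = "1.2.3.4"
ASSIGNED = [
    Filter("accept", destination=LAN_HOST),  # access-list "to"
    Filter("accept", source=LAN_HOST),       # access-list "from"
]
DEFAULT_ACTION = "deny"


def check(src: str, dst: str, proto: str = "tcp") -> str:
    """Decide the fate of one packet under the article's filter arrangement."""
    return evaluate(ASSIGNED, DEFAULT_ACTION, src, dst, proto)


if __name__ == "__main__":
    # Constructed sample packets; the dial-in client address is assumed.
    CLIENT = "192.168.50.10"
    print("client -> LAN host :", check(CLIENT, LAN_HOST))   # accept
    print("LAN host -> client :", check(LAN_HOST, CLIENT))   # accept
    print("client -> other    :", check(CLIENT, "1.2.3.5"))  # deny

    # The mask arithmetic from the worked example above.
    for packet in ("10.6.135.165", "10.36.99.235"):
        print(packet, dotted_binary(masked(packet, "255.255.0.0")),
              address_matches(packet, "10.6.0.0", "255.255.0.0"))
```

Note that with the default mask of 255.255.255.255 a filter matches only the exact host address; a mask such as 255.255.0.0 would widen a filter with address 10.6.0.0 to every host in 10.6.x.x, which is why the mask should be left at all ones when the intent is to reach a single host. Because the first match wins, the order of the assignment list matters as soon as accept and deny filters overlap.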


Article ID:
70
Published:
1/15/2003 10:28:19 AM
Last Modified:
10/1/2003 11:02:30 AM
Issue Type:
Configuration