Because of the sensitivity of the source code, our SourceOffSite clients all reside in an isolated segment. Packets moving in and out of this segment are controlled through a Cisco Router Access Control List (ACL).
An ACL does not maintain a state table the way a firewall would. Consequently, I need to define packet travel in both directions. So let’s assume that my SOS server is 10.1.1.1 and my SOS client is 10.2.2.2 and we are communicating encrypted over port 8081.
I would think the packet travel from SOS server to the client would be defined on the router as:
access-list 101 permit tcp host 10.2.2.2 eq 8081 host 10.1.1.1
and my packet traffic from the SOS client to the server would be:
access-list 102 permit tcp host 10.1.1.1 host 10.2.2.2 eq 8081
But no luck. Do you know if anyone has set up Cisco ACLs for SOS? Does either side reply using a random port, or do all source and destination packets use TCP port 8081?
Cisco ACL for SOS Client
When the client initiates a connection to the SOS server, it binds to a random port on the client side (common behavior for TCP clients). The destination port will be 8081. This single socket connection is used for all communication; there is no connect-back or reconnect (like in FTP).
I don't know the Cisco ACL rule syntax, but it looks like you have the right idea. The firewall rules at SourceGear test that (for incoming) the dest port is 8081, and (for outgoing) the source port is 8081. We actually use a different port, but it would be the same traffic flow for any number.
Shaw Terwilliger
SourceGear LLC
`echo sterwill5sourcegear6com | tr 56 @.`
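To make the stateless two-way flow described in the reply concrete, here is an added Python simulation (not part of the thread and not SourceGear's code) that evaluates both directions of the single SOS socket against the entries posted in the question and against an assumed corrected pair where port 8081 always sits on the server side; the client's ephemeral port 49152 is a constructed value.

```python
import re

# Endpoints from the thread: SOS server 10.1.1.1 on port 8081, SOS client 10.2.2.2.
SERVER, CLIENT, SOS_PORT = "10.1.1.1", "10.2.2.2", 8081
EPHEMERAL = 49152  # constructed: the random port the client's TCP stack binds

# Limited extended-ACL grammar: access-list N permit|deny tcp host A [eq P] host B [eq P]
ENTRY = re.compile(
    r"access-list (\d+) (permit|deny) tcp host (\S+)(?: eq (\d+))? host (\S+)(?: eq (\d+))?$"
)

def parse_entry(line):
    """Parse one entry into a dict; a missing 'eq' means 'any port' on that side."""
    m = ENTRY.match(line.strip())
    if not m:
        raise ValueError(f"unsupported entry: {line!r}")
    acl, action, src, sport, dst, dport = m.groups()
    return {"acl": acl, "action": action, "src": src, "dst": dst,
            "sport": int(sport) if sport else None, "dport": int(dport) if dport else None}

def matches(entry, pkt):
    """pkt is (src_ip, src_port, dst_ip, dst_port); None in the entry matches any port."""
    src, sport, dst, dport = pkt
    return (entry["src"] == src and entry["dst"] == dst
            and entry["sport"] in (None, sport) and entry["dport"] in (None, dport))

def evaluate(lines, pkt):
    """Stateless first-match evaluation; a Cisco ACL ends in an implicit deny."""
    for entry in map(parse_entry, lines):
        if matches(entry, pkt):
            return entry["action"]
    return "deny"

# Both directions of the one connection: no connect-back, so only these two flows exist.
CLIENT_TO_SERVER = (CLIENT, EPHEMERAL, SERVER, SOS_PORT)
SERVER_TO_CLIENT = (SERVER, SOS_PORT, CLIENT, EPHEMERAL)

# Entries exactly as posted in the question ('eq 8081' is attached to the wrong host).
POSTED = {"server_to_client": ["access-list 101 permit tcp host 10.2.2.2 eq 8081 host 10.1.1.1"],
          "client_to_server": ["access-list 102 permit tcp host 10.1.1.1 host 10.2.2.2 eq 8081"]}
# Assumed corrected entries: the server is the only side that ever uses port 8081.
CORRECTED = {"server_to_client": ["access-list 101 permit tcp host 10.1.1.1 eq 8081 host 10.2.2.2"],
             "client_to_server": ["access-list 102 permit tcp host 10.2.2.2 host 10.1.1.1 eq 8081"]}

def check(rules):
    """Return the verdict each direction's list gives to the real packet in that direction."""
    return {"server_to_client": evaluate(rules["server_to_client"], SERVER_TO_CLIENT),
            "client_to_server": evaluate(rules["client_to_server"], CLIENT_TO_SERVER)}

if __name__ == "__main__":
    print("posted:   ", check(POSTED))     # both directions hit the implicit deny
    print("corrected:", check(CORRECTED))  # both directions permitted
```

Because the client port is random, the client-side entry in each list must leave that side without an `eq` qualifier, which is exactly why the corrected pair pins 8081 only on the server host.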