Configure Router ACL Settings
This section applies only if a firewall or a router sits in front of the MFA in the facility network.
Give this information to the facility IT team or the network design team so they can apply the configuration.
The network must be configured to allow the protocols and ports listed below, in the specified directions, regardless of which router or firewall model is present on the network.
Service | Functional Need    | Source network   | Source device/IP address | Destination network | Destination device/IP address | Protocol (TCP, UDP, etc.) | Port | Direction (relative to the device)
SBX     | Data Sent to Cloud | Facility Network | Any                      | Internet            | Any                           | TCP                       | 443  | Bidirectional
DNS     | URL address lookup | Facility Network | Any                      | Internet            | Any                           | TCP                       | 53   | Bidirectional
DNS     | URL address lookup | Facility Network | Any                      | Internet            | Any                           | UDP                       | 53   | Bidirectional
PING    |                    | Facility Network | Any                      | Internet            | Any                           | ICMP                      | ICMP | Bidirectional

The four network and device/IP address columns describe the communication partners of each flow.
The example below shows the entries required for a Cisco 2901 router. If another router is used, the exact entries may differ, but the principle described above remains the same.
• INBOUND (ip access-list extended ENinbound)
  • permit tcp any any eq 443
  • permit udp any any reflect enin timeout 300
  • permit tcp any any eq domain
  • permit icmp any any
• OUTBOUND (ip access-list extended ENoutbound)
  • evaluate enin
  • permit tcp any any eq 443
  • permit tcp any any eq domain
  • permit udp any any eq domain
  • permit icmp any any
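A facility IT team that receives this table usually wants a quick way to confirm that the ACLs actually configured on the router match it and nothing wider. The following Python script is an added example, not part of this manual or of any vendor tooling: it parses IOS-style extended ACL text (the two ACLs above are embedded as constructed sample input), maps each permit entry to a (protocol, destination port) pair, and reports every line that is either not in the table or broader than it. The reflexive entry `permit udp any any reflect enin timeout 300` is reported as broader than the table because it permits every UDP port; that is how a reflexive ACL is built, and it is precisely the kind of line a reviewer should see and consciously accept rather than overlook. Names such as `ALLOWED_FLOWS`, `audit_text` and `needs_review` are this example's own.

```python
import re
from collections import namedtuple

# (protocol, destination port) pairs allowed by the manual's table.
# A port of None means "no port applies" (ICMP).
ALLOWED_FLOWS = {
    ("tcp", 443),    # SBX data sent to cloud
    ("tcp", 53),     # DNS lookup over TCP
    ("udp", 53),     # DNS lookup over UDP
    ("icmp", None),  # PING
}

# IOS port keywords that may follow "eq"; only the ones needed here.
IOS_PORT_NAMES = {"domain": 53, "https": 443, "www": 80, "telnet": 23}

Finding = namedtuple("Finding", "acl line verdict")

# Constructed sample input: the two ACLs from the Cisco 2901 example above.
SAMPLE_ACL = """\
ip access-list extended ENinbound
 permit tcp any any eq 443
 permit udp any any reflect enin timeout 300
 permit tcp any any eq domain
 permit icmp any any
ip access-list extended ENoutbound
 evaluate enin
 permit tcp any any eq 443
 permit tcp any any eq domain
 permit udp any any eq domain
 permit icmp any any
"""


def _take_addr(tokens, i):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _take_port(tokens, i):
    """Consume an optional 'eq <port>' spec; returns (port, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = int(name) if name.isdigit() else IOS_PORT_NAMES.get(name, name)
        return port, i + 2
    return None, i


def parse_entry(line):
    """Split one ACL line into action, protocol, addresses, ports and trailing options."""
    tokens = line.split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        # e.g. 'evaluate enin' or 'remark ...': not a flow, keep only the raw text
        return {"action": action, "raw": line, "options": tokens[1:]}
    proto = tokens[1].lower()
    src, i = _take_addr(tokens, 2)
    sport, i = _take_port(tokens, i)
    dst, i = _take_addr(tokens, i)
    dport, i = _take_port(tokens, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": tokens[i:], "raw": line}


def parse_acls(text):
    """Return {acl_name: [entry, ...]} from IOS 'ip access-list extended' text."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if current is not None:
            acls[current].append(parse_entry(line))
    return acls


def verdict_for(entry):
    """Compare one permit entry against the table; None for non-permit lines."""
    if entry["action"] != "permit":
        return None
    proto, dport = entry["proto"], entry["dport"]
    if proto == "ip":
        return "broader-than-table"          # all protocols, all ports
    if proto == "icmp":
        return "ok" if ("icmp", None) in ALLOWED_FLOWS else "not-in-table"
    if dport is None:
        return "broader-than-table"          # every port of this protocol
    return "ok" if (proto, dport) in ALLOWED_FLOWS else "not-in-table"


def audit_text(text):
    """Audit every permit line of every ACL in the text against ALLOWED_FLOWS."""
    findings = []
    for name, entries in parse_acls(text).items():
        for entry in entries:
            verdict = verdict_for(entry)
            if verdict is not None:
                findings.append(Finding(name, entry["raw"], verdict))
    return findings


def needs_review(findings):
    """Only the lines a reviewer must look at: anything not exactly in the table."""
    return [f for f in findings if f.verdict != "ok"]


if __name__ == "__main__":
    for f in audit_text(SAMPLE_ACL):
        print(f"{f.acl:<12} {f.verdict:<20} {f.line}")
```

Run it against the output of `show running-config | section access-list` saved to a file; any line reported as "not-in-table" or "broader-than-table" should either be explained by the reflexive ACL design or corrected before the device is connected.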
Note
2094532-001 D 02 2018 37