We have about 30 small branch offices (i.e. the spokes) that are connected back to the data centre (i.e. the hub),
each via a leased line.
There are 2 services that we would like to restrict to each of the branches (i.e. we don't want the TCP port accessible
elsewhere in the corporate network, and not accessible between the branches); the services listen on TCP 8000 and 8222.
If I want to apply ACLs on each branch's WAN router to block the 2 TCP ports from being reachable, should the
ACL be applied on the WAN router's LAN interface (i.e. facing the branch's LAN) or on the router's serial interface
(facing the leased line towards the data centre)?
Can you correct/review my suggested extended ACL below? Assume a.b.c.d is the IP address of the branch's
1st server listening on TCP 8000 and e.f.g.h is the IP of the 2nd server listening on TCP 8222.
Assuming it's applied on the LAN/Ethernet interface of the router, I think (but do correct me) it looks like:
ip access-group 102 in [or should it be 'out' ?]
access-list 102 deny tcp any any eq 8000 log
access-list 102 deny tcp any any eq 8222 log
access-list 102 permit ip any any
What if it's applied on the serial interface instead? What does the ACL look like then?
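As an added example (not the poster's configuration), the following IOS fragment shows the filter placed inbound on the WAN-facing interface, which is where it has to sit if the aim is to stop the data centre and the other branches from reaching the two branch-local servers. The addresses a.b.c.d and e.f.g.h are the placeholders from the question; the interface names Serial0/0 and FastEthernet0/0, and the assumption that each branch LAN is a single segment, are mine.

```cisco
! Added example, not the poster's config. a.b.c.d / e.f.g.h are the two branch
! servers from the question; Serial0/0 (leased line) and FastEthernet0/0 (branch
! LAN) are assumed interface names.
!
! Goal: nothing arriving over the leased line (data centre, or another branch
! routed via the hub) may reach the two services. Branch hosts on the same LAN
! segment reach the servers directly without crossing the router, so this ACL
! does not affect them (assumes a single-segment branch LAN).
!
! Match only the two servers rather than "any any": "deny tcp any any eq 8000"
! applied inbound on the LAN interface would drop branch users' own connections
! to port 8000 at the data centre, while doing nothing to protect the servers.
access-list 102 remark Block WAN-side access to branch-local services 8000/8222
access-list 102 deny   tcp any host a.b.c.d eq 8000 log
access-list 102 deny   tcp any host e.f.g.h eq 8222 log
access-list 102 permit ip any any
!
! Apply inbound on the WAN-facing interface so matching packets are dropped on
! arrival, before the router forwards them onto the branch LAN.
interface Serial0/0
 description Leased line to data centre
 ip access-group 102 in
!
! Equivalent alternative: the same list applied OUTBOUND on the LAN interface.
! Packets from the WAN toward the servers leave the router via this interface,
! so "out" is the direction that sees them; "in" on the LAN interface only
! inspects traffic leaving the branch.
! interface FastEthernet0/0
!  ip access-group 102 out
```

After applying it, `show ip access-lists 102` shows per-entry hit counters (generate a test connection from the data centre and confirm the deny counter increments), and `show ip interface Serial0/0` confirms which list is bound and in which direction. The `log` keyword sends a rate-limited syslog message per matching flow and is process-switched on many platforms, so it is useful while validating the filter but worth removing once the counters confirm the behaviour. If the two servers actually live at the data centre rather than at the branches, this placement is wrong and the filtering belongs on the hub side instead.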