Networking Forums


Network Access Lists

 
 
Mike

 
      08-31-2006, 01:43 AM

Is it possible (natively to Windows) to create an IP based access list? That
is, allow only certain other IP based machines to see this PC on my network.
Kind of like a VLAN.

For example I want the PC to have an address of 10.1.1.1 and only allow PCs
with IP 10.1.1.2 and 10.1.1.3 to communicate.



 
 
 
 
 
Miha Pihler [MVP]

 
      08-31-2006, 07:48 AM
Hi Mike,

Yes it is possible...

Here is how (and it is the same for Windows Server 2003).

How to use IPSec IP filter lists in Windows 2000
http://support.microsoft.com/kb/313190

--
Mike
Microsoft MVP - Windows Security
 
Mike

 
      09-01-2006, 05:16 AM
Hi Mike,

I did try that before posting but it didn't work.

NOTE: If you assign this policy, all traffic is allowed because there is no
Deny rule that prevents other traffic. If you want to only allow traffic
that you specified in the above policy, you must create a Deny rule that
denies all traffic.

Are you sure that line is true? Is there an order to which rules are
applied?

Regards,
Mike.
 
Miha Pihler [MVP]

 
      09-01-2006, 07:46 AM
The article shows the general process of creating rules. So if you want to
filter specific traffic -- put in a deny rule...

No -- there is no rule order. The system will process all allow rules first
until it hits a deny...

--
Mike
Microsoft MVP - Windows Security
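The setup discussed in this thread (permit 10.1.1.2 and 10.1.1.3, block everything else), as an added example that is not from any poster or from the KB article. It assumes Windows Server 2003 or later, where the `netsh ipsec static` context is available; the policy, filter list, filter action and rule names are made up for illustration.

```bat
@echo off
rem Added example: allow only 10.1.1.2 and 10.1.1.3 to talk to this PC (10.1.1.1).
rem All object names below are illustrative, not taken from the thread or the KB article.
setlocal
set POLICY=PeerAllowList

rem 1. Create the policy. It has no effect until it is assigned in step 6.
netsh ipsec static add policy name="%POLICY%" description="Permit two peers, block the rest"

rem 2. Filter list for the two permitted peers. mirrored=yes covers both directions.
netsh ipsec static add filterlist name="AllowedPeers"
netsh ipsec static add filter filterlist="AllowedPeers" srcaddr=10.1.1.2 dstaddr=Me protocol=ANY mirrored=yes description="peer 10.1.1.2"
netsh ipsec static add filter filterlist="AllowedPeers" srcaddr=10.1.1.3 dstaddr=Me protocol=ANY mirrored=yes description="peer 10.1.1.3"

rem 3. Filter list that matches all IP traffic to or from this PC.
netsh ipsec static add filterlist name="AllTraffic"
netsh ipsec static add filter filterlist="AllTraffic" srcaddr=Any dstaddr=Me protocol=ANY mirrored=yes description="everything else"

rem 4. One permit action and one block action (no IPsec negotiation involved).
netsh ipsec static add filteraction name="PermitAction" action=permit
netsh ipsec static add filteraction name="BlockAction" action=block

rem 5. Bind each filter list to its action. The host-specific filters are more
rem    specific than Any<->Me, so the two peers match the permit rule.
netsh ipsec static add rule name="PermitPeers" policy="%POLICY%" filterlist="AllowedPeers" filteraction="PermitAction"
netsh ipsec static add rule name="BlockRest" policy="%POLICY%" filterlist="AllTraffic" filteraction="BlockAction"

rem 6. Assign the policy. Without the BlockRest rule this step would change
rem    nothing, which is what the NOTE quoted from the KB article describes.
netsh ipsec static set policy name="%POLICY%" assign=y

rem 7. Review what is now in effect.
netsh ipsec static show policy name="%POLICY%" level=verbose

rem To back out: netsh ipsec static set policy name="%POLICY%" assign=n
endlocal
```

Run this from the local console rather than a remote session: once assigned, the policy also cuts off DNS, DHCP and domain controllers unless their addresses are added to the permitted filter list.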
 
 
 