which way is out and in when looking at an access-list

Answered Question
Nov 11th, 2008

Hi


Just wondering if you can clarify something for me as I'm getting confused.


I have two access lists configured on a vlan like so:

vlan 20

ip access-group 140 in

ip access-group 139 out


If I have client "A" in vlan 20 and it wants to communicate with a server "B" in a remote location, how do I write the access list to allow "A" to connect to port 3124 on "B" but allow any connections from "B" to "A"?


Thanks

Dan

Correct Answer
Jon Marshall Tue, 11/11/2008 - 09:16

Dan


An access-list applied inbound on a vlan interface controls traffic coming FROM devices on that vlan.


An access-list applied outbound on a vlan interface controls traffic going TO devices on that vlan.


So


access-list 101 permit tcp host host eq 3124 (note I've assumed port 3124 is TCP)


int vlan 20

ip access-group 101 in


If you want to allow any connections from B to A you could just not bother with an ACL, but assuming you need to filter other traffic:


access-list 102 permit ip host host


int vlan 20

ip access-group 102 out


Edit - forgot to mention: always remember there is an implicit "deny ip any any" at the end of any access-list, so you may need to add other things to the ACL examples given above.


Jon
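The following is an added example, not code from the post or from Cisco: a small Python model of how an SVI applies its "in" and "out" ACLs exactly as Jon describes (inbound sees traffic FROM hosts on the VLAN, outbound sees traffic TO them), with first-match evaluation and the implicit "deny ip any any" he mentions in his edit. The host addresses, the parser, and every function name here are assumptions of mine; the post omits the real hosts, so placeholders are used. The last scenario shows the consequence of that implicit deny that a practitioner should check for: when B opens a connection to A, A's reply packets travel inbound on VLAN 20 and are not matched by ACL 101.

```python
"""Toy model of Cisco IOS numbered extended ACLs applied in/out on an SVI.

Added example; not code from the original post. Host addresses are
constructed placeholders because the post does not give them.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOST_A = "10.20.0.10"   # constructed: client A, a member of VLAN 20
HOST_B = "192.0.2.50"   # constructed: server B at the remote site
VLAN20_HOSTS = {HOST_A}

# The two ACLs from the post, with the placeholder hosts filled in.
CONFIG = f"""
access-list 101 permit tcp host {HOST_A} host {HOST_B} eq 3124
access-list 102 permit ip host {HOST_B} host {HOST_A}
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # "any" or a single host address
    dst: str
    dport: Optional[int]       # from "eq <port>"; None means any port
    text: str                  # the original line, kept for the trace

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


def _endpoint(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any' or 'host X' starting at token i."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tok[i]}")


def parse_acl(config: str) -> Dict[str, List[Ace]]:
    """Parse 'access-list N permit|deny proto src dst [eq port]' lines
    (a subset of IOS syntax) into {acl number: entries in config order}."""
    acls: Dict[str, List[Ace]] = {}
    for raw in config.strip().splitlines():
        line = raw.split("!")[0].strip()     # drop IOS-style comments
        if not line.startswith("access-list "):
            continue
        tok = line.split()
        num, action, proto = tok[1], tok[2], tok[3]
        src, i = _endpoint(tok, 4)
        dst, i = _endpoint(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        acls.setdefault(num, []).append(Ace(action, proto, src, dst, dport, line))
    return acls


def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, str]:
    """First matching entry wins; an implicit 'deny ip any any' ends every ACL."""
    for ace in acl:
        if ace.matches(p):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"


def svi_filter(p: Packet, acls: Dict[str, List[Ace]], in_acl: str, out_acl: str,
               vlan_hosts=VLAN20_HOSTS) -> Tuple[str, str, str]:
    """Pick the ACL the way the post describes: 'in' filters traffic coming
    FROM devices on the VLAN, 'out' filters traffic going TO them."""
    if p.src in vlan_hosts:
        direction, acl = "in", in_acl
    elif p.dst in vlan_hosts:
        direction, acl = "out", out_acl
    else:
        return "n/a", "", "not routed through this SVI"
    action, reason = evaluate(acls.get(acl, []), p)
    return action, f"{acl} {direction}", reason


def scenarios() -> Dict[str, str]:
    """Run the constructed test packets and return {description: action}."""
    acls = parse_acl(CONFIG)
    cases = {
        "A->B tcp/3124 (the permitted application)": Packet(HOST_A, HOST_B, "tcp", 3124),
        "A->B tcp/80 (not permitted)": Packet(HOST_A, HOST_B, "tcp", 80),
        "B->A tcp/22 (B opens a connection to A)": Packet(HOST_B, HOST_A, "tcp", 22),
        "A->B tcp/51000 (A's reply to that connection)": Packet(HOST_A, HOST_B, "tcp", 51000),
    }
    return {name: svi_filter(p, acls, "101", "102")[0] for name, p in cases.items()}


if __name__ == "__main__":
    acls = parse_acl(CONFIG)
    for name, action in scenarios().items():
        print(f"{action:6s}  {name}")
```

Running it shows the first three cases behave as the post intends, while A's reply traffic for a connection B initiated is dropped by ACL 101's implicit deny, which is the "other things" Jon's edit warns you may need to add. In real IOS extended ACLs the `established` keyword on a TCP entry is the usual way to permit such return traffic (not part of the post; mentioned here only as the mitigation to look up).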

dan_track Tue, 11/11/2008 - 11:22

Brilliant Jon,


Thanks for your help, cleared up a real problem. Don't know what I'd do without you!! :)


Thanks

Dan
