where to apply access-list

Answered Question
May 14th, 2010

I have created the access 128 to allow a host (10.20.1.2) to access a web server (10.10.1.24).

No other hosts from the LAN (10.20.0.0) should be able to access the same web server.
However, all other traffic should be allowed, since there are several resources (FTP, email etc.) on this web server.

access-list 128 permit tcp host 10.20.1.2 host 10.10.1.24 eq www
access-list 128 deny tcp any host 10.10.1.24 eq www
access-list 128 permit ip any any

The web server is attached to the FA0/1 side of the router.
Hosts in 10.20.0.0 are attached to the FA0/0 side of the router.

Should I apply access list 128 on Fa0/1 outbound or on Fa0/0 inbound?

Thanks

PeiWai

Correct Answer
Ganesh Hariharan Fri, 05/14/2010 - 03:38


Hi PeiWai,

For your requirement, with this flow I would say apply the ACL in the in direction on port FA0/0:

webserver ---FA0/1(R1)--FA0/0 --- Host

Apply it on FA0/0 in the in direction.

Hope to help!!

Ganesh.H

Remember to rate the helpful post

Correct Answer
Jon Marshall Fri, 05/14/2010 - 03:43


Pei

Rule of thumb is to always apply ACLs closest to the source if possible, so, as Ganesh says, apply it inbound on the host interface, i.e. fa0/0.

Jon
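To see why both answers point at Fa0/0 inbound, the small simulator below (added here as an illustration; it is not code from the thread or from Cisco) parses the three access-list 128 lines exactly as PeiWai wrote them, applies the IOS first-match rule with the implicit deny at the end of every ACL, and models the two candidate placements on the router from the question. It is deliberately minimal: it only understands the `any`, `host A.B.C.D` and `A.B.C.D WILDCARD` address forms, a destination-port `eq` match, and the three port keywords in its own `PORT_NAMES` table, and the sample flows and the `Packet`, `Entry`, `evaluate`, `forward` and `demo` names are all constructed for this example.

```python
"""Tiny model of how Cisco IOS evaluates extended ACL 128 from the thread and where
it takes effect. Illustration only: it supports 'any', 'host A.B.C.D' and
'A.B.C.D WILDCARD' address specs, a destination-port 'eq' match, and the
port keywords listed in PORT_NAMES; real IOS ACL syntax is much larger."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# The three lines from the question, verbatim.
ACL_128 = """
access-list 128 permit tcp host 10.20.1.2 host 10.10.1.24 eq www
access-list 128 deny tcp any host 10.10.1.24 eq www
access-list 128 permit ip any any
"""

# Subset of the IOS port keywords; enough for the thread's example (assumed table).
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # None = any destination port


def _parse_addr(tokens, i):
    """Consume one IOS address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'address wildcard': a wildcard is the inverse of a netmask (contiguous masks only here)
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines into Entry objects."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries, pkt) -> Tuple[str, Optional[int]]:
    """First matching entry wins. No match hits the implicit 'deny' that ends every IOS ACL,
    which is why the question's 'permit ip any any' is essential for FTP, mail, ping etc."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for n, e in enumerate(entries, 1):
        if e.proto not in ("ip", pkt.proto):
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, n
    return "deny", None


def forward(entries, pkt, ingress, egress, acl_on):
    """Model the router in the thread: Fa0/0 faces the LAN, Fa0/1 faces the web server.
    acl_on is ("Fa0/0", "in") or ("Fa0/1", "out"). Returns (verdict, detail): a packet denied
    by an inbound ACL is dropped before the routing lookup; an outbound ACL only sees it after."""
    iface, direction = acl_on
    if direction == "in" and iface == ingress and evaluate(entries, pkt)[0] == "deny":
        return "dropped", "before routing lookup"
    # --- routing lookup would happen here; egress is the chosen output interface ---
    if direction == "out" and iface == egress and evaluate(entries, pkt)[0] == "deny":
        return "dropped", "after routing lookup"
    return "forwarded", egress


def demo():
    """Constructed sample flows from the LAN toward the server."""
    acl = parse_acl(ACL_128)
    flows = {
        "allowed host to www": Packet("10.20.1.2", "10.10.1.24", "tcp", 80),
        "other host to www": Packet("10.20.1.3", "10.10.1.24", "tcp", 80),
        "other host to ftp": Packet("10.20.1.3", "10.10.1.24", "tcp", 21),
        "other host ping": Packet("10.20.1.3", "10.10.1.24", "icmp"),
    }
    return {name: evaluate(acl, p) for name, p in flows.items()}


if __name__ == "__main__":
    for name, (action, line) in demo().items():
        print(f"{name:22s} -> {action} (line {line})")
```

Running `demo()` shows the three lines doing exactly what the question asks: only 10.20.1.2 matches line 1, every other LAN host hits the line-2 deny for port 80 and falls through to line 3 for FTP or ping. `forward()` shows the difference the placement makes: with the list inbound on Fa0/0 the denied packet is discarded before the router spends a routing lookup on it, and server-to-host return traffic arriving on Fa0/1 is never checked at all, whereas outbound on Fa0/1 the same packet is routed first and only then dropped. To configure Jon's and Ganesh's recommendation on the real router, enter `interface FastEthernet0/0` and then `ip access-group 128 in`; `show ip access-lists 128` afterwards shows per-line match counters, which is the quickest check that the deny line is actually catching the unwanted web requests.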

Jon Marshall Fri, 05/14/2010 - 03:54

leepeiwai wrote:

Thanks, Jon and Ganesh.

PS: my name is Peiwai, not Pei.

Peiwai, apologies for getting your name wrong.

Jon
