where to apply access-list

Answered Question
May 14th, 2010

I have created access-list 128 to allow a host (10.20.1.2) to access a web server (10.10.1.24).


No other hosts from the LAN (10.20.0.0) should be able to access the same web server.
However, all other traffic should be allowed since there are several resources (FTP, email etc.) on this web server.


access-list 128 permit tcp host 10.20.1.2 host 10.10.1.24 eq www
access-list 128 deny tcp any host 10.10.1.24 eq www
access-list 128 permit ip any any


The web server is attached to FA0/1 side of the router.
Hosts in 10.20.0.0 are attached to the FA0/0 side of the router.


Should I apply access list 128 on
Fa0/1 outbound OR Fa0/0 inbound ?


Thanks

PeiWai

Correct Answer
Ganesh Hariharan Fri, 05/14/2010 - 03:38
Hi PeiWai,


For your requirement, with the flow, I would say apply the ACL in the in direction on port FA(0/0).


webserver ---FA0/1(R1)--FA0/0 --- Host


Apply on FA(0/0) in the in direction.


Hope to help!!


Ganesh.H


Remember to rate the helpful post

Correct Answer
Jon Marshall Fri, 05/14/2010 - 03:43
leepeiwai wrote:


I have created access-list 128 to allow a host (10.20.1.2) to access a web server (10.10.1.24).


No other hosts from the LAN (10.20.0.0) should be able to access the same web server.
However, all other traffic should be allowed since there are several resources (FTP, email etc.) on this web server.


access-list 128 permit tcp host 10.20.1.2 host 10.10.1.24 eq www
access-list 128 deny tcp any host 10.10.1.24 eq www
access-list 128 permit ip any any


The web server is attached to FA0/1 side of the router.
Hosts in 10.20.0.0 are attached to the FA0/0 side of the router.


Should I apply access list 128 on
Fa0/1 outbound OR Fa0/0 inbound ?


Thanks

PeiWai


Pei


Rule of thumb is to always apply ACLs closest to the source if possible, so as Ganesh says, apply it inbound on the host interface, i.e. fa0/0.


Jon
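
As an added example, not code from the thread: a small Python model of first-match extended-ACL evaluation with the implicit deny at the end, fed access-list 128 exactly as posted and a handful of constructed flows. It checks the three entries against the stated requirement and confirms that binding the list inbound on fa0/0 (`ip access-group 128 in`) drops the same flows as binding it outbound on fa0/1, only one stage earlier, before the router does a routing lookup on the packet. The two-interface router model and the sample flows are assumptions made for the example.

```python
# Added example (not from the thread): evaluate an IOS-style extended ACL
# the way the router would, then compare the two placements asked about.
# Addresses and ports come from the question; the flows are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # destination port, None for non-TCP/UDP


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # host /32, CIDR network, or "any"
    dst: str
    dport: Optional[int] = None  # "eq <port>" on the destination, None = any


def _in(addr: str, spec: str) -> bool:
    """True if addr falls inside spec ("any" matches everything)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def entry_matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if not _in(pkt.src, entry.src) or not _in(pkt.dst, entry.dst):
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; an ACL always ends with an implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action
    return "deny"


# access-list 128 as posted in the question (www = TCP/80).
ACL_128 = [
    Entry("permit", "tcp", "10.20.1.2/32", "10.10.1.24/32", 80),
    Entry("deny",   "tcp", "any",          "10.10.1.24/32", 80),
    Entry("permit", "ip",  "any",          "any"),
]

# Assumed router model: hosts behind fa0/0, web server behind fa0/1.
ROUTES = {"FastEthernet0/0": "10.20.0.0/16", "FastEthernet0/1": "10.10.0.0/16"}


def egress_interface(dst: str) -> str:
    for name, net in ROUTES.items():
        if _in(dst, net):
            return name
    raise ValueError(f"no route to {dst}")


def forward(pkt: Packet, ingress: str, bindings):
    """Apply bindings {(interface, direction): acl} in router order: inbound ACL
    on the ingress interface, then routing, then outbound ACL on the egress
    interface. Returns (verdict, stage) where stage names the dropping point
    or, for permitted packets, the egress interface."""
    if (ingress, "in") in bindings and evaluate(bindings[(ingress, "in")], pkt) == "deny":
        return "deny", f"{ingress} in"
    egress = egress_interface(pkt.dst)
    if (egress, "out") in bindings and evaluate(bindings[(egress, "out")], pkt) == "deny":
        return "deny", f"{egress} out"
    return "permit", egress


INBOUND_FA00 = {("FastEthernet0/0", "in"): ACL_128}    # ip access-group 128 in
OUTBOUND_FA01 = {("FastEthernet0/1", "out"): ACL_128}  # ip access-group 128 out

# Constructed flows from the LAN toward the server.
FLOWS = {
    "allowed host http": Packet("10.20.1.2", "10.10.1.24", "tcp", 80),
    "other host http":   Packet("10.20.1.7", "10.10.1.24", "tcp", 80),
    "other host ftp":    Packet("10.20.1.7", "10.10.1.24", "tcp", 21),
    "other host https":  Packet("10.20.1.7", "10.10.1.24", "tcp", 443),
}


def compare_placements():
    """Verdict per flow as (inbound on fa0/0, outbound on fa0/1)."""
    return {name: (forward(p, "FastEthernet0/0", INBOUND_FA00)[0],
                   forward(p, "FastEthernet0/0", OUTBOUND_FA01)[0])
            for name, p in FLOWS.items()}


if __name__ == "__main__":
    for name, verdicts in compare_placements().items():
        print(f"{name:20s} fa0/0 in: {verdicts[0]:6s} fa0/1 out: {verdicts[1]}")
```

Running compare_placements() shows the two placements agree on every flow; the row worth noticing is the HTTPS one. The deny entry matches `eq www` (TCP/80) only, so if the server also listens on 443 a matching deny for that port is needed ahead of the final permit. Inbound on fa0/0 also keeps the list scoped to the LAN segment, whereas outbound on fa0/1 is evaluated for traffic arriving from any other interface of the router as well.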

leepeiwai Fri, 05/14/2010 - 03:49

Thanks Jon and Ganesh


ps. my name is Peiwai not Pei

Jon Marshall Fri, 05/14/2010 - 03:54
leepeiwai wrote:


Thanks Jon and Ganesh


ps. my name is Peiwai not Pei


Peiwai, apologies for getting your name wrong.


Jon
