I have created the access 128 to allow a host (10.20.1.2) to access a web server (10.10.1.24).
No other hosts from the LAN (10.20.0.0) should be able to access the same web server.
However, all other traffic should be allowed since there are serveral resources (FTP, email etc) on this web server.
access-list 128 permit tcp host 10.20.1.2 host 10.10.1.24 eq www
access-list 128 deny tcp any host 10.10.1.24 eq www
access-list 128 permit ip any any
The web server is attached to FA0/1 side of the router.
Hosts in 10.20.0.0 is attached to FA0/0 side of the router.
Should I apply access list 128 on 
Fa0/1 outbound OR Fa0/0 inbound ?
Thanks
PeiWai

Hi PeiWai,

For your requirement  with the flow i would say apply the acl in indrection on port FA(0/0)

webservr ---FA0/1(R1)--FA0/0 --- Host

Apply in FA(0/0) in in direction .

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

leepeiwai wrote:
I have created the access 128 to allow a host (10.20.1.2) to access a web server (10.10.1.24).
No other hosts from the LAN (10.20.0.0) should be able to access the same web server.
However, all other traffic should be allowed since there are serveral resources (FTP, email etc) on this web server.
access-list 128 permit tcp host 10.20.1.2 host 10.10.1.24 eq www
access-list 128 deny tcp any host 10.10.1.24 eq www
access-list 128 permit ip any any
The web server is attached to FA0/1 side of the router.
Hosts in 10.20.0.0 is attached to FA0/0 side of the router.
Should I apply access list 128 on 
Fa0/1 outbound OR Fa0/0 inbound ?
Thanks
PeiWai

Pei

Rule of thumb is always apply acls closest to source if possible so as Ganesh says apply it inbound on the host interface ie. fa0/0.

Jon