Access-List Process - Urgent Help Please

mmtantawi
Level 1

Dear All,

My question here in this forum is about the process of:-

1- On which interface should I apply this access-list?

2- In which direction on the selected interface do I have to apply this access-list? In or Out?

Now, my question is here:-

Was I correct in choosing the interface on which I will apply this access-list, or not?

Please read my process of choosing the interface, and tell me if I am correct or not.

=========================================

I have here my router, as the Internet router, which is an 1841, with 2 Fast Ethernet interfaces as follows:-

1. Fast Ethernet 0/0:-

Description: connected to my network as MY LAN.

IP address of this interface: 192.168.1.10 / 255.255.255.0

2. Fast Ethernet 0/1:-

Description: connected to the second network in the second building.

IP address of this interface: 172.16.20.10 / 255.255.0.0

3. Serial interface (S0).

Description: connected to my server farm, which is in another network.

IP address of this interface: 10.1.8.20 / 255.255.255.0.

> No serial interface or serial connection at all on my 1841 router.

> The default route on my router is

> IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20

Now, I want only to deny user 192.168.1.40 from accessing one server in the server FARM, which is OUR POP3 server with this IP: 10.1.8.40 / 24.

As anyone knows, it's an extended access list.

So I wrote it like this:-

Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp

Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3

Router(config)# access-list 102 permit ip any any

Process of choosing the interface:-

1- On which interface should I apply this access-list?

2- In which direction on the selected interface do I have to apply this access-list? In or Out?

To answer, and to understand the answer to, the 2 questions, here is my process:-

First interface F0/0:-

< This is the originating interface, and there is no need to apply the ACL on it, whether inbound or outbound >, so F0/0 is not the correct interface to apply the ACL on.

Second interface F0/1:-

< This is the second interface, and it has inbound / outbound directions. If I enable the ACL on this interface in the inbound direction, the traffic will enter because nothing matches the condition. Also, there is no need to apply it in the OUTBOUND direction, because the traffic will not go out of this interface, or there is no matching condition on it. >

Third interface S0:-

Also, I have to look at the route on the router; I will find that everything routes to interface Serial 0, and if I enable the ACL in the inbound direction, it will stop the traffic from entering the interface < it will only block it from entering the interface, if the conditions occur >, so there is no need for inbound, but in the outbound direction it will work.

So, the final answer will be as follows:-

1- On which interface should I apply this access-list?

( Serial 0 ).

2- In which direction on the selected interface do I have to apply this access-list? In or Out?

( Outbound ).

Was I correct or not? Please, someone update me.

1 Reply

gpulos
Level 8

Your 102 access list is not completely correct. Try the following and apply it to the interface 'outbound' where the packet flows from to get to the destination.

(ACL should be placed as close to the source as possible)

access-list 102 deny tcp host 192.168.1.40 host 10.1.8.40 eq smtp

access-list 102 deny tcp host 192.168.1.40 host 10.1.8.40 eq pop3

access-list 102 permit ip any any
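An added example, not code from either post: a small Python model of how IOS evaluates an extended ACL (first matching entry wins, wildcard masks select the bits that must match, and an implicit deny ends every list) against constructed packets between the addresses in this thread, plus a helper that lists which interface/direction bindings would inspect a packet entering on F0/0 and leaving on S0, as in the asker's routing. parse_ace accepts both the host keyword and an explicit wildcard mask; the port names and interface labels are the ones used in the thread.

```python
# Added example: model of Cisco IOS extended-ACL evaluation (first match wins,
# wildcard masks, implicit deny) plus which interface bindings see a packet.
import ipaddress
PORT_NAMES = {"smtp": 25, "pop3": 110}  # the two port names used in the thread

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> ((addr, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]' into a dict."""
    tok = line.split()
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "dport": dport}

def _addr_matches(addr_wild, ip):
    addr, wild = addr_wild
    care = 0xFFFFFFFF ^ wild  # wildcard 1-bits are "don't care"; 0-bits must match exactly
    return _ip(ip) & care == addr & care

def evaluate(acl, src_ip, dst_ip, proto, dport=None):
    """Return 'permit' or 'deny' for one packet; entries after the first match are never consulted."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_addr_matches(ace["src"], src_ip) and _addr_matches(ace["dst"], dst_ip)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every IOS ACL

def bindings_that_inspect(bindings, ingress, egress):
    # (interface, direction) bindings that see a packet entering `ingress` and leaving `egress`
    return [b for b in bindings if b in ((ingress, "in"), (egress, "out"))]

# ACL 102 as posted in the reply; parse_ace also accepts the asker's 'A.B.C.D 0.0.0.0' form.
ACL_102 = [parse_ace(l) for l in (
    "access-list 102 deny tcp host 192.168.1.40 host 10.1.8.40 eq smtp",
    "access-list 102 deny tcp host 192.168.1.40 host 10.1.8.40 eq pop3",
    "access-list 102 permit ip any any",
)]
```

With the asker's topology, bindings_that_inspect([("S0", "out"), ("F0/1", "in")], "F0/0", "S0") returns only the S0 outbound binding, which is why an ACL bound to F0/1 would never see LAN-to-server-farm traffic.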