New Member

Access-list Process-Urgent Help Please

Dear All,

My question here in this forum is about the process of:-

1- Which interface should I apply this access-list to?

2- In which direction on the selected interface do I have to apply this access-list? In or out?

Now, my question is here:-

Was I correct in choosing the interface on which I will apply this access-list, or not?

Please read my process of choosing the interface, and tell me if I am correct or not.

I have here my router, an Internet router which is an 1841, with 2 Fast Ethernet interfaces as follows:-

1. Fast Ethernet 0/0:-

Description: connected to my network as MY LAN.

IP address of this interface: 192.168.1.10 / 255.255.255.0

2. Fast Ethernet 0/1:-

Description: connected to the second network in the second building.

IP address of this interface: 172.16.20.10 / 255.255.0.0

3. Serial interface (S 0):-

Description: connected to my server farm, which is in another network.

IP address of this interface: 10.1.8.20 / 255.255.255.0.

> There is no serial interface or any serial connection at all on my 1841 router.

> The Default route on My Router is

> IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20

Now, I want only to deny user 192.168.1.40 access to one server in the server farm, which is OUR POP3 server with this IP: 10.1.8.40 / 24.

As anyone knows, it's an extended access list.

So I wrote it like this:-

Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp

Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3

Router(config)# access-list 102 permit ip any any

Process of choosing the interface:-

1- Which interface should I apply this access-list to?

2- In which direction on the selected interface do I have to apply this access-list? In or out?

To answer, and to understand the answer, for the 2 questions, here is my process:-

First interface F0/0:-

< This is the originating interface, and there is no need to apply the ACLs on it, whether inbound or outbound >, so F0/0 is not the correct interface to apply the ACLs on.

Second interface F0/1:-

< This is the second interface, and it has inbound / outbound directions. If I enable the ACL on this interface in the inbound direction, it will enter because nothing matches the condition; also, there is no need to put it in the OUTBOUND direction, because it will not get out from this interface, or there is no matching condition on it. >

Third interface S0:-

Also, I have to look at the routes on the router; I will find that everything is routed to interface Serial 0, and if I enable the ACL in the inbound direction, it will stop the traffic from entering the interface < it will only block it from entering the interface if the conditions occur >, so there is no need on the inbound, but on the outbound it will work.

So, the final answer will be as follows:-

1- Which interface should I apply this access-list to?

( Serial 0 ).

2- In which direction on the selected interface do I have to apply this access-list? In or out?

( Outbound ).

Was I correct or not? Please, someone update me.

2 REPLIES
Bronze

Re: Access-list Process-Urgent Help Please

Hi

Your solution is correct.

You should place the ACL nearer to the destination because you're using an extended ACL.

Serial Interface ( S 0 ).

Place the ACL in out direction

Always rate the post..

HTH

Raj

Blue

Re: Access-list Process-Urgent Help Please

Your 102 access list is not completely correct. Try the following and apply it to the interface 'outbound' where the packet flows from to get to the destination.

(as close to the source as possible)

ie:

access-list 102 deny tcp host 192.168.1.40 host 10.1.8.40 eq smtp

access-list 102 deny tcp host 192.168.1.40 host 10.1.8.40 eq pop3

access-list 102 permit ip any any

I think it is a better practice to put the ACL as close to the source as possible. Why have traffic traverse all the links required to get to a destination if, at the destination, the traffic is going to be dropped?

(if you have a choice, the ACL should be placed as close to the source as possible)

(allow only traffic you want and deny traffic you don't want from the source. save the network resources for traffic that actually has to use them)
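As an added illustration, not code from this thread, here is a small Python model of how IOS evaluates the extended ACL above and of which interface/direction actually sees the 192.168.1.40 -> 10.1.8.40 packet. It assumes the three networks exactly as the OP listed them and a default route toward S0; note that `192.168.1.40 0.0.0.0` and `host 192.168.1.40` match the same packets, so both versions of ACL 102 posted above behave identically.

```python
import ipaddress

PORTS = {"smtp": 25, "pop3": 110}          # port names used in the thread

INTERFACES = {                              # networks as the OP described them (assumed)
    "FastEthernet0/0": ipaddress.ip_network("192.168.1.0/24"),
    "FastEthernet0/1": ipaddress.ip_network("172.16.0.0/16"),
    "Serial0": ipaddress.ip_network("10.1.8.0/24"),
}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _addr(tokens):
    """Consume one address spec: 'host X' == 'X 0.0.0.0', 'any' == '0.0.0.0 255.255.255.255'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)

def parse_ace(line):
    """Parse one extended-ACL entry into (action, proto, src, dst, dport-or-None)."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                 # drop "access-list 102"
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _addr(tokens), _addr(tokens)
    port = None
    if tokens and tokens[0] == "eq":
        port = PORTS.get(tokens[1]) or int(tokens[1])
    return action, proto, src, dst, port

def acl_action(acl, proto, src, dst, dport):
    """First matching entry wins; every ACL ends with an implicit 'deny'."""
    for line in acl:
        action, p, (sb, sw), (db, dw), port = parse_ace(line)
        if p in ("ip", proto) and wildcard_match(src, sb, sw) \
                and wildcard_match(dst, db, dw) and port in (None, dport):
            return action
    return "deny"

def acl_is_consulted(iface, direction, src, dst):
    """Does an ACL bound to (iface, 'in'|'out') ever see a src->dst packet on this router?"""
    where = lambda ip: next((i for i, n in INTERFACES.items()
                             if ipaddress.ip_address(ip) in n), "Serial0")  # default route -> S0
    return iface == (where(src) if direction == "in" else where(dst))
```

Both F0/0 inbound (closest to the source, as the second reply suggests) and S0 outbound (the OP's choice) see the packet; F0/1 never does in either direction, which is why an ACL bound there has no effect.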
