Cisco Support Community
Community Member

ACL Question

I have a simple question.

When we apply an ACL inbound on an interface, does it mean the traffic is also allowed outbound, on a firewall or router?

Accepted Solution

Re: ACL Question

Hi

You apply the ACL in whichever direction you choose, i.e.

IOS

For inbound:

ip access-group <acl-name> in

For outbound:

ip access-group <acl-name> out

PIX/ASA/FWSM

For inbound:

access-group <acl-name> in interface <interface-name>

For outbound:

access-group <acl-name> out interface <interface-name>

7 REPLIES

Community Member

Re: ACL Question

Thx Adam

Community Member

Re: ACL Question

Sorry, one more question.

Let's say I have an FTP server in the inside LAN; I want inside users to be able to access it, and outside users to be able to access it as well.

What should the ACL be?

Re: ACL Question

I will need a bit more information for this.

1. Is this passive or active FTP?

(A link explaining the difference, in case you are unsure: http://www.slacksite.com/other/ftp.html)

2. Does the FTP server have a public address, or is NAT involved?

If the inside users are on the same subnet as the FTP server, then ACLs will not prevent access.

Community Member

Re: ACL Question

1. Active

2. NAT

Inside users are in a different subnet.

Re: ACL Question

This is IOS.

I am guessing interface/ACL names, so just substitute your own.

I am using 1.1.1.2 as the public IP of your FTP server (used in your NAT).

I am also assuming you only have an ACL applied inbound on your 'outside' interface.

access-list outside_in permit tcp any host 1.1.1.2 eq 21
access-list outside_in permit tcp any host 1.1.1.2 eq 20

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip access-group outside_in in

Apply a similar ACL with the IP address of your local subnet as the source.

Let's say the source of your local network is 192.168.1.0 255.255.255.0 and the internal address of your FTP server is 192.168.2.2.

Here is the ACL which goes on the interface belonging to subnet 192.168.2.0/24:

access-list dmz_in permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 20
access-list dmz_in permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 21

interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip access-group dmz_in in

Did you need ASA? If so, change the wildcard masks to subnet masks, i.e.

192.168.1.0 255.255.255.0 instead of 192.168.1.0 0.0.0.255
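As an added illustration (not code from this thread or from Cisco): a small Python model of the two points made above, namely that an access-list entry can be written with an IOS wildcard mask or an ASA subnet mask and means the same thing, and that an ACL bound with "in" on an interface filters only that direction (the original question). The Ace/parse_ace/evaluate/check names, the handling of the ASA "extended" keyword, and the interface and client addresses used when calling it are my assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: object  # int, or None for any destination port

def _addr(tokens, asa):
    """Consume one address spec ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if not asa:  # IOS wildcard: 0 bits must match, so invert it into a netmask
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network((addr, mask), strict=False), tokens[2:]

def parse_ace(line, asa=False):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[2] == "extended":  # ASA spelling of the same entry (assumed keyword handling)
        del t[2]
    src, rest = _addr(t[4:], asa)
    dst, rest = _addr(rest, asa)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return t[1], Ace(t[2], t[3], src, dst, dport)

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and ace.dport in (None, dport)):
            return ace.action
    return "deny"

def check(bindings, iface, direction, proto, src_ip, dst_ip, dport):
    """'ip access-group NAME in|out' binds an ACL to one (interface, direction);
    traffic in the other direction is not filtered unless its own ACL is bound."""
    acl = bindings.get((iface, direction))
    return "permit" if acl is None else evaluate(acl, proto, src_ip, dst_ip, dport)
```

Feeding it the outside_in entries from this reply, bound only as ("FastEthernet0/0", "in"), permits TCP/21 and TCP/20 to 1.1.1.2 inbound, denies TCP/22 inbound, and leaves outbound traffic on that interface unfiltered.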

Community Member

Re: ACL Question

Thx Adam
