03-05-2009 04:56 AM - edited 03-06-2019 04:24 AM
I have a simple question:
When we apply an ACL to an interface, does it mean it is allowed for outbound also, in a firewall or router?
03-05-2009 05:14 AM
Hi
You apply the ACL in whichever direction you choose, i.e.
IOS
For inbound
access-group
For outbound
access-group
PIX/ASA/FWSM
For inbound
access-group
For outbound
access-group
03-05-2009 05:45 AM
Thx Adam
03-05-2009 05:49 AM
Sorry,
one more question.
Let's say I have an FTP server in the inside LAN; I want inside users to be able to access it and also outside users to access it.
What should the ACL be?
03-05-2009 06:29 AM
I will need a bit more information for this.
1. Is this passive or active FTP?
(A link to the differences, in case you are unsure:
http://www.slacksite.com/other/ftp.html)
2. Does the FTP server have a public address, or is NAT involved?
If the inside users are on the same subnet as the FTP server, then ACLs will not prevent access.
03-05-2009 07:07 AM
1. Active
2. NAT
Inside users are in a different subnet.
03-05-2009 07:35 AM
This is IOS.
I am guessing interface/ACL names, so just substitute your own.
I am using 1.1.1.2 as the public IP of your FTP server (used in your NAT).
I am also assuming you only have an ACL applied inbound on your 'outside' interface.
ip access-list extended outside_in
 remark FTP control channel to the server's public (NAT) address
 permit tcp any host 1.1.1.2 eq 21
 remark client replies to the active-mode data channel the server opens from port 20
 permit tcp any host 1.1.1.2 eq 20
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip access-group outside_in in
Apply a similar ACL with the IP address of your local subnet as the source.
Let's say the source of your local network is 192.168.1.0 255.255.255.0 and the internal address of your FTP server is 192.168.2.2.
Here is the ACL which goes on the interface belonging to subnet 192.168.2.0/24:
ip access-list extended dmz_in
 remark inside LAN to the FTP server's internal address: data (20) and control (21)
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 20
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 21
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 remark-free note: applied outbound, since traffic from 192.168.1.0/24 to the server leaves the router through this interface
 ip access-group dmz_in out
Did you need ASA? If so, change the wildcard masks for subnets, i.e.
192.168.1.0 255.255.255.0 instead of 192.168.1.0 0.0.0.255
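As an added illustration, not part of the thread, here is a small Python model of how IOS evaluates entries like the ones above: wildcard-mask matching, first match wins, and the implicit deny at the end. The ACL text is a constructed copy of the entries in the answer, and the outside client address 203.0.113.5 is an assumption; the model shows why the active/passive question matters, because a passive-mode data connection to an ephemeral server port matches nothing and hits the implicit deny.

```python
import ipaddress
# Constructed copies of the entries from the post, in IOS wildcard-mask form.
OUTSIDE_IN = ["permit tcp any host 1.1.1.2 eq 21",
              "permit tcp any host 1.1.1.2 eq 20"]
DMZ_IN = ["permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 20",
          "permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 21"]

def parse_addr(tokens):
    """Consume one IOS address spec; return (network, wildcard) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_port(tokens):
    """Optional 'eq N' after an address; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_ace(line):
    """Split one access-list entry into action, protocol, src/dst specs and ports."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = parse_addr(tokens), parse_port(tokens)
    dst, dport = parse_addr(tokens), parse_port(tokens)
    return action, proto, src, sport, dst, dport

def wc_match(addr, net, wildcard):
    """Wildcard mask: 1 bits are 'don't care', so only the 0 bits are compared."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def evaluate(acl, proto, src, sport, dst, dport):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for line in acl:
        action, aproto, (snet, swc), asport, (dnet, dwc), adport = parse_ace(line)
        if aproto in (proto, "ip") and wc_match(src, snet, swc) \
                and wc_match(dst, dnet, dwc) \
                and asport in (None, sport) and adport in (None, dport):
            return action
    return "deny"

if __name__ == "__main__":
    client = "203.0.113.5"  # assumed outside client address
    print("control (to :21)       :", evaluate(OUTSIDE_IN, "tcp", client, 40000, "1.1.1.2", 21))
    print("active data (to :20)   :", evaluate(OUTSIDE_IN, "tcp", client, 40001, "1.1.1.2", 20))
    print("passive data (to :50123):", evaluate(OUTSIDE_IN, "tcp", client, 40002, "1.1.1.2", 50123))
```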
03-07-2009 07:13 PM
Thx Adam