
ACL Question

gandhi.ganesh
Level 1

I have a simple question.

When we apply an ACL to an interface, does it mean it is allowed for outbound also on a firewall or router?

7 Replies

adamclarkuk_2
Level 4

Hi

You apply the ACL in whichever direction you choose, i.e.

IOS

For inbound

access-group in

For outbound

access-group out

PIX/ASA/FWSM

For inbound

access-group in interface

For outbound

access-group out interface

Thx Adam

Sorry,

one more question.

Let's say I have an FTP server in the inside LAN; I want inside users to be able to access it, and outside users should be able to access it as well.

What should the ACL be?

I will need a bit more information for this.

1. Is this passive or active FTP?

(A link explaining the differences, in case you are unsure: http://www.slacksite.com/other/ftp.html)

2. Does the FTP server have a public address, or is NAT involved?

If the inside users are on the same subnet as the FTP server, then ACLs will not prevent access.

1. active

2. NAT

Inside users are in a different subnet.

This is IOS

I am guessing interface/ACL names, so just substitute your own.

I am using 1.1.1.2 as the public IP of your FTP server (used in your NAT).

I am also assuming you only have an ACL applied inbound on your 'outside' interface.

access-list outside_in permit tcp any host 1.1.1.2 eq 21

access-list outside_in permit tcp any host 1.1.1.1 eq 20

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip access-group outside_in in

Apply a similar ACL with the IP address of your local subnet as the source.

Let's say the source of your local network is 192.168.1.0 255.255.255.0 and the internal address of your FTP server is 192.168.2.2.

Here is the ACL which goes on the interface belonging to subnet 192.168.2.0/24:

access-list dmz_in permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 20

access-list dmz_in permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 21

interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip access-group dmz_in in

Did you need ASA? If so, change the wildcard masks for subnets, i.e.

192.168.1.0 255.255.255.0 instead of 192.168.1.0 0.0.0.255

Thx Adam
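Here is an added example (not from the thread or from Cisco) that models what the replies above describe: ACLs are bound per interface and per direction, evaluated first match wins with an implicit deny at the end, and an ACL bound "in" never sees traffic leaving that interface. It reuses the thread's outside_in entry and the IOS wildcard form from Adam's last reply; the interface name "outside" and the client address 203.0.113.9 are assumptions.

```python
import ipaddress

# Constructed example (not from the thread): evaluates IOS-style extended ACL
# lines bound per interface and direction, showing an ACL applied "in" never
# filters traffic leaving that interface, and that unmatched traffic is denied.

def parse_wildcard(addr, wildcard):
    """IOS wildcard mask (inverted netmask) -> IPv4Network; ASA uses a netmask."""
    inverted = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(inverted))))

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host X' or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return parse_wildcard(tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    acls = {}
    for line in text.strip().splitlines():
        _, name, action, proto, *rest = line.split()
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls

def evaluate(entries, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, proto, src, dst, port in entries:
        if (pkt["proto"] == proto and pkt["src"] in src and pkt["dst"] in dst
                and (port is None or pkt["dport"] == port)):
            return action
    return "deny"

def filter_packet(bindings, acls, iface, direction, pkt):
    """bindings maps (interface, 'in'|'out') -> ACL name; 'in' means entering
    the router on that interface. A direction with no ACL bound is not filtered."""
    name = bindings.get((iface, direction))
    return "permit" if name is None else evaluate(acls[name], pkt)

def pkt(src, dst, dport, proto="tcp"):
    return {"proto": proto, "src": ipaddress.IPv4Address(src),
            "dst": ipaddress.IPv4Address(dst), "dport": dport}

ACLS = parse_acl("access-list outside_in permit tcp any host 1.1.1.2 eq 21")
BINDINGS = {("outside", "in"): "outside_in"}  # inbound only, as in the thread
```

With only an inbound ACL bound, a reply leaving the outside interface is passed untouched, while an inbound connection to any port other than 21 hits the implicit deny.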
