Cisco Support Community
Community Member

Access List/Group

I kind of get confused with applying access lists, either as in or out on interfaces. Is there someone that can explain it really well?

Trying to add access-list 101 permit tcp any x.x.x.x eq 80 to fa0/0 on our LAN. The aim is to allow anyone from the internet to get through to the server (x.x.x.x) only via port 80.

So do I apply as

ip access-group 101 in or ip access-group in

Thanks

5 REPLIES
Community Member

Re: Access List/Group

Hello,

The in and out are from the router's perspective, so applying in on your LAN interface is traffic from the LAN into the router; likewise outbound would be from the router to the LAN.

Placement of an access list is important, and it should be placed close to the source of traffic. So it would be best to have an inbound access list on the interface connecting to the internet.

Hope this helps

Community Member

Re: Access List/Group

Thanks

So in this case I should have

int s0/0
 ip address x.x.x.x

int fa0/0
 ip address x.x.x.x
 ip access-group 102 out

So every packet will be read by the router before going OUT via the fa0/0 int onto the LAN?

Is this correct?

We do not want to place it on the int s0/0 interface

Thanks

Re: Access List/Group

ip access-group xxx IN.

Think of the flow of traffic, in as in coming from external and passing through the interface to the internal side and out is from inside to outside via that interface.

Re: Access List/Group

Yes that's correct...??? out as in traffic passing out the interface and in as traffic is coming in the interface (input queue side).

Community Member

Re: Access List/Group

Thanks. It worked.
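
Added example, not part of the original thread: a small Python model of how a router checks an interface ACL in each direction, comparing the thread's ACL 101 applied "in" on s0/0 with "out" on fa0/0. The addresses are constructed documentation-range stand-ins for x.x.x.x, and the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

SERVER = "192.0.2.10"  # constructed stand-in for the thread's x.x.x.x
# Models: access-list 101 permit tcp any host 192.0.2.10 eq 80
ACL_101 = [("permit", "tcp", "0.0.0.0/0", SERVER + "/32", 80)]

def acl_permits(acl, pkt):
    """First matching entry decides; no match hits the implicit deny."""
    for action, proto, src, dst, dport in acl:
        if (pkt["proto"] == proto
                and ip_address(pkt["src"]) in ip_network(src)
                and ip_address(pkt["dst"]) in ip_network(dst)
                and pkt["dport"] == dport):
            return action == "permit"
    return False

def forward(pkt, bindings):
    """bindings maps (interface, direction) to an ACL, like 'ip access-group'."""
    acl = bindings.get((pkt["in_if"], "in"))    # checked on arrival, before routing
    if acl is not None and not acl_permits(acl, pkt):
        return "dropped in on " + pkt["in_if"]
    acl = bindings.get((pkt["out_if"], "out"))  # checked after routing, on the way out
    if acl is not None and not acl_permits(acl, pkt):
        return "dropped out on " + pkt["out_if"]
    return "forwarded"

def pkt(src, dst, dport, in_if, out_if):
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport,
            "in_if": in_if, "out_if": out_if}

# Constructed sample traffic (documentation address ranges)
PACKETS = {
    "internet->server:80": pkt("198.51.100.7", SERVER, 80, "s0/0", "fa0/0"),
    "internet->server:22": pkt("198.51.100.7", SERVER, 22, "s0/0", "fa0/0"),
    "server reply->internet": pkt(SERVER, "198.51.100.7", 50000, "fa0/0", "s0/0"),
    "reply to a LAN PC's browsing": pkt("203.0.113.5", "192.0.2.20", 50001, "s0/0", "fa0/0"),
}

def evaluate(bindings):
    """Return the verdict for every sample packet under the given ACL bindings."""
    return {name: forward(p, bindings) for name, p in PACKETS.items()}

if __name__ == "__main__":
    for label, b in (("101 in on s0/0", {("s0/0", "in"): ACL_101}),
                     ("101 out on fa0/0", {("fa0/0", "out"): ACL_101})):
        print(label)
        for name, verdict in evaluate(b).items():
            print("  %-30s %s" % (name, verdict))
```

Both placements pass and drop the same transit packets; the difference is whether the drop happens on arrival at s0/0 or after routing, on the way out of fa0/0. Because the single permit line is followed by an implicit deny, replies to connections opened by other LAN hosts are dropped as well.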
