Access-lists source and destination

gastamant
Level 1

On extended access-list statements, what is considered the source address and what is considered the destination address? For instance, is the source coming from the WAN interface or the Ethernet interface?

3 Replies

MickPhelps
Level 1

Source and destination are dependent upon direction.

For example: client=10.1.1.1 server=11.1.1.1

interface ethernet0
 ip address 10.1.1.2 255.255.255.0
 ip access-group 101 in
!
interface ethernet1
 ip address 11.1.1.2 255.255.255.0
 ip access-group 102 in
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 11.1.1.0 0.0.0.255
access-list 102 permit ip 11.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255

In this case, a packet entering interface E0 (from client to server) will be checked against access-list 101. If the source address of this packet matches 10.1.1.?? and the destination address of this packet matches 11.1.1.?? then permit the packet and deny all others.

A packet entering interface E1 (from server to client) will be checked against access-list 102. If the source address of this packet matches 11.1.1.?? and the destination address of this packet matches 10.1.1.?? then permit this packet and deny all others.

Mick.

So, in this case the source address is the user/server that sits on the Ethernet LAN. What about if the access-list is applied to the serial (WAN) interface?

The source address is where the packet came from and the destination address is where the packet is going.

If you put an INBOUND access-list on a WAN interface, the destination address would be something on your side of the WAN... the source would be something on the other side of the WAN. If you put an OUTBOUND access-list on a WAN interface, the source and destination are reversed.

Mick.
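To make both of Mick's answers concrete, here is a small evaluator for Cisco-style extended ACLs. It is an added example, not code from the thread or from Cisco: it re-reads the two access-lists from the first reply exactly as posted, then adds a constructed WAN case for the second reply, with 203.0.113.0/24 (a documentation range) assumed as the far side of the serial link and ACL numbers 110 and 111 chosen here. The point it demonstrates is that the source and destination fields in the packet never change; what changes with "in" versus "out" is which side of the router those addresses belong to, which is also why an inbound WAN list can drop packets that claim an inside source address.

```python
"""Tiny evaluator for Cisco-style numbered extended ACLs (protocol 'ip' only).

Constructed example, not from the thread. Supported entries look like
  access-list N permit|deny ip SRC DST
where SRC/DST is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_addr(tokens: list[str]) -> tuple[str, str]:
    """Consume one address spec from the front of tokens; return (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


@dataclass
class Ace:
    action: str
    src: tuple[str, str]
    dst: tuple[str, str]


def parse_acl(lines: list[str]) -> dict[str, list[Ace]]:
    """Group 'access-list N permit|deny ip SRC DST' lines by ACL number, in order."""
    acls: dict[str, list[Ace]] = {}
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        number, action = tokens[1], tokens[2]
        rest = tokens[4:]
        src = parse_addr(rest)
        dst = parse_addr(rest)
        acls.setdefault(number, []).append(Ace(action, src, dst))
    return acls


def evaluate(acl: list[Ace], src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if wildcard_match(src_ip, *ace.src) and wildcard_match(dst_ip, *ace.dst):
            return ace.action
    return "deny"  # the implicit 'deny ip any any' at the end of every Cisco ACL


# The two ACLs from the first reply, verbatim. 101 is 'in' on ethernet0 (client
# side), 102 is 'in' on ethernet1 (server side).
LAN_ACLS = parse_acl([
    "access-list 101 permit ip 10.1.1.0 0.0.0.255 11.1.1.0 0.0.0.255",
    "access-list 102 permit ip 11.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
])

# Constructed WAN case for the second reply (numbers and 203.0.113.0/24 are
# assumptions). 110 is 'in' on the serial interface: sources are on the far
# side, so a packet arriving there with an inside source address is spoofed.
# 111 is 'out' on the same interface: now the sources are on our side.
WAN_ACLS = parse_acl([
    "access-list 110 deny ip 10.1.1.0 0.0.0.255 any",
    "access-list 110 permit ip 203.0.113.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 111 permit ip 10.1.1.0 0.0.0.255 203.0.113.0 0.0.0.255",
])

if __name__ == "__main__":
    cases = [
        ("101 in  e0, client -> server", LAN_ACLS["101"], "10.1.1.1", "11.1.1.1"),
        ("102 in  e1, server -> client", LAN_ACLS["102"], "11.1.1.1", "10.1.1.1"),
        ("110 in  serial, remote -> us", WAN_ACLS["110"], "203.0.113.10", "10.1.1.1"),
        ("110 in  serial, spoofed inside src", WAN_ACLS["110"], "10.1.1.1", "203.0.113.10"),
        ("111 out serial, us -> remote", WAN_ACLS["111"], "10.1.1.1", "203.0.113.10"),
    ]
    for label, acl, s, d in cases:
        print(f"{label:38} {s:>13} -> {d:<13} {evaluate(acl, s, d)}")
```

Running it shows the client-to-server packet permitted by 101 and the reply permitted by 102, while on the serial interface the same inside address is a legitimate destination inbound and a legitimate source outbound, and a packet that arrives inbound already carrying an inside source address is denied by the first line of 110.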
