Cisco Support Community

New Member

Access-lists source and destination

On extended access-list statements, what is considered the source address and what is considered the destination address? For instance, is the source coming from the WAN interface or the Ethernet interface?

3 REPLIES
New Member

Re: Access-lists source and destination

Source and destination are dependent upon direction.

For example: client=10.1.1.1 server=11.1.1.1

interface ethernet0
 ip address 10.1.1.2 255.255.255.0
 ip access-group 101 in
!
interface ethernet1
 ip address 11.1.1.2 255.255.255.0
 ip access-group 102 in
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 11.1.1.0 0.0.0.255
access-list 102 permit ip 11.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255

In this case, a packet entering interface E0 (from client to server) will be checked against access-list 101. If the source address of this packet matches 10.1.1.?? and the destination address of this packet matches 11.1.1.?? then permit the packet and deny all others.

A packet entering interface E1 (from server to client) will be checked against access-list 102. If the source address of this packet matches 11.1.1.?? and the destination address of this packet matches 10.1.1.?? then permit this packet and deny all others.

Mick.

New Member

Re: Access-lists source and destination

So, in this case the source address is the user/server that sits on the Ethernet LAN. What about if the access-list is applied to the serial (WAN) interface?

New Member

Re: Access-lists source and destination

The source address is where the packet came from and the destination address is where the packet is going.

If you put an INBOUND access-list on a WAN interface, the destination address would be something on your side of the WAN... the source would be something on the other side of the WAN. If you put an OUTBOUND access-list on a WAN interface, the source and destination are reversed.

Mick.
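
Added example, not part of any reply in this thread: a small Python model of the two inbound access lists from the example configuration above, showing that the interface and direction only select which list is checked, while each entry always compares its first address pair with the packet's source and its second with the destination. The function names and the sample packets are constructed for illustration, and only the `permit ip` entry form used in the thread is parsed.

```python
import ipaddress

# The two ACL lines and interface bindings from the thread's example config.
ACL_LINES = [
    "access-list 101 permit ip 10.1.1.0 0.0.0.255 11.1.1.0 0.0.0.255",
    "access-list 102 permit ip 11.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
]
INBOUND_ACL = {"ethernet0": "101", "ethernet1": "102"}  # ip access-group N in


def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line):
    """Parse only the form used in the thread:
    access-list N permit|deny ip SRC SRC_WILDCARD DST DST_WILDCARD"""
    t = line.split()
    return {"acl": t[1], "action": t[2], "src": (t[4], t[5]), "dst": (t[6], t[7])}


def check_inbound(interface, src, dst):
    """Return the action for a packet arriving on `interface`.

    The first address pair of each entry is always compared with the packet's
    source and the second with its destination; the interface and direction
    only decide which list is consulted.
    """
    acl_id = INBOUND_ACL[interface]
    for ace in map(parse_ace, ACL_LINES):
        if ace["acl"] != acl_id:
            continue
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"]
    return "deny"  # implicit deny at the end of every access list


if __name__ == "__main__":
    # Constructed sample packets: (arrival interface, source, destination)
    for pkt in [("ethernet0", "10.1.1.1", "11.1.1.1"),   # client -> server
                ("ethernet1", "11.1.1.1", "10.1.1.1"),   # server -> client
                ("ethernet1", "10.1.1.1", "11.1.1.1"),   # client source on E1
                ("ethernet0", "10.1.2.9", "11.1.1.1")]:  # outside 10.1.1.0/24
        print(pkt, "->", check_inbound(*pkt))
```

The third sample packet is denied: a packet carrying the client's source address but arriving on ethernet1 is checked against list 102, whose source pair is 11.1.1.0 0.0.0.255, so it falls through to the implicit deny.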
