Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

access-list Command

If the system architecture is like this: Pix (501) and PCs attached to it. The PCs on the same subnet of 192.168.1.0 255.255.255.0. And a remote PC is to be assign a subnet of 10.10.10.0 255.255.255.0, once it is connected to the Pix via VPN.

For a simplized access-list command, it will be like this:

access-list ID permit ip {source_addr source_mask } {destination_addr} {destination_mask }

1)What should be the source address?

2)What should be the destination address?

Or I mean how should we define the source and destination? {Which direction should I look at :) }

Thanks to help.

Scott

4 REPLIES
Cisco Employee

Re: access-list Command

Hi,

Where do you expect to process the traffic?

If you want to restrict traffic from inside users to public networks the src shoud be any computer on the trusted network.

Example:

access-list outbound permit tcp host 192.168.1.2 any eq 80

access-list outbound permit udp host 192.168.1.2 any eq 53

access-list outbound deny ip any any

access-group outbound in interface inside

Hope it helps

Franco

New Member

Re: access-list Command

Thanks for the response. This is a remote PC(Cisco VPN Client) to the PIX 501 case. The Pix inside and the computers connected to the Pix are in the subnet of 192.168.1.0 255.255.255.0; While the remote PC will be assigned 10.10.10.0 255.255.255.0, once it successfully opened the VPN channel.

But I am confused which should be the source and which should be the destination?

Thanks again.

Scott

Re: access-list Command

Basicly SRC = any IP address or network on the interface that the access-list is applied on and Destination is the IP address that the traffic will be forwarded to (other interfaces).

Example if you have an access-list on the inside interface and you want just to permit outgoing http and DNS traffic then it would look like that:

IP inside interface = 192.168.1.1

IP Network Inside = 192.168.1.0/24

access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq 80

access-list inside permit udp 192.168.1.0 255.255.255.0 any eq 53

access-group inside in interface inside

Now another example you want to allow any user on the internet to access your Email server with smtp. So the SRC is any because it could be any IP on the outside interface and the DST is internal Mail server Public IP because we will do Network address transaltion NAT after the access-list verification.

example:

access-list outside permit tcp any host MailServer-Public eq 25

access-group outside in interface outside

sincerely.

Patrick

New Member

Re: access-list Command

Thanks for the response. But it does not answer my question. My case is: a remote PC(Cisco VPN Client) to access the inside of PIX 501.

The Pix inside and the computers connected to the Pix are in the subnet of 192.168.1.0 255.255.255.0; While the remote PC will be assigned 10.10.10.0 255.255.255.0, once it successfully opened the VPN channel.

This is the statement I used:

access-list 101 permit ip 192.168.1.0 255.255.255.0

10.10.10.0 255.255.255.0

vpngroup MyVPN split-tunnel 101

And it works. I can connect and access to the inside of the Pix, for instance, I can launch the PDM from the inside of the pix.

But I am confused which should be the source and which should be the destination? My understanding is the remote PC (the VPN client) should be the

source while the Pix inside interface should be the destination. Is this a correct understanding? If so, then how can I put Pix inside (192.168.1.0 255.255.255.0) at the source position and the remote PC (10.10.10.0 255.255.255.0) at the destination position, and it works?

Thanks again.

Scott

271
Views
2
Helpful
4
Replies
CreatePlease login to create content