
Access-List Process - Urgent Help

mmtantawi
Level 1

Dear All,

My question in this forum is about the process of:

1- Which interface should I apply this access-list to?

2- In which direction on the selected interface do I have to apply this access-list? In or out?

Now, my question is this:

Was I correct in choosing the interface to which I will apply this access-list or not?

Please read my process of choosing the interface, and tell me whether I am correct or not.

My router here is an 1841, used as the Internet router, with 2 Fast Ethernet interfaces as follows:

1. Fast Ethernet 0/0:

Description: connected to my network as MY LAN.

IP address of this interface: 192.168.1.10 / 255.255.255.0

2. Fast Ethernet 0/1:

Description: connected to the second network in the second building.

IP address of this interface: 172.16.20.10 / 255.255.0.0

3. Serial interface (S0).

Description: connected to my server farm, which is in another network.

IP address of this interface: 10.1.8.20 / 255.255.255.0.

> There is no serial interface or serial connection at all on my 1841 router.

> The default route on my router is

> IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20

Now, I only want to deny user 192.168.1.40 access to one server in the server farm, which is our POP3 server, with the IP 10.1.8.40/24.

As anyone knows, it's an extended access list.

So I wrote it like this:

Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp

Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3

Router(config)# access-list 102 permit ip any any

Process of choosing the interface:

1- Which interface should I apply this access-list to?

2- In which direction on the selected interface do I have to apply this access-list? In or out?

To answer the 2 questions, and to understand the answer, here is my process:

First interface F0/0:

< this is the originating interface, and there is no need to apply the ACLs on it, whether inbound or outbound >, so F0/0 is not the correct interface to apply the ACLs on.

Second interface F0/1:

< this is the second interface, and it has an inbound / outbound direction. If I enable the ACL on this interface in the inbound direction, it will enter because nothing matches the condition. Also, there is no need to apply it in the outbound direction, because it will not get out from this interface, or there is no match condition on it.

Third interface S0:

Also, I have to look at the route on the router, and I will find that everything will route to interface Serial/0. If I enable the ACL in the inbound direction, it will stop the traffic from entering the interface < it will only stop it from entering the interface if the conditions occur >, so there is no need on the inbound, but on the outbound it will work.

So, the final answer will be as follows:

1- Which interface should I apply this access-list to?

( Serial/0 ).

2- In which direction on the selected interface do I have to apply this access-list? In or out?

( Outbound ).

Was I correct or not? Could someone please update me?


wdrootz
Level 4

The access-list can be applied in any direction depending on the requirement. As per the scenario you have given, the access-list has to be applied in the inbound direction. It is called an inbound access-list.
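
An added example, not part of either post: a small Python model of how access-list 102 from the question is evaluated (top-down, first match wins, wildcard masks, implicit deny) and of the fact that a list is only consulted for traffic crossing the interface and direction it is bound to. The inbound binding on FastEthernet0/0 is an assumption made for illustration, as are all function names.

```python
import ipaddress

PORTS = {"smtp": 25, "pop3": 110}   # IOS port keywords used in the question

def ip(a):
    return int(ipaddress.ip_address(a))

def take(tok):
    """Consume one address spec; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (ip(tok[1]), 0), tok[2:]
    return (ip(tok[0]), ip(tok[1])), tok[2:]   # address followed by wildcard mask

def parse_ace(line):
    """Parse 'access-list N <action> <proto> <src> <dst> [eq <port>]'."""
    action, proto, *tok = line.split()[2:]     # drop 'access-list N'
    src, tok = take(tok)
    dst, tok = take(tok)
    port = (PORTS.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def hit(addr, base, wildcard):
    # Wildcard bit 1 = don't care, bit 0 = must match.
    return (ip(addr) | wildcard) == (base | wildcard)

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, p, s, d, port in acl:
        if p in ("ip", proto) and hit(src, *s) and hit(dst, *d) and port in (None, dport):
            return action
    return "deny"

ACL_102 = [parse_ace(line) for line in (
    "access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp",
    "access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3",
    "access-list 102 permit ip any any",
)]

# Assumption: the list is bound inbound on the interface facing the source LAN.
BINDINGS = {("FastEthernet0/0", "in"): ACL_102}

def forward(in_if, out_if, proto, src, dst, dport):
    """Check only the ACLs bound to the ingress (in) and egress (out) interface."""
    for key in ((in_if, "in"), (out_if, "out")):
        if key in BINDINGS and evaluate(BINDINGS[key], proto, src, dst, dport) == "deny":
            return "deny"
    return "permit"
```

Calling `forward("FastEthernet0/0", "server-side", "tcp", "192.168.1.40", "10.1.8.40", 110)` returns `"deny"`, where `server-side` is a made-up egress label; the same packet presented on an interface with no binding is not filtered at all.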
