https://community.cisco.com/t5/network-security/access-list-for-internet/m-p/1249009#M793069 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P>Endende that by creating an outbound access-list we would have another access-list to be read and this would affect the access time to the devices. </P><P></P><P>Am I correct?</P><P></P><P>Thanks for help.</P></BODY></HTML> Tue, 29 Sep 2009 20:54:23 GMT luciano_rangel 2009-09-29T20:54:23Z https://community.cisco.com/t5/network-security/access-list-for-internet/m-p/1249007#M793016 <P>Good afternoon </P><P></P><P>I have a firewall with three interfaces (outside, inside "172.16.0.0/16" and dmz "10.1.1.0/24") and I need access from inside network to internet on port 80 as access-list below. </P><P></P><P>access-list inside_access_in extended permit tcp host 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 eq http</P><P></P><P>What would be the best practice for the machines in network inside dont access others networks on port 80, already destination is any?</P><P></P><P>Create a deny rule in the middle of the example below</P><P>access-list inside_access_in extended deny ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0</P><P>access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 eq http</P><P></P><P>OR</P><P></P><P>Create outbound access-list on interface dmz?</P><P></P><P>Thanks for all</P><P></P> Mon, 11 Mar 2019 16:21:03 GMT https://community.cisco.com/t5/network-security/access-list-for-internet/m-p/1249007#M793016 luciano_rangel 2019-03-11T16:21:03Z https://community.cisco.com/t5/network-security/access-list-for-internet/m-p/1249008#M793040 <HTML><HEAD></HEAD><BODY><P>Luciano</P><P></P><P>Doesn't make a huge amount of difference. Personally i would go with your first example ie. </P><P></P><P>access-list inside_access_in extended deny ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0</P><P>access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 eq http </P><P></P><P>Jon</P></BODY></HTML> Tue, 29 Sep 2009 20:38:33 GMT https://community.cisco.com/t5/network-security/access-list-for-internet/m-p/1249008#M793040 Jon Marshall 2009-09-29T20:38:33Z https://community.cisco.com/t5/network-security/access-list-for-internet/m-p/1249009#M793069 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P>Endende that by creating an outbound access-list we would have another access-list to be read and this would affect the access time to the devices. </P><P></P><P>Am I correct?</P><P></P><P>Thanks for help.</P></BODY></HTML> Tue, 29 Sep 2009 20:54:23 GMT https://community.cisco.com/t5/network-security/access-list-for-internet/m-p/1249009#M793069 luciano_rangel 2009-09-29T20:54:23Z https://community.cisco.com/t5/network-security/access-list-for-internet/m-p/1249010#M793091 <HTML><HEAD></HEAD><BODY><P>Luciano</P><P></P><P>"that by creating an outbound access-list we would have another access-list to be read and this would affect the access time to the devices."</P><P></P><P>Yes but probably not that noticeable. However there is an argument to say drop the traffic on the nearest interface to the source. That way the traffic does not have to go from the inside to the DMZ interface before being dropped. That's why i would go with your first option.</P><P></P><P>Jon</P></BODY></HTML> Tue, 29 Sep 2009 21:04:02 GMT https://community.cisco.com/t5/network-security/access-list-for-internet/m-p/1249010#M793091 Jon Marshall 2009-09-29T21:04:02Z