05-13-2002 06:15 AM - edited 03-01-2019 09:42 PM
I kind of get confused with applying access lists, either as in or out on interfaces. Is there someone who can explain it really well?
Trying to add access-list 101 permit tcp any x.x.x.x eq 80 to fa0/0 on our LAN. The aim is to allow anyone from the internet to get through to the server (x.x.x.x) only via port 80.
So do I apply it as
ip access-group 101 in or ip access-group in
Thanks
05-13-2002 06:26 AM
Hello,
The in and out are from the router's perspective, so applying in on your LAN interface is traffic from the LAN into the router; likewise outbound would be from the router to the LAN.
Placement of an access list is important, and it should be placed close to the source of traffic. So it would be best to have an inbound access list on the interface connecting to the internet.
Hope this helps
05-14-2002 12:34 AM
Thanks
So in this case I should have
int s0/0
ip address x.x.x.x
int fa0/0
ip address x.x.x.x
ip access-group 102 out
So every packet will be read by the router before going OUT via the fa0/0 int onto the LAN?
Is this correct?
We do not want to place it on the int s0/0 interface
Thanks
05-13-2002 06:29 AM
ip access-group xxx IN.
Think of the flow of traffic, in as in coming from external and passing through the interface to the internal side and out is from inside to outside via that interface.
05-14-2002 12:40 AM
Yes that's correct...??? out as in traffic passing out the interface and in as traffic is coming in the interface (input queue side).
05-14-2002 04:52 AM
Thanks. It worked.
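
Added example, not part of the thread: a small Python model of how the direction keyword on ip access-group decides which packets an ACL sees. It assumes s0/0 faces the Internet and fa0/0 faces the LAN; the addresses are constructed placeholders for x.x.x.x, and the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

SERVER = "192.0.2.10"    # constructed placeholder for the thread's x.x.x.x
CLIENT = "198.51.100.7"  # constructed Internet host

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def acl_101(pkt):
    """permit tcp any host SERVER eq 80; everything else hits the implicit deny."""
    return pkt.proto == "tcp" and pkt.dst == SERVER and pkt.dport == 80

@dataclass
class Router:
    # Maps (interface, direction) -> ACL function, like ip access-group.
    access_groups: dict = field(default_factory=dict)

    def forward(self, pkt, ingress, egress):
        """Check the ingress interface's 'in' ACL, then the egress 'out' ACL."""
        for iface, direction in ((ingress, "in"), (egress, "out")):
            acl = self.access_groups.get((iface, direction))
            if acl is not None and not acl(pkt):
                return f"dropped {iface} {direction}"
        return "forwarded"

web_request = Packet(CLIENT, SERVER, "tcp", 80)
telnet_try = Packet(CLIENT, SERVER, "tcp", 23)
server_reply = Packet(SERVER, CLIENT, "tcp", 51000)  # reply to an ephemeral port

def results(iface, direction):
    """Outcome of the three sample packets with ACL 101 at one placement."""
    r = Router({(iface, direction): acl_101})
    return (
        r.forward(web_request, "s0/0", "fa0/0"),   # Internet -> LAN
        r.forward(telnet_try, "s0/0", "fa0/0"),    # Internet -> LAN
        r.forward(server_reply, "fa0/0", "s0/0"),  # LAN -> Internet
    )

if __name__ == "__main__":
    for placement in (("fa0/0", "out"), ("s0/0", "in"), ("fa0/0", "in")):
        print(placement, results(*placement))
```

With the list applied in on fa0/0, Internet traffic never meets it, while the server's replies arriving from the LAN are dropped by the implicit deny.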