12-04-2001 07:34 AM - edited 03-01-2019 07:37 PM
On extended access-list statements, what is considered the source address and what is considered the destination address? For instance, is the source coming from the WAN interface or the Ethernet interface?
12-04-2001 07:47 AM
Source and destination are dependent upon direction.
For example: client=10.1.1.1 server=11.1.1.1
interface ethernet0
 ip address 10.1.1.2 255.255.255.0
 ip access-group 101 in
!
interface ethernet1
 ip address 11.1.1.2 255.255.255.0
 ip access-group 102 in
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 11.1.1.0 0.0.0.255
access-list 102 permit ip 11.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
In this case, a packet entering interface E0 (from client to server) will be checked against access-list 101. If the source address of this packet matches 10.1.1.?? and the destination address of this packet matches 11.1.1.?? then permit the packet and deny all others.
A packet entering interface E1 (from server to client) will be checked against access-list 102. If the source address of this packet matches 11.1.1.?? and the destination address of this packet matches 10.1.1.?? then permit this packet and deny all others.
Mick.
12-04-2001 08:07 AM
So, in this case the source address is the user/server that sits on the Ethernet LAN. What about if the access-list is applied to the serial (WAN) interface?
12-04-2001 08:18 AM
The source address is where the packet came from and the destination address is where the packet is going.
If you put an INBOUND access-list on a WAN interface, the destination address would be something on your side of the WAN... the source would be something on the other side of the WAN. If you put an OUTBOUND access-list on a WAN interface, the source and destination are reversed.
Mick.
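The matching described in this thread, as an added example that is not part of any post: a small Python model that takes the two access-list lines and the two `ip access-group ... in` bindings from the config above and checks packets by source and destination address. The function names are hypothetical, and it models only `permit|deny ip` entries with wildcard masks, first-match evaluation and the implicit deny.

```python
import ipaddress

# ACL lines copied from the config posted above.
CONFIG = """\
access-list 101 permit ip 10.1.1.0 0.0.0.255 11.1.1.0 0.0.0.255
access-list 102 permit ip 11.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
# Bindings from the same config: (interface, direction) -> ACL number.
BINDINGS = {("ethernet0", "in"): 101, ("ethernet1", "in"): 102}

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD' lines only."""
    acls = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] != "access-list" or f[3] != "ip":
            continue
        entry = (f[2], to_int(f[4]), to_int(f[5]), to_int(f[6]), to_int(f[7]))
        acls.setdefault(int(f[1]), []).append(entry)
    return acls

def wild_match(addr, base, wildcard):
    """Wildcard bits set to 1 are 'don't care'; all other bits must equal base."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(acl, src, dst):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    s, d = to_int(src), to_int(dst)
    for action, sbase, swild, dbase, dwild in acl:
        if wild_match(s, sbase, swild) and wild_match(d, dbase, dwild):
            return action
    return "deny"

def check(interface, direction, src, dst, acls=None, bindings=BINDINGS):
    """Filter a packet crossing `interface` in `direction` (in or out)."""
    acls = acls or parse_acls(CONFIG)
    number = bindings.get((interface, direction))
    if number is None:
        return "permit"  # no access-group bound in this direction: not filtered
    return evaluate(acls[number], src, dst)

if __name__ == "__main__":
    print(check("ethernet0", "in", "10.1.1.1", "11.1.1.1"))  # client -> server
    print(check("ethernet1", "in", "11.1.1.1", "10.1.1.1"))  # server -> client
    print(check("ethernet0", "in", "11.1.1.1", "10.1.1.1"))  # wrong side for ACL 101
```

The packet's own source and destination fields never change; what changes is which list is consulted, so the same ACL 101 bound outbound on a WAN interface (passed via the `bindings` argument) would still match traffic sourced from 10.1.1.x.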