ACL and Inspect on Dialer or Ethernet interface?

Hello,

I have an ADSL router over ISDN with Ethernet (inside) on one side and Dialer/ATM (Internet) on the other.

I have an "access-group 102 in" on the Ethernet interface with inspect to control the outgoing traffic, and an "access-group 103 in" that I put on the Dialer interface with inspect to control the incoming traffic.

My question is: is that correct, or should I put access-group 103 on the Ethernet interface (out)?

My configuration is working, but would it be more secure, stable, etc., to have the traffic coming from the Internet checked on the Ethernet interface? (I heard that, but never knew why.)

Thanks for your help.

Gael

1 Reply

fragomez
Level 1

Hi,

Both ways will work. Now, my suggestion is to keep the incoming ACL on the Dialer interface; otherwise you will be allowing traffic through the router, which could be a security hole.

Just think of it this way: if you want to block all incoming traffic from the Internet and you apply the ACL "out" on the Ethernet interface, I will still have access via telnet, SNMP, SSH, HTTP, etc. to the Dialer interface, and I would be able to hack your router.

The rule is: apply the ACL on the interface that is closer to the source.

Let me know if this helps...

Frank
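
The two placements compared in this thread, side by side in Cisco IOS configuration, as an added example that is not from either poster. Only the ACL numbers 102 and 103 come from the thread; the interface names (Ethernet0, Dialer1), the inspection rule name FW, the inside subnet and the ACL entries are assumptions made for illustration.

```cisco
! Constructed example. Interface names, rule name FW, the 192.168.1.0/24
! inside subnet and all ACL entries are assumptions, not the poster's config.
!
! CBAC inspection rule: tracks sessions started from the inside and
! dynamically permits their return traffic through the blocking ACL.
ip inspect name FW tcp
ip inspect name FW udp
!
! ACL 102: what inside hosts are allowed to send out.
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip any any log
!
! ACL 103: nothing unsolicited is accepted from the Internet.
access-list 103 deny   ip any any log
!
! --- Weaker placement (the "out on Ethernet" alternative) ---
! interface Ethernet0
!  ip access-group 103 out
!
! An outbound ACL on Ethernet0 only sees packets the router forwards
! to the inside LAN. Packets addressed to the router itself (telnet,
! SNMP, SSH, HTTP on the Dialer address) terminate on the router and
! never leave through Ethernet0, so ACL 103 is never applied to them.
!
! --- Placement recommended in the reply ---
interface Ethernet0
 ip access-group 102 in
!
interface Dialer1
 ip access-group 103 in
 ip inspect FW out
!
! Here ACL 103 is evaluated as soon as a packet arrives from the
! Internet, before routing, so it covers both traffic to the router's
! own services and traffic to be forwarded to the inside.
```

On a router configured this way, `show ip access-lists 103` shows the hit counter on the deny entry increasing for unsolicited inbound packets, and `show ip inspect sessions` lists the outbound sessions whose return traffic is being allowed.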