02-22-2020 05:33 AM - edited 02-22-2020 06:16 AM
Having the network of the photo below, I want to permit HTTP and deny all access to the server from every device of the network (except the Inter router). I also want to deny all access to Hermes' subnets from all other devices unless ping or traceroute is used.
I don't have a problem writing the ACLs, but I would like to know where the appropriate place to put them is. I read that placing the extended ACL as close to the source as possible saves some bandwidth. So which is the best place to put the ACLs to achieve what I described above?
02-22-2020 05:41 AM
Hello,
In general, you want to place the access list as close to the source(s) as possible. In your case, that would be inbound on interface FastEthernet1/0 on router Bono...
02-22-2020 05:51 AM
FastEthernet 1/0 is the interface of Bono with the router Inter. The interface of Bono with Edge is the serial 3/0 which is covered by another label and is not visible. So you mean the interface of Bono with Edge with the goal of filtering packets both from the devices connected to Edge and from Edge himself?
02-22-2020 06:05 AM
Hello,
I think you need two access lists:
Having the network of the photo below, I want to permit HTTP and deny all access to the server from every device of the network (except the Inter router). --> FastEthernet1/0 inbound Bono
I also want to deny all access to Hermes' subnets from the other devices unless ping or traceroute is used. --> Serial 3/0 inbound Bono (serial interface going to Hermes)
02-22-2020 06:31 AM
Hello, I edited my initial post as I think the example I put in was slightly confusing about the overall goal of the ACLs. You could give it another look if you want.
Now, about the HTTP ACL: isn't the source(s) all the devices except Inter and the server? I thought that the source is the device(s) which is more likely to initiate communication between itself and another device. So having that in mind, I thought that all the other devices are sources and the server S1 is considered the destination. So putting the ACL on FastEthernet 1/0 inbound on router Inter would be the closest possible place to all the source(s), no? I am not defying your opinion as I am new to networks, I am just trying to understand better.
As for the second ACL, I think the example I gave was confusing. Except for Edge's PCs and Edge itself, I also want to deny Bono and D1 access to Hermes' networks unless ping and traceroute are used. With that in mind, where should I place the ACL? Serial 2/0 inbound on Hermes?
02-22-2020 10:55 AM
02-22-2020 05:54 PM - edited 02-22-2020 05:58 PM
@Joseph W. Doherty
Thanks for the valuable insight.
"you might have an ingress ACL on all the routers facing your hosts, but that appears to require you to maintain six instances".
That was my initial purpose but then I thought that I also need to deny all the routers' access to any S1 services except HTTP, because I don't want any device of the network having access to the service of the server and that is when things became complicated. Can a router have access to the HTTP service of the server?
"even a bit better, use an egress ACL on "Bono"'s interface to "Inter". "
I read somewhere that a router does not filter packets that the router itself creates with an outbound ACL, so I can not do that if I want all the devices to be able to access only the server's HTTP service, as Bono would have access to the server's other services as well. Is that correct?
02-23-2020 07:44 AM - edited 02-24-2020 08:56 AM
Ah, yes, overlooked you wanted to block access to all devices, but router "Inter", correct?
BTW, routers are often not as restricted as "ordinary" hosts, as they are considered part of the infrastructure, and I don't recall most routers supporting a web browser (although you could do HTTP via telnet).
That said, if you still want to secure your server from router "Bono", you could block its access on router "Inter". You could block all non-router "Inter" traffic on it, or just block "Bono"'s traffic, while still having "Bono" block other hosts (a little closer to their sources). (Doing the latter is possible, and more "efficient", but makes for a maintenance headache.)
(Yes, I recall [?] you're correct about ACLs not applying to locally sourced traffic.)
02-23-2020 12:19 AM
Hi, as the source of a packet to the server can be anything, we cannot decide on which router to put the ACL, hence we have to apply it on the router close to the server.
1) I want to permit HTTP and deny all access to the server from every device of the network (except the Inter router).
Ans) Apply an ACL allowing port 80 (HTTP) and that's it; the implicit deny will take care of the rest. Use it on interface fa1/0 (Inter), inbound.
The Inter router would be able to send and receive packets to the server, so no issues.
2) I also want to deny all access to Hermes' subnets from all other devices unless ping or traceroute is used.
Permit ICMP alone in an ACL and burn it on interface se2/0 of Hermes, inbound direction.
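As an added example (not posted by anyone in this thread), here is what the two ACLs from the last answer look like in IOS syntax, placed as suggested: inbound on Inter's fa1/0 and inbound on Hermes' Serial2/0. The IP addresses, the two Hermes subnets and the ACL names are assumptions, since the thread gives none (RFC 5737 documentation ranges are used as placeholders). It also goes a bit beyond the answer: it permits the UDP probes that IOS and Linux traceroute send (Windows tracert is the one that uses ICMP), and the return traffic of sessions Hermes' own hosts open, because an inbound ACL on Serial2/0 would otherwise drop those replies too.

```cisco
! Added example, not from this thread. Placeholders (RFC 5737 ranges):
! S1 = 192.0.2.10, Hermes' subnets = 198.51.100.0/24 and 203.0.113.0/24.
! Interface names are the ones mentioned in the thread.
!
! ===== Router Inter: only HTTP may reach S1 =====
! Inbound on the interface where traffic from the rest of the network
! (including router Bono) arrives, so Bono's own packets are filtered as
! well. Inter's locally generated traffic never passes an inbound ACL,
! which is exactly the "except the Inter router" requirement.
ip access-list extended S1-HTTP-ONLY
 remark Web access to S1 from anywhere
 permit tcp any host 192.0.2.10 eq 80
 remark Explicit deny with logging so refused attempts show up in syslog
 deny   ip any host 192.0.2.10 log
 remark Implicit deny follows; if fa1/0 also carries transit traffic that
 remark is not for S1, add a trailing "permit ip any any" or it is dropped
!
interface FastEthernet1/0
 ip access-group S1-HTTP-ONLY in
!
! ===== Router Hermes: only ping/traceroute may enter Hermes' subnets =====
! Inbound on Serial2/0 also sees the *return* traffic of sessions that
! Hermes' own hosts started (e.g. HTTP replies coming back from S1), so
! that return traffic is permitted explicitly ahead of the implicit deny.
ip access-list extended HERMES-ICMP-ONLY
 remark Ping (and Windows tracert) into Hermes' subnets
 permit icmp any 198.51.100.0 0.0.0.255 echo
 permit icmp any 203.0.113.0 0.0.0.255 echo
 remark IOS/Linux traceroute sends UDP probes to 33434-33534, not ICMP
 permit udp any 198.51.100.0 0.0.0.255 range 33434 33534
 permit udp any 203.0.113.0 0.0.0.255 range 33434 33534
 remark Replies to ping/traceroute probes that Hermes' hosts sent outward
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark Return packets of TCP sessions Hermes' hosts opened (ACK or RST set)
 permit tcp any any established
 remark Everything else is dropped by the implicit deny
!
interface Serial2/0
 ip access-group HERMES-ICMP-ONLY in
```

Both ACLs are applied inbound, so the point raised earlier in the thread about outbound ACLs not catching a router's own packets does not bite here: Bono's packets toward S1 are filtered when they arrive at Inter, not when Bono sends them. After applying them, `show ip access-lists` shows per-entry match counters, which is the quickest way to confirm that legitimate HTTP and ping traffic hits the permit lines and that the logged deny is the only thing catching the rest.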