where to apply access-list

I have created the access 128 to allow a host (10.20.1.2) to access a web server (10.10.1.24).

No other hosts from the LAN (10.20.0.0) should be able to access the same web server.
However, all other traffic should be allowed since there are several resources (FTP, email etc) on this web server.

access-list 128 permit tcp host 10.20.1.2 host 10.10.1.24 eq www
access-list 128 deny tcp any host 10.10.1.24 eq www
access-list 128 permit ip any any

The web server is attached to FA0/1 side of the router.
Hosts in 10.20.0.0 are attached to FA0/0 side of the router.

Should I apply access list 128 on
Fa0/1 outbound OR Fa0/0 inbound ?

Thanks

PeiWai

Re: where to apply access-list

Hi PeiWai,

For your requirement, with the flow, I would say apply the ACL in the in direction on port FA(0/0).

webserver ---FA0/1(R1)--FA0/0 --- Host

Apply on FA(0/0) in the in direction.

Hope to help!!

Ganesh.H

Remember to rate the helpful post


Re: where to apply access-list

Pei

Rule of thumb is to always apply ACLs closest to the source if possible, so as Ganesh says, apply it inbound on the host interface, i.e. fa0/0.

Jon
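
The following is an added example, not part of the thread: a small first-match evaluator that parses the three ACL 128 entries from the question and reports which entry decides the fate of a packet arriving from the 10.20.0.0 LAN. It handles only the `any`, `host` and `eq www` forms used in those entries; the function names are hypothetical and the test packets are constructed.

```python
import ipaddress

# ACL 128 exactly as posted in the question.
ACL_128 = """\
access-list 128 permit tcp host 10.20.1.2 host 10.10.1.24 eq www
access-list 128 deny tcp any host 10.10.1.24 eq www
access-list 128 permit ip any any
"""
PORTS = {"www": 80}  # the only port keyword the posted entries use


def take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from tokens and return an ip_network."""
    if tokens[0] == "any":
        del tokens[0]
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        net = ipaddress.ip_network(tokens[1] + "/32")
        del tokens[:2]
        return net
    raise ValueError("only 'any' and 'host' forms are handled here")


def parse(text):
    """Parse entries into (action, proto, src, dst, dport) tuples, in order."""
    rules = []
    for line in text.splitlines():
        t = line.split()[2:]                      # drop 'access-list 128'
        action, proto, rest = t[0], t[1], t[2:]
        src, dst = take_addr(rest), take_addr(rest)
        dport = PORTS[rest[1]] if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, dport))
    return rules


def evaluate(rules, proto, src, dst, dport):
    """First matching entry wins; no match at all hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, r_proto, r_src, r_dst, r_dport) in enumerate(rules, 1):
        if r_proto not in ("ip", proto):
            continue
        if s in r_src and d in r_dst and r_dport in (None, dport):
            return action, n
    return "deny", None


RULES = parse(ACL_128)
```

`evaluate(RULES, "tcp", "10.20.1.3", "10.10.1.24", 80)` returns `("deny", 2)`, while the same host on port 21 falls through to entry 3 and is permitted. On the router, the placement both answers recommend corresponds to `ip access-group 128 in` under `interface FastEthernet0/0`.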


Re: where to apply access-list

Thanks Jon and Ganesh

ps. my name is Peiwai not Pei


Re: where to apply access-list

Peiwai, apologies for getting name wrong.

Jon
