Solved: Re: where to apply access-list

leepeiwai · ‎05-14-2010

I have created the access 128 to allow a host (10.20.1.2) to access a web server (10.10.1.24).

No other hosts from the LAN (10.20.0.0) should be able to access the same web server.
However, all other traffic should be allowed since there are serveral resources (FTP, email etc) on this web server.

access-list 128 permit tcp host 10.20.1.2 host 10.10.1.24 eq www
access-list 128 deny tcp any host 10.10.1.24 eq www
access-list 128 permit ip any any

The web server is attached to FA0/1 side of the router.
Hosts in 10.20.0.0 is attached to FA0/0 side of the router.

Should I apply access list 128 on
Fa0/1 outbound OR Fa0/0 inbound ?

Thanks

PeiWai

Ganesh Hariharan · ‎05-14-2010

I have created the access 128 to allow a host (10.20.1.2) to access a web server (10.10.1.24).

No other hosts from the LAN (10.20.0.0) should be able to access the same web server.
However, all other traffic should be allowed since there are serveral resources (FTP, email etc) on this web server.

access-list 128 permit tcp host 10.20.1.2 host 10.10.1.24 eq www
access-list 128 deny tcp any host 10.10.1.24 eq www
access-list 128 permit ip any any

The web server is attached to FA0/1 side of the router.
Hosts in 10.20.0.0 is attached to FA0/0 side of the router.

Should I apply access list 128 on
Fa0/1 outbound OR Fa0/0 inbound ?

Thanks

PeiWai

Hi PeiWai,

For your requirement with the flow i would say apply the acl in indrection on port FA(0/0)

webservr ---FA0/1(R1)--FA0/0 --- Host

Apply in FA(0/0) in in direction .

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

View solution in original post

Jon Marshall · ‎05-14-2010

leepeiwai wrote:

I have created the access 128 to allow a host (10.20.1.2) to access a web server (10.10.1.24).

No other hosts from the LAN (10.20.0.0) should be able to access the same web server.
However, all other traffic should be allowed since there are serveral resources (FTP, email etc) on this web server.

access-list 128 permit tcp host 10.20.1.2 host 10.10.1.24 eq www
access-list 128 deny tcp any host 10.10.1.24 eq www
access-list 128 permit ip any any

The web server is attached to FA0/1 side of the router.
Hosts in 10.20.0.0 is attached to FA0/0 side of the router.

Should I apply access list 128 on
Fa0/1 outbound OR Fa0/0 inbound ?

Thanks

PeiWai

Pei

Rule of thumb is always apply acls closest to source if possible so as Ganesh says apply it inbound on the host interface ie. fa0/0.

Jon

View solution in original post

Ganesh Hariharan · ‎05-14-2010

I have created the access 128 to allow a host (10.20.1.2) to access a web server (10.10.1.24).

No other hosts from the LAN (10.20.0.0) should be able to access the same web server.
However, all other traffic should be allowed since there are serveral resources (FTP, email etc) on this web server.

access-list 128 permit tcp host 10.20.1.2 host 10.10.1.24 eq www
access-list 128 deny tcp any host 10.10.1.24 eq www
access-list 128 permit ip any any

The web server is attached to FA0/1 side of the router.
Hosts in 10.20.0.0 is attached to FA0/0 side of the router.

Should I apply access list 128 on
Fa0/1 outbound OR Fa0/0 inbound ?

Thanks

PeiWai

Hi PeiWai,

For your requirement with the flow i would say apply the acl in indrection on port FA(0/0)

webservr ---FA0/1(R1)--FA0/0 --- Host

Apply in FA(0/0) in in direction .

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Jon Marshall · ‎05-14-2010

leepeiwai wrote:

I have created the access 128 to allow a host (10.20.1.2) to access a web server (10.10.1.24).

No other hosts from the LAN (10.20.0.0) should be able to access the same web server.
However, all other traffic should be allowed since there are serveral resources (FTP, email etc) on this web server.

access-list 128 permit tcp host 10.20.1.2 host 10.10.1.24 eq www
access-list 128 deny tcp any host 10.10.1.24 eq www
access-list 128 permit ip any any

The web server is attached to FA0/1 side of the router.
Hosts in 10.20.0.0 is attached to FA0/0 side of the router.

Should I apply access list 128 on
Fa0/1 outbound OR Fa0/0 inbound ?

Thanks

PeiWai

Pei

Rule of thumb is always apply acls closest to source if possible so as Ganesh says apply it inbound on the host interface ie. fa0/0.

Jon

leepeiwai · ‎05-14-2010

Thanks Jon and Ganesh

ps. my name is Peiwai not Pei

Jon Marshall · ‎05-14-2010

leepeiwai wrote:

Thanks Jon and Ganesh

ps. my name is Peiwai not Pei

Peiwai, apologies for getting name wrong.

Jon