[cisco-bba] ACL application

Edward avanti edward.avanti at gmail.com
Wed Dec 15 04:45:24 EST 2010


bump

On Sat, Dec 11, 2010 at 7:56 PM, Edward avanti <edward.avanti at gmail.com> wrote:

> Hello all,
>
> I understood that ACLs on interfaces were for transiting traffic and ACLs on
> lines were for traffic to the router?
>
> I ask because I could not access the router until I added my home IP to ACL 101
> (the inbound one).
> Is this because the external interface fe0 has inbound rules applied?
> For example, fe1 goes to our network of servers and I apply ingress rules on fe0,
> which is the SP link; is this right, and is it why I was denied?
>
> Should I invert this all, have no rules on fe0 and apply the
> network ingress as an outbound rule on fe1 instead?
>
> Which is considered best practice?  Or is this correct but I somehow blocked
> myself from the line?
>
>
> ACL config data relevant to the post; all IPs are changed to protect the guilty :->
>
>
> access-list 1 permit 1.1.1.0 0.0.1.255
> line vty 0 4
>  access-class 1 in
>
>
>
> access-list 101 permit ip host 1.2.3.4 any
> access-list 101 permit ip host 15.6.7.8 any
> access-list 101 deny   tcp any any eq 22
> access-list 101 deny   tcp any any eq telnet
> access-list 101 deny   tcp any any eq sunrpc
> access-list 101 deny   udp any any eq sunrpc
> access-list 101 deny   tcp any any range 135 139
> access-list 101 deny   udp any any range 135 netbios-ss
> access-list 101 deny   tcp any any eq 445
> access-list 101 deny   udp any any eq tftp
> access-list 101 deny   tcp any any eq 873
> access-list 101 deny   tcp any any eq 2049
> access-list 101 deny   tcp any any eq 3306
> access-list 101 permit ip any any
>
> interface FastEthernet0
>  ip access-group 101 in
>
>
>
> thank you
>
>
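The order in which IOS checks the two ACLs quoted above is what decides the question. An inbound `ip access-group` on FastEthernet0 is evaluated for every packet entering that interface, whether it is transit traffic to the servers behind fe1 or traffic addressed to the router itself; the `access-class` on `line vty 0 4` is only consulted afterwards, and only for connections to the vty lines. The model below is an added example written for this page, not code from the list or from Cisco: it parses the quoted access-lists, applies IOS first-match semantics with the implicit deny, and walks a connection through both stages. The router, home and server addresses are constructed; the home IP 1.1.1.10 is chosen to fall inside the `1.1.1.0 0.0.1.255` range of access-list 1 so that only ACL 101 stands in its way.

```python
"""Added model of Cisco IOS ACL evaluation order (not from the post or from Cisco):
an inbound interface ACL is checked for every packet arriving on that interface,
transit and router-bound alike, first match wins, implicit deny at the end; a vty
access-class is consulted afterwards and only for connections to the router's lines.
The ACL text is the one quoted in the post; all other addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS keyword ports that appear in the quoted config (standard IANA numbers)
PORT_NAMES = {"telnet": 23, "ssh": 22, "tftp": 69, "sunrpc": 111, "netbios-ss": 139}

ACL_TEXT = """
access-list 1 permit 1.1.1.0 0.0.1.255
access-list 101 permit ip host 1.2.3.4 any
access-list 101 permit ip host 15.6.7.8 any
access-list 101 deny   tcp any any eq 22
access-list 101 deny   tcp any any eq telnet
access-list 101 deny   tcp any any eq sunrpc
access-list 101 deny   udp any any eq sunrpc
access-list 101 deny   tcp any any range 135 139
access-list 101 deny   udp any any range 135 netbios-ss
access-list 101 deny   tcp any any eq 445
access-list 101 deny   udp any any eq tftp
access-list 101 deny   tcp any any eq 873
access-list 101 deny   tcp any any eq 2049
access-list 101 deny   tcp any any eq 3306
access-list 101 permit ip any any
"""

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network       # standard ACLs match source only -> 0.0.0.0/0
    dport: Optional[range] = None    # destination port range; None = any port

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _addr(tokens):
    """Consume one IOS address spec ("any", "host X", "X wildcard"); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard bits are the inverse of a netmask: 0.0.1.255 -> 255.255.254.0
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1]))
    net = ipaddress.IPv4Network((tokens[0], str(ipaddress.IPv4Address(mask))), strict=False)
    return net, tokens[2:]

def parse_acls(text):
    """Return {acl_number: [Ace, ...]} preserving configuration order."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "access-list":
            continue
        number, action = int(tok[1]), tok[2]
        if number < 100:                              # standard ACL: source only
            src, _ = _addr(tok[3:])
            acls.setdefault(number, []).append(
                Ace(action, "ip", src, ipaddress.IPv4Network("0.0.0.0/0")))
            continue
        proto, rest = tok[3], tok[4:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            p = _port(rest[1])
            dport = range(p, p + 1)
        elif rest and rest[0] == "range":
            dport = range(_port(rest[1]), _port(rest[2]) + 1)
        acls.setdefault(number, []).append(Ace(action, proto, src, dst, dport))
    return acls

def evaluate(aces, pkt):
    """First matching entry wins; no match is the implicit deny. Returns (action, index)."""
    for i, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ipaddress.IPv4Address(pkt.src) not in ace.src:
            continue
        if ipaddress.IPv4Address(pkt.dst) not in ace.dst:
            continue
        if ace.dport is not None and pkt.dport not in ace.dport:
            continue
        return ace.action, i
    return "deny", None                              # implicit deny at the end of every ACL

def inbound_decision(acls, pkt, router_ip, iface_acl=101, vty_acl=1):
    """Check a packet arriving on fe0 the way IOS does: interface ACL first, then
    (only for SSH/telnet to the router's own address) the vty access-class."""
    action, idx = evaluate(acls[iface_acl], pkt)
    if action == "deny":
        return f"denied by interface ACL {iface_acl} entry {idx}"
    if pkt.dst != router_ip or pkt.proto != "tcp" or pkt.dport not in (22, 23):
        return f"permitted by interface ACL {iface_acl} entry {idx} (transit)"
    action, idx = evaluate(acls[vty_acl], pkt)
    if action == "deny":
        return f"permitted by ACL {iface_acl}, denied by access-class {vty_acl}"
    return f"permitted by ACL {iface_acl} and access-class {vty_acl}"

if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    ROUTER, HOME, SERVER = "198.51.100.1", "1.1.1.10", "198.51.100.50"   # constructed
    for pkt in (Packet(HOME, ROUTER, "tcp", 22),
                Packet("1.2.3.4", ROUTER, "tcp", 22),
                Packet(HOME, SERVER, "tcp", 80)):
        print(pkt, "->", inbound_decision(acls, pkt, ROUTER))
```

Running it shows the home address being stopped at `deny tcp any any eq 22` in ACL 101 before access-list 1 is ever reached, while 1.2.3.4 passes ACL 101 at its first line and is then refused by the access-class because it is outside 1.1.0.0/23. Prepending `access-list 101 permit ip host 1.1.1.10 any` (the fix described in the post) lets the same connection clear both stages.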