[cisco-bba] ACL application
Edward avanti
edward.avanti at gmail.com
Wed Dec 15 04:45:24 EST 2010
bump
On Sat, Dec 11, 2010 at 7:56 PM, Edward avanti <edward.avanti at gmail.com>wrote:
> Halo all,
>
> I understood that ACL on int's were transitting traffic and ACL on line
> was to the router?
>
> I ask because I could not access router until I add my home IP on acl 101
> (the inbound)
> Is this because the external interface fe0 has inbound rules applied?
> For example, fe1 is to our network of servers I apply ingress rules on fe0
> which the SP link, is this right why I denied?
>
> Should I invert this all?, have no rules on fe0 and apply the
> network-ingress, as an outbound rule on fe1 instead?
>
> Which is consider best practise? Or is this correct but I somehow block
> myself to line
>
>
> ACL conf data relevant to post, all IP is changed for protect guilty :->
>
>
> access-list 1 permit 1.1.1.0 0.0.1.255
> line vty 0 4
> access-class 1 in
>
>
>
> access-list 101 permit ip host 1.2.3.4 any
> access-list 101 permit ip host 15.6.7.8 any
> access-list 101 deny tcp any any eq 22
> access-list 101 deny tcp any any eq telnet
> access-list 101 deny tcp any any eq sunrpc
> access-list 101 deny udp any any eq sunrpc
> access-list 101 deny tcp any any range 135 139
> access-list 101 deny udp any any range 135 netbios-ss
> access-list 101 deny tcp any any eq 445
> access-list 101 deny udp any any eq tftp
> access-list 101 deny tcp any any eq 873
> access-list 101 deny tcp any any eq 2049
> access-list 101 deny tcp any any eq 3306
> access-list 101 permit ip any any
>
> interface FastEthernet0
> ip access-group 101 in
>
>
>
> thanks you
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-bba/attachments/20101215/647a30a6/attachment.html>
More information about the cisco-bba
mailing list