Mailing List Archive

ACL application
Hello all,

I understood that ACLs on interfaces were for transiting traffic and ACLs on a
line were for traffic to the router?

I ask because I could not access the router until I added my home IP to ACL 101
(the inbound one).
Is this because the external interface fe0 has inbound rules applied?
For example, fe1 is to our network of servers; I apply ingress rules on fe0,
which is the SP link. Is this why I was denied?

Should I invert this all: have no rules on fe0 and apply the
network-ingress rules as an outbound rule on fe1 instead?

Which is considered best practice? Or is this correct but I somehow blocked
myself from the line?


ACL config data relevant to the post; all IPs are changed to protect the guilty :->


! Standard ACL 1: only sources in 1.1.0.0/23 (wildcard 0.0.1.255) may open a VTY session
access-list 1 permit 1.1.1.0 0.0.1.255
line vty 0 4
 access-class 1 in



! Extended ACL 101: two trusted hosts bypass the filter, then common management
! and file-sharing ports are dropped for everyone else, then everything else passes.
! Note the "deny tcp any any eq 22" / "eq telnet" entries also cover SSH/Telnet
! aimed at the router itself, since this ACL is evaluated on ingress.
access-list 101 permit ip host 1.2.3.4 any
access-list 101 permit ip host 15.6.7.8 any
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq telnet
access-list 101 deny tcp any any eq sunrpc
access-list 101 deny udp any any eq sunrpc
access-list 101 deny tcp any any range 135 139
access-list 101 deny udp any any range 135 netbios-ss
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq tftp
access-list 101 deny tcp any any eq 873
access-list 101 deny tcp any any eq 2049
access-list 101 deny tcp any any eq 3306
access-list 101 permit ip any any

interface FastEthernet0
 ip access-group 101 in



Thank you
Re: ACL application
bump

On Sat, Dec 11, 2010 at 7:56 PM, Edward avanti <edward.avanti@gmail.com> wrote:
Re: ACL application
On Sat, Dec 11, 2010 at 07:56:54PM +1000, Edward avanti wrote:
> Hello all,
>
> I understood that ACLs on interfaces were for transiting traffic and ACLs on a line
> were for traffic to the router?

Packet has to come through the interface (and therefore any ACL on the interface),
before it gets to any process running on the router (BGP/VTYs/anything else).

> I ask because I could not access the router until I added my home IP to ACL 101
> (the inbound one).
> Is this because the external interface fe0 has inbound rules applied?
> For example, fe1 is to our network of servers; I apply ingress rules on fe0,
> which is the SP link. Is this why I was denied?

Yes

>
> Should I invert this all: have no rules on fe0 and apply the
> network-ingress rules as an outbound rule on fe1 instead?

Probably not (you would normally drop "as soon as possible", i.e.
ingress).

P.S. Wrong group, nothing to do with bba, although 30 seconds with
google would have answered faster than posting here.

--
Euan Galloway
_______________________________________________
cisco-bba mailing list
cisco-bba@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-bba
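The order of operations Euan describes (inbound interface ACL first, and only then the line access-class or the egress interface's outbound ACL) is what explains both the lock-out and the "drop at ingress" advice. The following model is an added example, not code from the thread or from Cisco: it parses the two ACLs exactly as Edward posted them and walks constructed packets through the posted configuration and through the inverted one he asked about. The interface names fe0/fe1, the router addresses 198.51.100.1 and 10.0.0.1, the server 10.0.0.5 and the source hosts 1.1.1.50, 1.2.3.4 and 203.0.113.10 are assumptions; the model also simplifies IOS (no `established`, only TCP/22 and TCP/23 are treated as VTY traffic, and every other packet addressed to the router is delivered locally).

```python
# Model of where Cisco IOS applies ACLs to a packet (added example; addresses,
# interface names and packets below are constructed, the ACLs are from the post).
import ipaddress
from dataclasses import dataclass

ANY = (0, 0xFFFFFFFF)                      # (base address, wildcard) meaning "any"
PORT_NAMES = {"ssh": 22, "telnet": 23, "tftp": 69, "sunrpc": 111, "netbios-ss": 139}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", ...
    dport: int = 0


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tokens):
    """Consume one IOS address spec ('any', 'host A', 'A WILDCARD'); return (spec, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base, wild = (int(ipaddress.IPv4Address(tok)) for tok in tokens[:2])
    return (base, wild), tokens[2:]


def parse_acl(text):
    """'access-list N permit|deny [proto] src [dst] [eq P | range A B]' -> list of ACEs."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        if int(t[1]) <= 99:                               # standard ACL: source only
            proto, (src, rest), dst = "ip", _addr(t[3:]), ANY
        else:                                             # extended: proto, src, dst
            proto, (src, rest) = t[3], _addr(t[4:])
            dst, rest = _addr(rest)
        ports = None
        if rest and rest[0] == "eq":
            ports = (_port(rest[1]), _port(rest[1]))
        elif rest and rest[0] == "range":
            ports = (_port(rest[1]), _port(rest[2]))
        acl.append((line.strip(), t[2], proto, src, dst, ports))
    return acl


def _addr_matches(spec, addr):
    base, wild = spec                                     # wildcard bit set = "don't care"
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)


def eval_acl(acl, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for text, action, proto, src, dst, ports in acl:
        if proto not in ("ip", pkt.proto):
            continue
        if not (_addr_matches(src, pkt.src) and _addr_matches(dst, pkt.dst)):
            continue
        if ports is None or ports[0] <= pkt.dport <= ports[1]:
            return action, text
    return "deny", "implicit deny"


def forward(router, pkt, in_iface, out_iface):
    """IOS order: inbound ACL on the ingress interface; then the line access-class
    (packet to the router's own VTYs), local delivery, or the outbound ACL of the
    egress interface (transit traffic only, never packets addressed to the router)."""
    acl = router["iface_acls"].get((in_iface, "in"))
    if acl:
        verdict, ace = eval_acl(acl, pkt)
        if verdict == "deny":
            return "deny", f"{in_iface} inbound ACL: {ace}"
    if pkt.dst in router["addrs"]:                        # punted to the router itself
        if pkt.proto == "tcp" and pkt.dport in (22, 23):  # access-class checks source only
            verdict, ace = eval_acl(router["vty_acl"], pkt)
            return verdict, f"line vty access-class: {ace}"
        return "permit", "delivered to local process"
    acl = router["iface_acls"].get((out_iface, "out"))
    if acl:
        verdict, ace = eval_acl(acl, pkt)
        if verdict == "deny":
            return "deny", f"{out_iface} outbound ACL: {ace}"
    return "permit", f"forwarded out {out_iface}"


ACL1 = "access-list 1 permit 1.1.1.0 0.0.1.255"
ACL101 = """
access-list 101 permit ip host 1.2.3.4 any
access-list 101 permit ip host 15.6.7.8 any
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq telnet
access-list 101 deny tcp any any eq sunrpc
access-list 101 deny udp any any eq sunrpc
access-list 101 deny tcp any any range 135 139
access-list 101 deny udp any any range 135 netbios-ss
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq tftp
access-list 101 deny tcp any any eq 873
access-list 101 deny tcp any any eq 2049
access-list 101 deny tcp any any eq 3306
access-list 101 permit ip any any
"""
ROUTER_ADDRS = {"198.51.100.1", "10.0.0.1"}   # assumed fe0 (SP link) / fe1 (servers) addresses


def as_posted():
    """ACL 101 inbound on fe0, access-class 1 on the VTYs: the configuration in the post."""
    return {"addrs": ROUTER_ADDRS, "vty_acl": parse_acl(ACL1),
            "iface_acls": {("fe0", "in"): parse_acl(ACL101)}}


def inverted():
    """The alternative asked about: nothing on fe0, ACL 101 outbound on fe1."""
    return {"addrs": ROUTER_ADDRS, "vty_acl": parse_acl(ACL1),
            "iface_acls": {("fe1", "out"): parse_acl(ACL101)}}


# Constructed packets, all arriving on fe0 from the SP link.
SSH_FROM_LAN_ADMIN = Packet("1.1.1.50", "198.51.100.1", "tcp", 22)    # inside access-list 1
SSH_FROM_TRUSTED_HOST = Packet("1.2.3.4", "198.51.100.1", "tcp", 22)  # permitted at top of 101
TFTP_TO_ROUTER = Packet("203.0.113.10", "198.51.100.1", "udp", 69)
SMB_TO_SERVER = Packet("203.0.113.10", "10.0.0.5", "tcp", 445)

if __name__ == "__main__":
    for cfg in (as_posted, inverted):
        for pkt in (SSH_FROM_LAN_ADMIN, SSH_FROM_TRUSTED_HOST, TFTP_TO_ROUTER, SMB_TO_SERVER):
            print(f"{cfg.__name__:9} {pkt.src:>13} -> {pkt.dst}/{pkt.proto}/{pkt.dport}:",
                  *forward(cfg(), pkt, "fe0", "fe1"))
```

With the configuration as posted, SSH from 1.1.1.50 is dropped by `deny tcp any any eq 22` on fe0 before `access-class 1` is ever consulted, even though access-list 1 would have permitted it; that is the lock-out from the original message, and adding the admin's address to the top of 101 is what let it through. The inverted layout does let that SSH session reach the VTY, but because packets addressed to the router never egress fe1, nothing in ACL 101 protects the router itself any more: the TFTP packet to 198.51.100.1 is simply delivered. Transit traffic (SMB to 10.0.0.5) is still dropped either way, only later, after the router has already done the routing lookup, which is the "drop as soon as possible" point in the reply.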