In your case, fe0 is the outside world, the "untrusted" world. The acl 101 you applied on fe0 filters any packet that is coming from the outside world into your router, no matter where exactly it goes later. The acl 1 applied on the line vty filters traffic that is trying to connect to the router itself (most probably telnet/ssh), no matter where it is coming from (fe0, fe1, etc.). If you want to telnet to the router and you're coming from an external source (outside world), you'll have to be allowed both in acl 101 and in acl 1. To protect your servers, you can put the ACL either "in" on fe0 or "out" on fe1; it gives you the same result, but in the latter case you won't need to allow anything trying to connect to the router anywhere other than in acl 1.
Hope this makes sense to you,
Ziv

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Edward avanti
Sent: Wednesday, December 15, 2010 11:57 AM
To: [email protected]
Subject: [c-nsp] ACL querry

Hello all,

I understood that ACLs on interfaces were for transiting traffic and an ACL on the line was for traffic to the router? I ask because I could not access the router until I added my home IP to acl 101 (the inbound one). Is this because the external interface fe0 has inbound rules applied?

For example, fe1 is to our network of servers. I apply ingress rules on fe0, which is the SP link; is this right why I was denied? Should I invert this all, have no rules on fe0 and apply the network ingress as an outbound rule on fe1 instead? Which is considered best practice? Or is this correct but I somehow blocked myself with the line ACL?

Config data relevant to the post, all IPs changed to protect the guilty :->

access-list 1 permit 1.1.1.0 0.0.1.255
line vty 0 4
 access-class 1 in
access-list 101 permit ip host 1.2.3.4 any
access-list 101 permit ip host 15.6.7.8 any
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq telnet
access-list 101 deny tcp any any eq sunrpc
access-list 101 deny udp any any eq sunrpc
access-list 101 deny tcp any any range 135 139
access-list 101 deny udp any any range 135 netbios-ss
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq tftp
access-list 101 deny tcp any any eq 873
access-list 101 deny tcp any any eq 2049
access-list 101 deny tcp any any eq 3306
access-list 101 permit ip any any
interface FastEthernet0
 ip access-group 101 in

thank you
_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
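As an added illustration (not part of the thread), a small Python model of how the two ACLs in the post compose: acl 101 is checked on every packet entering fe0, while acl 1 is checked only on sessions to the router's vty, so a management session from outside must pass both. The router address and the "home IP" are constructed, and only some of the posted deny lines of acl 101 are modelled.

```python
import ipaddress

# Assumed model of Cisco IOS ACL evaluation: first match wins, implicit deny
# at the end. In a wildcard mask a 1 bit means "don't care".
def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

ANY = ("0.0.0.0", "255.255.255.255")
ROUTER = "1.2.3.1"  # constructed address for the router's fe0 interface
def host(ip):
    return (ip, "0.0.0.0")

# Entry: (action, protocol, src (addr, wildcard), dst (addr, wildcard), dport range or None).
# access-list 101 from the post, applied "in" on fe0 (subset of the posted deny lines).
ACL_101 = [
    ("permit", "ip", host("1.2.3.4"), ANY, None),
    ("permit", "ip", host("15.6.7.8"), ANY, None),
    ("deny", "tcp", ANY, ANY, (22, 22)),        # eq 22
    ("deny", "tcp", ANY, ANY, (23, 23)),        # eq telnet
    ("deny", "tcp", ANY, ANY, (135, 139)),      # range 135 139
    ("deny", "udp", ANY, ANY, (135, 139)),      # range 135 netbios-ss
    ("deny", "tcp", ANY, ANY, (445, 445)),      # eq 445
    ("permit", "ip", ANY, ANY, None),
]
# access-list 1 (standard ACL, source only), applied with access-class on vty 0 4.
ACL_1 = [("permit", "ip", ("1.1.1.0", "0.0.1.255"), ANY, None)]

def evaluate(acl, src, dst, proto, dport):
    for action, eproto, esrc, edst, ports in acl:
        if eproto != "ip" and eproto != proto:
            continue
        if not (wildcard_match(src, *esrc) and wildcard_match(dst, *edst)):
            continue
        if ports and not ports[0] <= dport <= ports[1]:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every ACL

def ssh_to_router(src, acl_101=ACL_101):
    """A session to the router's own vty must pass acl 101 on fe0 AND acl 1."""
    return evaluate(acl_101, src, ROUTER, "tcp", 22) and evaluate(ACL_1, src, ROUTER, "tcp", 22)

def to_server_from_fe0(src, server, proto, dport):
    """Transit traffic to the servers behind fe1 only crosses acl 101."""
    return evaluate(ACL_101, src, server, proto, dport)

def permit_host_first(acl, ip):
    """Edward's fix: a permit for the management host ahead of the deny lines."""
    return [("permit", "ip", host(ip), ANY, None)] + acl
```

Running it shows the symptom from the post: a home address inside acl 1's range is still blocked by the "deny tcp any any eq 22" line of acl 101 until a permit for it is added ahead of the denies, and an address that is only in acl 101 (1.2.3.4) is still refused at the vty by acl 1.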
