Actually if you filtered the Serial interface you would be blocking Incoming traffic 
(if it's your "Outside" interface) and filtering on the Ethernet side would be 
blocking Outgoing traffic.

You definitely want to block your own network traffic from coming back in from the 
Outside. Say if you are using 10.0.0.0 on your LAN you would want to Deny 10.0.0.0 
traffic on your Serial interface. This will prevent someone on the internet from 
(spoofing) giving themselves an address in your address space and trying to 
authenticate to your internal services. (this should be firewalled to prevent this 
anyway but...)

From your description, if you block 10.0.0.0 on the Eth0 interface, your users would 
not be able to authenticate to the Access servers.

Hopefully this helps (probably not but...you get what you pay for right?)

cheers


Marc

>>> "james" <[EMAIL PROTECTED]> 03/12/02 10:18AM >>>
I am seeking to use ACLs to block the outbound traffic on private addresses
that many of our remote POPs are producing. Remote POPs consist of a Cisco
router (2500/2600's) and various access servers. I understand it is better
to filter this at the source of the problem and not the exterior gateways.
At the remote POP, should I apply these ACLs (Blocking 10.0.0.0, etc.
private networks) to the Ethernet interface, incoming or the serial
interfaces, outgoing? Serial interfaces would be the T-1 connections to the
outside network and Ethernet interface is how the access servers are
connected (via a switch) to the access servers.

james

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED] 
http://lists.gnac.net/mailman/listinfo/firewalls
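
The placement discussed in this thread, written out as a Cisco IOS configuration fragment. This is an added example, not configuration posted by either participant. It assumes Serial0 is the T-1 to the outside, Ethernet0 faces the access servers, the ACL numbers 101 and 102 are free, and any traffic that legitimately leaves the POP carries a public source address.

```cisco
! Assumed names: Serial0 = T-1 to the outside, Ethernet0 = LAN side.
! ACL numbers 101/102 are arbitrary choices for this example.

! 101: applied INBOUND on the serial link.
! Drops packets arriving from the outside that claim a private (RFC 1918)
! source address, which is the anti-spoofing case described in the reply.
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 permit ip any any

! 102: applied OUTBOUND on the serial link.
! Drops transit packets with a private source before they leave the POP,
! which is the leak described in the original question.
! Packets generated by the router itself are not checked by an outbound ACL.
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 102 permit ip any any

interface Serial0
 ip access-group 101 in
 ip access-group 102 out
!
! Ethernet0 carries no access-group in this example, so traffic between
! the 10.0.0.0 hosts on the LAN and the router is not filtered.
interface Ethernet0
 no ip access-group 101 in
!
! The explicit "permit ip any any" matters: every IOS ACL ends with an
! implicit "deny ip any any", so omitting it would drop all other traffic.
```

`show access-lists 101` and `show access-lists 102` display per-entry match counters, which show whether private-source packets are actually being dropped in each direction.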
