
access-list question 1


boymarty24

Technical User
Aug 21, 2003
Hi!

Can someone give me a good explanation of why you should use outbound access-lists instead of inbound?

Example.

I want to restrict inside users to only use http and https. As I understand it, you can use inbound on the inside interface and/or outbound on the outside interface. I have always used inbound on the inside interface for this kind of configuration, but found an example on Cisco's homepage with an outbound statement. I did not really understand why outbound was a better choice, though.

Cheers

Marty
 
Think of the user going 'outbound' on the inside interface, not to mention the inside interface has a higher level of security.
 
The only use I have found for it would be blocking traffic from multiple higher security interfaces to a lower one.
I always restrict SMTP to servers that I know. So rather than placing that restriction on the inbound INSIDE, DMZ, and WIRELESS interfaces you can put it on the outbound OUTSIDE interface only once.

Now, I don't actually do this, as I believe you should block unwanted traffic closest to the source. It's the low-powered router guy in me who doesn't want to have unnecessary processing going on, but with today's fun toys I don't think it is much of a problem unless you have a giant environment.

Brent
Systems Engineer / Consultant
CCNP, CCSP
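
The two placements described in the reply above, written out as an added configuration sketch that is not part of the thread. It assumes ASA 8.3 or later syntax (ACLs match real, untranslated addresses), interfaces named inside, dmz, wireless and outside, and reads "servers that I know" as the internal hosts allowed to send SMTP; all addresses and ACL names are constructed placeholders.

```cisco
! Constructed example: every address and name below is a placeholder.
object-group network SMTP_SENDERS
 network-object host 10.1.0.25
 network-object host 10.2.0.25
!
! Option A: one outbound ACL on the outside interface.
! Evaluated for traffic leaving through outside, whichever
! higher-security interface it entered on.
access-list OUTSIDE_OUT extended permit tcp object-group SMTP_SENDERS any eq smtp
access-list OUTSIDE_OUT extended deny tcp any any eq smtp log
access-list OUTSIDE_OUT extended permit ip any any
access-group OUTSIDE_OUT out interface outside
!
! Option B (alternative to A): the same rule repeated as an inbound
! ACL on each source interface, so unwanted SMTP is dropped where it
! enters the firewall.
access-list INSIDE_IN extended permit tcp object-group SMTP_SENDERS any eq smtp
access-list INSIDE_IN extended deny tcp any any eq smtp log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
access-list DMZ_IN extended permit tcp object-group SMTP_SENDERS any eq smtp
access-list DMZ_IN extended deny tcp any any eq smtp log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
access-list WIRELESS_IN extended deny tcp any any eq smtp log
access-list WIRELESS_IN extended permit ip any any
access-group WIRELESS_IN in interface wireless
!
! Difference to check before choosing: with destination "any", the
! inbound ACLs in option B also match SMTP between internal segments
! (for example inside clients to a relay in the dmz), because an
! inbound ACL sees all traffic entering that interface. Option A only
! matches traffic that exits through outside.
```

Once an ACL is applied, its implicit deny replaces the default permit from higher to lower security levels, which is why each list ends with an explicit `permit ip any any`; tighten that line to match the site's egress policy.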
 
Brent,

That makes sense! Thanks for your answers.
 