
an access-list question (basic)


rsys

IS-IT--Management
Apr 6, 2001
Hi,

I have a 1700 series router with one WAN interface and one ETHERNET interface. The WAN interface connects to a T1 line and the ETHERNET interface to a switch (local LAN).

My objective is to implement an access-list that permits incoming access (from the Internet) to my servers (database, application, etc.) only from select IPs, i.e., access to these servers is possible only from another network of ours (a different office) and not from anywhere else.

My question is, which would be the correct location to apply this access-list? Would it be at the WAN interface (inbound) or at the ETHERNET interface (outbound)? Since both will work (or so I assume), are there any advantages or disadvantages of having it at either of these locations?

Your feedback is very much appreciated. Thank you and have a great year 2003!
 
Do it at the WAN interface as inbound,

and use an extended IP access-list to do it.


BuckWeet
 
First, be aware that any access list you apply will inherently slow down traffic on that interface. If this is your core router, you probably already have (or should have) an access list applied to your T1 interface blocking SNMP traffic. If these IPs that you are allowing inbound are going to be accessing the servers a lot, you need to make sure that you build the access list so it is efficient. You definitely need to use an extended access-list, as the last comment suggested.

You can only have two access-lists applied to any interface. If there is one already there, you need to do a show config, find the access list applied to the interface and copy it to a text file. Edit the text file (Notepad does wonders, or vi if you're a Linux guru), make sure it is an extended IP access-list, and add the new IP addresses to the top of the list. Make sure you use the log keyword so you can log traffic coming through that access list. There is an implicit deny at the end of the list, so make sure you don't try adding the IP addresses without removing the old access-list first.

Once you have the text file created, the best thing to do is get into config mode and go to the interface:

(config)#int s0/?
(config-if)#no ip access-group ## in
(config-if)#exit
(config)#no access-list ##
(config)#COPY AND PASTE THE TEXT FROM NOTEPAD NOW
(config)#int s0/?
(config-if)#ip access-group ## in
(config-if)#exit
(config)#exit

If you used the logging option, you can type term mon and you should start seeing syslog info on the console. Hope this helps.
 
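To make the advice in the thread concrete, here is a worked IOS configuration for the scenario the original poster describes (extended list, inbound on the T1 interface, log keyword, explicit deny at the bottom). It is an added example, not code from the original poster or from anyone in this thread. The addresses (203.0.113.0/24 for the remote office, 198.51.100.0/24 for the local server LAN), the host addresses and service ports, and the interface name Serial0 are assumptions; substitute your own.

```cisco
! Added example, not from the original thread. All addresses, ports and the
! interface name are assumptions: 203.0.113.0/24 is the remote office,
! 198.51.100.0/24 the local server LAN, Serial0 the T1 WAN interface.
!
! Numbered extended ACLs are 100-199. Entries are matched top to bottom and
! new lines appended to an existing numbered list land at the bottom, after
! any explicit deny, so remove and re-create the list instead of appending.
no access-list 110
access-list 110 remark Inbound from Internet on Serial0 (T1)
!
! Return traffic for TCP sessions the LAN opened outbound. 'established'
! only checks the ACK/RST bits; it is a packet filter, not a stateful
! firewall. Without this (or CBAC / ip inspect) an inbound permit list that
! only names the remote office would break all outbound Internet use.
access-list 110 permit tcp any 198.51.100.0 0.0.0.255 established
!
! ICMP needed for path-MTU discovery and troubleshooting replies.
access-list 110 permit icmp any 198.51.100.0 0.0.0.255 unreachable
access-list 110 permit icmp any 198.51.100.0 0.0.0.255 echo-reply
!
! Remote office -> servers, only the required services, most-used first.
! 'log' records the first hit and then periodic summaries per entry.
access-list 110 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq 1433 log
access-list 110 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.11 eq 443 log
access-list 110 permit tcp 203.0.113.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 22 log
!
! Anti-spoofing: nothing arriving from the Internet may claim our own LAN
! as its source. Also drop SNMP from the outside, as mentioned above.
access-list 110 deny   ip 198.51.100.0 0.0.0.255 any log
access-list 110 deny   udp any any eq snmp log
!
! Explicit deny with log: the implicit deny at the end of every list drops
! silently, so this line is what makes blocked traffic visible.
access-list 110 deny   ip any any log
!
interface Serial0
 description T1 to Internet
 ip access-group 110 in
!
! Verification after applying:
!   show ip access-lists 110                     (per-line hit counters)
!   show ip interface Serial0 | include access   (confirms 110 is inbound)
!   terminal monitor                             (see %SEC-6-IPACCESSLOG* on a vty)
```

Two caveats a practitioner would want alongside the thread's advice. First, the `established` line is the only thing that lets LAN hosts' own outbound TCP connections work once the inbound list is in place; UDP replies (for example DNS answers to LAN clients) are not covered by it and need either explicit permits or CBAC (`ip inspect`) on a firewall feature-set image. Second, the `log` keyword costs CPU on a small router like a 1700 and rate-limits itself, so keep it on the permit lines you care about and the final deny, not on every entry.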
Just a little tip that may help in future cert tests as well.

Extended access-lists are put closest to the source.
Standard access-lists are put closest to the destination.

So, as was mentioned before, put an extended access-list on the WAN interface inbound.
 
Thanks a lot for all your tips and suggestions!

 