
Questions on access-lists / access-group

Status
Not open for further replies.

kfriend

MIS
Feb 10, 2003
50
US
I'd like to thank everyone for all the help you've provided me with in the past--

I was playing around yesterday, I had three access-lists that looked something like this:

access-list ACL-1 permit tcp host ME host YOU eq 23

access-list ACL-2 permit tcp host ME host YOU range 5000 7000

access-list ACL-3 permit tcp host ME host YOU eq 80


Now I go to apply this to the interface using access-group...now here's my question.

If host "ME" is on interface1 (inside) and host "YOU" is interface0 (outside) do I only need to apply this to outside interface?
access-group ACL-1 in interface outside

or is it necessary to also apply to inside?

Additionally...does anyone know how many access lists you can bind to an adapter? When I was playing around I tried doing 3, and I did show access-group and it only showed 2 that I had inputted.

Lastly, does anyone know max number of access-lists? Is it better to go:
access-list ACL-1 permit tcp host ME host YOU eq 80
access-list ACL-2 permit udp host ME host YOU eq 534243

or just go:
access-list ACL-1 permit tcp host ME host YOU eq 80
access-list ACL-1 permit udp host ME host YOU eq 534243


thanks in advance for any information you can provide.
 
You would apply that to the inside interface. The first host is the source and the second is the destination. So ME is the source and YOU is the destination.

You can only apply one ACL per interface, so put all the configuration in the same ACL.

Also, if you apply that ACL to the inside interface, it will block everything that doesn't match it so be careful.

For example, with that current ACL you will only allow the host ME to access telnet, www, and 5000-7000 to host YOU. All other traffic would be blocked.

-Bad Dos
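To make the answer above concrete, here is an added illustration (not code from the thread or from Cisco): a toy evaluator for the subset of PIX access-list syntax used in the question, applying first-match semantics and the implicit deny at the end of the list. The three lists from the question are folded into one ACL, since the PIX binds only one ACL per interface; the host names ME and YOU are the thread's placeholders, and the sample ACL text is constructed for this example.

```python
import re

# Constructed sample: the question's three lists merged into a single ACL,
# which is what you would bind inbound on the inside interface.
MERGED_ACL = """
access-list ACL-1 permit tcp host ME host YOU eq 23
access-list ACL-1 permit tcp host ME host YOU range 5000 7000
access-list ACL-1 permit tcp host ME host YOU eq 80
"""

# Supported subset: access-list NAME permit|deny PROTO host SRC host DST [eq N | range LO HI]
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp|ip)"
    r"\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<eq>\d+)|\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+))?\s*$"
)


def parse_acl(text):
    """Return {acl_name: [entry, ...]}, keeping the entries in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported access-list line: {line!r}")
        g = m.groupdict()
        if g["eq"]:
            ports = (int(g["eq"]), int(g["eq"]))
        elif g["lo"]:
            ports = (int(g["lo"]), int(g["hi"]))
        else:
            ports = (0, 65535)  # no port qualifier: any port
        acls.setdefault(g["name"], []).append(
            {"action": g["action"], "proto": g["proto"],
             "src": g["src"], "dst": g["dst"], "ports": ports})
    return acls


def evaluate(entries, proto, src, dst, dport):
    """First matching entry decides; anything unmatched hits the implicit deny.

    src is the first host on the line and dst the second, as the answer notes,
    so a reply-direction packet (YOU -> ME) does not match these entries."""
    for e in entries:
        lo, hi = e["ports"]
        if e["proto"] in (proto, "ip") and e["src"] == src and e["dst"] == dst and lo <= dport <= hi:
            return e["action"]
    return "deny (implicit)"
```

Running evaluate() over the merged ACL shows only telnet, www and 5000-7000 from ME to YOU permitted; any other port, protocol or direction falls through to the implicit deny the answer warns about.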
 
I see. Thanks for the input, it's all starting to make less sense...er I mean more sense. =)

 
I'd highly recommend reading "Configuring IP Access Lists" on the CCO website. It really helped me in understanding the "ins" and "outs".

Remember, it's geared to routers, so things like converting subnet masks can be ignored, i.e. changing 255.255.255.0 to 0.0.0.255.

There is no "access-group xyz out interface abc" in PIX.


If you don't have a CCO login I'd HIGHLY recommend getting one - there is an amazing amount of info there. "If you lived here, you'd be home by now!"

George Carlin
 