.
Manucomp Systems
Hours of Operation

Monday to Friday:
9am - 6pm EST

Saturday & Sunday:
Closed

If you would like additional information please contact us toll-free at :

1-866-440-1115
info@manucomp.com

Can't find the product you are looking for?
Request a quote.
Applying Access Control Lists
Back to Cisco Tips
Assumptions:

Internal Network: 63.36.9.0

access-list 101 - Applied to traffic leaving the office (outgoing)

access-list 102 - Applied to traffic entering the office (incoming)

ACL 101 access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 102 access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established

We will apply our ACLs to the serial (T1) interface to protect our network and to limit our user's Internet access to just web browsing.

Before we do that, we need to add one more entry to access-list 101 to allow HTTPS for web browsing. If you have a clue about TCP/IP you know that web browsing (HTTP) is done on port 80 and that web browsing securely (HTTPS) is done on port 443. So we also need to open port 443 if any user is to be able to let's say place an online order or check their bank account. Typically, the web page where you enter your personal information should be secure and thus requires the use of HTTPS.

The line we add is very similar to the line that is already in access list 101. You probably already have it figured out by now:

access-list 101 tcp permit 63.36.9.0 0.0.0.255 any eq 443

Now that our ACLs are complete, here is how we apply them to an interface.

In or Out
We first must decide the traffic that we are filtering is going in or out. Our users trying to access websites on the Internet is a good example of traffic going OUT from our business. Receiving e-mails from the Internet is a good example of traffic coming IN to our business. But depending on the interface you want to apply the ACLs to, will determine the direction of the traffic.

Take for example a router with 2 interfaces. It has a serial port, ser0/0, (AKA T-1 connection) and an ethernet port, eth0/0. The Internet traffic coming IN to our office is going IN the ser0/0 interface, but is also going OUT the eth0/0 interface to reach the office network. See how that works?

Now you have all kinds of options as to where you put your restrictions on your serial ports or your ethernet ports and this is just with a simple example!

For now we will activate the access lists on the serial port so the point of views (POV) are the same. Traffic coming IN the office is also going IN the serial port and traffic going OUT of the office is going OUT that same serial port.

Applying Access Lists
Finally the instructions you all have been waiting for! Make sure you are in enabled mode. Then use the command below:

conf t int ser0/0 access-group 101 out access-group 102 in

See how you must be in configuration mode of the interface to apply an access-list? Remember that you can only apply ONE ACL in each direction of an interface.