Cisco access lists are simple to understand once you know how a Cisco device decides whether a packet is entering or leaving it.
Picture 1:
Picture 1 shows a Cisco device with two interfaces, one external and one internal. Each interface has an "in" side and an "out" side, and this is the concept to understand: any packet entering the device through an interface is counted on that interface's "IN" side, and any packet leaving the device through an interface is counted on that interface's "OUT" side. A packet is therefore checked at most twice: once by the "in" access list of the interface it arrives on, and once by the "out" access list of the interface it departs from.

So a packet sent by an internal IP towards another interface can be blocked either by the "IN" access list of the internal interface (where it enters) or by the "OUT" access list of the other interface (where it leaves).
Based on the diagram, if the device's external interface is connected to the internet and the internal interface is connected to our local switch, and we want users on the internal switch to be unable to reach any FTP server on the internet, then we need to put the following access list on the PIX (FTP control connections use TCP port 21):

access-list 100 line 1 extended deny tcp any any eq 21
access-list 100 line 2 extended permit ip any any
access-group 100 in interface inside

or

access-group 100 out interface outside

Here inside and outside are the interface names (nameif) of the internal and external interfaces. The permit line is needed because every access list ends with an implicit deny; without it, binding the list would drop all other traffic as well. Two caveats are worth keeping in mind. First, the deny line only stops the FTP control channel on port 21, so an FTP server listening on a non-standard port is not blocked. Second, the two access-group placements give the same result for this inside-to-internet flow but are not equivalent in general: bound inbound on inside, the list filters everything users send into the device, whatever interface it leaves by; bound outbound on outside, it filters everything leaving towards the internet, whatever interface it came from.
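To make the in/out concept concrete, here is a small first-match evaluator that models how the list above is applied on the ingress interface's "in" side and the egress interface's "out" side. This is an added example written for this page, not code from the original post or from Cisco; the Ace/Packet classes, the forward() function, the interface names and the sample packets (documentation-range addresses) are all constructed for illustration. It models only the first-match and implicit-deny behaviour of the list; the PIX/ASA security-level rule for interfaces with no list bound, and stateful handling of the FTP data channel, are deliberately left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source, destination, optional destination port."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol; otherwise "tcp" or "udp"
    src: str                    # CIDR network or "any"
    dst: str                    # CIDR network or "any"
    dport: Optional[int] = None # destination port; None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    ingress: str                # interface the packet arrives on
    egress: str                 # interface the packet will leave by


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)


def evaluate_acl(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; a list with no matching entry ends in an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


Bindings = Dict[Tuple[str, str], str]   # (interface, "in" | "out") -> access-list name


def forward(pkt: Packet, bindings: Bindings, acls: Dict[str, List[Ace]]) -> str:
    """
    Apply the "in" list of the ingress interface, then the "out" list of the
    egress interface. An interface with no list bound is treated here as
    permitting everything (simplification: the PIX/ASA security-level rule is not modelled).
    """
    for iface, direction in ((pkt.ingress, "in"), (pkt.egress, "out")):
        name = bindings.get((iface, direction))
        if name is not None and evaluate_acl(acls[name], pkt) == "deny":
            return f"dropped by {name} ({iface} {direction})"
    return "forwarded"


# Access list 100 from the post, expressed as data.
ACLS = {
    "100": [
        Ace("deny", "tcp", "any", "any", 21),
        Ace("permit", "ip", "any", "any"),
    ]
}

# Constructed sample packets; the addresses are documentation ranges, not real hosts.
FTP_OUT  = Packet("tcp", "192.168.1.10", "203.0.113.5", 21,   "inside",  "outside")
HTTP_OUT = Packet("tcp", "192.168.1.10", "203.0.113.5", 80,   "inside",  "outside")
FTP_ALT  = Packet("tcp", "192.168.1.10", "203.0.113.5", 2121, "inside",  "outside")
FTP_IN   = Packet("tcp", "203.0.113.5",  "192.168.1.10", 21,  "outside", "inside")

# The two bindings from the post.
INSIDE_IN   = {("inside", "in"): "100"}
OUTSIDE_OUT = {("outside", "out"): "100"}


if __name__ == "__main__":
    samples = (("ftp", FTP_OUT), ("http", HTTP_OUT),
               ("ftp on 2121", FTP_ALT), ("ftp from internet", FTP_IN))
    for label, pkt in samples:
        print(f"{label:18} inside/in: {forward(pkt, INSIDE_IN, ACLS):30} "
              f"outside/out: {forward(pkt, OUTSIDE_OUT, ACLS)}")
```

Running it shows the FTP packet dropped under either binding, HTTP and FTP-on-2121 forwarded under both, and an FTP connection arriving from the internet untouched by both bindings, because neither (outside, in) nor (inside, out) has a list bound. That last case is the direction rule in action: a list bound "in" on inside never sees packets that enter on outside.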
I hope the basic concept is now clear; it is important to keep it in mind whenever you implement an access list on a Cisco device.