Setting up ACL for network. restrict access

migz1234 Posts: 4 Registered Users
Hi. So I'm trying to set up a network. I have a router (R2) connected to an outside network server 209.165.200.224 and to another router R3. On this router I want to set up an access list which will allow anything in my inside network 192.168.x.x to ping to the outside network 209.x.x.x and allow the internet/outside web server to ping in to 1 address only on my router, which is a loopback address 10.10.10.10. I'm not sure how to go about this. I'm thinking put the ACL on the interface connected to outside networks in the OUT direction.

Can I do this with just 1 access list on one interface?



Thoughts? Thanks.

Comments

  • OctalDump Posts: 1,722 Member
    Read this.

    So, think about the components of an access list:
    name/number
    action
    (protocol)
    source
    destination
    (message type)

    So, yeah, you can apply a rule for the source of 192.168.0.0/16 and a destination of 209.0.0.0/8 matching ICMP. You can have another rule to match the incoming 209.0.0.0/8 (or is it any internet host or a specific internet host?) with destination of 10.10.10.10.

    Now the other question is "Can I do this with just one ACL on one interface?" and the answer to that is pretty much given in the "list" part of Access Control List. The only question is whether both kinds of traffic have to pass through the same interface at some point. Is that the best way? Well, it depends.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • d4nz1g Posts: 464 Member
    Well, since you mentioned internet access, I would recommend using ZBFW.

    Regular ACLs are stateless, and return traffic from the internet is likely to be blocked by an input ACL on the router's external interface.

    You would need a dynamic ACL or Stateful Inspection (ZBFW does that for you).
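To make both points in this thread concrete, here is an added example that is not code from either poster or from Cisco: a small Python model that parses a subset of Cisco IOS numbered extended ACL syntax (the two rules OctalDump describes, one per direction on the external interface), evaluates a packet top-down with the implicit deny at the end, and then shows the stateless problem d4nz1g raises: the echo-reply coming back from 209.x to the inside host is dropped by the inbound ACL unless a rule explicitly permits it. The ACL numbers 101 and 102, the sample host addresses and the config text are constructed for this example.

```python
"""Model of Cisco IOS extended ACL evaluation (added illustration, not from the thread).

Supported subset of IOS syntax, one rule per line:
  access-list <number> <permit|deny> <proto> <src> <dst> [icmp-type]
where <src>/<dst> is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
Rules are matched top-down, first match wins, implicit 'deny any' at the end.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed config: ACL 101 is meant for the OUT direction on the external
# interface (inside hosts pinging 209/8), ACL 102 for the IN direction
# (internet hosts pinging the loopback 10.10.10.10 only).
SAMPLE_CONFIG = """
access-list 101 permit icmp 192.168.0.0 0.0.255.255 209.0.0.0 0.255.255.255 echo
access-list 102 permit icmp any host 10.10.10.10 echo
"""

# Same config with one extra rule on the inbound ACL so echo-replies from 209/8
# to inside hosts are allowed back in (the stateless work-around).
RETURN_PERMITTED_CONFIG = SAMPLE_CONFIG + (
    "access-list 102 permit icmp 209.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255 echo-reply\n"
)


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: tuple[int, int]          # (address, wildcard) as 32-bit ints
    dst: tuple[int, int]
    icmp_type: Optional[str]


def _parse_addr(tokens: list[str], i: int) -> tuple[tuple[int, int], int]:
    """Parse an address spec starting at tokens[i]; return ((addr, wildcard), next index)."""
    tok = tokens[i]
    if tok == "any":                       # 'any' == 0.0.0.0 255.255.255.255
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":                      # 'host X' == X 0.0.0.0
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_acl(config: str) -> dict[str, list[Rule]]:
    """Group access-list lines by ACL number, preserving their order."""
    acls: dict[str, list[Rule]] = {}
    for line in config.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        icmp_type = tokens[i] if i < len(tokens) else None
        acls.setdefault(number, []).append(Rule(action, proto, src, dst, icmp_type))
    return acls


def _matches(spec: tuple[int, int], ip: str) -> bool:
    """Wildcard-mask match: a set bit in the wildcard means 'don't care'."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(rules: list[Rule], proto: str, src: str, dst: str,
             icmp_type: Optional[str] = None) -> str:
    """Return 'permit' or 'deny' for one packet, IOS-style first match wins."""
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if not (_matches(r.src, src) and _matches(r.dst, dst)):
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        return r.action
    return "deny"   # implicit deny at the end of every IOS ACL


def check_round_trip(config: str) -> tuple[str, str]:
    """Verdicts for an inside host's echo going out (ACL 101) and the reply coming back (ACL 102)."""
    acls = parse_acl(config)
    inside, outside = "192.168.1.5", "209.165.200.224"   # constructed sample hosts
    outbound = evaluate(acls["101"], "icmp", inside, outside, "echo")
    inbound_reply = evaluate(acls["102"], "icmp", outside, inside, "echo-reply")
    return outbound, inbound_reply


if __name__ == "__main__":
    print("stateless ACLs, no reply rule:", check_round_trip(SAMPLE_CONFIG))
    print("with explicit echo-reply rule:", check_round_trip(RETURN_PERMITTED_CONFIG))
```

With SAMPLE_CONFIG the echo leaves fine but the reply is dropped by ACL 102's implicit deny, which is exactly why d4nz1g warns about stateless ACLs on the external interface. The extra echo-reply rule in RETURN_PERMITTED_CONFIG fixes the ping, but it is a blanket permit: any host in 209/8 can now send unsolicited echo-replies to any inside address, which is the gap a stateful inspection (ZBFW) or a reflexive ACL closes by only admitting replies to sessions the inside actually started.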