RE: access-group difference [7:62769] posted 02/16/2003


Thanks Jose, I got the concept. 


Ismail Al-Shelh


-----Original Message-----
From: Jose Canillas [mailto:jcanillas@xxxxxxxxxxxxxxxxx] 
Sent: Sunday, February 16, 2003 1:24 AM
To: cisco@xxxxxxxxxxxxxx
Subject: Re: access-group difference [7:62769]

Let me try to help you,

"Access-group x in interface inside" means: apply the x access-list restrictions
to all traffic entering the inside interface (AKA outbound traffic).
"Access-group y in interface outside" means: apply the y access-list restrictions
to all traffic entering the outside interface (AKA inbound traffic).

Why can you apply in and out ACLs to any interface? This makes sense in
three or more interface firewalls; the trick is that you could have traffic
coming from the inside interface and going to the outside network OR going
to another interface's network, that is basically the difference. Same thing
happens with the traffic coming from the outside network: its destination
could be the inside network, which it is for sure in the case of a two-interface
firewall, BUT its destination could also be, let's say, the DMZ network, in
the case of a three-interface firewall.

That's why you need out and in ACLs on every interface.

About what you say:
> If both commands access-group in interface inside and access-group in
> interface outside are meant for the inbound traffic, then why did Cisco experts
> design the two commands for the same result?

Each command applies to different traffic, the first is for outbound and the
second for inbound.

Regards,

Jose
-----------------------------------------------------------------------------------------------
"Ismail Al-Shelh" wrote in message
news:200302150545.FAA01592@xxxxxxxxxxxxxxxxx
> Well, I am again confused, because the thing which was in my mind is that
> access-group acl_in in interface inside means that the access-list binds to
> the inside interface for the outbound traffic, not the inbound traffic!
>
> I agree that the command access-group acl_out in interface outside means that
> the access-list binds to the outside interface for the inbound traffic, and
> this is so clear because everything from outside of the PIX to the inside
> is denied.
>
> The confusion right now is in the real meaning of the
> access-group in interface inside
>
> Am I making any sense?
>
> If both commands access-group in interface inside and access-group in
> interface outside are meant for the inbound traffic, then why did Cisco experts
> design the two commands for the same result?
>
> Ismail Al-Shelh
> Abdulla Fouad Company
> Network Engineer
> CD-Dammam
>
>
> -----Original Message-----
> From: BJ Rice [mailto:nobody@xxxxxxxxxxxxxx]
> Sent: Monday, February 10, 2003 10:37 PM
> To: cisco@xxxxxxxxxxxxxx
> Subject: RE: access-group difference [7:62769]
>
> oops, one mistake
>
> I meant to say this
>
> access-group acl_in in interface inside - binds the acl_in access list
> (created above) to the inside interface.
>
> instead of this
> access-group acl_in in interface inside - binds the acl_in access list
> (created above) to the outside interface (for inbound traffic).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63115&t=62769
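The point Jose makes above, that the ACL is chosen by the interface the traffic enters and not by where it is going, modelled as a small simulator. This is an added example, not code from the thread or from Cisco; the interface names, networks, hosts and ACL contents are made up for illustration, and an interface with no access-group is treated as dropping traffic, which is a simplification of this model.

```python
import ipaddress
from collections import namedtuple

ANY = "0.0.0.0/0"
Rule = namedtuple("Rule", "action src dst dport")       # src/dst are CIDRs; dport 0 = any port
Packet = namedtuple("Packet", "ingress src dst dport")  # ingress = interface the packet enters on

def matches(rule, pkt):
    return (rule.dport in (0, pkt.dport)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))

class Pix:
    def __init__(self):
        self.acls = {}    # access-list NAME ... lines, grouped by NAME
        self.bound = {}   # access-group NAME in interface IF, stored as {IF: NAME}
    def access_list(self, name, rule):
        self.acls.setdefault(name, []).append(rule)
    def access_group(self, name, iface):
        self.bound[iface] = name
    def check(self, pkt):
        acl = self.bound.get(pkt.ingress)   # the ingress interface alone picks the ACL
        if acl is None:
            return "deny"                   # model assumption: unbound interface drops
        for rule in self.acls.get(acl, []):
            if matches(rule, pkt):
                return rule.action
        return "deny"                       # implicit deny at the end of every ACL

def build_pix():
    pix = Pix()
    # acl_in sees everything entering "inside", bound for the outside OR the DMZ
    pix.access_list("acl_in", Rule("permit", "10.0.0.0/24", ANY, 80))
    pix.access_list("acl_in", Rule("permit", "10.0.0.0/24", "192.168.1.0/24", 22))
    pix.access_group("acl_in", "inside")
    # acl_out sees everything entering "outside"; only HTTP to the DMZ web host passes
    pix.access_list("acl_out", Rule("permit", ANY, "192.168.1.10/32", 80))
    pix.access_group("acl_out", "outside")
    return pix   # nothing is bound to "dmz", so DMZ hosts cannot originate traffic

def demo():
    pix = build_pix()
    return {
        "inside->outside:80": pix.check(Packet("inside", "10.0.0.5", "198.51.100.7", 80)),
        "inside->dmz:22": pix.check(Packet("inside", "10.0.0.5", "192.168.1.10", 22)),
        "outside->dmz:80": pix.check(Packet("outside", "203.0.113.9", "192.168.1.10", 80)),
        "outside->inside:80": pix.check(Packet("outside", "203.0.113.9", "10.0.0.5", 80)),
        "dmz->inside:445": pix.check(Packet("dmz", "192.168.1.10", "10.0.0.5", 445)),
    }
```

Both inside-originated flows are decided by acl_in regardless of destination, which is why a third interface needs its own access-group rather than relying on the inside or outside list.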