
Yusuf Bhaiji

"Network Security Technologies and Solutions"

One access list of each type (Extended and EtherType) can be applied to both directions of an interface.
Example 6-20 shows how to configure an inbound ACL for network access from the lower security level (outside interface) to a higher security level (inside interface), allowing traffic to a web server with IP address 209.165.201.1. (This is a statically translated address that is visible on the outside interface.) The ACL is applied to the outside interface and filters inbound traffic through the firewall.
Example 6-20. Inbound ACL on the Outside Interface

hostname(config)# static (inside,outside) 209.165.201.1 10.1.1.1 netmask 255.255.255.255
hostname(config)# access-list 101 extended permit tcp any host 209.165.201.1 eq www
hostname(config)# access-group 101 in interface outside
Example 6-21 shows how to configure an outbound ACL for granular network access control from a higher security level (inside interface) to a lower security level (outside interface), thereby preventing internal hosts in 10.1.1.0/24 from accessing the external 209.165.202.128/27 network. All other traffic is explicitly permitted. The access list is applied in the outbound direction on the outside interface (the destination interface for exiting packets).
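The outbound configuration that paragraph describes, written out as an added illustration (this is not the book's Example 6-21). It assumes the same `hostname` prompt as above and uses access list number 102, a constructed choice; the addresses and interface come from the text.

```cisco
hostname(config)# access-list 102 remark Block inside hosts 10.1.1.0/24 from reaching 209.165.202.128/27
hostname(config)# access-list 102 extended deny ip 10.1.1.0 255.255.255.0 209.165.202.128 255.255.255.224
hostname(config)# access-list 102 remark Explicit permit: without it the implicit deny at the end would drop all other exiting traffic
hostname(config)# access-list 102 extended permit ip any any
hostname(config)# access-group 102 out interface outside
hostname(config)# show access-list 102
```

Note that the firewall syntax takes ordinary subnet masks (255.255.255.224 for /27), not IOS-style wildcard masks; the `show access-list` output includes per-entry hit counts, which is the quickest check that the deny entry is actually matching the traffic it was written for.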

