Alternatively, the same access list can be applied inbound on the inside interface (the source interface for
arriving packets) to achieve the same results.
Example 6-21. Outbound ACL on the Outside Interface
hostname(config)# access-list 102 extended deny tcp 10.1.1.0 255.255.255.0 209.165.202.128 255.255.255.224
hostname(config)# access-list 102 extended permit ip any any
hostname(config)# access-group 102 out interface outside
! or apply inbound on source interface
hostname(config)# access-group 102 in interface inside
Tip
Remember that configuring an outbound ACL is optional and not required, as shown in Figure 6-19.
Simplifying Access Lists with Object Groups
Access lists can be long and cumbersome to create and maintain for medium-to-large enterprise networks. ACL
configuration can be repetitive and difficult to troubleshoot when a problem occurs. A simpler and more
effective approach is to group like objects together and reference them in the ACL. Object grouping simplifies
access list creation and maintenance.
Following are four types of object groups:
Protocol: A protocol-type object group is used to define the protocols (for example, ICMP, TCP, or UDP).
Use the object-group protocol grp_id command, and define the protocols with the protocol-object
{protocol} command in object-group submode.
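As an added illustration (not from the book), the following configuration shows how a protocol object group collapses the deny rule of Example 6-21 for both TCP and UDP into a single ACE. The group name TCPUDP is an assumed name chosen for this example.

```text
! Define a protocol object group holding both transport protocols
hostname(config)# object-group protocol TCPUDP
hostname(config-protocol)# protocol-object tcp
hostname(config-protocol)# protocol-object udp
hostname(config-protocol)# exit

! Without the object group, one ACE per protocol is needed:
!   access-list 102 extended deny tcp 10.1.1.0 255.255.255.0 209.165.202.128 255.255.255.224
!   access-list 102 extended deny udp 10.1.1.0 255.255.255.0 209.165.202.128 255.255.255.224
! With the object group, a single ACE references the group in place of the protocol keyword;
! the security appliance expands it to the equivalent per-protocol entries.
hostname(config)# access-list 102 extended deny object-group TCPUDP 10.1.1.0 255.255.255.0 209.165.202.128 255.255.255.224
hostname(config)# access-list 102 extended permit ip any any

! Apply the ACL exactly as in Example 6-21 (outbound on outside, or inbound on inside)
hostname(config)# access-group 102 out interface outside
```

Adding a protocol to the group later (for example, protocol-object icmp) updates every ACE that references TCPUDP without editing the access list itself.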