Applying Cisco Access Control Lists (ACLs)
By Joshua Erdman
Recall in the previous article how ACLs are made and when to use a standard ACL vs. an extended one.
Reusing our example:
We will apply our ACLs to the serial (T1) interface to protect our network and to limit our user's Internet access to just web browsing.
Before we do that, we need to add one more entry to access-list 101 to allow HTTPS for web browsing. If you have a clue about TCP/IP you know that web browsing (HTTP) is done on port 80 and that web browsing securely (HTTPS) is done on port 443. So we also need to open port 443 if any user is to be able to let's say place an online order or check their bank account. Typically, the web page where you enter your personal information should be secure and thus requires the use of HTTPS.
The line we add is very similar to the line that is already in access list 101. You probably already have it figured out by now:
access-list 101 tcp permit 22.214.171.124 0.0.0.255 any eq 443
Now that our ACLs are complete, here is how we apply them to an interface.
In or Out
We first must decide the traffic that we are filtering is going in or out. Our users trying to access websites on the Internet is a good example of traffic going OUT from our business. Receiving e-mails from the Internet is a good example of traffic coming IN to our business. But depending on the interface you want to apply the ACLs to, will determine the direction of the traffic.
Take for example a router with 2 interfaces. It has a serial port, ser0/0, (AKA T-1 connection) and an ethernet port, eth0/0. The Internet traffic coming IN to our office is going IN the ser0/0 interface, but is also going OUT the eth0/0 interface to reach the office network. See how that works?
Now you have all kinds of options as to where you put your restrictions on your serial ports or your ethernet ports and this is just with a simple example!
For now we will activate the access lists on the serial port so the point of views (POV) are the same. Traffic coming IN the office is also going IN the serial port and traffic going OUT of the office is going OUT that same serial port.
Applying Access Lists
Finally the instructions you all have been waiting for! Make sure you are in enabled mode. Then use the command below:
See how you must be in configuration mode of the interface to apply an access-list? Remember that you can only apply ONE ACL in each direction of an interface.
Our next article is on methods for Editing ACLs. This is very handy when you are dealing with several ACLs at once.
Article last reviewed: 07/21/2003