Cisco 7200 Router IOS 12.X Extended Access-lists/Access-groups. Why use access group out.
Posted on 2004-08-04
I know out is the default for an access-group. Why? The one argument I saw for using in sounds good: why send traffic through the routing engine just to drop it anyway? If traffic is going from the internal network to an external host, drop the traffic as it enters the internal interface. Why would you ever want to wait?
Also I want to have a config that denies specific ports from external to internal but allows everything else, and blocks icmp echo-reply out, I think:
access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 80
access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 25
access-list 110 permit icmp any any
! temp rule until I figure out what is legit inbound and can add permits
access-list 110 permit ip any any
access-list 120 deny icmp 192.168.0.10 0.0.0.0 any echo-reply
access-list 120 permit icmp any any
access-list 120 permit ip any any
! applied to the outside interface (interface name not given in the post)
interface <outside-interface>
 ip access-group 110 in
! applied to the internal interface (interface name not given in the post)
interface <internal-interface>
 ip access-group 120 in
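To see which packets the two lists above actually drop, here is an added example (not from the post) that transcribes access-lists 110 and 120 into Python and evaluates them with IOS first-match semantics, wildcard masks and the implicit deny at the end. It assumes IPv4 only, exact destination-port matches and no `established` keyword, and the sample addresses in the test are constructed.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care'; 'any' is 0.0.0.0 255.255.255.255."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (b & care)

# Entry layout: (action, proto, src, src_wildcard, dst, dst_wildcard, dst_port, icmp_type)
ANY = ("0.0.0.0", "255.255.255.255")

# access-list 110, as the post shows it (inbound on the outside interface)
ACL_110 = [
    ("deny",   "tcp",  *ANY, "192.168.0.0", "0.0.0.255", 80,   None),
    ("deny",   "tcp",  *ANY, "192.168.0.0", "0.0.0.255", 25,   None),
    ("permit", "icmp", *ANY, *ANY,                        None, None),
    ("permit", "ip",   *ANY, *ANY,                        None, None),
]

# access-list 120, as the post shows it (inbound on the internal interface)
ACL_120 = [
    ("deny",   "icmp", "192.168.0.10", "0.0.0.0", *ANY,  None, "echo-reply"),
    ("permit", "icmp", *ANY, *ANY,                       None, None),
    ("permit", "ip",   *ANY, *ANY,                       None, None),
]

def evaluate(acl, proto, src, dst, dst_port=None, icmp_type=None):
    """Walk the list top-down; the first matching entry decides."""
    for action, p, s, s_wc, d, d_wc, port, itype in acl:
        if p != "ip" and p != proto:          # 'ip' matches every protocol
            continue
        if not (wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc)):
            continue
        if port is not None and port != dst_port:
            continue
        if itype is not None and itype != icmp_type:
            continue
        return action
    return "deny"   # every IOS ACL ends with an implicit 'deny ip any any'

if __name__ == "__main__":
    print(evaluate(ACL_110, "tcp", "203.0.113.7", "192.168.0.20", dst_port=80))
    print(evaluate(ACL_120, "icmp", "192.168.0.10", "203.0.113.7", icmp_type="echo-reply"))
```

Swapping the order of entries, or removing the final permit, changes the answers, which is the quickest way to check a list before applying it to an interface.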