Ramesh,

Access-lists are processed from the point of view of the router: "in" means "in my interface" and "out" means "out my interface", so it's the opposite of the way you're viewing it.
The PIX has a default behavior of allowing all packets from a higher security interface to a lower security interface and only allowing return traffic from a lower security interface to a higher security interface. You only need access-lists if you want to change this behavior, so the access-lists only need to be applied "in" on a higher security interface (to _block_ inside initiated traffic that would normally be allowed) or "in" on a lower security interface (to _allow_ outside initiated traffic that would normally be blocked).

Routers have a default behavior of allowing all traffic, so you may need both "in" and "out" ACLs that you would not need on the PIX.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ramesh c
Sent: Wednesday, December 05, 2001 7:02 AM
To: [EMAIL PROTECTED]
Subject: Access-list [7:28188]

Folx,

A) I got 2 networks connected by a router. I apply access-group for both in and out of the interface. Is my assumption correct?

1) The access list for "in" would be processed when the packet leaves that interface to a different network?
2) The access list for "out" would be processed when the packet arrives from a different network?

But in case of PIX, why is there only "in"?

cheers

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=28209&t=28188
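The direction rules from the reply above, as an added configuration sketch that is not part of the original thread. All addresses, ACL names and numbers are constructed, the PIX lines assume PIX 6.x-style `access-list`/`access-group` syntax, and the PIX part assumes address translation for the published server is already configured.

```cisco
! --- IOS router (constructed example): two LANs joined by one router ---
! Direction is relative to the router's interface, not to the hosts:
!   ACL 101 "in"  = checked when a packet from LAN A enters the router on Ethernet0
!   ACL 102 "out" = checked when a packet is about to leave the router onto LAN A
interface Ethernet0
 description LAN A 10.1.1.0/24
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out
!
interface Ethernet1
 description LAN B 10.1.2.0/24
 ip address 10.1.2.1 255.255.255.0
!
! LAN A hosts may open web sessions to LAN B; anything else they send is dropped
access-list 101 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www
access-list 101 deny   ip any any
! Only replies belonging to those sessions are forwarded onto LAN A.
! The router ACL is stateless, so the return path needs its own rule.
access-list 102 permit tcp 10.1.2.0 0.0.0.255 eq www 10.1.1.0 0.0.0.255 established
access-list 102 deny   ip any any

: --- PIX (constructed example) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
: inside (100) -> outside (0) is allowed by default and return traffic is
: allowed back, so no ACL is needed for ordinary outbound sessions.
:
: Case 1: block an inside-initiated flow that would normally be allowed.
: Applied "in" on the higher security interface.
access-list acl_inside deny tcp any any eq telnet
access-list acl_inside permit ip any any
access-group acl_inside in interface inside
:
: Case 2: allow an outside-initiated flow that would normally be blocked.
: Applied "in" on the lower security interface. 192.0.2.10 is the server's
: translated address (translation assumed to exist already).
access-list acl_outside permit tcp any host 192.0.2.10 eq www
access-group acl_outside in interface outside
```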

