Re: ACL [7:2882]
wouldn't that be a resource hog

----- Original Message -----
From: Allen May
Sent: Wednesday, May 02, 2001 1:55 PM
Subject: Re: ACL [7:2882]

> 1 reason would be to separate ACLs per internal IP address you're
> permitting/denying access to. 101 = specific IP allowing ftp and http,
> 102 = different IP allowing http only, etc. It would look cleaner anyway.
>
> ----- Original Message -----
> From: Donald B Johnson jr
> Sent: Wednesday, May 02, 2001 3:19 PM
> Subject: Re: ACL [7:2882]
>
> > Why
> >
> > ----- Original Message -----
> > From: BASSOLE Rock
> > Sent: Wednesday, May 02, 2001 7:24 AM
> > Subject: ACL [7:2882]
> >
> > > Hi,
> > >
> > > Can we apply more than one ACL per interface?
> > >
> > > Example:
> > >
> > >   Interface Serial1
> > >    ip access-group 102 in
> > >    ip access-group 103 out
> > >    ip access-group 104 in
> > >    ip access-group 105 out
> > >
> > > Thank you.
> > >
> > > Rock BASSOLE
> > > Tel: +33 (0) 1 45 96 22 03

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=3029t=2882
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: ACL [7:2882]
I'm sure there are plenty of people who know more about ACLs than I do... I just use 'em ;)

Correct me if I'm wrong, but doesn't it process every line in the ACLs for the interface it's passing through until it finds a match for permit/deny? If you separate by ACL numbers you would have a few more lines... depending on the configuration maybe A LOT more lines... but it would be easier to manage and maintain in my opinion.

The thing I'll have to play with this weekend is trying to combine an ACL for an outside interface that includes IPSec with TACACS+ authentication AND have regular access to the web servers on port 80 without authentication. If authenticated on IPSec you would have ports open for ftp. Now before we get into the fact that when you're authenticated you are on an inside interface no longer bound by the external interface, consider also having IPSec router-to-router or PIX-to-PIX dedicated tunnels. Seems sadistic that I thought this up but it's actually a project I'm putting myself through... rofl.

Later
Allen

----- Original Message -----
From: Donald B Johnson jr
To: Allen May
Sent: Thursday, May 03, 2001 11:45 AM
Subject: Re: ACL [7:2882]

> wouldn't that be a resource hog
>
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=3047t=2882
RE: ACL [7:2882]
Am I correctly reading that you are terminating your IPSec tunnels on the same interface where the access-list in question will be applied? Are you running a router with the IOS firewall / IPSec feature set?

Look, the rule is one access-list per direction per protocol per interface. Period. So no, you cannot have several IP access-lists applied in the same direction on a single interface. Them's the rules.

That said, there is a separate access-list that defines traffic to be encrypted and sent through the VPN tunnel. This may be what you have in mind when you talk about several access-lists, each with a different function.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Allen May
Sent: Thursday, May 03, 2001 8:52 AM
To: [EMAIL PROTECTED]
Subject: Re: ACL [7:2882]

> I'm sure there are plenty of people who know more about ACLs than I do... I just use 'em ;)
>
> Correct me if I'm wrong, but doesn't it process every line in the ACLs for the interface it's passing through until it finds a match for permit/deny? If you separate by ACL numbers you would have a few more lines... depending on the configuration maybe A LOT more lines... but it would be easier to manage and maintain in my opinion.
>
> The thing I'll have to play with this weekend is trying to combine an ACL for an outside interface that includes IPSec with TACACS+ authentication AND have regular access to the web servers on port 80 without authentication. If authenticated on IPSec you would have ports open for ftp. Now before we get into the fact that when you're authenticated you are on an inside interface no longer bound by the external interface, consider also having IPSec router-to-router or PIX-to-PIX dedicated tunnels. Seems sadistic that I thought this up but it's actually a project I'm putting myself through... rofl.
>
> Later
> Allen
>
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=3103t=2882
Re: ACL [7:2882]
Here's what I've got for my IPSEC + NAT-incoming to server + NAT-outgoing for shared access:

- ACL protecting incoming on the outside interface
- Route-map/ACL on all non-outside interfaces that jump IPSEC traffic around the NAT (via a loopback)
- Route-map/ACL defining what to NAT (called NoNAT, hehee!)
- ACL that defines what traffic to tunnel via IPSEC

I posted the config a while back:
http://www.groupstudy.com/archives/cisco/200104/msg01634.html

Hmm, except this config was missing 'ip access-group 101 in' on the BVI1 outside interface. I must have had it disabled for a bit when troubleshooting. It's on there now ;-p

Why do I have to define all this junk? Well, when a packet is on its way out from one of your public internal servers to a remote IPSEC host, it would first be picked up by the NAT engine. To make it not get NAT'd so that IPSEC can handle it, you've got to get it around that process, so a route-map to a loopback works. From the loopback to the outside interface and beyond it'll match the ACL for the IPSEC. The NoNAT ACL is basically the reverse of all combined IPSEC ACLs.

HTH.

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/

Chuck Larrieu wrote in message news:[EMAIL PROTECTED]...

> Am I correctly reading that you are terminating your IPSec tunnels on the same interface where the access-list in question will be applied? Are you running a router with the IOS firewall / IPSec feature set?
>
> Look, the rule is one access-list per direction per protocol per interface. Period. So no, you cannot have several IP access-lists applied in the same direction on a single interface. Them's the rules.
>
> That said, there is a separate access-list that defines traffic to be encrypted and sent through the VPN tunnel. This may be what you have in mind when you talk about several access-lists, each with a different function.
>
> Chuck
>
> [...]
Re: ACL [7:2882]
yes and no - one per protocol, per direction - hence:

  interface serial1
   ip access-group 101 in
   ip access-group 102 out
   ipx access-group 801 in
   ipx access-group 802 out

would be fine

Andy

----- Original Message -----
From: BASSOLE Rock
Sent: Wednesday, May 02, 2001 3:24 PM
Subject: ACL [7:2882]

> Hi,
>
> Can we apply more than one ACL per interface?
>
> Example:
>
>   Interface Serial1
>    ip access-group 102 in
>    ip access-group 103 out
>    ip access-group 104 in
>    ip access-group 105 out
>
> Thank you.
>
> Rock BASSOLE
> Tel: +33 (0) 1 45 96 22 03

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=2886t=2882
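Andy's rule, turned into a check (added example, not from the thread or any poster's router): on IOS a second `ip access-group ... in` on the same interface replaces the earlier binding instead of adding to it, so Rock's Serial1 would end up with only 104 in and 105 out actually filtering. This Python audit reads a constructed config excerpt (interface names and list numbers taken from the thread) and reports the effective binding per interface, protocol and direction, plus every access-group line that was silently overridden.

```python
"""Audit which access-group binding is actually in effect per interface."""
import re
from collections import OrderedDict

# Constructed sample config (not from the thread's routers): Rock's question
# on Serial1 (four ip access-groups) and Andy's answer on Serial0 (ip and
# ipx, one list per protocol per direction).
SAMPLE_CONFIG = """
interface Serial1
 ip access-group 102 in
 ip access-group 103 out
 ip access-group 104 in
 ip access-group 105 out
!
interface Serial0
 ip access-group 101 in
 ip access-group 102 out
 ipx access-group 801 in
 ipx access-group 802 out
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)
# protocol keyword, list number or name, direction
ACCESS_GROUP_RE = re.compile(
    r"^\s+(ip|ipx)\s+access-group\s+(\S+)\s+(in|out)\s*$", re.IGNORECASE)


def audit_access_groups(config_text):
    """Return (effective, overridden).

    effective maps (interface, protocol, direction) to the ACL in force;
    overridden lists the access-group lines that a later line for the same
    key replaced. IOS keeps only the last binding per key, so the earlier
    lines contribute no filtering at all.
    """
    effective = OrderedDict()
    overridden = []
    iface = None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = INTERFACE_RE.match(raw)
        if m:
            iface = m.group(1)
            continue
        m = ACCESS_GROUP_RE.match(raw)
        if not m or iface is None:
            continue
        proto, acl, direction = m.groups()
        key = (iface, proto.lower(), direction.lower())
        if key in effective:
            overridden.append(
                f"line {lineno}: {iface} {key[1]} {key[2]}: "
                f"ACL {effective[key]} replaced by {acl}")
        effective[key] = acl
    return effective, overridden


if __name__ == "__main__":
    effective, overridden = audit_access_groups(SAMPLE_CONFIG)
    for (iface, proto, direction), acl in effective.items():
        print(f"{iface}: {proto} {direction} -> ACL {acl}")
    for note in overridden:
        print("OVERRIDDEN", note)
```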
RE: ACL [7:2882]
No. I don't think so

CM

-----Original Message-----
From: BASSOLE Rock [mailto:[EMAIL PROTECTED]]
Sent: 02 May 2001 15:24
To: [EMAIL PROTECTED]
Subject: ACL [7:2882]

> Hi,
>
> Can we apply more than one ACL per interface?
>
> Example:
>
>   Interface Serial1
>    ip access-group 102 in
>    ip access-group 103 out
>    ip access-group 104 in
>    ip access-group 105 out
>
> Thank you.
>
> Rock BASSOLE
> Tel: +33 (0) 1 45 96 22 03

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=2888t=2882
Re: ACL [7:2882]
Only one per interface per protocol per direction. So, you can have ip and ipx both applied in the inbound and outbound directions.

-kirk
CCIE #7301

On Wed, 2 May 2001, BASSOLE Rock wrote:

> Hi,
>
> Can we apply more than one ACL per interface?
>
> Example:
>
>   Interface Serial1
>    ip access-group 102 in
>    ip access-group 103 out
>    ip access-group 104 in
>    ip access-group 105 out
>
> Thank you.
>
> Rock BASSOLE
> Tel: +33 (0) 1 45 96 22 03

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=2894t=2882
RE: ACL [7:2882]
You can apply one ACL per interface per direction per protocol. So you can have more than one ACL on an interface, but each ACL has to be a different direction and/or protocol from the others.

Brian

At 10:56 AM 5/2/2001 -0400, Charles Manafa wrote:

> No. I don't think so
>
> CM
>
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=2895t=2882
RE: ACL [7:2882]
For routers only one ACL can be applied per protocol, per direction, per (sub)interface. For switches - same, but check to see if ACL is supported on the interface and for the protocol.

-----Original Message-----
From: BASSOLE Rock [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 02, 2001 10:24 AM
To: [EMAIL PROTECTED]
Subject: ACL [7:2882]

> Hi,
>
> Can we apply more than one ACL per interface?
>
> Example:
>
>   Interface Serial1
>    ip access-group 102 in
>    ip access-group 103 out
>    ip access-group 104 in
>    ip access-group 105 out
>
> Thank you.
>
> Rock BASSOLE
> Tel: +33 (0) 1 45 96 22 03

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=2896t=2882
RE: ACL [7:2882]
I believe the rule is: One Access List Per direction per interface

Heather Buri
CSC Technology Services - Houston
Phone: (713)-961-8592
Fax: (713)-961-8249
Mailing: 1360 Post Oak Blvd Suite 500, Houston, TX 77056

-----Original Message-----
From: Charles Manafa [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 02, 2001 9:57 AM
To: [EMAIL PROTECTED]
Subject: RE: ACL [7:2882]

> No. I don't think so
>
> CM
>
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=2901t=2882
Re: ACL [7:2882]
Why

----- Original Message -----
From: BASSOLE Rock
Sent: Wednesday, May 02, 2001 7:24 AM
Subject: ACL [7:2882]

> Hi,
>
> Can we apply more than one ACL per interface?
>
> Example:
>
>   Interface Serial1
>    ip access-group 102 in
>    ip access-group 103 out
>    ip access-group 104 in
>    ip access-group 105 out
>
> Thank you.
>
> Rock BASSOLE
> Tel: +33 (0) 1 45 96 22 03

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=2947t=2882
RE: ACL [7:2882]
Construct three access-lists, each doing what you specify. Then consider what would be gained or lost if you combined them into a single access-list. In the end, the router would have to process each line anyway.

It may be that there are architectural reasons for the limitation of the number of lists per protocol. I have heard it said that in major shops, access-lists might contain hundreds of lines. Imagine troubleshooting one of those suckers!

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Allen May
Sent: Wednesday, May 02, 2001 1:56 PM
To: [EMAIL PROTECTED]
Subject: Re: ACL [7:2882]

> 1 reason would be to separate ACLs per internal IP address you're
> permitting/denying access to. 101 = specific IP allowing ftp and http,
> 102 = different IP allowing http only, etc. It would look cleaner anyway.
>
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=2959t=2882
Re: ACL [7:2882]
How about having a VPN and other server access from the internet users? You'd need an ACL for VPN and one for non-encrypted traffic that doesn't need the same permissions that VPN did. VPN users would be internal and have access to ftp, telnet, etc. on the same boxes; external users should only have port 80, etc. I haven't thought this whole thing through yet so bear with me. No coffee this morning ;)

----- Original Message -----
From: Chuck Larrieu
To: Allen May
Sent: Wednesday, May 02, 2001 4:03 PM
Subject: RE: ACL [7:2882]

> Construct three access-lists, each doing what you specify. Then consider what would be gained or lost if you combined them into a single access-list. In the end, the router would have to process each line anyway.
>
> It may be that there are architectural reasons for the limitation of the number of lists per protocol. I have heard it said that in major shops, access-lists might contain hundreds of lines. Imagine troubleshooting one of those suckers!
>
> Chuck
>
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=2960t=2882
Re: ACL [7:2882]
Define some networks and type up the ACLs and we'll show you how to combine them (or you'll probably see it as you flesh them out).

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/

Allen May wrote in message news:[EMAIL PROTECTED]...

> How about having a VPN and other server access from the internet users? You'd need an ACL for VPN and one for non-encrypted traffic that doesn't need the same permissions that VPN did. VPN users would be internal and have access to ftp, telnet, etc. on the same boxes; external users should only have port 80, etc. I haven't thought this whole thing through yet so bear with me. No coffee this morning ;)
>
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=2965t=2882
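Chuck's advice to write the lists and then combine them, and Jason's offer to show how, worked through as an added example that is not from the thread: a first-match evaluator over a constructed IOS-like ACL subset merges Allen's two per-host lists (101: one host gets ftp + http, 102: another host gets http only) into the single list 110 that IOS will let you bind inbound, checks that 110 decides every packet exactly as the per-host lists would, and counts how many entries are examined before a match, which is what the "resource hog" question comes down to. Addresses (192.0.2.x, 198.51.100.5) and the ACL syntax subset are constructed for illustration.

```python
"""First-match ACL evaluator: merge Allen's two per-host lists into one."""
import re

# Constructed IOS-like subset: access-list N permit|deny ip|tcp|udp SRC DST
# [eq PORT], where SRC/DST is `any` or `host A.B.C.D`.
ENTRY_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(ip|tcp|udp)\s+"
    r"(any|host\s+\S+)\s+(any|host\s+\S+)(?:\s+eq\s+(\d+))?$")

# Constructed config: 101 = host .10 gets ftp + http, 102 = host .20 gets
# http only, 110 = both policies merged into the one list IOS will bind.
ACL_CONFIG = """
access-list 101 permit tcp any host 192.0.2.10 eq 21
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 deny ip any any
access-list 102 permit tcp any host 192.0.2.20 eq 80
access-list 102 deny ip any any
access-list 110 permit tcp any host 192.0.2.10 eq 21
access-list 110 permit tcp any host 192.0.2.10 eq 80
access-list 110 permit tcp any host 192.0.2.20 eq 80
access-list 110 deny ip any any
"""
PER_HOST = {"192.0.2.10": "101", "192.0.2.20": "102"}
# Constructed packets: protocol, source, destination, destination port.
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.5", "dst": "192.0.2.10", "dport": 21},
    {"proto": "tcp", "src": "198.51.100.5", "dst": "192.0.2.10", "dport": 80},
    {"proto": "tcp", "src": "198.51.100.5", "dst": "192.0.2.20", "dport": 80},
    {"proto": "tcp", "src": "198.51.100.5", "dst": "192.0.2.20", "dport": 21},
    {"proto": "udp", "src": "198.51.100.5", "dst": "192.0.2.10", "dport": 53},
]


def parse_acls(text):
    """Group entries by list number, preserving configured order."""
    acls = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        num, action, proto, src, dst, port = m.groups()
        acls.setdefault(num, []).append({
            "action": action, "proto": proto,
            "src": src.split()[-1], "dst": dst.split()[-1],
            "port": int(port) if port else None})
    return acls


def evaluate(entries, pkt):
    """Walk the list top-down, stop at the first match; return
    (action, entries_examined). No match hits the implicit deny."""
    for examined, e in enumerate(entries, 1):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if e["src"] not in ("any", pkt["src"]):
            continue
        if e["dst"] not in ("any", pkt["dst"]):
            continue
        if e["port"] is not None and e["port"] != pkt["dport"]:
            continue
        return e["action"], examined
    return "deny", len(entries)


def merged_matches_per_host(acls, per_host, merged, packets):
    """True if the merged list decides every packet exactly as the
    per-host list for that packet's destination would."""
    return all(
        evaluate(acls[merged], p)[0] == evaluate(acls[per_host[p["dst"]]], p)[0]
        for p in packets)


if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    for p in PACKETS:
        action, n = evaluate(acls["110"], p)
        print(f"{p['proto']} -> {p['dst']}:{p['dport']}  {action} after {n} entries")
    print("merged list equivalent:", merged_matches_per_host(acls, PER_HOST, "110", PACKETS))
```

Binding 101 alone would not do: it denies the second host's http (see the `evaluate(acls["101"], ...)` case), which is exactly why the two policies have to live in one list on that interface.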