Which direction should ACL be applied

Hello there,
I'm adding ACLs to lock down the LAN environment and my core is a 4510+R. I want to block ports 80, 443 and 8080 from coming INTO the network. My security guy tells me users use ports 80, 443 and 8080 to get out and web services use other ports to come back in. I want to use an extended access-list the likes of:
ip access-list extended NO_HTTP
deny tcp any any eq 80
deny tcp any any eq 443
deny tcp any any eq 8080
permit ip any any
My confusion is: which direction on my SVI do I apply this ACL if I want users to be able to access web sites but block inbound traffic on 80, 443 and 8080? All information I've been able to read says to apply extended ACLs as close to the source as possible. With an SVI, that seems like a grey area?
Any kind of clarification on this would be most helpful and appreciated.
Thanks very much in advance,
Kiley

I think from the perspective of the SVI you have to apply the access list OUT. OUT means that the traffic will be processed by the access list after it gets routed, i.e. when exiting the interface; in other words, packets originating from the outside GOING OUT to your LAN.
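As an added illustration (not part of the original thread), here is a small Python simulation of how a stateless extended ACL like NO_HTTP behaves in each direction on the SVI. It assumes the IOS conventions that "eq N" matches the destination port and that an SVI's "in" direction is traffic arriving from hosts in the VLAN; the addresses and flow names are constructed placeholders.

```python
# Added example, not from the original post: simulate binding the NO_HTTP
# ACL "in" versus "out" on an SVI and see which flows each binding drops.
# Assumption: "in" = packets arriving from VLAN hosts (LAN -> elsewhere),
# "out" = packets leaving the SVI toward VLAN hosts. All flows are TCP.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" or "out" relative to the SVI


# The NO_HTTP ACL from the question. In IOS, "eq N" after the destination
# "any" matches the DESTINATION port; None means "any port" (permit ip any any).
NO_HTTP = [
    ("deny", 80),
    ("deny", 443),
    ("deny", 8080),
    ("permit", None),
]


def acl_verdict(acl, pkt):
    """First-match evaluation, with the implicit deny every IOS ACL ends with."""
    for action, dport in acl:
        if dport is None or dport == pkt.dport:
            return action
    return "deny"


def apply_on_svi(acl, applied_direction, flows):
    """Verdict per flow when the ACL is bound in one direction only.
    Packets travelling the other way are not inspected by this binding."""
    results = {}
    for name, pkt in flows.items():
        if pkt.direction == applied_direction:
            results[name] = acl_verdict(acl, pkt)
        else:
            results[name] = "permit"  # unfiltered in the unbound direction
    return results


# Constructed sample flows (placeholder addresses).
FLOWS = {
    # a VLAN user opening a web site: enters the SVI from the LAN side
    "user_to_web": Packet("10.1.1.10", "203.0.113.5", 51000, 443, "in"),
    # the server's reply: source port 443, ephemeral destination port
    "web_reply": Packet("203.0.113.5", "10.1.1.10", 443, 51000, "out"),
    # an outside host opening a connection to a web service on the VLAN
    "inbound_to_lan": Packet("198.51.100.7", "10.1.1.20", 40000, 80, "out"),
}


def compare_directions():
    """Map each binding direction to its per-flow verdicts."""
    return {d: apply_on_svi(NO_HTTP, d, FLOWS) for d in ("in", "out")}


if __name__ == "__main__":
    for direction, verdicts in compare_directions().items():
        print(f"ip access-group NO_HTTP {direction}:")
        for name, verdict in verdicts.items():
            print(f"  {name:15s} -> {verdict}")
```

Because the reply packets carry port 443 as the source and an ephemeral destination port, the "out" binding lets browsing replies through while still denying new connections toward the VLAN on 80, 443 and 8080; binding the same ACL "in" would instead block the users' own web requests.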

Similar Messages

  • Should ACL be applied on port in Closed mode

    Hi,
    while reading about Closed mode deployment of ISE, I came across a conflict between Cisco's "HowTo-10-Universal_Switch_Config" and "HowTo-25-Closed_Mode" documents.
    According to "HowTo-10-Universal_Switch_Config", in Closed Mode, we need to apply an ACL on the switch port as follows:
    ip access-list ext ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS
    permit udp any any eq domain
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Drop all the rest
    deny ip any any log
    But according to "HowTo-25-Closed_Mode", in Closed Mode, we don't apply this ACL on the switchport.
    So my question is, does the ACL need to be applied on the switchport or not, and how will it affect the switchport?
    Thanks,
    Aditya

    Hello Aditya-
    Very good question. The default ACL will always be there on the switch whether you configure one or not. Check out this document:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/sw8021x.html#pgfId-1193896
    You have two options:
    1. Create your own default ACL to avoid the default one (that only allows DHCP). Your default ACL should be more permissive than the default one. For instance, mine always included "permit ip any any." That way authenticated and authorized hosts are not blocked from accessing any resources on the network. 
    2. Always return a DACL in your ISE authorization profiles (even if it is just "permit ip any any"). That way the default ACL is removed.
    I prefer method #2; that way I don't have to bother with the default ACL and it also allows me to control traffic based on the different authorization profiles and DACLs that I apply.
    I hope this helps!
    Thank you for rating helpful posts!

  • Which .exe file I should choose to apply SP2 for SQL Server 2008r2 Enterprise Edition 64Bit

    Hi All,
    Which .exe file I should choose to apply SP2 for SQL Server 2008r2 Enterprise Edition 64Bit.
    And what is the difference between below .exe files. 
    SQLServer2008R2SP2-KB2630458-x64-ENU.exe
    SQLServer2008R2SP2-KB2630458-IA64-ENU.exe
    Grateful to your time and support. Regards, Shiva

    Good day
    Shiva Shakthi,
    I have changed the type of the thread to a question, as this is a question :-)
    Please choose the right type next time. If you have a question then use a question thread (this is the default), and that will let you mark the answers that you get.
    Have a nice day :-)

  • Not sure which direction I should be heading

    I'm going to drop a lot of money on equipment sometime during the next six months, and I'm really not sure which direction I should take this. As I see it I could either go with everything hardware, or I could go with Mainstage. Basically, what I want is to get the sound of me and my keyboardist up to snuff, as it's currently not that great.
    What I'm thinking of getting for now:
    Hardware route:
    Nord Electro 73
    a magically great guitarfx
    Software route:
    Mainstage
    M-Audio Profire 2626
    Midi foot controller
    Macbook Pro 3,06GHz 4GB RAM
    As you can see, the Mainstage route will be more expensive. At the same time it will offer more flexibility, and the ability for more bandmates to join in in the future.
    Keyboardist will use the following sounds:
    - Piano
    - Rhodes w/ effects
    - B3
    - Clavinet
    - Solina
    - Strings
    - (Maybe some C64 SID-sounds)
    I guess that's it for now.
    Guitarist (me) will use:
    - Overdrive
    - Amp simulator
    - Delay (I know this takes a lot of processing power, so only one or two delay-fx simultaneously.)
    - Other, typical guitar-fx.
    If I go hardware I'll go with a multi-fx, but I have yet to find any that will let me tap the tempo on one patch and then keep that tempo when I go to the next patch, so they get kind of limited.
    We will both be playing at the same time, and latency is important. I want to use it at 16bit/44,1KHz, as I guess that's the lowest I can go. I want to be able to play with a 32 sample buffer. At 64 samples the latency gets too long. I guess I could get used to it, but the day I try to run my bassist or other guitarist or lead vocals or backing vocals through Mainstage I don't want to have to excuse the latency.
    Is it stable enough? I plan on using the computer as a Mainstage-only laptop, not installing anything except Mainstage and maybe a few plugins. It'll normally not be connected to the internet, with Airport turned off.
    There's probably a lot of stuff I've forgot to mention, that I might think of later, but the main question is; which route would you go in my situation? Hardware or software?

    Stability will be risky on Mainstage. Some people have no problems, others have lots of CPU issues.
    I've been running one keyboardist and a backingtrack loaded into exs24 and have had one problem during a show that required a reboot.
    EXS24 stopped playing a backing track twice as well - which was pretty major.
    I'll be using playback for backing tracks and will not be sending my guitar through the computer. We will also have a drummer playing now, so if the computer breaks, we'll lose keyboards and will be able to continue on and end a song.
    I think it's an acceptable risk for the flexibility and cost savings - since I already had a laptop and all the midi gear. And I try to accept a bit of glitchyness as it's a new program. Hopefully that will be changing over the next few months - as this latest version seems more stable and updates should add to that.
    If I were a major act playing large shows, *I would not be using it*. And if it continues to cause problems, we'll be looking for something else.
    I used the logic environment for our last band. We had three keyboards for three separate people - that worked pretty much flawlessly.

  • ACLs never apply to traffic generated by the router

    http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4&rl=1
    "Another special note on Cisco ACLs is that ACLs never apply to traffic generated by the router. So, even if you have an inbound and an outbound ACL on a router denying all traffic, the router will still be able to send any packet it wants; the return packet, however, will be blocked as usual".
    Is it (the return packet, however, will be blocked as usual) the case all the time? If it is the case, could you please explain?

    Thanks Rick. I need some clarification about the below scenario please:
    Suppose I have got R1 (one of many routers) with two interfaces, serial0/0 and e0/0. The IP address for serial0/0 is 192.168.0.1/24,
    and the IP address for e0/0 is 172.16.0.1/16.
    R1(config)#access-list 101 deny ip any any
    R1(config)#interface serial 0/0
    R1(config-if)#ip access-group 101 out
    R1(config)#access-list 150 deny ip any any
    R1(config)#interface fastethernet 0/0
    R1(config-if)#ip access-group 150 in
    Now we have satisfied the condition which it says: "where there is an outbound ACL and an inbound ACL and they both deny all traffic".
    1- ((The inbound ACL will deny all traffic)).
    This is obvious because when any packet tries to enter the router R1, the ACL will check both IP addresses, the source (any) and the destination (which can be one of the interfaces belonging to R1); because it matches the condition of the ACL, it will be dropped.
    2- ((In this case the outbound ACL can deny transit traffic, but can not deny packets generated by the router which will be transmitted)).
    The first part (In this case the outbound ACL can deny transit traffic) is fine; the second one, which is "but can not deny packets generated by the router which will be transmitted", my understanding is this: when packets are generated by router R1, these packets have got a source IP address and a destination IP address.
    The source and destination IP addresses still match the condition of the ACL, so why shouldn't it be denied?

  • Sending URL's to outllook which directly links to th workitem of the UWL

    My project, which was developed on ASP with Oracle, is now being re-designed into Enterprise Portal and SAP R/3 4.6c. Here the scenario is: when a user creates or changes a pricing condition on the PORTAL, it should trigger a workflow in SAP R/3 which goes through a loop of approval processes and finally gets approved or rejected.
    Here the notifications are sent to the approver's Outlook, where the Outlook subject should contain two links: the first should link to the portal UWL and the second should link to the respective WORKITEM in the UWL.
    My questions are:
    1) How does an event on the portal side trigger a workflow at the backend?
    Do we need to explicitly raise the event in the BAPI for create/change to trigger the workflow using SWE_EVENT_CREATE, or is there any alternative?
    2) How to send a notification to Outlook with URLs which directly point to the UWL and the respective work item in the portal UWL?
    I went through the EXTENDED NOTIFICATIONS FOR SAP Business WORKFLOW help file but I didn't get a clear picture of it.
    Is it all done with BSPs in the help file?
    3) Is it only configuration that we do in the portal to get all the work items from the SAP inbox, or do we need to do any extra coding to get all the work items into the UWL?
    Please do the needful. Basically I am new to WEBFLOW. So, if possible, spare some time and send me the flow and the solutions in detail.
    Advance thanks...
    Warm regards,
    Sateesh

    Hi Sateesh
    To make RSWUWFML2 work you have to do at least the following:
    1. Set up the SAP Gateway to connect to Outlook (SCOT) as type INT
    2. There are some additional settings that Basis will have to carry out - check OSS for that
    3. Ensure all the users have a home email address
    4. In SO16, tab MailSySgRP, choose send email to user's home address
    5. Then in SAP schedule report RSWUWFML2 (the frequency should ideally be every 10 min; it depends on the volume of emails)
    You will find further information in note: 733681
    If the requirement for direct access to the workitem in the UWL is very important you could do the following:
    Make a copy of the report, i.e. ZRSWUWFMS2, make the appropriate changes in the code and schedule that instead. This is not recommended, since all changes made to the report by SAP will be lost to you.
    Hope it helps
    Kind regards
    Mikkel

  • Is there an order in which i should learn the CC/CS applications? Does it help in a certain order?

    I'm new to all CS applications, though I'm familiar with the concepts. I just bought CC and want to start teaching myself how to use each app (primary end goal being Photoshop, Illustrator, and InDesign). Is there an order in which I should learn the apps that makes it easier to comprehend each one and the others?
    thanks!

    Hi Blair,
    Personally, I think they are all unique enough in their own right that the order wouldn't really matter. I'm biased towards Photoshop. You might want to spend time going through the content here:
    http://tv.adobe.com/show/learn-photoshop-cc/
    http://tv.adobe.com/show/learn-illustrator-cs6/
    http://tv.adobe.com/show/learn-indesign-cc/
    and here
    https://helpx.adobe.com/creative-cloud/products.html
    If you already know the concepts, it will be a matter of learning the interface and how to apply the concepts in practice.
    -Dave

  • Want to learn SAP - which module should opt for...

    One of my friends is in the retail domain (non-SAP), working with one retail channel as a store manager. He wants to learn SAP. Which module should he go for: SD, CRM, or direct IS-Retail certification? As a fresher, where will he be able to get a chance?
    I am working as a SAP recruiter in a company, so I am aware that there is not much demand for freshers in this industry.
    Please guide...

    Plenty of information about Retail education on Service Marketplace - Retail (https://websmp104.sap-ag.de/RETAIL), where you will find course descriptions. For example:
    This curriculum comprises an Overview Course (Level 2), which explains the main retailing processes in SAP for Retail, plus seven Detailed Courses (Level 3), which examine specific retailing processes and how these are mapped and controlled in SAP for Retail.
    The Overview Course IRT100 (Retail Process Overview) explains the core processes of a retailing company. Based on a scenario in which merchandise is sold from stores, the course demonstrates how the store and distribution center are supplied with goods. Further process examples are the special cases of promotions and return of merchandise.

  • Which One Should I Choose?

    When I launch Disk Utility, I'm asked to select a disk, volume, or image.  I'm enclosing a photo of my hard drives.  For instance, if I wanted to repair disk permissions on "Hard Disk," there appear to be two choices.  Choice one: Hard Disk icon.  Choice two: Hard Disk icon and number 74.5 GB ST380021A
    Which one should I choose to repair?
    The same choices are given to the other two hard drives that I have.  Two choices per hard disk?
    I use a Dual 1 GHz PowerPC G4 (QuickSilver 2002); running OS X 10.5.8 Leopard.

    Niel is correct, for repairing permissions etc. you can use either...
    The upper icon (ST380021A) represents the device; the icon underneath it (Hard Disk) represents a partition (you can divide the disk up into multiple partitions).
    If you select the device, actions will affect all partitions (i.e. fix permissions on all partitions on that device), whereas selecting an individual partition will only affect that one partition.
    One thing that breaks this is the Partition tab, which applies to the current device and all of its partitions even if you are only selecting one of its partitions.

  • Ip redirects - which direction?

    I am troubleshooting an issue with CPU utilization on a 3750X stack. The show controllers cpu-interface tells me that the icmp queue counter is growing quite fast ... about 5000 per second. I read that this is a queue for ICMP redirect messages.
    Now, I know what ICMP redirects are about, and how they are supposed to work. What I need to know is what would be the effect of the no ip redirects command on the SVI of the switch? Which direction of traffic does it apply to? Would it be:
    If I receive a packet, and I know a better router that could handle it, but I will not send a redirect to tell the host so,
    If I forward a packet, and receive a redirect, then I will not take the redirection into account,
    Both of the above,
    None of the above.
    Thanks in advance.
    Kevin Dorrell
    Luxembourg

    Thanks for all your help guys.  This forum is awesome.  Yes, I know I could sort it out by going into a corner with GNS3, but somehow talking it over with my peers is a much better way of learning.
    Anyway, I did  go and try a few things in the lab.  First of all, Rick is right to say that the router does not take any account of incoming redirects ... unless you have no ip routing, in which case you have a host and not a router any more.  If you do disable ip routing, then it does take account of redirects, storing them in a cache which you can see with show ip redirects.  Now, if it is acting as a host, can you get it to ignore the redirects?  No you cannot.  The command no ip redirects has no effect on incoming redirects.  So the router is behaving as a host, and not a very secure one at that(!).
    I also tested the normal operation of ip redirects, and no ip redirects does disable the generation of IP redirect message.
    I did find one difference between my router lab and my live production 3750X though.  In the lab, my 3640 did not attempt to generate an ip redirect to the alternate gateway unless the alternate gateway was on the same subnet as the source of the original packet.  So it would not generate a redirect for a packet that was coming in from its primary subnet and getting sent out to a gateway in its secondary subnet.
    Kevin Dorrell
    Luxembourg

  • JEditorPane and JTextPane,which one should I choose?

    I want to develop a Java IDE. Could anybody kindly give me suggestions on which component I should choose to use for the editor of the IDE, and why? And what is the difference between "StyledDocument" and "PlainDocument"?
    thanks so much!!!!

    I'm not going to give you the answer rather direct you to read Vorobiev's SWING book. Lots of good examples.
    Good luck.

  • Which services should be moved to a new SharePoint Enterprise Application server?

    Our farm is currently a WFE and a SQL server. I've been tasked with creating a new SP Enterprise Application/Search server.
    Which services should be moved? This is what's currently listed in Services on Server:
    Access Database Service  Started  Stop 
    Application Registry Service  Started  Stop 
    Business Data Connectivity Service  Started  Stop 
    Central Administration  Started  Stop 
    Claims to Windows Token Service  Started  Stop 
    Document Conversions Launcher Service  Stopped  Start 
    Document Conversions Load Balancer Service  Stopped  Start 
    Excel Calculation Services  Started  Stop 
    Lotus Notes Connector  Stopped  Start 
    Managed Metadata Web Service  Started  Stop 
    Microsoft SharePoint Foundation Incoming E-Mail  Started  Stop 
    Microsoft SharePoint Foundation Sandboxed Code Service  Stopped  Start 
    Microsoft SharePoint Foundation Subscription Settings Service  Stopped  Start 
    Microsoft SharePoint Foundation Web Application  Started  Stop 
    Microsoft SharePoint Foundation Workflow Timer Service  Started  Stop 
    PerformancePoint Service  Started  Stop 
    Search Query and Site Settings Service  Started  Stop 
    Secure Store Service  Started  Stop 
    SharePoint Foundation Search  Stopped  Start 
    SharePoint Server Search  Started  Stop 
    User Profile Service  Started  Stop 
    User Profile Synchronization Service  Started  Stop 
    Visio Graphics Service  Started  Stop 
    Web Analytics Data Processing Service  Started  Stop 
    Web Analytics Web Service  Started  Stop 
    Word Automation Services  Started  Stop 

    Take a look at http://www.microsoft.com/en-us/download/details.aspx?id=37000. It should help you decide where it is most appropriate to locate services.
    Trevor Seward

  • Sharepoint 2013 - Which Server Should Run Microsoft SharePoint Foundation Sandboxed Code Service

    We have just deployed SharePoint 2013 and also CRM 2011.
    Our SharePoint 2013 environment has a WFE and an APP server, and we have a CRM 2011 box.
    We have been getting the following error in IE when users in CRM click on the Document Link under accounts, which links to SharePoint 2013:
    "This Content cannot be displayed in a frame
    To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame."
    It seems like it is an IE security issue, but I am suspecting it could be the Microsoft SharePoint Foundation Sandboxed Code Service.
    Which server should be running the Microsoft SharePoint Foundation Sandboxed Code Service: WFE or APP?
    Also, which server should run the Windows service SharePoint User Code Host?
    Thank you in advance.

    Hi,
    Please have a look at the following post:
    http://technet.microsoft.com/en-us/library/jj219591.aspx
    As it describes, the recommendation is for both services to be started on the Web Front End servers.
    Cheers,
    Vincent

  • Multiple Apple ID's, which one should be main iCloud ID on iOS 5?

    Hey! Seems like iCloud is a bit more complex to set up than I had thought it would be. Here's the situation. I have two Apple IDs. One is my @me.com account that I just migrated to iCloud. The second Apple ID is an @gmail.com account that I use for all of my iTunes purchases (also migrated to iCloud). I know you can have multiple Apple IDs set up in iOS (by means of "Mail, Contacts, Calendars"), but there is only room for one account under the "iCloud" tab/setting in iOS settings. Which one should be used here? My @me.com, or the one I use for iTunes purchases? ...or does it even matter? Just want to set everything up optimally from the start so I don't have to go back later and correct something.
    Thanks all for your assistance!

    Try here >  Apple IDs and iCloud

  • Firefox 4 seems to action on some html tags that are included within a html comment tag which it should not.

    Consider the following html code where I open a textarea and include a comment tag within the textarea. Within the comment tag (which Firefox 4 should ignore) I've included a close textarea tag. Firefox 4 (unlike FF3 and IE) closes the textarea.
    The following code is also available at
    http://www.cems.uwe.ac.uk/caa/ffbug/index.html
    We are about to start a textarea....<p>
    <textarea rows='20' cols='40'>
    Here is the textarea.
    Inside these comment blocks I'll put a close textarea tag which Firefox should ignore but does not.
    <p>
    <!--
    We are now inside comment blocks...
    <br>
    This code should be inside the text area.<br>
    </textarea>
    <br>
    and so should this code be <b>inside</b> the text area (but is not in Firefox 4).
    -->
    </textarea>
    <p>
    This code should be outside the textbox.

    Try posting at the Web Development / Standards Evangelism forum at MozillaZine. The helpers over there are more knowledgeable about web page development issues with Firefox.
    http://forums.mozillazine.org/viewforum.php?f=25
    You'll need to register and login to be able to post in that forum.
