I have a Cisco 837 which is the default gateway on the LAN, and also the router with a couple of static routes set. I am using a Proxy server on the LAN for monitoring Internet access, and to force clients to use the proxy I've been using a standard ACL on the Ethernet interface of the 837, to deny any IP addresses except the proxy server and a few others. I've come to the conclusion that the ACL should be on the dialer interface, because clients on the LAN which are restricted by the ACL don't seem able to "recognise" the static routes. Clients which are permitted through the Ethernet interface can. So because I want all clients to see the route I think I need to set up the ACL for Internet access on the dialer interface. Am I right so far? Can I just take the ACL off the Ethernet "in" interface and apply it to the "out" interface of the dialer? The "in" interface of the dialer has an extended ACL. I've tried putting statements like the following in that but it doesn't work:

    100 permit tcp host (Proxy IP) any eq www
    105 permit tcp host (Another server IP) any eq www
    110 deny tcp any any eq www
    150 deny ip any any

That allows all traffic through. There's a whole lot more in this extended ACL that I don't really understand, hence my question about applying the ACL to the "out" interface which currently does not have an ACL. If I need to use the extended ACL on the "in" interface, where am I going wrong?