In article , S W wrote:
:If I want to open a port on a C837 and only allow certain IP addresses in,
:and only allow outgoing traffic through that port to certain IP addresses,
:can I do that with a standard ACL?
You would normally do that via two ACLs, one "in" the outside interface, and the other "in" the inside interface.
:I'm not familiar with extended ACLs, so if I can't use a standard ACL, could
:you point me in the right direction for using an extended one?
Something like...
access-list 101 permit tcp any host SERVER established
access-list 101 permit tcp host SRCCLIENT1 host SERVER eq PORTNO
access-list 101 permit tcp host SRCCLIENT2 host SERVER eq PORTNO

access-list 102 permit tcp host SERVER any established
access-list 102 permit tcp host SERVER eq PORTNO host DSTCLIENT1
access-list 102 permit tcp host SERVER eq PORTNO host DSTCLIENT2

interface ATM0/1.1
 ip access-group 101 in

interface FastEthernet0
 ip access-group 102 in
But you won't be happy with the result, not unless you also allow appropriate DNS traffic and whatever web surfing and so on...
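A way to check what the two ACLs above actually permit before applying them is to run representative packets through a small evaluator. The following is an added example, not code from the post and not Cisco software: it models only the ACE forms used above (permit/deny, tcp/udp/ip, `any` or `host X`, an optional `eq PORT` after either address, and `established`, which IOS matches on TCP segments with ACK or RST set) plus the implicit deny at the end of every ACL. The addresses and the port are constructed placeholders standing in for SERVER, SRCCLIENT1, DSTCLIENT1 and PORTNO. Note that in ACL 102 the `eq PORTNO` sits on the source side, so that entry matches the server answering from PORTNO, not the server opening a new connection to PORTNO on a client; the evaluator makes that visible, along with the DNS query the last paragraph warns about.

```python
"""Evaluate Cisco-style extended ACLs against sample packets (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder values (documentation ranges), not from the post.
SERVER, SRCCLIENT1, SRCCLIENT2 = "192.0.2.10", "198.51.100.5", "198.51.100.6"
DSTCLIENT1, DSTCLIENT2 = "203.0.113.7", "203.0.113.8"
PORTNO = 8443

CONFIG = f"""
access-list 101 permit tcp any host {SERVER} established
access-list 101 permit tcp host {SRCCLIENT1} host {SERVER} eq {PORTNO}
access-list 101 permit tcp host {SRCCLIENT2} host {SERVER} eq {PORTNO}
access-list 102 permit tcp host {SERVER} any established
access-list 102 permit tcp host {SERVER} eq {PORTNO} host {DSTCLIENT1}
access-list 102 permit tcp host {SERVER} eq {PORTNO} host {DSTCLIENT2}
"""


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # ACK or RST set: what IOS treats as "established"


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    established: bool


def parse_ace(line: str):
    """Parse one 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]' line."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    number, action, proto = tok[1], tok[2], tok[3]
    pos = 4

    def addr():
        nonlocal pos
        if tok[pos] == "any":
            host, pos = "any", pos + 1
        elif tok[pos] == "host":
            host, pos = tok[pos + 1], pos + 2
        else:
            raise ValueError(f"unsupported address spec in: {line}")
        port = None
        if pos < len(tok) and tok[pos] == "eq":
            port, pos = int(tok[pos + 1]), pos + 2
        return host, port

    src, sport = addr()
    dst, dport = addr()
    established = pos < len(tok) and tok[pos] == "established"
    return number, Ace(action, proto, src, sport, dst, dport, established)


def parse_config(text: str) -> dict:
    acls: dict = {}
    for line in text.strip().splitlines():
        number, ace = parse_ace(line)
        acls.setdefault(number, []).append(ace)
    return acls


def ace_matches(ace: Ace, p: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    if ace.src != "any" and ace.src != p.src:
        return False
    if ace.dst != "any" and ace.dst != p.dst:
        return False
    if ace.sport is not None and ace.sport != p.sport:
        return False
    if ace.dport is not None and ace.dport != p.dport:
        return False
    if ace.established and not (p.proto == "tcp" and p.ack):
        return False
    return True


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, p):
            return ace.action
    return "deny"


ACLS = parse_config(CONFIG)


def check_flows() -> dict:
    """Run representative packets through the ACL bound to each interface."""
    inbound = ACLS["101"]    # applied "in" on the outside (ATM) interface
    outbound = ACLS["102"]   # applied "in" on the inside (Ethernet) interface
    return {
        # listed client opens a connection to the server port
        "client1_syn": evaluate(inbound, Packet("tcp", SRCCLIENT1, SERVER, 51000, PORTNO)),
        # server's reply carries ACK, so 'established' in ACL 102 matches
        "server_reply": evaluate(outbound, Packet("tcp", SERVER, SRCCLIENT1, PORTNO, 51000, ack=True)),
        # a client that is not listed falls through to the implicit deny
        "stranger_syn": evaluate(inbound, Packet("tcp", "198.51.100.99", SERVER, 51000, PORTNO)),
        # server opening a new connection to DSTCLIENT1:PORTNO from an ephemeral port
        "server_new_to_client1": evaluate(outbound, Packet("tcp", SERVER, DSTCLIENT1, 40000, PORTNO)),
        # the DNS query the post warns about (constructed resolver address)
        "server_dns": evaluate(outbound, Packet("udp", SERVER, "192.0.2.53", 40001, 53)),
    }


if __name__ == "__main__":
    for name, verdict in check_flows().items():
        print(f"{name:24s} {verdict}")
```

Running it shows the listed client's connection and the server's ACK-bearing replies permitted, the unlisted client denied, and both the server's own new connection to DSTCLIENT1 and its DNS query denied; the last two are the kind of result the post's closing sentence refers to.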