! SAMPLE ACL
!
! Notes:
! DNS resolution must be happening locally
! Default gateways must be configured on each side of the network
! If you were doing this between a LAN and the Internet, you would have NAT to take into account
! Reflexive access-lists or firewall features can be used to improve on this
!
ip access-list extended less-secure
 remark allow all hosts on 10 net to access web server
 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.200 eq www
 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.200 eq 443
 remark allow RESPONSE to secure PC's requests for access to web, ftp control, data, smtp, and pop3 on 10 net
 permit tcp 10.1.1.0 0.0.0.255 eq www host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq ftp host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq ftp-data host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq smtp host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq pop3 host 192.168.1.201
!
ip access-list extended more-secure
 remark allow web server to respond to all hosts on 10 net
 permit tcp host 192.168.1.200 eq www 10.1.1.0 0.0.0.255
 permit tcp host 192.168.1.200 eq 443 10.1.1.0 0.0.0.255
 remark allow PC full access to make requests to less secure network
 permit tcp host 192.168.1.201 10.1.1.0 0.0.0.255
!
int fa4
 ip access-group less-secure in
!
int vlan1
 ip access-group more-secure in
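To see how the two lists above behave, the following is an added example (not part of the sample config) that models IOS extended-ACL evaluation in Python: wildcard-mask matching, first-match semantics, and the implicit deny at the end of every list. The ACL text is copied from the sample; the packets fed to it are constructed for the demo, and port-keyword mapping (www, ftp, ftp-data, smtp, pop3) and the `Packet`/`evaluate` names are this example's own. The last case shows what the note about reflexive access-lists is getting at: a stateless "response" rule keyed on a source port admits any packet carrying that source port, whatever its destination port.

```python
import ipaddress
from dataclasses import dataclass

# IOS port keywords used in the sample ACL, mapped to port numbers.
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25, "pop3": 110}

# ACL bodies copied from the sample config (remarks are skipped by the parser).
LESS_SECURE = """
 remark allow all hosts on 10 net to access web server
 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.200 eq www
 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.200 eq 443
 remark allow RESPONSE to secure PC's requests
 permit tcp 10.1.1.0 0.0.0.255 eq www host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq ftp host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq ftp-data host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq smtp host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq pop3 host 192.168.1.201
"""
MORE_SECURE = """
 permit tcp host 192.168.1.200 eq www 10.1.1.0 0.0.0.255
 permit tcp host 192.168.1.200 eq 443 10.1.1.0 0.0.0.255
 permit tcp host 192.168.1.201 10.1.1.0 0.0.0.255
"""

@dataclass(frozen=True)
class Packet:            # hypothetical 4-tuple of a TCP segment
    src: str
    sport: int
    dst: str
    dport: int

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _parse_addr(tokens, i):
    """Parse an address spec at tokens[i]; returns ((network, wildcard), next_i)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2

def _parse_port(tokens, i):
    """Optional 'eq <port>' following an address spec."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Turn 'permit/deny tcp <src> [eq p] <dst> [eq p]' lines into rule tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def _addr_match(spec, addr):
    net, wild = spec
    mask = ~wild & 0xFFFFFFFF          # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)

def evaluate(rules, pkt):
    """First matching rule wins; an ACL with no match denies implicitly."""
    for action, proto, src, sport, dst, dport in rules:
        if proto != "tcp":
            continue
        if not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"

def demo():
    """Constructed packets, evaluated inbound on the interface each list guards."""
    less = parse_acl(LESS_SECURE)   # applied inbound on fa4 (10.1.1.0/24 side)
    more = parse_acl(MORE_SECURE)   # applied inbound on vlan1 (192.168.1.x side)
    return {
        # 10-net host opens HTTPS to the web server: explicit permit
        "https_to_web": evaluate(less, Packet("10.1.1.5", 51000, "192.168.1.200", 443)),
        # the web server's reply to that host: explicit permit
        "https_reply": evaluate(more, Packet("192.168.1.200", 443, "10.1.1.5", 51000)),
        # 10-net host to the secure PC on port 22: no rule, implicit deny
        "ssh_to_pc": evaluate(less, Packet("10.1.1.5", 51001, "192.168.1.201", 22)),
        # any 10-net source port 80 to the PC matches the stateless "response"
        # rule regardless of destination port; reflexive ACLs close this gap
        "sport80_to_pc": evaluate(less, Packet("10.1.1.5", 80, "192.168.1.201", 22)),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run it directly to print the four verdicts. The model deliberately covers only what the sample uses (tcp, host/any/wildcard, `eq`); port ranges, `established`, and other protocols would need additional parsing.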