Inbound access lists are applied to packets coming into the interface. The inbound list is applied before other things such as routing decisions, crypto maps, route maps, etc.
Outbound lists are applied to packets leaving the interface. Since the packet is leaving the interface, most other packet functions have already been applied.
Here are some examples:
description External Interface
ip address W.X.Y.Z 255.255.255.248
ip access-group 160 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no cdp enable
crypto map vpn_map
access-list 160 permit esp any host W.X.Y.Z
access-list 160 permit gre any host W.X.Y.Z
access-list 160 permit udp any host W.X.Y.Z eq isakmp
access-list 160 permit ahp any host W.X.Y.Z
access-list 160 permit tcp host E.F.G.H host W.X.Y.Z eq 3389
access-list 160 permit tcp host R.S.T.U host W.X.Y.Z eq 3389
access-list 160 deny tcp any host W.X.Y.Z eq 3389 log
access-list 160 deny ip any any
In the above example the interface f4 connects to the Internet. The inbound access list allows some packets through and blocks others. The letters are just put in place of IP address octets. Since it is an inbound list, packets going out of the interface (to the Internet) are not affected, but packets coming in (from the Internet) are permitted or denied according to the access list.
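The first-match behaviour of access list 160 above, as an added example that is not part of the original answer: a small Python evaluator that parses the eight lines and reports which line decides a packet. The function names and the source address A.B.C.D are constructed for illustration, addresses are compared as the page's letter placeholders, and only the `any`, `host` and `eq` forms used in this list are modelled.

```python
# Added example: first-match evaluation of the page's access-list 160.
# Addresses stay as letter placeholders and are compared as plain strings.
ACL_160 = """\
access-list 160 permit esp any host W.X.Y.Z
access-list 160 permit gre any host W.X.Y.Z
access-list 160 permit udp any host W.X.Y.Z eq isakmp
access-list 160 permit ahp any host W.X.Y.Z
access-list 160 permit tcp host E.F.G.H host W.X.Y.Z eq 3389
access-list 160 permit tcp host R.S.T.U host W.X.Y.Z eq 3389
access-list 160 deny tcp any host W.X.Y.Z eq 3389 log
access-list 160 deny ip any any
"""
NAMED_PORTS = {"isakmp": 500}  # IOS keyword for UDP port 500

def parse_rule(line):
    """Parse one extended ACL line (any / host <addr> / eq <port> forms only)."""
    tok = line.split()
    rule = {"action": tok[2], "proto": tok[3], "log": tok[-1] == "log"}
    i = 4
    for side in ("src", "dst"):
        if tok[i] == "any":
            rule[side], i = None, i + 1      # None means "matches any address"
        else:                                # "host <addr>"
            rule[side], i = tok[i + 1], i + 2
    rule["dport"] = None
    if i < len(tok) and tok[i] == "eq":
        rule["dport"] = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return rule

RULES = [parse_rule(l) for l in ACL_160.splitlines() if l.strip()]

def matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])      # "ip" covers every protocol
            and rule["src"] in (None, pkt["src"])
            and rule["dst"] in (None, pkt["dst"])
            and rule["dport"] in (None, pkt.get("dport")))

def evaluate(pkt, direction):
    """Return (action, deciding line number or None, log flag)."""
    if direction != "in":      # list is bound with "ip access-group 160 in" only,
        return ("permit", None, False)   # so outbound packets are never checked
    for n, rule in enumerate(RULES, 1):
        if matches(rule, pkt):           # first match wins; later lines are not read
            return (rule["action"], n, rule["log"])
    return ("deny", None, False)         # implicit deny that ends every ACL
```

Evaluating a TCP/3389 packet from A.B.C.D shows why the logged deny on line 7 must sit after the two host permits and before the final `deny ip any any`: moved above the permits it would block E.F.G.H and R.S.T.U as well, and moved below the final deny it would never match or log.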