
Here are some guidelines for using ACLs:

- Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
- Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
- Configure ACLs on border routers (routers situated at the edges of your networks). This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
- Configure ACLs for each network protocol configured on the border router interfaces. You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.

You can apply an ACL to multiple interfaces. However, there can be only one ACL per protocol, per direction, and per interface. Give your ACLs descriptive names. Extended ACLs can match on more than the source address: for example, an extended ACL can simultaneously allow e-mail traffic from a network to a specific destination while denying file transfers and web browsing.
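The "allow e-mail, deny file transfers and web browsing" case from the guidelines above, as an added Cisco IOS configuration example (not from the original page). The network 192.168.10.0/24, the mail server 203.0.113.25, the ACL name and the interface are constructed for illustration. Entries are evaluated top to bottom and the first match wins, so the permit must precede the denies; the final deny only makes the implicit "deny ip any any" visible and logged.

```cisco
! Named extended ACL: one ACL per protocol, per direction, per interface
ip access-list extended INSIDE-TO-MAIL
 remark Permit SMTP from the inside LAN to the mail server only
 permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.25 eq smtp
 remark Deny file transfers (FTP control and data) and log hits for detection
 deny   tcp 192.168.10.0 0.0.0.255 any eq ftp log
 deny   tcp 192.168.10.0 0.0.0.255 any eq ftp-data log
 remark Deny web browsing (HTTP and HTTPS)
 deny   tcp 192.168.10.0 0.0.0.255 any eq www log
 deny   tcp 192.168.10.0 0.0.0.255 any eq 443 log
 remark Explicit copy of the implicit deny so dropped traffic shows in logs
 deny   ip any any log
!
! Apply inbound on the inside interface (constructed interface name)
interface GigabitEthernet0/0
 description Inside LAN
 ip access-group INSIDE-TO-MAIL in
!
! Verification:
!   show ip access-lists INSIDE-TO-MAIL   (per-entry hit counters)
!   show ip interface GigabitEthernet0/0  (confirms which ACL is bound, and in which direction)
```

Because only one ACL can be bound per protocol and direction on an interface, a second `ip access-group ... in` on the same interface replaces the first rather than adding to it; check with `show ip interface` after every change.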

When to Use Dynamic ACLs

Some common reasons to use dynamic ACLs are as follows:

- When you want a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts via the Internet. Lock-and-key authenticates the user and then permits limited access through your firewall router for a host or subnet for a finite period.
- When you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall. With lock-and-key, you can enable access to the remote host only for the desired set of local hosts.

Lock-and-key requires the users to authenticate through a AAA, TACACS+ server, or other security server before it allows their hosts to access the remote hosts.
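A minimal lock-and-key (dynamic ACL) configuration for the first case above, added here as an example and not taken from the original page. The addresses, ACL number, dynamic-entry name and interface are constructed. Local authentication (`login local`) stands in for the AAA/TACACS+ server the text mentions; the user logs in to the router's vty, `access-enable` creates a temporary entry for the user's source host, and the entry expires after the idle timeout. Only the router's login port is open statically; the protected host is reachable only through the dynamic entry.

```cisco
! Local account used in place of an AAA server (constructed credentials)
username remote-admin secret REPLACE-WITH-STRONG-SECRET
!
! 101: allow the login to the router itself (constructed outside address 203.0.113.1)
access-list 101 permit tcp any host 203.0.113.1 eq 22
! Dynamic entry template: becomes active per source host after a successful login,
! absolute timeout 120 minutes; target is the single inside host 192.168.10.50
access-list 101 dynamic REMOTE-ACCESS timeout 120 permit ip any host 192.168.10.50
! Implicit deny ip any any drops everything else
!
interface Serial0/0/0
 description Internet-facing link
 ip access-group 101 in
!
line vty 0 4
 login local
 transport input ssh
 ! Create the dynamic entry for the connecting host, idle timeout 10 minutes
 autocommand access-enable host timeout 10
!
! Verification: show access-lists 101  (active dynamic entries appear under the template)
```

The `host` keyword on `access-enable` limits the temporary entry to the authenticating client's source address instead of `any`; combined with the absolute timeout on the template and the idle timeout on the autocommand, this keeps the opening narrow and short-lived.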

DHCP

DHCP is not the only service that the router can be configured to relay. By default, the ip helper-address command forwards the following eight UDP services:

- Port 37: Time
- Port 49: TACACS
- Port 53: DNS
- Port 67: DHCP/BOOTP server
- Port 68: DHCP/BOOTP client
- Port 69: TFTP
- Port 137: NetBIOS name service
- Port 138: NetBIOS datagram service

To forward additional ports, or to stop forwarding some of the default ones, use the ip forward-protocol command to specify exactly which types of UDP broadcast packets to forward.
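An added Cisco IOS example (not from the original page) of a DHCP relay that narrows the default forwarded set. The interface, client subnet and DHCP server address 10.0.0.10 are constructed. Because `ip helper-address` turns every one of the eight default UDP broadcasts into a unicast to the helper, services the helper does not actually provide (TFTP, NetBIOS, Time, TACACS) are switched off and only DHCP and DNS remain relayed.

```cisco
! Client LAN with no local DHCP server (constructed addressing)
interface GigabitEthernet0/1
 description Client LAN
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 10.0.0.10
!
! Drop default ports the helper has no business receiving
no ip forward-protocol udp 37    ! Time
no ip forward-protocol udp 49    ! TACACS
no ip forward-protocol udp 69    ! TFTP
no ip forward-protocol udp 137   ! NetBIOS name service
no ip forward-protocol udp 138   ! NetBIOS datagram service
! Ports 53 (DNS), 67 and 68 (DHCP/BOOTP) stay forwarded by default
!
! Verification:
!   show ip interface GigabitEthernet0/1   (lists "Helper address is 10.0.0.10")
!   show running-config | include forward-protocol
```

The `ip forward-protocol udp` settings are global: they apply to every interface that has a helper address, so trim the list once and review it whenever a new helper is added.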

NAT

Static NAT uses a one-to-one mapping of local and global addresses, and these mappings remain constant. Static NAT is particularly useful for web servers or hosts that must have a consistent address that is accessible from the Internet. These internal hosts may be enterprise servers or networking devices.
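An added Cisco IOS example (not from the original page) of a static NAT mapping for a web server, paired with an inbound ACL on the outside interface. Addresses, interface names and the ACL name are constructed. Because the router checks the inbound ACL before it translates outside-to-inside traffic, the ACL on the outside interface must match the inside global (public) address, not the server's private address.

```cisco
! One-to-one, permanent mapping: inside local 192.168.10.80 <-> inside global 203.0.113.80
ip nat inside source static 192.168.10.80 203.0.113.80
!
! Only HTTP/HTTPS to the published address is allowed in from the Internet
ip access-list extended FROM-INTERNET
 permit tcp any host 203.0.113.80 eq www
 permit tcp any host 203.0.113.80 eq 443
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside / ISP
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group FROM-INTERNET in
!
! Verification:
!   show ip nat translations   (the static entry is present even with no traffic)
!   show ip nat statistics
```

A static mapping makes the inside host reachable from the Internet at all times, so the ACL that restricts which ports may reach it is part of the same change, not an afterthought.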
