We have a dept that is no longer on our network for most things, but
they do need access to a couple of resources. I'm trying to ACL them
off from everything but what they need, but I'm having some issues with
it.

Setup is like this:

Our server network: 192.168.10.0/24
T-1 network between us & this dept: 10.1.60.0/24
Our WAN side is 10.1.60.1
Their WAN side is 10.1.60.2
Their network: 192.168.222.0/24

ACLs I want to use:

ip access-list extended FD_to_CRT
permit ip any host 192.168.10.2
permit ip any host 10.5.1.3
permit ip any host 192.168.10.18
deny ip any any
ip access-list extended CRT_to_FD
permit ip host 192.168.10.2 any
permit ip host 10.5.1.3 any
permit ip host 192.168.10.18 any
deny ip any any


I have my router broken into subinterfaces for our different vlans.

My question is, do I need to put the FD_to_CRT ACL on the subinterface
that's connected to my server vlan and the CRT_to_FD ACL on the WAN T-1
interface that's connected to their router?

I've tried putting both ACLs on the WAN interface, but then they are
not able to connect to anything.

--
Stevo
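As an added worked example (not part of Stevo's post), the script below parses the two ACLs exactly as written above and evaluates them against constructed sample flows the way IOS does: first match wins, and anything that reaches the end of the list hits the implicit deny. It then models the WAN T-1 interface on the 10.1.60.1 side with one ACL applied inbound (packets arriving from the 192.168.222.0/24 side) and one applied outbound (packets leaving toward it), so you can see which pairing lets the three permitted hosts through and which pairing drops everything. The flow addresses (192.168.222.5, 192.168.10.50) and the assumption that all of their traffic sources from 192.168.222.0/24 are constructed for the example; they are not from the original post.

```python
"""Evaluate the posted extended ACLs against sample flows on the WAN interface."""
import ipaddress
from typing import Dict, List, Tuple

# ACL text copied from the post; the flows further down are constructed.
ACL_TEXT = """
ip access-list extended FD_to_CRT
permit ip any host 192.168.10.2
permit ip any host 10.5.1.3
permit ip any host 192.168.10.18
deny ip any any
ip access-list extended CRT_to_FD
permit ip host 192.168.10.2 any
permit ip host 10.5.1.3 any
permit ip host 192.168.10.18 any
deny ip any any
"""

Rule = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network]
ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr_spec(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Network plus wildcard mask: invert the wildcard to get a normal netmask.
    wildcard = int(ipaddress.ip_address(tokens[1]))
    netmask = str(ipaddress.ip_address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_acls(text: str) -> Dict[str, List[Rule]]:
    """Parse 'ip access-list extended NAME' blocks into ordered rule lists."""
    acls: Dict[str, List[Rule]] = {}
    current = ""
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            acls[current] = []
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _addr_spec(tokens[2:])
        dst, _ = _addr_spec(rest)
        acls[current].append((action, proto, src, dst))
    return acls


def evaluate(acl: List[Rule], src: str, dst: str, proto: str = "ip") -> str:
    """First-match evaluation; every IOS ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst in acl:
        if rproto not in ("ip", proto):
            continue
        if s in rsrc and d in rdst:
            return action
    return "deny"


# Constructed flows: their workstation 192.168.222.5 talks to a permitted
# server (192.168.10.2) and to a server that is not on the list (192.168.10.50),
# plus the return traffic for both.
SAMPLE_FLOWS = [
    ("192.168.222.5", "192.168.10.2"),
    ("192.168.222.5", "192.168.10.50"),
    ("192.168.10.2", "192.168.222.5"),
    ("192.168.10.50", "192.168.222.5"),
]


def wan_filter(acls: Dict[str, List[Rule]], acl_in: str, acl_out: str,
               flows: List[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """Model the 10.1.60.1 WAN interface: acl_in sees packets arriving from their
    router, acl_out sees packets leaving toward it. Direction is inferred from the
    source address (assumption: their traffic sources from 192.168.222.0/24)."""
    their_lan = ipaddress.ip_network("192.168.222.0/24")
    verdicts = {}
    for src, dst in flows:
        name = acl_in if ipaddress.ip_address(src) in their_lan else acl_out
        verdicts[(src, dst)] = evaluate(acls[name], src, dst)
    return verdicts


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for label, a_in, a_out in (("FD_to_CRT in / CRT_to_FD out", "FD_to_CRT", "CRT_to_FD"),
                               ("CRT_to_FD in / FD_to_CRT out", "CRT_to_FD", "FD_to_CRT")):
        print(label)
        for flow, verdict in wan_filter(acls, a_in, a_out, SAMPLE_FLOWS).items():
            print(f"  {flow[0]:>15} -> {flow[1]:<15} {verdict}")
```

Running it shows the pairing that matches the post's intent (FD_to_CRT inbound on the WAN interface, CRT_to_FD outbound) permitting only the flows to and from the three listed hosts, while the reversed pairing denies all four sample flows: CRT_to_FD only permits packets whose source is one of the three servers, so applied inbound it never matches anything their side sends, and FD_to_CRT applied outbound never matches replies whose destination is their LAN. It also tells you nothing more is needed on the server-vlan subinterface for this traffic, since both directions already cross the WAN interface.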