access-list syntax for ports on both source and destination(?)

Unanswered Question
May 16th, 2007

I can't find any solid/clear documentation and I haven't been able to test this. Is there any difference between

the single ACL statement

permit tcp host 192.168.10.10 host 192.168.20.20 eq 80

and

permit tcp host 192.168.10.10 eq 80 host 192.168.20.20
permit tcp host 192.168.10.10 host 192.168.20.20 eq 80

Doesn't the first single ACL statement encompass what the other two statements do together? Or is specifying a port for both source and destination necessary to limit traffic between the two devices to only that particular port, in this example port 80? Let's also say this is on an 'out' access-group instead of an 'in' one.

ankbhasi Wed, 05/16/2007 - 08:36
User Badges:
  • Cisco Employee

Hi Friend,

I believe your requirement is to permit the 10.10 host to open a TCP connection to the 20.20 host on destination port 80, and for that purpose your first access list will give you the desired results.

When the TCP port 80 connection is initiated from your source, it will never have source port 80; it will have some random port number above 1024, so the first statement in your second access list will have no effect.

HTH

Ankur

*Pls rate all helpful posts

acomiskey Wed, 05/16/2007 - 08:39
User Badges:
  • Green, 3000 points or more

I will attempt to answer your question.

Typically, specifying source port and destination port is not necessary, especially when the source port is not usually known. Actually, the two statements in the second set would not exist in the same ACL anyway. If you had a non-stateful firewall it would actually look like this for 10.10 to hit 20.20:

access-list out permit tcp host 192.168.10.10 host 192.168.20.20 eq 80
access-list in permit tcp host 192.168.20.20 eq 80 host 192.168.10.10

In your example, if the two statements were in the same ACL, you would be allowing 10.10 to hit 20.20 on port 80 and also allowing 10.10 source port 80 to 20.20, which would occur if, let's say, 20.20 initiated HTTP traffic to 10.10. So they are very different. Hope that makes sense.
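To make the two answers concrete, here is a small Python model of extended-ACL matching. It is an added example, not code from this thread or from Cisco: it parses the ACEs quoted above into source/destination address and port terms, evaluates sample packets first-match with the implicit deny at the end, and reports which ACE each packet hits. The packets, the ephemeral port numbers and the names `SINGLE`, `PAIR` and `RETURN_IN` are constructed for the demonstration; the model covers only `host`, `any`, `network wildcard` and `eq`, so `established`, port ranges and any stateful inspection are deliberately out of scope. It goes slightly beyond the thread by also accepting wildcard-mask address terms.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AddrSpec:
    """One address term of an ACE: 'host A', 'any', or 'A wildcard'."""
    addr: int       # address as a 32-bit integer
    wildcard: int   # Cisco wildcard mask: 1 bits are "don't care"

    def matches(self, ip: str) -> bool:
        return (int(IPv4Address(ip)) | self.wildcard) == (self.addr | self.wildcard)


@dataclass(frozen=True)
class ACE:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: AddrSpec
    sport: Optional[int]   # None when no 'eq' was given on the source side
    dst: AddrSpec
    dport: Optional[int]   # None when no 'eq' was given on the destination side
    text: str              # original line, returned on match for readability


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    if tokens[i] == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return AddrSpec(int(IPv4Address(tokens[i + 1])), 0), i + 2
    # "network wildcard" form, e.g. 192.168.10.0 0.0.0.255
    return AddrSpec(int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    # Only the 'eq <port>' operator is modelled; gt/lt/range/established are out of scope
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> ACE:
    """Parse 'permit|deny <proto> <src> [eq N] <dst> [eq N]' into an ACE."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    if i != len(tokens):
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    return ACE(action, proto, src, sport, dst, dport, line)


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ace.src.matches(pkt.src)
            and (ace.sport is None or ace.sport == pkt.sport)
            and ace.dst.matches(pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First-match evaluation; an ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", None


# The ACEs from the question, and the return-path ACE from the second answer.
SINGLE = [parse_ace("permit tcp host 192.168.10.10 host 192.168.20.20 eq 80")]
PAIR = [parse_ace("permit tcp host 192.168.10.10 eq 80 host 192.168.20.20"),
        parse_ace("permit tcp host 192.168.10.10 host 192.168.20.20 eq 80")]
RETURN_IN = [parse_ace("permit tcp host 192.168.20.20 eq 80 host 192.168.10.10")]

# Constructed sample packets (ephemeral ports are made up for the demonstration).
CLIENT_SYN = Packet("tcp", "192.168.10.10", 51234, "192.168.20.20", 80)       # 10.10 browsing 20.20
SERVER_REPLY = Packet("tcp", "192.168.20.20", 80, "192.168.10.10", 51234)     # 20.20 answering that session
REPLY_AS_SERVER = Packet("tcp", "192.168.10.10", 80, "192.168.20.20", 40000)  # 10.10 answering a session 20.20 opened
OTHER_PORT = Packet("tcp", "192.168.10.10", 51235, "192.168.20.20", 443)      # not port 80 at all

if __name__ == "__main__":
    for name, acl in (("single", SINGLE), ("pair", PAIR), ("return/in", RETURN_IN)):
        for pkt in (CLIENT_SYN, SERVER_REPLY, REPLY_AS_SERVER, OTHER_PORT):
            print(f"{name:10} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: {evaluate(acl, pkt)}")
```

Running the file shows that the client's SYN (ephemeral source port) matches only the ACE with `eq 80` on the destination, while the ACE with `eq 80` on the source matches only packets that 10.10 sends as a server, which is exactly the difference the second answer describes; the `RETURN_IN` ACE is what permits the server's reply on a non-stateful device, and anything not on port 80 falls through to the implicit deny.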
