access-list syntax for ports on both source and destination(?)

lastnight · ‎05-16-2007

I can't find any solid/clear documentation and I haven't been able to test this. Is there any difference between

the single acl statment

permit tcp host 192.168.10.10 host 192.168.20.20 eq 80

and

permit tcp host 192.168.10.10 eq 80 host 192.168.20.20

permit tcp host 192.168.10.10 host 192.168.20.20 eq 80

Doesn't the first single acl statement encompass what the other two statements do together. Or, is specifying a port for both source and destination necessary to limit traffic between the two devices only over that particular port in this example port 80. Let's also say this is on a 'out' access-group instead of a 'in' one.

ankbhasi · ‎05-16-2007

Hi Friend,

I believe your requirement is to permit 10.10 host to allow tcp connection to 20.20 host on destination port 80 and for that purpose your first access list will give you the desired results.

When the TCP port 80 connection will be initiated from your source it will never have source port as 80 and it will be having some randm port number above 1024 so your first statment in second access list criteria will have no affect.

HTH

Ankur

*Pls rate all helpfull post

acomiskey · ‎05-16-2007

I will attempt to answer your question.

Typically, specifying source port and destination is not necessary especially when the source port is not usually known. Actually, the two statements in the second set would not exist in the same acl anyway. If you had a non-stateful firewall it would actually be like this for 10.10 to hit 20.20.

access-list out permit tcp host 192.168.10.10 host 192.168.20.20 eq 80

access-list in permit tcp host 192.168.20.20 eq 80 host 192.168.10.10

In your example, if the two statements were in the same acl, you would be allowing 10.10 to hit 20.20 on port 80 and also allowing 10.10 source port 80 to 20.20, which would occur if lets say 20.20 initiated http traffic to 10.10. So they are very different. Hope that makes sense.