Access-list

Sep 6th, 2007

I am adding a new network 10.102.251.0/25, and for this network I have to allow only http & https traffic.

I have one access-list 122 mapped to the serial port through which internet traffic flows.

So how can I modify the existing access-list, as it is allowing all the traffic except for some deny statements?

access-list 122 deny tcp any any eq 1025
access-list 122 deny tcp any any eq 2967
access-list 122 permit ip any any


Or should I create a new one, say access-list 123, and map it to the serial interface?

Like:

access-list 123 permit tcp 10.102.251.0 0.0.0.127 any eq 80
access-list 123 permit tcp 10.102.251.0 0.0.0.127 any eq 443



fred.mancen Thu, 09/06/2007 - 12:03

Hey buddy.


I think it is easier to create a new ACL and map it to the interface, no doubt. The example is OK and it will work, since you need to permit just these two TCP ports and deny all other traffic.


Regards.

akachroo123 Thu, 09/06/2007 - 12:30

But when the internet traffic leaves the serial interface, how will the router decide which access-list to check?

Do access-lists have some priority?

Jon Marshall Thu, 09/06/2007 - 12:34

Hi


You can apply one access-list per interface per direction. So you cannot apply 2 separate access-lists to the same interface in the same direction.


You need to combine your 2 access-lists into 1 and then apply that.


Jon

akachroo123 Thu, 09/06/2007 - 12:42

This is my existing access-list.

access-list 122 deny tcp any any eq 1025
access-list 122 deny tcp any any eq 2967
access-list 122 permit ip any any


I want to permit http traffic for this network 10.102.251.0/25.

So how can I combine them?

Jon Marshall Thu, 09/06/2007 - 12:47

Hi


Which direction is access-list 122 applied in, and which direction do you want to allow http to/from?


Your access-list 122 has a permit ip any any, which covers all tcp/udp/icmp, so you shouldn't need to explicitly permit tcp/http.


Jon

akachroo123 Thu, 09/06/2007 - 13:13

The direction is out, and I also want to apply it out for the new network.


If I add network 10.102.251.0 before the last statement, it will not work, is what I am guessing.

Jon Marshall Thu, 09/06/2007 - 13:24

Hi


Your last line of access-list 122 says


permit ip any any


Therefore you do not need to add the lines for 10.102.251.0 as the ip any any covers this traffic.


Jon
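To make the thread's point concrete, here is an added example (not from the thread or from Cisco): a small Python simulator of IOS numbered-ACL evaluation (top-down, first match wins, implicit deny at the end) run against the posted access-list 122 and against a constructed combined list. The combined list is an assumption about what the poster wanted: it restricts 10.102.251.0/25 to tcp/80 and tcp/443 with an explicit deny placed before `permit ip any any`, because, as Jon says, permit lines added above `permit ip any any` change nothing on their own.

```python
import ipaddress

def _addr(tok, i):
    # 'any' | 'host A' | 'A WILDCARD'; a contiguous IOS wildcard is accepted by ipaddress as a hostmask
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i + 1] == "0.0.0.0":  # all-zero wildcard means a single host, not /0
        return ipaddress.ip_network(tok[i] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    # 'access-list N permit|deny PROTO SRC DST [eq PORT]' -> (action, proto, src, dst, dport)
    tok = line.split()
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return tok[2], tok[3], src, dst, dport

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines()]

def evaluate(acl, proto, src, dst, dport=None):
    """IOS semantics: entries are checked top-down, first match wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst, aport in acl:
        if aproto in ("ip", proto) and s in asrc and d in adst and aport in (None, dport):
            return action
    return "deny"

# The existing access-list exactly as posted in the thread
ACL_122 = parse_acl("""
access-list 122 deny tcp any any eq 1025
access-list 122 deny tcp any any eq 2967
access-list 122 permit ip any any
""")

# Constructed combined list (assumption): the per-network deny must sit above 'permit ip any any',
# otherwise the final permit matches everything from 10.102.251.0/25 first.
ACL_COMBINED = parse_acl("""
access-list 122 deny tcp any any eq 1025
access-list 122 deny tcp any any eq 2967
access-list 122 permit tcp 10.102.251.0 0.0.0.127 any eq 80
access-list 122 permit tcp 10.102.251.0 0.0.0.127 any eq 443
access-list 122 deny ip 10.102.251.0 0.0.0.127 any
access-list 122 permit ip any any
""")
```

Non-contiguous wildcard masks are not handled by this parser; IOS allows them, but they are rare and ipaddress has no representation for them.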
