Access list doing the same thing

Unanswered Question
Dec 10th, 2007

Hey guys, I have an access list which is applied to the outside interface. There are 2 lines, however that I think they might be doing the same thing and I want to know if I can get rid of one. They both get hits though when I do a "sh access-list 110"

access-list 110 permit udp any any eq isakmp

access-list 110 permit udp any eq isakmp any


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Edison Ortiz Mon, 12/10/2007 - 17:15

They aren't doing the same thing and you haven't told us which direction the ACL was applied.

On the first ACL, you are allowing isakmp on the destination host(s) while on the second ACL, you are allowing isakmp on the source host(s).

insccisco Mon, 12/10/2007 - 17:23

sorry for that.

In int4, there is a line "ip access-group 110 in" so I assume, and I think this is right :), that the ACL is applied to all traffic coming from the outside (internet) towards the network (inside)... please correct me if Im wrong.

There isn't any ACLs applied to the inside interface, which I believe it means anything outbound from the inside is allowed.

my apologies for the fragil questions, I'm trying to get this right and be strong on the basics before moving forward

Edison Ortiz Mon, 12/10/2007 - 17:26

My previous explanation still stands. You are allowing bi-directional traffic for the isakmp port. Removing one ACL will affect this traffic, so leave as is.

insccisco Mon, 12/10/2007 - 17:42

I see. But wouldn't it be redundant as all outbound traffic is already allowed, thus safely remove the second line, and only keep and use the first line (access-list 110 permit udp any any eq isakmp)?

When you make and outbound connection, once that connection is established, doesn't the router allows anything inbound from the destination during the session? and because is ISAKMP, you do have to allow this protocol in the inbound direction, so line 1 wouldn't already be allowing for this?

Edison Ortiz Mon, 12/10/2007 - 19:20

Usually only the destination would be listed in the allowed port but due to the nature of the IPSec traffic, both the source and destination use that port.

For instance, if you are running a web server, only the server needs to be allowed on port 80. The end-devices connecting to this web server will use high random ports (1024 and above) which is allowed by the ACL.

On this case, the application behaves differently as the end-devices and the vpn server utilizes the isakmp port, not high random ports.

Richard Burts Mon, 12/10/2007 - 20:12


I am glad that you are trying to get strong on the basics. Here is an important basic concept: if both access list lines are getting hits then they are not redundant. If a packet gets to the second line and matches the second line (which produces a hit) then it did not match the first line, because access list processing stops when it gets to the first match.

So if you remove either of the lines you will be changing the behavior and some traffic that is getting through currently will start being denied.

I will admit that I am a bit surprised that both lines are getting hits. In my experience using ISAKMP both the source port and the destination port are the same (both sourece port and destination port are UDP ISAKMP). But if both lines of your access list are getting hits then obviously there is traffic in your network that is not working the way that I would expect.



insccisco Tue, 12/11/2007 - 00:03

I have to be honest but I was very close to removing one of the lines. But thanks to you guys I didn't.

I have few networks where we use Cisco all the way, and as time goes by, I want/need to understand each line of each running config I have.

The less lines, the better (for me :) ) One Cisco TAC guy told me that there are Cisco Best Practices and that's exactly where I will like to get.... just like MS Windows where, almost with my eyes closed, I remove tons of unneeded services/files/programs before deployment :)

Jon Marshall Tue, 12/11/2007 - 00:10


One thing you might consider is adding the "log" keyword to the end of these 2 lines and that will show you the source and destination IP addresses and port numbers.

As Rick says, this is strange because ISAKMP is usually udp port 500 to udp port 500.

Obvioulsy if you are going to log these entries please ensure your router has enough spare resources to do this.


insccisco Tue, 12/11/2007 - 00:22

oh, I like that. I will add the log keyword.

But what do you mean by enough resources? I have an 871 which is handling an office of 30+ users.

Can you please show me how to get this "logging" going?

Jon Marshall Tue, 12/11/2007 - 00:33


You should be okay as long as your router is not running "hot" at the moment.

At it's most basic just to turn on logging

router(config)# logging on

router(config)# logging trap informational

router(config)# logging buffered

This will log to the buffer on your 871. Because it is informational you will get more than just the access-list lines being logged and the buffer is circular in that it will keep getting overwritten, which is why people often set up a syslog server and send the logs to that.

You can get a free syslog server that you can run on one of your windows boxes from

If you do this you need one more line in your config

router(config)# logging host "ip address of syslog server"

As with debugging and logging you should keep an eye on the memory and CPU usage on your router.


insccisco Tue, 12/11/2007 - 09:20

what do you mean by "running 'hot' "? cpu usage high? sh proc high?

I am moving ahead with the logging. I do have a syslog server and I will make this 871 send its logs to it, although I want to deploy this syslog server at the other end of the tunnel. Meaning that I will create a LAN-to-LAN tunnel from this 871 to a remote office because that's where I have the syslog server. Will this be OK? will it be safe? or is it gonna put too much traffic on the line?

Jon Marshall Tue, 12/11/2007 - 10:17


I just mean that if your router is running over 50% in cpu usage you just need to be a little careful when you turn logging on.

Sending the traffic down the tunnel will put more overhead on the router because of the encryption overhead.

It's a suck it and see thing really.


insccisco Tue, 12/11/2007 - 10:22

I see. Well, this is my plan, this 871 uses 2 ISPs, and ISP2 is only for backup purposes, so the connection is always on idle. So I am planning to use it for the tunnel so I can keep it busy :) and not put overhead to the main line which is always busy anyways with all the traffic that the inside network puts in it

what do you think?

insccisco Mon, 12/10/2007 - 23:55

interesting. very interesting

Edison, do you know of a good link that touches this ACL topic in very deep details?

Also, any good readings about ACLs (books, articles, etc.) and about ISKMP?

Once again, I need to get stronger on these basics

thank you for the answers

Edison Ortiz Tue, 12/11/2007 - 07:47

For light reading, I usually hit the IOS configuration sections

For your query, I would suggest reading the security section from the link above.

I heard good things about this book as well:

insccisco Tue, 12/11/2007 - 09:16

thank you very much. They look good for reading. The book also sounds good enough that I will buy it, although it has lots of errors according to amazon reviewers, but overall seems like a good beginner's book

thank you again Edison

insccisco Tue, 12/11/2007 - 10:17

I take your word Edison. Making the purchase right now.

If you know of any other good ones, let me know



This Discussion