Access list question

Feb 27th, 2008

Hi seniors, preparing for CCNA. Cannot differentiate exactly what the difference is between the two statements below.

1.deny 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80

2.deny 172.16.16.0 0.0.0.255 eq 80 172.17.17.252 0.0.0.0

In what situation will the second one be used? Thanks for guidance. Tahir

jeremiah.peterson Wed, 02/27/2008 - 18:27

The first statement denies traffic from 172.16.16.0/24 to anywhere port 80

The second statement denies traffic from 172.16.16.0/24 port 80 to anywhere

The first statement would block all traffic to any website on port 80 from 172.16.16.0/24 because of the 0.0.0.0 wildcard mask which matches everything.

The second would block any return traffic from a website running on port 80 on network 172.16.16.0/24.

I am not sure what the intended application of those commands is because I would use the "any" keyword instead of an IP and a 0.0.0.0 wildcard mask.

However I could be missing something.

lamav Wed, 02/27/2008 - 19:38

Mr. Tahir:

deny 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80

denies http traffic to web server 172.17.17.252 from network 172.16.16.0

deny 172.16.16.0 0.0.0.255 eq 80 172.17.17.252 0.0.0.0

denies http traffic from network 172.16.16.0 to host 172.17.17.252

This second one doesn't really make sense. Typically, you will have web traffic coming from users on a network with a TCP port greater than 1024 and destined for the web server on TCP port 80 (http)...just like the first statement.

Also, with wildcard masks, 0.0.0.0 means a perfect match must be met. You can substitute that with the "host" keyword.

Example:

deny 172.16.16.0 0.0.0.255 host 172.17.17.252 eq 80

Tahir, there is really no mystery to access lists. There is a certain format that you must know so that you can understand what they are doing.

You will be best served by reading a good CCNA book and doing a lot of practice questions. I would recommend a CCNA Study Guide by Richard Deal. His is excellent.

Good luck.

If I have helped you, please rate my post.

Thanks

Victor

Richard Burts Wed, 02/27/2008 - 20:13

Sohail

I like the explanation that Victor gives. But let me supplement it by explaining from a slightly different perspective:

the essential difference between the two statements is that in the first the port 80 (HTTP or WWW) is the source port and in the second statement port 80 is the destination port.

This would correspond to the direction of the traffic. The first statement where port 80 is the source would represent traffic from the web server back to the station that originated it. The second statement where port 80 is the destination represents traffic from some source to the web server.

HTH

Rick

lamav Thu, 02/28/2008 - 05:33

Rick:

"the essential difference between the two statements is that in the first the port 80 (HTTP or WWW) is the source port and in the second statement port 80 is the destination port."

You got it backwards.

In the first statement:

deny tcp 172.16.16.0 0.0.0.255 host 172.17.17.252 eq 80

Port 80 is the destination port, not source. And it's the reverse for the second statement.

The format for a TCP extended access list is:

access-list access-list-number [dynamic dynamic-name [timeout minutes]]
{deny | permit} tcp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]] [established]
[precedence precedence] [tos tos] [log | log-input]
[time-range time-range-name]

So, the access list...

access-list 101 deny tcp 172.16.16.0 0.0.0.255 gt 1024 host 172.17.17.252 eq 80

...denies TCP traffic sourced from network 172.16.16.0, whose users have source ports greater than 1024 (this is done automatically by TCP and is expected, of course, since TCP ports less than 1024 are for "known" applications [www, smtp, etc] and reserved) and whose destination traffic is headed for a web server whose http application uses port 80.
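
The field order Victor lays out above (source, optional source-port operator, destination, optional destination-port operator) is the whole point of the thread, and his earlier note that a 0.0.0.0 wildcard is the same thing as the host keyword fits the same model. The following Python is an added example, not code from the thread or from Cisco: it parses just the subset of IOS extended-ACL syntax discussed here and evaluates constructed sample packets against the two statements from the question (with the tcp keyword added, since port operators only apply to TCP/UDP entries). The hosts and ports in the sample packets are made up for illustration.

```python
"""
Added example: a small evaluator for Cisco-style extended ACL entries,
to show why the position of "eq 80" decides source vs destination port.
Only this subset of IOS syntax is modelled:
    [access-list N] {permit|deny} tcp SRC [op PORT] DST [op PORT]
where SRC/DST is "any", "host A.B.C.D", or "A.B.C.D WILDCARD".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS accepts some well-known port names in place of numbers; www is 80.
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "telnet": 23, "smtp": 25, "https": 443}

PORT_OPS = {
    "eq": lambda port, value: port == value,
    "neq": lambda port, value: port != value,
    "gt": lambda port, value: port > value,
    "lt": lambda port, value: port < value,
}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Entry:
    action: str
    src: Tuple[str, str]              # (address, wildcard)
    sport: Optional[Tuple[str, int]]  # (operator, port) or None
    dst: Tuple[str, str]
    dport: Optional[Tuple[str, int]]


def _to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(address: str, wildcard: str, ip: str) -> bool:
    """A wildcard mask is the inverse of a netmask: 0 bits must match, 1 bits
    are ignored. 0.0.0.0 therefore means every bit must match: one exact host."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & care) == (_to_int(ip) & care)


def _parse_addr(toks, i):
    if toks[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if toks[i] == "host":
        return (toks[i + 1], "0.0.0.0"), i + 2
    return (toks[i], toks[i + 1]), i + 2


def _parse_port(toks, i):
    if i < len(toks) and toks[i] in PORT_OPS:
        value = toks[i + 1].lower()
        return (toks[i], PORT_NAMES.get(value) or int(value)), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    """Parse one entry. 'established', log and time-range options are not modelled."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    action, proto = toks[0], toks[1]
    if action not in ("permit", "deny") or proto != "tcp":
        raise ValueError("only permit/deny tcp entries are modelled: " + line)
    src, i = _parse_addr(toks, 2)
    sport, i = _parse_port(toks, i)   # an operator HERE applies to the source port
    dst, i = _parse_addr(toks, i)
    dport, i = _parse_port(toks, i)   # an operator HERE applies to the destination port
    if i != len(toks):
        raise ValueError("unparsed tokens: " + " ".join(toks[i:]))
    return Entry(action, src, sport, dst, dport)


def _port_ok(cond, port):
    return cond is None or PORT_OPS[cond[0]](port, cond[1])


def matches(entry_line: str, pkt: Packet) -> bool:
    e = parse_entry(entry_line)
    return (wildcard_match(*e.src, pkt.src) and _port_ok(e.sport, pkt.sport)
            and wildcard_match(*e.dst, pkt.dst) and _port_ok(e.dport, pkt.dport))


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in acl:
        if matches(line, pkt):
            return parse_entry(line).action
    return "deny"


# The two statements from the question, with the tcp keyword IOS needs for port operators.
STMT1 = "deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80"
STMT2 = "deny tcp 172.16.16.0 0.0.0.255 eq 80 172.17.17.252 0.0.0.0"

# Constructed sample traffic (hypothetical hosts; not from the thread).
REQUEST = Packet("172.16.16.10", 51234, "172.17.17.252", 80)     # user -> web server
REPLY = Packet("172.17.17.252", 80, "172.16.16.10", 51234)       # web server -> user
LAN_SERVER = Packet("172.16.16.5", 80, "172.17.17.252", 40000)   # web server on the LAN -> client

if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("reply", REPLY), ("lan-server", LAN_SERVER)):
        print(f"{name:10} stmt1={matches(STMT1, pkt)!s:5} stmt2={matches(STMT2, pkt)!s:5}")
```

Run stand-alone, it prints which statement each packet hits: statement 1 catches the user's request to the web server at 172.17.17.252 (destination port 80); statement 2 matches only traffic leaving 172.16.16.0/24 with source port 80, i.e. a web server on that LAN answering 172.17.17.252; and neither touches the real server's reply, because its source address 172.17.17.252 is outside 172.16.16.0/24. The `host` form and the `0.0.0.0` wildcard form parse to the same entry, and `eq www` is accepted as `eq 80`.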

Richard Burts Thu, 02/28/2008 - 05:48

Victor is correct. I did have it backward. I was focused on the concept of source port and destination port and got the detail backwards. My apologies.

HTH

Rick

lamav Thu, 02/28/2008 - 05:54

No biggie, Rick. Coming from you, I'm sure it's a result of insufficient coffee this morning. Have a cup on me. :-) I just wanted to point it out so that Tahir doesn't get confused.

Richard Burts Thu, 02/28/2008 - 06:04

Victor

I appreciate that it is no biggie.

It is one of the really good things about the forum that we have many sharp people reading the posts and responses and able to point out when something is said that is potentially misleading. Thanks to you for catching my goof. (drinking that cup of coffee as I type)

HTH

Rick

tahir1234 Thu, 02/28/2008 - 08:48

Thanks seniors, you all really cleared up my concept of ACLs.

Regards,

Joseph W. Doherty Thu, 02/28/2008 - 10:52

As a sidebar, (if I remember correctly) Cisco ACLs sometimes can use, or will use, symbolics for some of the well known ports. So you might see, or might be able to enter, for example, WWW instead of 80 for the port value.
