access list

Answered Question
Jul 8th, 2008

I could just test this in the lab, but I want to run it by you guys... I created an extended ACL with a deny as the first line and permits thereafter... will that work?

ip access-list extended test
 deny tcp host 10.75.50.50 any eq www
 permit icmp any any echo
 permit icmp any any echo-reply
 permit ip any any

Thanks in advance.

Correct Answer by Mark Yeates about 8 years 4 months ago

You are correct. To make this ACL work it needs to be placed inbound because you are denying traffic coming into the router or switch. Here is a guide that will help you decide which direction to place the ACL.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#sourcedefine

Mark

Correct Answer by Mark Yeates about 8 years 4 months ago

Yes, this will work. This will block 10.75.50.50 from using web access.

Mark

Correct Answer by Collin Clark about 8 years 4 months ago

It will block all TCP 80 traffic sourcing from host 10.75.50.50, but all other traffic will be allowed. Also, you don't need the ICMP permits; the ip any any covers ICMP too (unless you're doing it for hit counts).

Hope that helps.


hobbe Tue, 07/08/2008 - 06:56

Yes, you can put a deny first.

In your case it will deny 10.75.50.50 access to port 80 on any server.

However, I do not think you need the ICMP lines, unless you want logging on that specific instance. The IP any any covers that too.

If you want logging, then just add log at the end of the line.
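A small first-match evaluator for the ACL in this thread, added here as an illustration (not code from the original posts or from Cisco IOS): it shows that the leading deny is honoured, that permit ip any any already covers ICMP so the two ICMP lines only add hit counts, and that placing permit ip any any first would shadow the deny entirely. Packet contents and the 192.0.2.10 destination are constructed for the example; interface direction (in/out) is not modelled.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "icmp"
    src: str                         # host address or "any"
    dst: str                         # host address or "any"
    dport: Optional[int] = None      # TCP "eq" port; None matches any port
    icmp_type: Optional[str] = None  # e.g. "echo"; None matches any type
    hits: int = 0                    # per-entry counter, as in "show access-lists"

def parse_ace(line: str) -> Ace:
    # Handles only the address forms used in the thread: "any" and "host A.B.C.D".
    tok, i, addrs = line.split(), 2, []
    for _ in range(2):                      # source, then destination
        if tok[i] == "host":
            addrs.append(tok[i + 1]); i += 2
        else:
            addrs.append("any"); i += 1
    ace = Ace(tok[0], tok[1], addrs[0], addrs[1])
    if ace.proto == "tcp" and i < len(tok) and tok[i] == "eq":
        ace.dport = 80 if tok[i + 1] == "www" else int(tok[i + 1])
    elif ace.proto == "icmp" and i < len(tok):
        ace.icmp_type = tok[i]                # "echo", "echo-reply", ...
    return ace

def matches(ace: Ace, pkt: dict) -> bool:
    return (ace.proto in ("ip", pkt["proto"])
            and ace.src in ("any", pkt["src"])
            and ace.dst in ("any", pkt["dst"])
            and ace.dport in (None, pkt.get("dport"))
            and ace.icmp_type in (None, pkt.get("icmp")))

def evaluate(acl: list, pkt: dict) -> str:
    # IOS semantics: the first matching entry wins; no match is an implicit deny.
    for ace in acl:
        if matches(ace, pkt):
            ace.hits += 1
            return ace.action
    return "deny"

# The ACL from the question, with the "eq" keyword IOS requires before "www".
ACL = [parse_ace(l) for l in (
    "deny tcp host 10.75.50.50 any eq www", "permit icmp any any echo",
    "permit icmp any any echo-reply", "permit ip any any")]
# Same entries with "permit ip any any" first: the deny is shadowed and never hit.
SHADOWED = [parse_ace(l) for l in (
    "permit ip any any", "deny tcp host 10.75.50.50 any eq www")]
```

Run the constructed packets through evaluate() and compare the hits of each entry: the ICMP echo lands on its own permit line only because that line precedes permit ip any any, which is exactly the hit-count argument made above.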

szajihsaniatan Tue, 07/08/2008 - 09:40

Oh yeah, what always gets me is the "in"/"out" statement on the interface...

I just tested this out and it's the "in" statement that makes this ACL work...
