access list

mrSS (Level 1)

I could just test this in the lab, but I want to run it by you guys... I created an extended ACL with a deny as the first line and permits thereafter... will that work?

ip access-list extended test
 remark first match wins, so the web block must precede the blanket permit
 deny tcp host 10.75.50.50 any eq www
 permit icmp any any echo
 permit icmp any any echo-reply
 permit ip any any

thanks in advance


7 Replies

Collin Clark (VIP Alumni)

It will block all TCP 80 traffic sourcing from host 10.75.50.50, but all other traffic will be allowed. Also you don't need the icmp permits, the ip any any covers icmp too (unless you're doing it for hit counts).

Hope that helps.

Sweet... just what I thought... thanks.

Mark Yeates (Level 7)

Yes this will work. This will block 10.75.50.50 from using web access.

Mark

hobbe (Level 7)

Yes, you can put a deny first.

In your case it will deny 10.75.50.50 access to port 80 on any server.

However, I do not think you need the ICMP lines, unless you want logging on that specific instance. The "ip any any" covers that too.

If you want logging, then just add "log" at the end of the line.

Oh yeah, what always gets me is the "in"/"out" statement on the interface...

I just tested this out and it's the "in" statement that makes this ACL work...

You are correct. To make this ACL work it needs to be placed inbound because you are denying traffic coming into the router or switch. Here is a guide that will help you decide which direction to place the ACL.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#sourcedefine

Mark

Thanks, that always confuses me...
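The three points the replies make (first match wins, so a deny ahead of "permit ip any any" works; an ACL with no matching line ends in the implicit deny; and the ACL only filters traffic crossing the interface in the bound direction) can be checked without a lab. The following evaluator is an added example, not code from the thread or from Cisco. It parses a constructed config (the thread's ACL with the `eq` keyword IOS requires, bound `in` on an assumed LAN interface GigabitEthernet0/0 with an assumed address of 10.75.50.1/24) and reports which entry decides each packet; the port and ICMP keyword tables are a small subset of the IOS ones.

```python
"""First-match evaluator for IOS-style extended ACLs (added example, not from the
thread or from Cisco). It parses the constructed config below, applies the ACL
in the bound direction and reports which entry decided the packet."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed config: the thread's ACL bound inbound on the LAN-facing interface
# where 10.75.50.50 lives (interface name and address are assumptions).
CONFIG = """\
ip access-list extended test
 deny tcp host 10.75.50.50 any eq www
 permit icmp any any echo
 permit icmp any any echo-reply
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 10.75.50.1 255.255.255.0
 ip access-group test in
"""
# Same entries with the blanket permit ahead of the deny: the deny is never reached.
REVERSED = CONFIG.replace(" deny tcp host 10.75.50.50 any eq www\n", "").replace(
    " permit ip any any\n", " permit ip any any\n deny tcp host 10.75.50.50 any eq www\n")

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}  # subset of IOS keywords
ICMP_NAMES = {"echo": 8, "echo-reply": 0}                       # RFC 792 type numbers

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # from 'eq <port>'
    icmp_type: Optional[int] = None  # from an ICMP message keyword
    log: bool = False                # trailing 'log' keyword

def _addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # An IOS wildcard mask is the bitwise inverse of a netmask.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens.pop(0))))
    return ipaddress.ip_network(f"{t}/{netmask}", strict=False)

def parse_entry(line):
    action, proto, *rest = line.split()
    e = Entry(action, proto, _addr(rest), _addr(rest))   # source first, then destination
    while rest:
        t = rest.pop(0)
        if t == "eq":
            p = rest.pop(0)
            e.dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        elif t == "log":
            e.log = True
        elif proto == "icmp" and t in ICMP_NAMES:
            e.icmp_type = ICMP_NAMES[t]
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return e

def parse_config(text):
    """Return ({acl name: [Entry, ...]}, {interface: {'in'|'out': acl name}})."""
    acls, bindings, cur_acl, cur_if = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("ip access-list extended "):
            cur_acl, cur_if = line.split()[-1], None
            acls[cur_acl] = []
        elif line.startswith("interface "):
            cur_if, cur_acl = line.split()[-1], None
            bindings[cur_if] = {}
        elif line.startswith("ip access-group ") and cur_if:
            _, _, name, direction = line.split()
            bindings[cur_if][direction] = name
        elif cur_acl and line.split()[0] in ("permit", "deny"):
            acls[cur_acl].append(parse_entry(line))
    return acls, bindings

def packet(src, dst, proto, dport=None, icmp_type=None):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport, "icmp_type": icmp_type}

def matches(e, pkt):
    return ((e.proto == "ip" or e.proto == pkt["proto"])
            and pkt["src"] in e.src and pkt["dst"] in e.dst
            and (e.dport is None or e.dport == pkt["dport"])
            and (e.icmp_type is None or e.icmp_type == pkt["icmp_type"]))

def evaluate(acl, pkt):
    """First matching entry wins; no match falls into the implicit 'deny ip any any'."""
    for n, e in enumerate(acl, 1):
        if matches(e, pkt):
            return e.action, n
    return "deny", None

def decide(config_text, iface, direction, pkt):
    """Result for a packet crossing `iface` in `direction` ('in' = arriving on it).
    With no ACL bound in that direction the packet is not filtered there."""
    acls, bindings = parse_config(config_text)
    name = bindings.get(iface, {}).get(direction)
    return ("permit", None) if name is None else evaluate(acls[name], pkt)

if __name__ == "__main__":
    lan = "GigabitEthernet0/0"
    web = packet("10.75.50.50", "203.0.113.10", "tcp", dport=80)
    print("host -> web, ACL in:  ", decide(CONFIG, lan, "in", web))      # ('deny', 1)
    print("permit-first order:   ", decide(REVERSED, lan, "in", web))    # ('permit', 3)
    # Bound 'out' on the LAN interface, the ACL never sees the host's own
    # requests, which arrive inbound on that interface.
    print("ACL bound out instead:", decide(CONFIG.replace("test in", "test out"), lan, "in", web))
```

Swapping the deny below the blanket permit (the REVERSED config) shows why order matters: the web request hits "permit ip any any" at entry 3 and the deny is dead. Dropping "permit ip any any" altogether shows the implicit deny: anything the remaining lines do not permit returns `("deny", None)`.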
