Confirmation on basic ACL extended-list

Answered Question
Sep 2nd, 2009
Hi, just wanted to confirm:

If I need to let only two IP addresses (1.1.1.1 and 1.1.1.2) connect to server 192.168.206.5, I should bring lines 40-70 to the top of the access-list below, correct?

!
ip access-list extended LETTWOPEOPLECONNECT
 10 permit icmp any any
 20 deny ip host 192.168.206.5 any
 30 deny ip any host 192.168.206.5
 40 permit ip any host 1.1.1.1
 50 permit ip any host 1.1.1.2
 60 permit ip host 1.1.1.1 any
 70 permit ip host 1.1.1.2 any
 80 permit ip any any
!


Jon Marshall Wed, 09/02/2009 - 15:18

Marlon


Yes, you would need to move the entries above line 20. Actually, you could just write 2 more specific entries, i.e.

11 permit ip host 1.1.1.1 host 192.168.206.5
12 permit ip host 1.1.1.2 host 192.168.206.5

You could make them even more specific by using only the relevant ports (TCP/UDP) that 1.1.1.1/2 need to connect to on server 192.168.206.5.

I'm assuming this ACL is applied inbound on the relevant interface.


Jon

Correct Answer
Edison Ortiz Wed, 09/02/2009 - 15:19

We don't know the direction of this ACL (in|out).

Knowing the direction will help save some entries, such as:

20 deny ip host 192.168.206.5 any
30 deny ip any host 192.168.206.5

can be just one entry

20 deny ip host 192.168.206.5 any

or

30 deny ip any host 192.168.206.5

But to answer your question, yes, moving 40-70 before the deny 20-30 will let those hosts connect to server 192.168.206.5, but you can streamline the ACL with fewer ACEs.


__


Edison.
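The two answers above (Jon's host-to-server entries at 11/12, and Edison's point that knowing the direction lets you drop ACEs) both come down to IOS first-match evaluation. The following is an added example, not code from the thread or from Cisco: a small evaluator for the subset of extended-ACL syntax used in this thread (`permit|deny <proto> any|host X any|host Y`, plus the implicit deny at the end), run over the asker's ACL, the "move 40-70 up" variant, Jon's variant, and a streamlined variant that assumes the ACL is applied inbound on the interface facing the two clients. The host 10.0.0.9 is a constructed "some other host"; the ACE sequence numbers 11-14 in the moved variant are my own renumbering of lines 40-70.

```python
"""Added example (not from the thread): first-match evaluator for the ACE
syntax used above, comparing the orderings the answers discuss."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _endpoint(tokens):
    """Consume 'any' or 'host A.B.C.D' from the token list; return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError(f"unsupported endpoint syntax: {tokens}")


def parse_ace(line):
    """Parse '<seq> <permit|deny> <proto> <src> <dst>' (the subset used in the thread)."""
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    src, rest = _endpoint(tokens[3:])
    dst, _ = _endpoint(rest)
    return {"seq": seq, "action": action, "proto": proto, "src": src, "dst": dst}


def parse_acl(text):
    """Parse a block of ACEs and order them by sequence number, as IOS does."""
    aces = [parse_ace(l) for l in text.strip().splitlines() if l.strip()]
    return sorted(aces, key=lambda a: a["seq"])


def evaluate(acl, proto, src, dst):
    """Return (action, seq) of the first matching ACE. ('deny', None) is the
    implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):  # an 'ip' ACE matches every IP protocol
            continue
        if s in ace["src"] and d in ace["dst"]:
            return ace["action"], ace["seq"]
    return "deny", None


# The ACL exactly as posted in the question.
ORIGINAL = """
10 permit icmp any any
20 deny ip host 192.168.206.5 any
30 deny ip any host 192.168.206.5
40 permit ip any host 1.1.1.1
50 permit ip any host 1.1.1.2
60 permit ip host 1.1.1.1 any
70 permit ip host 1.1.1.2 any
80 permit ip any any
"""

# What the asker proposed: lines 40-70 moved above the two denies (renumbered 11-14 here).
MOVED = """
10 permit icmp any any
11 permit ip any host 1.1.1.1
12 permit ip any host 1.1.1.2
13 permit ip host 1.1.1.1 any
14 permit ip host 1.1.1.2 any
20 deny ip host 192.168.206.5 any
30 deny ip any host 192.168.206.5
80 permit ip any any
"""

# Jon's suggestion: two host-to-server entries at 11 and 12, nothing moved.
SPECIFIC = """
11 permit ip host 1.1.1.1 host 192.168.206.5
12 permit ip host 1.1.1.2 host 192.168.206.5
""" + ORIGINAL

# Edison's point applied: if the ACL is inbound on the client-facing interface,
# only client -> server traffic ever hits it, so line 20 and lines 40-70 add nothing.
STREAMLINED = """
10 permit icmp any any
11 permit ip host 1.1.1.1 host 192.168.206.5
12 permit ip host 1.1.1.2 host 192.168.206.5
30 deny ip any host 192.168.206.5
80 permit ip any any
"""

SERVER, ALLOWED, OTHER = "192.168.206.5", "1.1.1.1", "10.0.0.9"  # 10.0.0.9: constructed other host


def decisions(text):
    """First-match decisions for the flows that matter, plus the ACE count."""
    acl = parse_acl(text)
    return {
        "allowed_to_server": evaluate(acl, "tcp", ALLOWED, SERVER),
        "other_to_server": evaluate(acl, "tcp", OTHER, SERVER),
        "server_to_allowed": evaluate(acl, "tcp", SERVER, ALLOWED),
        "ace_count": len(acl),
    }


if __name__ == "__main__":
    for name, text in [("original", ORIGINAL), ("moved", MOVED),
                       ("specific", SPECIFIC), ("streamlined", STREAMLINED)]:
        print(name, decisions(text))
```

Running it shows why the ordering matters: in the original ACL 1.1.1.1 to the server is stopped by line 30; moving 40-70 up permits it (line 13) but also permits the server to 1.1.1.1 via the broad `any host 1.1.1.1` entry (line 11), while Jon's host-to-server entries permit exactly the two flows and leave line 20 in effect; the streamlined inbound version reaches the same client-side decisions with 5 ACEs instead of 8 or 10.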
