Unanswered Question
May 4th, 2012

Hi Experts

What is the technical difference between:

access-list acl permit tcp host eq 80 any ?


access-list acl permit tcp host any eq 80 ?

It confuses me a little bit.



Maykol Rojas Fri, 05/04/2012 - 10:52


The first one indicates that the packet from will come with a source port of 80. Since TCP connections start with a random source port, the ACL most likely is not going to be hit. In the case of a router, where they are more packet-wise than connection-wise, it may work, but for an ASA it won't, because a connection needs to be established prior to a response on a well-known port being received.

The second one is more common; it usually allows connections to well-known ports for the first SYN packet (in the case of TCP connections). That will allow a connection establishment on the ASA firewall, and then the return packets will be allowed, removing the need for you to configure ACLs with source ports.


Dan-Ciprian Cicioiu Fri, 05/04/2012 - 10:49

Hi Ibrahim,

Source IP source port 80 -> any IP destination any port destination

access-list acl permit tcp host eq 80 any ?

Source IP source port any -> any IP destination port destination 80

access-list acl permit tcp host any eq 80 ?

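As an added illustration of both replies (example code written for this page, not from the thread or from Cisco), the following small Python model parses the two ACEs and evaluates a constructed client-initiated flow and a constructed server-side flow against them, once router-style (every packet checked, no state) and once ASA-style (only a matching SYN opens a connection, whose later packets are then permitted). The host address 10.0.0.1 stands in for the elided "host" argument, and the other addresses and ports are made up.

```python
from dataclasses import dataclass

HOST = "10.0.0.1"  # constructed stand-in for the elided "host" address

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True only for the first packet of a connection

def parse_ace(line):
    """Parse 'access-list NAME permit tcp (host IP|any) [eq PORT] (host IP|any) [eq PORT]'."""
    toks = line.split()
    if toks[:1] != ["access-list"] or toks[2:4] != ["permit", "tcp"]:
        raise ValueError("only 'access-list NAME permit tcp ...' is handled")
    rest, ace = toks[4:], {}
    for side in ("src", "dst"):
        if rest[:1] == ["host"]:
            ace[side + "_ip"], rest = rest[1], rest[2:]
        elif rest[:1] == ["any"]:
            ace[side + "_ip"], rest = None, rest[1:]  # None means "any"
        else:
            raise ValueError("expected 'host IP' or 'any'")
        if rest[:1] == ["eq"]:  # optional port qualifier for this side
            ace[side + "_port"], rest = int(rest[1]), rest[2:]
        else:
            ace[side + "_port"] = None
    return ace

def ace_matches(ace, pkt):
    return all(ace[k] in (None, v) for k, v in (
        ("src_ip", pkt.src_ip), ("src_port", pkt.src_port),
        ("dst_ip", pkt.dst_ip), ("dst_port", pkt.dst_port)))

def evaluate(acl_line, packets, stateful):
    """One permit/deny decision per packet.  stateful=False: each packet is
    checked against the ACE (router style).  stateful=True: only a matching
    SYN opens a connection; its later packets in either direction are then
    permitted without consulting the ACE (ASA style)."""
    ace, conns, decisions = parse_ace(acl_line), set(), []
    for p in packets:
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if stateful and (fwd in conns or rev in conns):
            decisions.append(True)                     # established connection
        elif ace_matches(ace, p) and (p.syn or not stateful):
            if p.syn: conns.add(fwd)                   # SYN matched: open a connection
            decisions.append(True)
        else:
            decisions.append(False)
    return decisions

ACL_SRC80 = f"access-list acl permit tcp host {HOST} eq 80 any"   # source port 80
ACL_DST80 = f"access-list acl permit tcp host {HOST} any eq 80"   # destination port 80
# Constructed flows: the host opens a connection to a web server (client role),
# and a remote client opens a connection to the host's port 80 (server role).
CLIENT_FLOW = [Packet(HOST, 51000, "203.0.113.5", 80, syn=True),
               Packet("203.0.113.5", 80, HOST, 51000)]
SERVER_FLOW = [Packet("198.51.100.7", 40000, HOST, 80, syn=True),
               Packet(HOST, 80, "198.51.100.7", 40000)]
```

Running `evaluate` on these flows shows the replies' point: the source-port-80 ACE never matches the client's SYN (random source port) and on the ASA cannot even pass the host's own web replies, because no SYN opened a connection, while the destination-port-80 ACE matches the SYN and the ASA then permits the return packet by connection state.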


Posted May 4, 2012 at 10:43 AM
Tags: asa