Extended ACL TCP port control

Unanswered Question
Dec 26th, 2005
User Badges:
  • Bronze, 100 points or more

Hi all,

I have configured an acl to control traffic going in/out of an interface via tcp ports. However, after applying the acl to the interface, i find that eventhough ports are allowed, traffic is blocked by the acl.

I suspected that it could be the initial tcp handshake (SYN, SYNACK, ACK etc) is not being allowed (due to the implicit deny). When i included that in the acl, it worked. Is this a necessary step in an acl that controls by tcp port?

Reason is, some of the acl configured with tcp port control has not been configured to allow SYN, ACK etc but it works when some of these ACLs are applied to other interface.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
dgahm Tue, 12/27/2005 - 16:16
User Badges:
  • Blue, 1500 points or more

The ACL will treat a handshake packet the same as any other TCP packet if you just use the port. You might have your well known port on the wrong side of the statement. That is the one of the most common places people run into trouble. The other is in vs out when applying the list.

In this example the source port is 80, so this would match http packets from server to client, including SYN ACKs, or ACKs.

access-list 101 permit tcp host eq 80 host

This would match http packets from the client to the server, including SYNs.

access-list 102 permit tcp host host eq 80

If applied to an ethernet interface on the server subnet you want ip access-group 101 in and ip access-group 102 out

If this doesn't help perhaps you could post your config. Using an explicit deny ip any any log as the last line in your list will help in troubleshooting. All denied packets will then be logged.

frenzeus Tue, 12/27/2005 - 18:26
User Badges:
  • Bronze, 100 points or more


Thanks for the response. As far as the config of the ACL, it's quite straight forward with the thing i'm trying to achieve. & are Mail servers. The objective is to control both .190 & .192. The config is as below:


interface Vlan2

description For Mail

ip address

ip access-group 2002 in


C6500#sh access-li 2002

Extended IP access list 2002

10 permit icmp any any (272 matches)

20 permit tcp host any syn (10467 matches)

30 permit tcp host any ack (781 matches)

40 permit tcp host eq smtp any

50 permit tcp host eq pop3 any

60 permit tcp host eq smtp any

70 permit tcp host eq pop3 any (4 matches)

80 permit ip host (19 matches)

When I first created this ACL, without the SYN & ACK configured, users failed to connect to the servers. I personally believe users could connect, but it's the return packets from the servers that might have gotten blocked by the ACL. However, after I added in the SYN & ACK, all went well. I could see counters incrementing for the SYN & ACK as well.

Whereas, some other applications that use some custom ports, ie. 10000, 10001, didn't seem to need the explicit configuration of the SYN/ACKs & the ACL worked well.

dgahm Tue, 12/27/2005 - 20:08
User Badges:
  • Blue, 1500 points or more

Could it be that .190 and .192 are initiating the SMTP connections to another mail server, and are therefore the client rather than the server?

Logging denies would let you see if this is the case.

Try adding:

permit tcp host any eq smtp

With your list you are allowing any TCP port.

frenzeus Tue, 12/27/2005 - 22:17
User Badges:
  • Bronze, 100 points or more

Thanks again for getting back so soon.

Those are the only 2 mail servers. But i guess i could try to configure a deny any any log to see what gets denied.

The weirdest part is once i've put in the SYN/ACK, it's working. Thanks.


This Discussion