Cisco Support Community

New Member

ACL_Difference

Hi Experts

What is the technical difference between:

access-list acl permit tcp host 10.10.10.10 eq 80 any ?

                               and

access-list acl permit tcp host 10.10.10.10 any eq 80 ?

It confuses me a little bit.

Thanks

jamil

3 REPLIES

Re: ACL_Difference

Hi Ibrahim,

Source IP 10.10.10.10, source port 80 -> any destination IP, any destination port:

access-list acl permit tcp host 10.10.10.10 eq 80 any ?

Source IP 10.10.10.10, any source port -> any destination IP, destination port 80:

access-list acl permit tcp host 10.10.10.10 any eq 80 ?

Dan

Cisco Employee

ACL_Difference

Jamil,

The first one indicates that the packet from 10.10.10.10 will come with a source port of 80. Since a TCP connection starts with a random source port, the ACL most likely is not going to be hit. In the case of a router, which works more per packet than per connection, it may work, but for an ASA it won't, because a connection needs to be established before a response from the well-known port is received.

The second one is more common; it usually allows connections to well-known ports for the first SYN packet (in the case of TCP connections). That will allow the connection to be established on the ASA firewall, and then the return packets will be allowed, removing the need to configure ACLs with source ports.

Mike

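As an added illustration (not part of the thread, and not Cisco's own ACL code), the script below models how these two extended-ACL entries are matched against TCP packets. It parses only the syntax used in the thread (access-list name permit tcp host ip [eq port] any [eq port]), applies first-match with the implicit deny at the end, and runs two constructed packets through each entry: 10.10.10.10 opening a connection to a web server (random ephemeral source port, destination port 80), and 10.10.10.10 answering as a web server (source port 80). The destination address 203.0.113.5 and the ephemeral port 51234 are made-up values for the example.

```python
# Added example, not from the original thread: a minimal matcher for the two
# ACL entries discussed above. Only this syntax is parsed:
#   access-list <name> permit|deny tcp host <ip> [eq <port>] any [eq <port>]
# All addresses, ports and packets below are constructed for illustration.
import re
from dataclasses import dataclass
from typing import Optional

ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+tcp\s+"
    r"host\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?:\s+eq\s+(?P<sport>\d+))?\s+"
    r"any(?:\s+eq\s+(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Ace:
    action: str
    src: str
    sport: Optional[int]   # None means "any source port"
    dport: Optional[int]   # None means "any destination port"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def parse_ace(line):
    """Parse one access-list line of the restricted syntax into an Ace."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL syntax: {line!r}")
    return Ace(
        action=m["action"],
        src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,
        dport=int(m["dport"]) if m["dport"] else None,
    )


def ace_matches(ace, pkt):
    # "host <ip>" pins the source address; "eq <port>" pins a port.
    # An "eq" placed before "any" is a SOURCE port, after it a DESTINATION port.
    if pkt.src != ace.src:
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def evaluate(acl_lines, pkt):
    """First matching entry wins; no match means implicit deny, as on IOS/ASA."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The two entries from the thread (the trailing "?" there is the poster's
# question mark, not part of the ACL).
ACL_SRC_PORT = ["access-list acl permit tcp host 10.10.10.10 eq 80 any"]
ACL_DST_PORT = ["access-list acl permit tcp host 10.10.10.10 any eq 80"]

# Constructed traffic: a client SYN from 10.10.10.10 with a random ephemeral
# source port to a web server, and a reply sent by 10.10.10.10 acting as the
# web server (source port 80, client's ephemeral port as destination).
CLIENT_SYN = Packet("10.10.10.10", 51234, "203.0.113.5", 80)
SERVER_REPLY = Packet("10.10.10.10", 80, "203.0.113.5", 51234)


def compare():
    """Evaluate both constructed packets against each ACL entry."""
    return {
        "src_port_acl": {
            "client_syn": evaluate(ACL_SRC_PORT, CLIENT_SYN),
            "server_reply": evaluate(ACL_SRC_PORT, SERVER_REPLY),
        },
        "dst_port_acl": {
            "client_syn": evaluate(ACL_DST_PORT, CLIENT_SYN),
            "server_reply": evaluate(ACL_DST_PORT, SERVER_REPLY),
        },
    }


if __name__ == "__main__":
    for acl, results in compare().items():
        print(acl, results)
```

Running it shows the point of Mike's reply: the "eq 80 any" entry denies the client's SYN (its source port is 51234, not 80) and only permits traffic that 10.10.10.10 sends from port 80, whereas the "any eq 80" entry permits the SYN toward port 80 and would deny a packet whose destination port is the client's ephemeral port. On a stateful firewall the second form is what lets the connection be built, after which return traffic is tracked by the connection table rather than by a source-port ACL.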
New Member

ACL_Difference

Thanks for your replies, guys.
