Cisco Support Community
Community Member

ACL'S IP, TCP

Hi there,

Please excuse me for this simple question.

I am confused about extended ACLs when we use (permit|deny) for the protocols IP, TCP and UDP in an access list.

I have 2 Examples below

1.  access-list 102 permit tcp any 192.168.10.10

    OR

    access-list 102 permit ip any 192.168.10.10

2.  access-list 103 deny tcp any 192.168.20.10

    OR

    access-list 103 deny ip any 192.168.20.10

Q1. In example 1 I am permitting the TCP and IP protocols from any to 192.168.10.10.

    My question: what difference does it make if we use either TCP or IP in a permit access-list (i.e. what is the meaning of using IP or TCP), and what impact does it have?

Q2. Same goes for access-list 103: what is the difference in using TCP or IP in a deny statement, and what impact does it have?

Q3. If I want to block or permit traffic through an access-list, should I use IP or TCP in the protocol field of the access-list?

My confusion is about IP, TCP and UDP.

Please help.

I will appreciate any response.

2 ACCEPTED SOLUTIONS
Cisco Employee

Re: ACL'S IP, TCP

Everything is included under IP.

TCP, UDP and ICMP, for example, are all under IP.

Q1. If you configure IP, that would already include TCP, hence, you do not need to configure TCP anymore if you already configure IP.

Q2. "deny tcp" will only deny the TCP protocol, e.g. telnet, smtp, http, while "deny ip" will include everything (the TCP, UDP and ICMP protocols), e.g. telnet, smtp, http, dns, icmp, snmp, etc.

Q3. If you would like to deny everything, you should use "IP" instead of "TCP" only.

Hope that helps.

Hall of Fame Super Gold

Re: ACL'S IP, TCP

I believe that the answer from Halijenn is good and thought that a small example might help to clarify. With this access list line:

access-list 102 permit tcp  any  192.168.10.10

if you attempt to telnet to 192.168.10.10 it would be permitted, but if you attempt to tftp to that address it would be denied. Telnet is TCP port 23 and so is permitted, but tftp uses UDP and so is not permitted. If you change the line to:

access-list 102 permit ip  any  192.168.10.10

then both telnet and tftp would be permitted.

And the same concept works in your example with access-list 103. If the deny statement specifies TCP then only TCP traffic is affected (but not UDP or ICMP or other types of IP traffic).

HTH

Rick
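
The behaviour both answers describe, as an added example that is not part of the original thread or of Cisco's software: a small Python evaluator for IOS-style numbered extended ACL lines that models the protocol keyword (ip covers tcp, udp and icmp; tcp matches only TCP), wildcard masks, top-to-bottom first-match processing and the implicit "deny ip any any" at the end of every ACL. Port numbers are deliberately not modelled, and the thread's bare destination addresses are written with the host keyword, which is an assumption about the intent. The config lines and packets are constructed for the example; note what happens to ACL 103 from the question, which contains only a deny: the implicit deny drops the UDP traffic too, so a "deny tcp" line alone does not leave UDP through unless a later permit follows it (ACL 113).

```python
"""Evaluate packets against Cisco IOS-style numbered extended ACL lines.

Added example, not from the original thread.  Models only the protocol
keyword, source/destination wildcard matching, first-match ordering and
the implicit 'deny ip any any'.  Ports are not modelled (assumption).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

AddrRule = Tuple[int, int]   # (address, wildcard mask) as 32-bit ints


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", "udp" or "icmp"
    src: AddrRule
    dst: AddrRule


# Accepted address forms: "any", "host A", or "A WILDCARD".
_ADDR = r"(any|host\s+\S+|\S+\s+\S+)"
_LINE = re.compile(
    rf"^access-list\s+(\d+)\s+(permit|deny)\s+(ip|tcp|udp|icmp)\s+{_ADDR}\s+{_ADDR}$")


def _parse_addr(tok: str) -> AddrRule:
    parts = tok.split()
    if parts[0] == "any":                      # any == 0.0.0.0 255.255.255.255
        return (0, 0xFFFFFFFF)
    if parts[0] == "host":                     # host A == A 0.0.0.0
        return (int(ipaddress.IPv4Address(parts[1])), 0)
    return (int(ipaddress.IPv4Address(parts[0])),
            int(ipaddress.IPv4Address(parts[1])))


def parse_acl(text: str) -> Dict[str, List[Entry]]:
    """Group 'access-list N ...' lines by ACL number, keeping their order."""
    acls: Dict[str, List[Entry]] = {}
    for raw in text.splitlines():
        line = " ".join(raw.split())           # collapse the spacing of pasted configs
        if not line or line.startswith("!"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line}")
        num, action, proto, src, dst = m.groups()
        acls.setdefault(num, []).append(
            Entry(action, proto, _parse_addr(src), _parse_addr(dst)))
    return acls


def _addr_match(addr: int, rule: AddrRule) -> bool:
    base, wild = rule
    care = ~wild & 0xFFFFFFFF                  # wildcard bit 0 = must match, 1 = don't care
    return (addr & care) == (base & care)


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason) for the first matching entry, else the implicit deny."""
    s = int(ipaddress.IPv4Address(pkt.src))
    d = int(ipaddress.IPv4Address(pkt.dst))
    for i, e in enumerate(entries, 1):
        # 'ip' matches every IP protocol; 'tcp'/'udp'/'icmp' match only that one.
        if (e.proto == "ip" or e.proto == pkt.proto) \
                and _addr_match(s, e.src) and _addr_match(d, e.dst):
            return (e.action, f"line {i}: {e.action} {e.proto}")
    return ("deny", "implicit deny ip any any")


# Constructed sample config: the thread's two variants of 102 and 103 as four
# separate ACLs, plus 113, which follows the deny with an explicit permit.
SAMPLE_CONFIG = """
access-list 102 permit tcp any host 192.168.10.10
access-list 112 permit ip  any host 192.168.10.10
access-list 103 deny   tcp any host 192.168.20.10
access-list 113 deny   tcp any host 192.168.20.10
access-list 113 permit ip  any any
"""

# Constructed packets: telnet is TCP, tftp is UDP (ports not modelled).
TELNET_TO_10 = Packet("tcp", "10.1.1.5", "192.168.10.10")
TFTP_TO_10 = Packet("udp", "10.1.1.5", "192.168.10.10")
TELNET_TO_20 = Packet("tcp", "10.1.1.5", "192.168.20.10")
TFTP_TO_20 = Packet("udp", "10.1.1.5", "192.168.20.10")


def demo() -> Dict[str, str]:
    acls = parse_acl(SAMPLE_CONFIG)
    cases = {
        "102 (permit tcp) telnet": (acls["102"], TELNET_TO_10),
        "102 (permit tcp) tftp": (acls["102"], TFTP_TO_10),
        "112 (permit ip) tftp": (acls["112"], TFTP_TO_10),
        "103 (deny tcp only) tftp": (acls["103"], TFTP_TO_20),
        "113 (deny tcp, permit ip) telnet": (acls["113"], TELNET_TO_20),
        "113 (deny tcp, permit ip) tftp": (acls["113"], TFTP_TO_20),
    }
    return {name: evaluate(acl, pkt)[0] for name, (acl, pkt) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:36s} -> {verdict}")
```

Running it shows the tftp packet dropped by ACL 102 and ACL 103 alike, for different reasons: in 102 there is no permit covering UDP, in 103 the only line is a TCP-specific deny and the implicit deny catches the rest. Swapping tcp for ip in 102, or adding "permit ip any any" after the deny as in 113, is what changes the verdict.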
