Cisco Support Community
New Member

Confirmation on basic ACL extended-list

Hi, just wanted to confirm:

If I need to let only two IP addresses (1.1.1.1 and 1.1.1.2) connect to server 192.168.206.5, I should bring lines 40-70 to the top of the access-list below, correct?

!
ip access-list extended LETTWOPEOPLECONNECT
 10 permit icmp any any
 20 deny ip host 192.168.206.5 any
 30 deny ip any host 192.168.206.5
 40 permit ip any host 1.1.1.1
 50 permit ip any host 1.1.1.2
 60 permit ip host 1.1.1.1 any
 70 permit ip host 1.1.1.2 any
 80 permit ip any any
!

Accepted Solution
Hall of Fame Super Bronze

Re: Confirmation on basic ACL extended-list

We don't know the direction of this ACL (in|out).

Knowing the direction will help save some entries. For example:

 20 deny ip host 192.168.206.5 any
 30 deny ip any host 192.168.206.5

can be just one entry, either

 20 deny ip host 192.168.206.5 any

or

 30 deny ip any host 192.168.206.5

But to answer your question: yes, moving 40-70 before the denies at 20-30 will let those hosts connect to server 192.168.206.5, but you can streamline the ACL with fewer ACEs.

__

Edison.

3 REPLIES
Hall of Fame Super Blue

Re: Confirmation on basic ACL extended-list

Marlon

Yes, you would need to move the entries above line 20. Actually, you could just write two more specific entries, i.e.:

 11 permit ip host 1.1.1.1 host 192.168.206.5
 12 permit ip host 1.1.1.2 host 192.168.206.5

You could make them even more specific by using only the relevant ports (TCP/UDP) that 1.1.1.1/1.1.1.2 need to connect to on server 192.168.206.5.

I'm assuming this ACL is applied inbound on the relevant interface.

Jon
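The point both answers make is that IOS evaluates an extended ACL top to bottom in sequence-number order and stops at the first ACE that matches, with an implicit "deny ip any any" at the end. The following is an added example, not code from this thread or from Cisco: a small Python first-match evaluator for the ACE shapes used above (permit/deny; ip, icmp, tcp, udp; host, any, or address plus wildcard; an optional "eq" destination port). It runs the ACL as posted, the asker's reordered version (old 40-70 resequenced as 11-14, which is an assumption; IOS "ip access-list resequence" or explicit numbers would do the same), and Jon's two host-to-host entries tightened to a single service (tcp/443 is an assumed port) against a set of constructed flows. Everything else, including the 1.1.1.3 and 10.0.0.9 addresses, is made up for the demonstration.

```python
"""First-match evaluator for the IOS-style extended ACEs used in this thread.

Added example, not code from the thread. Models permit|deny, ip|icmp|tcp|udp,
'host A', 'any', 'A W' (address + wildcard), an optional 'eq N' destination
port, and the implicit 'deny ip any any' that ends every IOS ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SERVER = "192.168.206.5"
PROTOCOLS = ("ip", "icmp", "tcp", "udp")


@dataclass(frozen=True)
class AddrMatch:
    addr: int       # IPv4 address as an integer
    wildcard: int   # IOS wildcard mask: set bits are "don't care"

    def matches(self, ip: str) -> bool:
        return (int(ipaddress.IPv4Address(ip)) | self.wildcard) == (self.addr | self.wildcard)


@dataclass(frozen=True)
class ACE:
    seq: int
    action: str
    proto: str
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int]  # only the destination 'eq' form is modelled


def _addr(tokens):
    """Consume one address spec; return (AddrMatch, remaining tokens)."""
    if tokens[0] == "any":
        return AddrMatch(0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return AddrMatch(int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (AddrMatch(int(ipaddress.IPv4Address(tokens[0])),
                      int(ipaddress.IPv4Address(tokens[1]))), tokens[2:])


def parse_acl(text: str):
    """Parse numbered ACE lines; header and '!' lines are skipped."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        tok = line.split()
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        if action not in ("permit", "deny") or proto not in PROTOCOLS:
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _addr(tok[3:])
        dst, rest = _addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append(ACE(seq, action, proto, src, dst, dport))
    return sorted(aces, key=lambda a: a.seq)  # IOS evaluates in sequence order


def evaluate(aces, src: str, dst: str, proto: str, dport: Optional[int] = None):
    """Return (action, seq) of the first matching ACE, or ('deny', None) for the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (ace.src.matches(src) and ace.dst.matches(dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq
    return "deny", None


# The ACL exactly as posted in the question.
ORIGINAL_ACL = """
ip access-list extended LETTWOPEOPLECONNECT
 10 permit icmp any any
 20 deny ip host 192.168.206.5 any
 30 deny ip any host 192.168.206.5
 40 permit ip any host 1.1.1.1
 50 permit ip any host 1.1.1.2
 60 permit ip host 1.1.1.1 any
 70 permit ip host 1.1.1.2 any
 80 permit ip any any
"""

# The asker's proposal: old 40-70 moved above the denies (resequenced 11-14, an assumption).
REORDERED_ACL = """
 10 permit icmp any any
 11 permit ip any host 1.1.1.1
 12 permit ip any host 1.1.1.2
 13 permit ip host 1.1.1.1 any
 14 permit ip host 1.1.1.2 any
 20 deny ip host 192.168.206.5 any
 30 deny ip any host 192.168.206.5
 80 permit ip any any
"""

# Jon's alternative, tightened to one service as he suggests (tcp/443 is an assumed port).
SPECIFIC_ACL = """
 10 permit icmp any any
 11 permit tcp host 1.1.1.1 host 192.168.206.5 eq 443
 12 permit tcp host 1.1.1.2 host 192.168.206.5 eq 443
 20 deny ip host 192.168.206.5 any
 30 deny ip any host 192.168.206.5
 80 permit ip any any
"""

# Constructed test flows: (source, destination, protocol, destination port).
FLOWS = {
    "1.1.1.1 -> server tcp/443": ("1.1.1.1", SERVER, "tcp", 443),
    "1.1.1.1 -> server tcp/22": ("1.1.1.1", SERVER, "tcp", 22),
    "1.1.1.3 -> server tcp/443": ("1.1.1.3", SERVER, "tcp", 443),
    "1.1.1.3 -> server icmp": ("1.1.1.3", SERVER, "icmp", None),
    "server -> 1.1.1.1 tcp/443": (SERVER, "1.1.1.1", "tcp", 443),
    "1.1.1.3 -> 10.0.0.9 tcp/80": ("1.1.1.3", "10.0.0.9", "tcp", 80),
}


def decisions(acl_text: str):
    """Map each constructed flow to the (action, seq) the ACL returns for it."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("reordered", REORDERED_ACL),
                      ("specific", SPECIFIC_ACL)):
        print(name)
        for flow, (action, seq) in decisions(acl).items():
            print(f"  {flow:30} {action} (seq {seq})")
```

Running it shows the three behaviours the thread discusses. With the ACL as posted, 1.1.1.1 to the server is stopped at line 30 before line 60 is ever reached. After the reorder, the same flow is permitted at (resequenced) line 13, and any other host is still denied at 30. With Jon's host-to-host entries, 1.1.1.1 is permitted only on the one port at line 11 and denied at 30 on any other port. Two results are worth noticing: line 10 permits ICMP to the server from anyone in all three variants, because it sits above the denies; and under the port-specific ACL the server's own packets towards 1.1.1.1 hit line 20, which only matters if the ACL is applied where it sees that return direction, which is exactly why Edison asks about in|out.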


New Member

Re: Confirmation on basic ACL extended-list

Thanks!!! You guys rule.
