Cisco Support Community
Community Member

access-list on internet edge router

I seem to have a problem on a router with a deny working alongside a permit ip any any as the next-to-last line in the access list.

access-list 100 deny tcp any eq 445 any
access-list 100 deny tcp any eq 137 any
access-list 100 deny tcp any eq 135 any
access-list 100 deny tcp any eq 1433 any
access-list 100 deny tcp any eq 139 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 permit ip any any
access-list 100 deny icmp any any echo-reply

This is applied with "access-group 100 in" under the serial interface.

1 ACCEPTED SOLUTION

VIP Purple

Re: access-list on internet edge router

Hello,

The access list stops checking when a match is found, which in your case is the 'permit ip any any' line. In order to deny ICMP echo replies, configure the list as follows:

access-list 100 deny tcp any eq 445 any
access-list 100 deny tcp any eq 137 any
access-list 100 deny tcp any eq 135 any
access-list 100 deny tcp any eq 1433 any
access-list 100 deny tcp any eq 139 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny icmp any any echo-reply
access-list 100 permit ip any any

HTH,

GP
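As an added illustration that is not part of the original thread and not Cisco's own code, the following Python simulator implements the first-match rule described in the answer for the subset of extended-ACL syntax used above, then evaluates both versions of the list against constructed sample packets (the addresses and packets are made up for the example). It also checks one thing a practitioner reviewing this list would want to confirm: in an extended ACL the port qualifier written directly after the source address applies to the source port, so 'deny tcp any eq 445 any' matches connections coming from port 445, not connections going to port 445.

```python
"""Minimal first-match simulator for Cisco-style numbered extended ACLs.

Parsed subset (the only forms used in the thread):
  access-list N {permit|deny} {ip|tcp|udp|icmp} SRC [eq PORT] DST [eq PORT] [ICMP-TYPE]
where SRC and DST are 'any' or 'ADDRESS WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # e.g. "echo-reply"


def _parse_addr(tokens, i):
    """Consume 'any' or 'ADDRESS WILDCARD'; return (matcher, next_index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    # Cisco wildcard mask: a 1 bit means "don't care", a 0 bit must match.
    return (lambda ip, b=base, w=wild:
            (int(ipaddress.IPv4Address(ip)) | w) == (b | w)), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT'; return (port or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Turn one access-list line into (action, predicate, original_text)."""
    t = line.split()
    assert t[0] == "access-list"
    action, proto = t[2], t[3]
    src_match, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)      # port right after SRC is the SOURCE port
    dst_match, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)      # port right after DST is the DESTINATION port
    icmp_type = t[i] if proto == "icmp" and i < len(t) else None

    def matches(p):
        if proto != "ip" and p.proto != proto:   # 'ip' covers every IP protocol
            return False
        if not (src_match(p.src) and dst_match(p.dst)):
            return False
        if sport is not None and p.sport != sport:
            return False
        if dport is not None and p.dport != dport:
            return False
        if icmp_type is not None and p.icmp_type != icmp_type:
            return False
        return True

    return action, matches, line


def evaluate(acl_lines, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, matches, text in map(parse_ace, acl_lines):
        if matches(pkt):
            return action, text
    return "deny", "(implicit deny ip any any)"


COMMON = [
    "access-list 100 deny tcp any eq 445 any",
    "access-list 100 deny tcp any eq 137 any",
    "access-list 100 deny tcp any eq 135 any",
    "access-list 100 deny tcp any eq 1433 any",
    "access-list 100 deny tcp any eq 139 any",
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 100 deny ip 224.0.0.0 15.255.255.255 any",
]
# The list as posted: the echo-reply deny sits below the permit and is unreachable.
ORIGINAL_ACL = COMMON + ["access-list 100 permit ip any any",
                         "access-list 100 deny icmp any any echo-reply"]
# The list from the answer: the deny is moved above the permit.
CORRECTED_ACL = COMMON + ["access-list 100 deny icmp any any echo-reply",
                          "access-list 100 permit ip any any"]

# Constructed sample packets arriving inbound on the internet-facing interface.
SAMPLES = {
    "echo-reply from internet": Packet("icmp", "198.51.100.7", "203.0.113.10", icmp_type="echo-reply"),
    "smb from src port 445":    Packet("tcp", "198.51.100.7", "203.0.113.10", sport=445, dport=50000),
    "smb to dst port 445":      Packet("tcp", "198.51.100.7", "203.0.113.10", sport=50000, dport=445),
    "spoofed rfc1918 source":   Packet("tcp", "10.1.2.3", "203.0.113.10", sport=40000, dport=80),
}


def decisions(acl_lines):
    """Map each sample packet name to the action the ACL takes on it."""
    return {name: evaluate(acl_lines, p)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(label, decisions(acl))
```

Running it shows the echo reply permitted by the original list and denied by the corrected one, while the "smb to dst port 445" packet is permitted by both, because every 'eq' in this list qualifies the source address.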
