Cisco Support Community
Basic Access list Question

Hi

I've got a few access lists configured that allow certain services through, like http, dns, etc.

My question is why do my routers and firewalls deny packets when I haven't put any explicit deny statements in my configs?

Thanks for your help in advance.

Dan

1 ACCEPTED SOLUTION
Hall of Fame Super Gold

Re: Basic Access list Question

Dan

I am not sure that I fully understand your question. But I believe that the answer to your question is that an access list has an implicit deny at the bottom of the access list. You do not need to configure it, but effectively the last line in every access list is deny any any. So even if you do not code deny statements in the access list, any packet that goes through the entire access list without matching a permit statement will match the implicit deny and be denied.

Some people do configure an explicit deny any any as the last line. I sometimes do it so that it is clear what is happening with the access list. Also, having the statement configured means that when I do show access list there will be a counter showing how many times things fell through the list and were denied. Also, as a troubleshooting aid, sometimes I will code the last line as deny any any and add the log parameter so that there are log records for the packets that were denied.

HTH

Rick
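A small simulation of the behaviour Rick describes, added here as an example and not taken from the thread or from Cisco: entries are evaluated top to bottom, the first match wins, and a packet that matches nothing hits the implicit deny, which keeps no counter and writes no log. The simplified ACL syntax (`<action> <proto> any any [eq <port>] [log]`) and the sample entries are constructed for the example.

```python
"""Toy first-match ACL evaluator (constructed example, not IOS code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; else "tcp" or "udp"
    port: Optional[int]    # destination port; None means any port
    log: bool = False      # the 'log' keyword on the entry
    hits: int = 0          # what 'show access-list' would display


def parse_acl(lines):
    """Parse the simplified syntax: <action> <proto> any any [eq <port>] [log]."""
    entries = []
    for line in lines:
        tok = line.split()
        port = int(tok[tok.index("eq") + 1]) if "eq" in tok else None
        entries.append(Entry(tok[0], tok[1], port, log="log" in tok))
    return entries


def evaluate(acl, proto, dport, logbook):
    """Return 'permit' or 'deny' for one packet, updating counters and log."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.port is not None and e.port != dport:
            continue
        e.hits += 1                      # first match wins; count it
        if e.log:
            logbook.append(f"{e.action} {proto} dport {dport}")
        return e.action
    return "deny"                        # implicit deny: no counter, no log


def show_access_list(acl):
    """Counters per entry, as the operator would see them."""
    return [(f"{e.action} {e.proto}" + (f" eq {e.port}" if e.port else ""), e.hits)
            for e in acl]


if __name__ == "__main__":
    acl = parse_acl(["permit tcp any any eq 80", "permit udp any any eq 53",
                     "deny ip any any log"])
    log = []
    for pkt in [("tcp", 80), ("udp", 53), ("tcp", 22)]:
        print(pkt, evaluate(acl, *pkt, log))
    print(show_access_list(acl), log)
```

Run the same three packets against the two-line list without the explicit deny and the SSH packet is still denied, but no entry's counter moves and the log stays empty, which is exactly why the explicit `deny any any log` line helps troubleshooting.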
