Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
324
Views
8
Helpful
3
Replies

permit ip?

joaquimlopes
Level 1
Level 1

‎10-25-2005 08:53 AM - edited ‎03-09-2019 12:49 PM

Hi,

do i always have to use somewhere permit ip statement?

i want to restrict access to some machine only to http, how can i do this without explicitly denying?

thanks

Labels:
0 Helpful
3 Replies 3

Richard Burts
Hall of Fame
Hall of Fame

‎10-25-2005 11:47 AM

Joaquim

I believe the answer to your first question is that yes any access list which is used for filtering traffic must include some permit statements. The default action in the access list (what happens if something gets to the bottom of the list without being a match) is to deny. So if the access list does not have some permits then everything will be denied.

I believe that there are two approaches in creating access lists which are reflected in how the lists are built. You can specifically deny what you do not want and then permit everything else. Or you can permit what you specifically want and deny everything else.

To answer your second question, if you want to allow access to http without explicitly denying then you can use the second model of access list and explicitly permit what you want and then let the implicit deny any at the end of the access list deny everything else.

One word of caution is that you should think carefully about what you will need to permit. It is easy to understand that you need a permit for http. But you should also think about whether you need permits for things like DNS, for ICMP, and for a number of other services.

HTH

Rick

HTH

Rick

joaquimlopes
Level 1
Level 1
In response to Richard Burts

‎10-25-2005 01:43 PM

hi Rick,

thanks for you reply, I'm looking for ip(0) needs.

i want to allow http,https,pop3,smtp,dns and to deny everything else, in this case i still need, besides this tcp and udp ports to allow ip(o) to pass trough don't i?thanks

0 Helpful

sagdas
Level 1
Level 1
In response to joaquimlopes

‎10-26-2005 06:02 AM

Here is a sample.

access-l abc permit tcp eq

For eg.

access-l abc permit tcp host 10.10.10.1 any eq 80

access-l abc permit tcp host 10.10.10.1 any eq 443

access-l abc permit udp host 10.10.10.1 any eq 53

Here host 10.10.10.1 can access anybody on port 80 (http) , udp 53 (dns) and 443 (ssl) .

In case you want to permit rest of the users, please put a permit ip any any after the third line.

Let me know for more queries.

Regards,

Sagar

Customers Also Viewed These Support Documents