Cisco Support Community
Community Member

permit ip?

Hi,

Do I always have to use a permit ip statement somewhere?

I want to restrict access to some machine to HTTP only. How can I do this without explicitly denying?

Thanks

3 REPLIES
Hall of Fame Super Gold

Re: permit ip?

Joaquim

I believe the answer to your first question is that yes, any access list which is used for filtering traffic must include some permit statements. The default action in the access list (what happens if something gets to the bottom of the list without being a match) is to deny. So if the access list does not have some permits, then everything will be denied.

I believe that there are two approaches to creating access lists, which are reflected in how the lists are built. You can specifically deny what you do not want and then permit everything else. Or you can permit what you specifically want and deny everything else.

To answer your second question, if you want to allow access to HTTP without explicitly denying, then you can use the second model of access list: explicitly permit what you want and then let the implicit deny any at the end of the access list deny everything else.

One word of caution is that you should think carefully about what you will need to permit. It is easy to understand that you need a permit for HTTP. But you should also think about whether you need permits for things like DNS, for ICMP, and for a number of other services.

HTH

Rick

Community Member

Re: permit ip?

hi Rick,

Thanks for your reply. I'm looking for ip(0) needs.

I want to allow HTTP, HTTPS, POP3, SMTP, DNS and to deny everything else. In this case I still need, besides these TCP and UDP ports, to allow ip(0) to pass through, don't I? Thanks

Community Member

Re: permit ip?

Here is a sample.

access-list <name> permit tcp <source> <destination> eq <port>

For example:

access-list abc permit tcp host 10.10.10.1 any eq 80
access-list abc permit tcp host 10.10.10.1 any eq 443
access-list abc permit udp host 10.10.10.1 any eq 53

Here host 10.10.10.1 can access anybody on port 80 (HTTP), UDP 53 (DNS) and 443 (SSL).

In case you want to permit the rest of the users, please put a permit ip any any after the third line.

Let me know for more queries.

Regards,

Sagar
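The top-down first-match and implicit-deny behaviour described in Rick's reply, and the whitelist built from Sagar's sample lines (extended to the HTTP, HTTPS, POP3, SMTP and DNS set the second post asks for), as an added Python model that is not part of the original thread and is not Cisco code. It parses Cisco-style extended access-list lines and walks them in order, so you can see which line a packet hits and which packets fall through to the implicit deny. The ACL lines, the `Entry` and `Packet` types, the function names and the RFC 5737 probe addresses are all assumptions of this example; it models only the `any`, `host` and address/wildcard forms with an optional `eq PORT`, not the full IOS syntax.

```python
"""Toy first-match evaluator for Cisco-style extended access-list lines.

Added example, not code from the posters or from Cisco. Models only
"access-list NAME permit|deny PROTO SRC DST [eq PORT]", with SRC/DST being
"any", "host A.B.C.D" or "A.B.C.D WILDCARD"; "ip" matches every protocol.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp", ...
    src: Tuple[int, int]         # (base address, wildcard mask) as ints
    dst: Tuple[int, int]
    dport: Optional[int] = None  # from "eq PORT"; None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, ALL_ONES), i + 1
    if tokens[i] == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    # "A.B.C.D W.W.W.W": a 1 bit in the wildcard means "don't care", as in IOS.
    return (int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def parse_entry(line):
    """Parse one access-list line (the "access-l" abbreviation is accepted too)."""
    t = line.split()
    if t[0] not in ("access-list", "access-l") or t[2] not in ("permit", "deny"):
        raise ValueError(f"not a permit/deny access-list line: {line!r}")
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    if i < len(t) and t[i] != "eq":
        raise ValueError(f"only 'eq PORT' is modelled, got {t[i:]!r}")
    dport = int(t[i + 1]) if i < len(t) else None
    return Entry(t[2], t[3], src, dst, dport)


def _addr_matches(spec, addr):
    base, wild = spec  # compare only the bits the wildcard does not mask out
    return ((int(IPv4Address(addr)) ^ base) & (ALL_ONES ^ wild)) == 0


def matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return _addr_matches(e.src, p.src) and _addr_matches(e.dst, p.dst)


def evaluate(acl, p):
    """Top-down first match: returns (action, line index); index None = implicit deny."""
    for i, e in enumerate(acl):
        if matches(e, p):
            return e.action, i
    return "deny", None


# Whitelist model: permit exactly the services wanted; the implicit deny drops the rest.
WHITELIST = [parse_entry(l) for l in """
access-list abc permit tcp host 10.10.10.1 any eq 80
access-list abc permit tcp host 10.10.10.1 any eq 443
access-list abc permit tcp host 10.10.10.1 any eq 110
access-list abc permit tcp host 10.10.10.1 any eq 25
access-list abc permit udp host 10.10.10.1 any eq 53
""".splitlines() if l.strip()]
# Same lines plus "permit ip any any": every other host and protocol now passes.
OPEN_TAIL = WHITELIST + [parse_entry("access-list abc permit ip any any")]
# A deny placed after "permit ip any any" is shadowed: first match wins, so it never fires.
SHADOWED = OPEN_TAIL + [parse_entry("access-list abc deny tcp any any eq 23")]

# Constructed probe packets (RFC 5737 destination addresses).
PROBES = {
    "http from 10.10.10.1": Packet("tcp", "10.10.10.1", "203.0.113.10", 80),
    "dns over tcp from 10.10.10.1": Packet("tcp", "10.10.10.1", "203.0.113.53", 53),
    "ping from 10.10.10.1": Packet("icmp", "10.10.10.1", "203.0.113.10"),
    "http from 10.10.10.2": Packet("tcp", "10.10.10.2", "203.0.113.10", 80),
    "telnet from 10.10.10.9": Packet("tcp", "10.10.10.9", "203.0.113.10", 23),
}


def run(acl):
    return {name: evaluate(acl, p) for name, p in PROBES.items()}


if __name__ == "__main__":
    for label, acl in (("whitelist", WHITELIST), ("plus permit ip any any", OPEN_TAIL), ("shadowed deny", SHADOWED)):
        print(f"== {label}")
        for name, (action, idx) in run(acl).items():
            print(f"  {name:30} -> {action:6} ({'implicit deny' if idx is None else 'line %d' % (idx + 1)})")
```

Running it shows why the caution in Rick's reply matters: under the plain whitelist, ICMP and DNS over TCP from 10.10.10.1, and every packet from any other host, land on the implicit deny even though "HTTP and DNS" were permitted. Appending `permit ip any any`, as Sagar suggests for the other users, makes those same packets match the last line instead, which turns the list into the deny-specific-things model. The `SHADOWED` list shows the ordering trap that follows from first match: a `deny` placed after `permit ip any any` is never reached, so it must go above it.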
