New Member

Using an Access Control List

I'm trying to correctly configure ACLs to block a few TCP and UDP ports. I'm not sure if I quite understand: if I create a permit ACL, will that implicitly deny everything else? Say I want to block Telnet traffic, I'll create an ACL that reads,

```
access-group 101 in

int e 0

access-list 101 deny TCP any any eq 23

access-list 101 permit IP any any
```

Should I also create an ACL for out traffic? Am I negating the first statement with the permit IP any any?

I've gone over the text book several times and it just isn't soaking in. Any help would be much appreciated.

Thanks,

Stuart Trammell

2 REPLIES
Cisco Employee

Re: Using an Access Control List

What you have configured is correct. The acl commands will go under the global config and the access-group applies under the interface through which the concerned traffic flows in.

```
!
! Extended ACL, defined in global configuration mode
access-list 101 deny TCP any any eq 23
access-list 101 permit IP any any
!
! Applied inbound on the interface (IOS interface command is "ip access-group")
int e0
 ip access-group 101 in
!
```

Every ACL has an implicit deny all. If you block Telnet in the IN direction, it does not mean that it is blocked in the OUT direction.

Maybe the below URLs will help you more.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

http://www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

Thanks,

yatin

Silver

Re: Using an Access Control List

Hi Stuart,

Answers to your questions are in line.

As mentioned by the previous post, you need to create the ACL under global config and apply the acl under the interface. In addition to the previous post, here are the answers to the unanswered questions:

>I create a permit ACL will that implicitly deny everything else?

Yes, it will. There is an implicit deny on every acl.

>Should I also create an ACL for out traffic?

It depends on your requirement and which interface you are referring to. Is your e 0 interface facing outside towards the internet? If that's the case, your ACL should be applied inbound for the connections initiated from outside. Outbound on e0 would make sense if you want to control who can access what from inside to outside as well, which a lot of people don't do. General practice is to leave it wide open.

>Am I negating the first statement with the permit IP any any?

ACLs are read in sequential order. So, you are not negating the first statement with the last one. When the first criterion is true, the packets are denied and it will not even check the 2nd line. The 2nd line is checked only when the 1st line is not matched.

I hope it's clear now. Thanks,

Mynul
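The sequential, first-match, implicit-deny behaviour both replies describe, as an added example that is not part of the thread: a small Python evaluator for the two-line ACL 101 above. It handles only `any` and `host A.B.C.D` addresses (no wildcard masks) and is an illustration of the matching logic, not Cisco's own implementation.

```python
import ipaddress

# Constructed sample: the same extended ACL as in the thread.
ACL_101 = [
    "access-list 101 deny TCP any any eq 23",
    "access-list 101 permit IP any any",
]

def _take_addr(tok, i):
    """Consume 'any' or 'host A.B.C.D' starting at token i."""
    if tok[i].lower() == "any":
        return "any", i + 1
    if tok[i].lower() == "host":
        return ipaddress.ip_address(tok[i + 1]), i + 2
    raise ValueError("only 'any' and 'host' addresses are supported here")

def parse_ace(line):
    """Parse one access control entry: access-list N action proto src dst [eq port]."""
    tok = line.split()
    action, proto = tok[2].lower(), tok[3].lower()
    src, i = _take_addr(tok, 4)
    dst, i = _take_addr(tok, i)
    dport = int(tok[i + 1]) if len(tok) > i + 1 and tok[i].lower() == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _addr_match(spec, addr):
    return spec == "any" or spec == ipaddress.ip_address(addr)

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return (verdict, index of matching line or None).

    Entries are tested top to bottom; the first match decides and later lines
    are never consulted. If nothing matches, the implicit deny at the end applies.
    """
    for idx, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto.lower()):
            continue
        if not (_addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], idx
    return "deny", None  # implicit deny all at the end of every ACL
```

Reversing the two lines shows why order matters: `permit IP any any` placed first matches every packet, so the Telnet deny below it is never reached.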
