
Using an Access Control List

stuart62871
Level 1

I'm trying to correctly configure ACLs to block a few TCP and UDP ports. I'm not sure if I quite understand: if I create a permit ACL, will that implicitly deny everything else? Say I want to block Telnet traffic, I'll create an ACL that reads,

access-list 101 deny tcp any any eq 23

access-list 101 permit ip any any

interface Ethernet0

ip access-group 101 in

Should I also create an ACL for out traffic? Am I negating the first statement with the permit ip any any?

I've gone over the text book several times and it just isn't soaking in. Any help would be much appreciated.

Thanks,

Stuart Trammell

2 Replies

ywadhavk
Cisco Employee

What you have configured is correct. The acl commands go under the global config and the access-group is applied under the interface through which the concerned traffic flows in.

!

access-list 101 deny tcp any any eq 23

access-list 101 permit ip any any

!

interface Ethernet0

 ip access-group 101 in

!

Every ACL has an implicit deny all. If you block Telnet in the IN direction, it does not mean that it is blocked in the OUT direction.

Maybe the URLs below will help you more.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

http://www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

Thanks,

yatin

mhoda
Level 5

Hi Stuart,

Answers to your questions are in line.

As mentioned in the previous post, you need to create the ACL under global config and apply the ACL under the interface. In addition to the previous post, here are the answers to the remaining questions:

>If I create a permit ACL, will that implicitly deny everything else?

Yes, it will. There is an implicit deny on every acl.

>Should I also create an ACL for out traffic?

It depends on your requirement and which interface you are referring to. Is your e 0 interface facing outside towards the internet? If that's the case, your ACL should be applied inbound for the connections initiated from outside. Outbound on e0 would make sense if you want to control who can access what from inside to outside as well, which a lot of people don't do. General practice is to leave it wide open.

>Am I negating the first statement with the permit ip any any?

The ACL is read in sequential order. So, you are not negating the first statement with the last one. When the first criterion is true, the packets are denied and the 2nd line is not even checked. The 2nd line is checked only when the 1st line is not matched.

I hope it's clear now. Thanks,

Mynul
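As an added illustration of the three points made in the replies above (lines are matched top-down and the first match wins, every ACL ends in an implicit deny, and an ACL applied in one direction says nothing about the other), here is a small Python model of how IOS evaluates a numbered extended ACL. This is not code from the thread or from Cisco. The config text is constructed: ACL 101 is the one from the question, ACL 102 is a permit-only list and ACL 103 is ACL 101 with its two lines swapped; the interface Ethernet1, the addresses and the packets are made up, and only the `eq` port operator is modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}  # small subset of IOS keywords


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: tuple                  # (address_int, wildcard_int); wildcard bit set = don't care
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    text: str                   # original line, reported with the decision


def _parse_addr(t, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ip_address(t[i + 1])), 0), i + 2
    return (int(ip_address(t[i])), int(ip_address(t[i + 1]))), i + 2


def _parse_port(t, i):
    """Optional 'eq <number|name>' at t[i]; other operators are not modelled."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_config(config: str):
    """Return ({acl_number: [Rule, ...] in entry order}, {iface: {"in": N, "out": N}})."""
    acls, ifaces, current = {}, {}, None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "access-list":
            src, i = _parse_addr(t, 4)
            sport, i = _parse_port(t, i)
            dst, i = _parse_addr(t, i)
            dport, i = _parse_port(t, i)
            acls.setdefault(t[1], []).append(Rule(t[2], t[3].lower(), src, sport, dst, dport, raw.strip()))
        elif t[0] == "interface":
            current = ifaces.setdefault(t[1], {})
        elif t[:2] == ["ip", "access-group"] and current is not None:
            current[t[3]] = t[2]           # "in" or "out" -> ACL number
    return acls, ifaces


def _addr_match(pair, addr):
    base, wildcard = pair
    return (int(ip_address(addr)) | wildcard) == (base | wildcard)


def _rule_match(r: Rule, p: Packet) -> bool:
    return (r.proto in ("ip", p.proto)
            and _addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)
            and (r.sport is None or r.sport == p.sport)
            and (r.dport is None or r.dport == p.dport))


def evaluate(rules, p: Packet):
    """First matching line decides and later lines are never consulted.
    No match at all falls through to the implicit deny at the end of the ACL."""
    for r in rules:
        if _rule_match(r, p):
            return r.action, r.text
    return "deny", "implicit deny (end of ACL)"


def filter_packet(config: str, iface: str, direction: str, p: Packet):
    """Decision for a packet entering ("in") or leaving ("out") an interface.
    A direction with no ACL applied passes everything, whatever the other direction does."""
    acls, ifaces = parse_config(config)
    num = ifaces.get(iface, {}).get(direction)
    if num is None:
        return "permit", f"no ACL applied {direction} on {iface}"
    return evaluate(acls.get(num, []), p)


# Constructed config and packets (not from the thread except ACL 101).
CONFIG = """
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
access-list 102 permit tcp any host 10.0.0.5 eq 22
access-list 103 permit ip any any
access-list 103 deny tcp any any eq 23
!
interface Ethernet0
 ip access-group 101 in
interface Ethernet1
 ip access-group 102 in
"""
TELNET = Packet("tcp", "203.0.113.9", "10.0.0.5", 40000, 23)
SSH = Packet("tcp", "203.0.113.9", "10.0.0.5", 40001, 22)
HTTP = Packet("tcp", "203.0.113.9", "10.0.0.5", 40002, 80)

if __name__ == "__main__":
    for iface, d, p in [("Ethernet0", "in", TELNET), ("Ethernet0", "in", HTTP),
                        ("Ethernet0", "out", TELNET), ("Ethernet1", "in", SSH),
                        ("Ethernet1", "in", HTTP)]:
        print(iface, d, p.proto, p.dport, "->", filter_packet(CONFIG, iface, d, p))
    # ACL 103 is ACL 101 with the lines swapped: the permit now shadows the deny.
    print("ACL 103 telnet ->", evaluate(parse_config(CONFIG)[0]["103"], TELNET))
```

Running it shows Telnet denied and HTTP permitted inbound on Ethernet0 by ACL 101, Telnet passing outbound on the same interface because nothing is applied in that direction, HTTP hitting the implicit deny on the permit-only ACL 102, and Telnet permitted by the reordered ACL 103, which is the "negation" the question worried about and only happens when the permit comes first.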