05-26-2003 05:47 PM - edited 03-09-2019 03:25 AM
I'm trying to correctly configure ACLs to block a few TCP and UDP ports. I'm not sure if I quite understand: if I create a permit ACL, will that implicitly deny everything else? Say I want to block Telnet traffic; I'll create an ACL that reads:

access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
interface Ethernet0
 ip access-group 101 in

Should I also create an ACL for out traffic? Am I negating the first statement with the permit ip any any?
I've gone over the textbook several times and it just isn't soaking in. Any help would be much appreciated.
Thanks,
Stuart Trammell
05-26-2003 07:26 PM
What you have configured is correct. The ACL commands go under the global config, and the access-group is applied under the interface through which the concerned traffic flows in.
!
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
!
interface Ethernet0
 ip access-group 101 in
!
Every ACL has an implicit deny all. If you block Telnet in the IN direction, it does not mean that it is blocked in the OUT direction.
Maybe the URL below will help you more.
http://www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
Thanks,
yatin
05-26-2003 09:19 PM
Hi Stuart,
Answers to your questions are in line.
As mentioned in the previous post, you need to create the ACL under global config and apply the ACL under the interface. In addition to the previous post, here are the answers to the unanswered questions:
>If I create a permit ACL, will that implicitly deny everything else?
Yes, it will. There is an implicit deny on every ACL.
>Should I also create an ACL for out traffic?
It depends on your requirement and which interface you are referring to. Is your e0 interface facing outside, towards the Internet? If that's the case, your ACL should be applied inbound for the connections initiated from outside. Outbound on e0 would make sense if you want to control who can access what from inside to outside as well, which a lot of people don't do. General practice is to leave it wide open.
>Am I negating the first statement with the permit ip any any?
ACLs are read in sequential order. So, you are not negating the first statement with the last one. When the first criterion is true, the packets are denied and it will not even check the 2nd line. The 2nd line is checked only when the 1st line is not matched.
I hope it's clear now. Thanks,
Mynul
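The two behaviours both replies rely on, top-down first-match evaluation and the implicit deny at the end of every ACL, as an added example that is not part of the original thread: a small Python simulator of IOS extended-ACL evaluation. It parses the exact access-list 101 lines from the question, the same two lines in reversed order, and a constructed permit-only ACL 102, then runs constructed sample packets (RFC 5737 documentation addresses) through each. It covers only the syntax used here (any / host / address+wildcard, optional "eq <port>" on the destination) and is not a full IOS parser.

```python
"""Simulate how an IOS extended ACL is evaluated: top-down, first match wins,
and an implicit "deny ip any any" sits after the last configured line.
Added example, not configuration from the thread above. Supports only the
keywords used there: any / host / address+wildcard, and "eq <port>" after
the destination address (source-port matching is not implemented)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Small subset of the IOS port-name keywords, for "eq telnet" style lines.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]        # None means "any destination port"


def _parse_addr(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D W.W.W.W": ipaddress accepts an IOS wildcard as a hostmask.
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny proto src dst [eq port]' lines, in order."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # skip '!', blank lines and interface config
        action, proto = t[2].lower(), t[3].lower()
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            name = t[i + 1]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ip_address(p.src) not in e.src or ip_address(p.dst) not in e.dst:
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (verdict, 1-based line that matched). Lines below the first match
    are never consulted; falling off the end is the implicit deny (line None)."""
    for n, e in enumerate(acl, 1):
        if matches(e, p):
            return e.action, n
    return "deny", None


# The ACL from the question: deny telnet first, then permit everything else.
ACL_101 = parse_acl([
    "access-list 101 deny tcp any any eq 23",
    "access-list 101 permit ip any any",
])
# Same two lines in the wrong order: the permit matches first, so the deny is dead.
ACL_101_REVERSED = parse_acl([
    "access-list 101 permit ip any any",
    "access-list 101 deny tcp any any eq 23",
])
# Constructed permit-only ACL: everything not listed hits the implicit deny.
ACL_102 = parse_acl(["access-list 102 permit tcp 192.0.2.0 0.0.0.255 any eq www"])

# Constructed sample packets (documentation addresses, not real hosts).
TELNET = Packet("tcp", "192.0.2.10", "198.51.100.5", 23)
HTTP = Packet("tcp", "192.0.2.10", "198.51.100.5", 80)
UDP_23 = Packet("udp", "192.0.2.10", "198.51.100.5", 23)
HTTP_OUTSIDE_NET = Packet("tcp", "203.0.113.7", "198.51.100.5", 80)

if __name__ == "__main__":
    for name, acl in (("101", ACL_101), ("101 reversed", ACL_101_REVERSED), ("102", ACL_102)):
        for pkt in (TELNET, HTTP, UDP_23, HTTP_OUTSIDE_NET):
            print(f"ACL {name}: {pkt.proto}/{pkt.dport} from {pkt.src} -> {evaluate(acl, pkt)}")
```

Running it shows the three points the replies make: in ACL 101 the Telnet packet is denied by line 1 and line 2 is never consulted, while HTTP (and UDP/23, since the deny names tcp) fall through to the permit; in the reversed ACL the same Telnet packet is permitted by line 1, so line order, not the presence of permit ip any any, is what decides; and in permit-only ACL 102 a packet from outside 192.0.2.0/24 is dropped with no matching line, which is the implicit deny.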