New Member

Access-list

I am adding a new network 10.102.251.0/25, and for this network I have to allow only http & https traffic.

I have one access-list 122 mapped to serial port through which internet traffic flows.

So how can I modify the existing access-list, as it is allowing all the traffic except some deny statements?

access-list 122 deny tcp any any eq 1025

access-list 122 deny tcp any any eq 2967

access-list 122 permit ip any any

Or should I create a new one, say access-list 123, and map it to the serial interface?

Like

access-list 123 permit tcp 10.102.251.0 0.0.0.127 any eq 80

access-list 123 permit tcp 10.102.251.0 0.0.0.127 any eq 443

7 REPLIES
New Member

Re: Access-list

Hey buddy.

I think it is easier to create a new ACL and map it to the interface, no doubt. The example is ok and it will work, once you need to permit just these two TCP ports and deny all other traffic.

Regards.

New Member

Re: Access-list

But when the internet traffic leaves the serial interface, how will the router decide which access-list to check?

Does an access-list have some priority?

Hall of Fame Super Blue

Re: Access-list

Hi

You can apply one access-list per interface per direction. So you cannot apply 2 separate access-lists to the same interface in the same direction.

You need to combine your 2 access-lists into 1 and then apply that.

Jon

New Member

Re: Access-list

This is my existing access-list.

access-list 122 deny tcp any any eq 1025

access-list 122 deny tcp any any eq 2967

access-list 122 permit ip any any

I want to permit http traffic for this network 10.102.251.0/25.

So how can I combine them?

Hall of Fame Super Blue

Re: Access-list

Hi

Which direction is access-list 122 applied in and which direction do you want to allow http to/from ?

Your access-list 122 has a permit ip any any which covers all tcp/udp/icmp so you shouldn't need to explicitly permit tcp/http.

Jon

New Member

Re: Access-list

Direction is out, and I also want to apply it out for the new network.

If I add network 10.102.251.0 before the last statement, it will not work, is what I am guessing.

Hall of Fame Super Blue

Re: Access-list

Hi

Your last line of access-list 122 says

permit ip any any

Therefore you do not need to add the lines for 10.102.251.0 as the ip any any covers this traffic.

Jon
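Jon's point that ACL entries are evaluated top to bottom and the two lists must be merged into one, as an added Python example that is not from the thread: it parses the numbered-ACL syntax used above and evaluates packets against a constructed combined access-list 122 (an assumption; the thread does not give a final list) that keeps the two deny lines, allows only HTTP/HTTPS from 10.102.251.0/25, and keeps the permit ip any any last.

```python
import ipaddress

# Constructed combined ACL (an assumption, not the thread's final answer): the
# original deny lines, then the /25 restricted to HTTP/HTTPS, then the original
# permit-all. Cisco ACLs are first-match with an implicit deny at the end.
ACL_122 = [
    "access-list 122 deny tcp any any eq 1025",
    "access-list 122 deny tcp any any eq 2967",
    "access-list 122 permit tcp 10.102.251.0 0.0.0.127 any eq 80",
    "access-list 122 permit tcp 10.102.251.0 0.0.0.127 any eq 443",
    "access-list 122 deny ip 10.102.251.0 0.0.0.127 any",
    "access-list 122 permit ip any any",
]

def _parse_addr(tok, i):
    # 'any' or '<address> <wildcard>'; returns ((address, wildcard), next index)
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    return (int(ipaddress.IPv4Address(tok[i])),
            int(ipaddress.IPv4Address(tok[i + 1]))), i + 2

def parse_ace(line):
    # Subset used in this thread: access-list N {permit|deny} <proto> <src> <dst> [eq <port>]
    tok = line.split()
    action, proto, i = tok[2], tok[3], 4
    src, i = _parse_addr(tok, i)
    dst, i = _parse_addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _addr_match(spec, ip):
    addr, wild = spec
    care = 0xFFFFFFFF ^ wild          # wildcard bits that are set mean "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    # Action of the first matching entry; no match at all means the implicit deny.
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(ace["src"], src_ip) and _addr_match(ace["dst"], dst_ip)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

if __name__ == "__main__":
    print(evaluate(ACL_122, "tcp", "10.102.251.10", "198.51.100.5", 25))  # deny
```

Moving the permit ip any any above the /25 lines would make them unreachable, which is the ordering problem the question is worried about.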
