[139867] in North American Network Operators' Group
Re: Stupid Cisco ACL question
daemon@ATHENA.MIT.EDU (Dorn Hetzel)
Thu Apr 21 15:17:39 2011
In-Reply-To: <85917f6e53edcd7cb06c4f2b18770dbc.squirrel@ssl.pil.net>
Date: Thu, 21 Apr 2011 15:17:31 -0400
From: Dorn Hetzel <dorn@hetzel.org>
To: up@3.am
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thu, Apr 21, 2011 at 3:13 PM, <up@3.am> wrote:
> Ok, I've done a lot of Cisco standard and extended ACLs, but I do not
> understand why the following does not work the way I think it should.
> Near the end of this extended named ACL, I have the following:
>
>  permit tcp any eq 443 any
>
Don't you want:
permit tcp any any eq 443
Since you want the incoming traffic to have 443 as the destination port, not
the source?
>  permit tcp any eq 80 any
>  deny ip any host 2.2.3.4
>  permit ip any any
>
> This is applied to an inbound interface(s).  We want anybody outside to be
> able to reach ports 80 and 443 of any host on our network, no matter what,
> then block ALL other access to select hosts, such as 2.2.3.4, even ICMP.
> However, as soon as I apply this rule to the interface, ports 80 and 443
> of that host become unreachable.  A telnet to 2.2.3.4 443 gets "Connection
> refused" until I tear out the deny ACL above.  I even tried adding udp for
> both ports, to no avail.
>
> I had always thought that these ACLs were processed in order, so that the
> explicit permit statement, though limited to a specific protocol but for
> all hosts, gets considered before the explicit deny statement for all IP
> to a particular host.  What did I forget to consider?
>
> TIA,
>
>
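An added worked example, not part of the thread above, that reproduces the behaviour Dorn describes: a first-match evaluator for the subset of Cisco extended ACL syntax used in the question. Run against the original entries, an inbound SYN to 2.2.3.4:443 (ephemeral source port, assumed here as 51234; all addresses and ports are constructed) skips the `permit tcp any eq 443 any` line because that line tests the *source* port, falls through to `deny ip any host 2.2.3.4`, and is dropped. With the ports moved to the destination side, as in the reply, the same packet is permitted by line 1. The parser handles only `any` / `host A.B.C.D` endpoints and `eq <port>`; wildcard masks, `range`, `established` and the other IOS forms are deliberately out of scope.

```python
"""First-match simulator for a subset of Cisco extended ACL syntax.

Added example for the NANOG thread; it is not IOS code. Supported entry
form:  permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]
where <src>/<dst> is 'any' or 'host A.B.C.D'.  Anything else raises.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without ports (icmp)
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Optional[str]          # None means 'any'
    sport: Optional[int]        # None means no 'eq' on the source side
    dst: Optional[str]
    dport: Optional[int]


def _parse_endpoint(tokens: List[str], i: int):
    """Parse 'any' or 'host X', plus an optional 'eq <port>' that follows."""
    if tokens[i] == "any":
        addr, i = None, i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address form: {tokens[i]!r}")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return addr, port, i


def parse_acl(text: str) -> List[Entry]:
    """Turn ACL text into ordered entries (order is what first-match relies on)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto = tokens[0], tokens[1]
        src, sport, i = _parse_endpoint(tokens, 2)
        dst, dport, _ = _parse_endpoint(tokens, i)
        entries.append(Entry(action, proto, src, sport, dst, dport))
    return entries


def _matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.src is not None and e.src != p.src:
        return False
    if e.dst is not None and e.dst != p.dst:
        return False
    if e.sport is not None and e.sport != p.sport:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return True


def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based line that matched); implicit deny at the end."""
    for n, e in enumerate(entries, start=1):
        if _matches(e, p):
            return e.action, n
    return "deny", None


# The ACL exactly as posted in the question (ports on the source side).
ORIGINAL_ACL = """
permit tcp any eq 443 any
permit tcp any eq 80 any
deny ip any host 2.2.3.4
permit ip any any
"""

# The same ACL with the ports moved to the destination side, per the reply.
CORRECTED_ACL = """
permit tcp any any eq 443
permit tcp any any eq 80
deny ip any host 2.2.3.4
permit ip any any
"""

# Constructed sample packets arriving inbound on the interface.
INBOUND_HTTPS = Packet("tcp", "198.51.100.7", "2.2.3.4", 51234, 443)  # client SYN
INBOUND_PING = Packet("icmp", "198.51.100.7", "2.2.3.4")
OTHER_HOST_SSH = Packet("tcp", "198.51.100.7", "2.2.3.5", 40000, 22)
# What the original line 1 actually matches: a reply *from* an outside web server.
REPLY_FROM_OUTSIDE_WEB = Packet("tcp", "203.0.113.9", "10.0.0.5", 443, 51234)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        entries = parse_acl(acl)
        for label, pkt in (("https to 2.2.3.4", INBOUND_HTTPS),
                           ("icmp to 2.2.3.4", INBOUND_PING),
                           ("ssh to 2.2.3.5", OTHER_HOST_SSH)):
            print(f"{name:9} {label:18} -> {evaluate(entries, pkt)}")
```

The interesting line in the output is the first one: under the original ACL the HTTPS SYN is denied by line 3, under the corrected ACL it is permitted by line 1, while ICMP to 2.2.3.4 stays denied in both, which is the behaviour the question wanted. The `REPLY_FROM_OUTSIDE_WEB` packet shows what `permit tcp any eq 443 any` does match on an inbound interface: traffic whose source port is 443, i.e. responses from external web servers, not connections to your own.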