question regarding extended acl

whoflungdung88 Member Posts: 15
Can somebody give me some input on extended acl's? Ok let's say I am starting out my ext acl list.
Example=

access-list 110 permit tcp any 172.22.0.0 0.0.255.255
access-list 110 permit tcp any host 172.22.15.83 eq 25
access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq 23
access-list 110 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq 69
access-list 110 permit udp any host 172.22.15.85 eq 53



From what I have been reading, an acl can only be on one interface, one direction, and use one protocol. This acl has me confused, simply cuz another source says that I can apply an acl with obviously more than one protocol blocked. Please help.
Oh yeah, I remember that at the end of a standard acl, you always have to end that acl with a permit any any or deny any any statement.
Does an extended acl automatically deny all traffic without me typing it into the acl list? I have noticed that I can't type in a "deny any any" or "permit any any". Thanks for your input :)
uummmmm yeah

Comments

  • whoflungdung88 Member Posts: 15
    Excuse me, I meant permit instead of deny when referring to the first paragraph of my entry. But all in all I would like to know the results if the statement was as such

    access-list 110 deny tcp any 172.22.0.0 0.0.255.255
    access-list 110 deny tcp any host 172.22.15.83 eq 25
    access-list 110 deny tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq 23
    access-list 110 deny udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq 69
    access-list 110 deny udp any host 172.22.15.85 eq 53
    uummmmm yeah
  • Netstudent Member Posts: 1,693
    HAHA!! icon_lol.gif....U FLUNG DUNG!

    Nah, but i'm pretty sure that if you don't write an explicit "permit ip any any"
    everything will be denied that isn't in the aforementioned rules from the ACL.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • Pash Member Posts: 1,600
    Netstudent wrote:
    HAHA!! icon_lol.gif....U FLUNG DUNG!

    Nah, but i'm pretty sure that if you don't write an explicit "permit ip any any"
    everything will be denied that isn't in the aforementioned rules from the ACL.

    Correct, there is an implicit deny at the end of every ACL, DO NOT forget this.

    Cheers,
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • whoflungdung88 Member Posts: 15
    thnx,
    now what about multiple protocols either being denied or permitted in the acl I was writing about? Can you define an acl this way, with the whole "one interface, one direction, one protocol rule" in mind?
    uummmmm yeah
  • Pash Member Posts: 1,600
    thnx,
    now what about multiple protocols either being denied or permitted in the acl I was writing about? Can you define an acl this way, with the whole "one interface, one direction, one protocol rule" in mind?

    ACLs can be applied on multiple interfaces, this should be obvious from how you create them :). Remember that you can only apply ONE ACL in each direction of an interface. One protocol rule? Sorry, lost by this, do you mean can you only mention a service port once in the ACL? If this is the case, of course not, there are several reasons why you want full control over your services on the network, your IT admin subnet might need telnet services for example while all other network users can take a running jump.

    And you must not forget the above regarding implicit deny, it's essential when working on ACLs.

    Cheers,
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • widjerd Member Posts: 17
    When it refers to protocols it means IP, IPX and AppleTalk, not port numbers like ftp, http, https, telnet etc.
    I am not sure of the acl statements for these, but I guess instead of ip addresses you would stick AppleTalk/IPX addresses in place.
  • iproute Member Posts: 269
    access-list 110 deny tcp any 172.22.0.0 0.0.255.255
    access-list 110 deny tcp any host 172.22.15.83 eq 25
    access-list 110 deny tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq 23
    access-list 110 deny udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq 69
    access-list 110 deny udp any host 172.22.15.85 eq 53
    thnx,
    now what about multiple protocols either being denied or permitted in the acl I was writing about? Can you define an acl this way, with the whole "one interface, one direction, one protocol rule" in mind?
    I don't remember the exact verbiage and I don't have my CCNA books with me, but I think it's more like: one ACL per direction on each interface. I believe it's OK to specify more than one protocol in an ACL.

    Looking at your ACL statements, doesn't your first statement cover the host identified in the second statement? I can see that you're blocking port 25 on 172.22.15.83 in the second statement, but the first statement effectively blocks all TCP from any host to any host between 172.22.0.0 - 172.22.255.255, including port 25 on 172.22.15.83; so it seems redundant.

    As others mentioned, don't forget an "access-list 110 permit ip any any" to negate the implicit deny.
    CCNP Progress
    ROUTE [X] :: SWITCH [X] :: TSHOOT [X]
  • iproute Member Posts: 269
    widjerd wrote:
    When it refers to protocols it means IP, IPX and AppleTalk, not port numbers like ftp, http, https, telnet etc.
    I am not sure of the acl statements for these, but I guess instead of ip addresses you would stick AppleTalk/IPX addresses in place.
    Yes, it means layer 3 protocols. Things such as UDP/TCP (layer 4) and application specific port numbers (layers 6 - 7) aren't included in that logic.
    CCNP Progress
    ROUTE [X] :: SWITCH [X] :: TSHOOT [X]
  • Mrock4 Banned Posts: 2,359
    I believe you're looking for: One access list per direction per layer 3 protocol on each interface. You really don't have to worry about running into this issue on the CCNA..the best part to remember is one access list per direction..but keep the per layer 3 protocol part in mind too.
  • whoflungdung88 Member Posts: 15
    yeah, the last statement really didn't set it in stone. I am simply trying to point out, that in acl 101, can you either permit or deny.... telnet/23 smtp/25 ssh/22 https/443 etc, all together in this acl. Whether or not it blocks inbound or outbound traffic. Or is the book simply referring to, as somebody was talking about, protocol being ipx, ip, appletalk. Thanks
    uummmmm yeah
  • Mrock4 Banned Posts: 2,359
    I'm sorry if I'm misinterpreting it but, if what you're saying is..one ACL..say, access-list 101..can you deny HTTP from one user (80)....SMTP (25) from another host....and telnet from a certain subnet? If that's what you're asking..then yes, you can.
  • sprkymrk Member Posts: 4,884
    Can somebody give me some input on extended acl's? Ok let's say I am starting out my ext acl list.
    Example=

    access-list 110 permit tcp any 172.22.0.0 0.0.255.255
    access-list 110 permit tcp any host 172.22.15.83 eq 25
    access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq 23
    access-list 110 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq 69
    access-list 110 permit udp any host 172.22.15.85 eq 53

    Maybe off-topic, but aren't your 2nd and 3rd lines redundant, since in your first line you already permitted TCP from anyone to your entire class B range of 172.22.0.0?
    All things are possible, only believe.
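    The two points the replies keep coming back to, the implicit deny at the end of every ACL and the redundant 2nd and 3rd lines, can be checked mechanically. The following is an added example, not code from this thread and not Cisco's own matching logic: a small Python evaluator for the `access-list N permit|deny proto src dst [eq port]` form used above. It assumes IPv4 only, a destination-side `eq` qualifier only (no source ports, no `range`, no `established`), and the handful of port names it maps; the ACL it loads is the original poster's list, constructed inline.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (network, wildcard) as 32-bit ints; "any" is a wildcard of all ones
ANY: Tuple[int, int] = (0, 0xFFFFFFFF)
# Assumed subset of the IOS port-name table, enough for this thread
PORT_NAMES = {"telnet": 23, "smtp": 25, "tftp": 69, "domain": 53, "www": 80}

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every transport protocol
    src: Tuple[int, int]         # (network, wildcard)
    dst: Tuple[int, int]
    dport: Optional[int] = None  # destination "eq N", if present
    text: str = ""               # original line, kept for reporting

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr_spec(tokens: List[str]) -> Tuple[int, int]:
    """Consume one of: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(tok), _ip(tokens.pop(0)))

def parse_ace(line: str) -> Ace:
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not a numbered extended ACL line: {line!r}")
    action, proto, rest = t[2], t[3], t[4:]
    src, dst = _addr_spec(rest), _addr_spec(rest)
    dport = _port(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, dport, line.strip())

def _matches(spec: Tuple[int, int], ip: int) -> bool:
    """Wildcard-mask match: bits set in the wildcard are don't-care bits."""
    net, wild = spec
    return (((ip ^ net) & ~wild) & 0xFFFFFFFF) == 0

def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None):
    """First-match walk. Returns (action, index); index is None when no
    entry matched and the implicit deny at the end of the list applied."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for i, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if not (_matches(ace.src, s) and _matches(ace.dst, d)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None

def _covers(outer: Tuple[int, int], inner: Tuple[int, int]) -> bool:
    """True if every address matching `inner` also matches `outer`."""
    onet, owild = outer
    inet, iwild = inner
    fixed = ~owild & 0xFFFFFFFF          # bits the outer spec insists on
    return (iwild & fixed) == 0 and ((onet ^ inet) & fixed) == 0

def shadowed(acl: List[Ace]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry
    already matches everything they would (the redundancy noted above)."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and earlier.dport in (None, later.dport)):
                out.append(j)
                break
    return out

# The original poster's ACL, constructed inline for the demonstration
OP_ACL = [parse_ace(l) for l in """
access-list 110 permit tcp any 172.22.0.0 0.0.255.255
access-list 110 permit tcp any host 172.22.15.83 eq 25
access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq 23
access-list 110 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq 69
access-list 110 permit udp any host 172.22.15.85 eq 53
""".splitlines() if l.strip()]

if __name__ == "__main__":
    for j in shadowed(OP_ACL):
        print("never matches:", OP_ACL[j].text)
    # TFTP from a host outside 10.64.32.0/24 hits no entry: implicit deny
    print(evaluate(OP_ACL, "udp", "10.64.33.5", "172.22.15.87", 69))
    # Appending 'permit ip any any' is what turns that into a permit
    open_acl = OP_ACL + [parse_ace("access-list 110 permit ip any any")]
    print(evaluate(open_acl, "udp", "10.64.33.5", "172.22.15.87", 69))
```

    Run as a script it reports lines 2 and 3 as unreachable (line 1 already permits all TCP into 172.22.0.0/16, as iproute and sprkymrk say), shows the TFTP packet from 10.64.33.5 falling through to the implicit deny, and shows the same packet permitted once `permit ip any any` is appended. The `shadowed` check generalises the thread's observation to any pair of entries, including the case where the later entry has the opposite action, which is the more dangerous mistake: a `deny` that sits under a broader `permit` silently never fires.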
  • whoflungdung88 Member Posts: 15
    Mrock4 Posted: Fri Jun 15, 2007 3:20 pm Post subject:

    I'm sorry if I'm misinterpreting it but, if what you're saying is..one ACL..say, access-list 101..can you deny HTTP from one user (80)....SMTP (25) from another host....and telnet from a certain subnet? If that's what you're asking..then yes, you can.

    Yeah, that's pretty much what I was getting at. I realized that it was redundant. But honestly, I just copypasta'd that from a site I was reading up on regarding usage for acl's. Thanks again. tootles!
    uummmmm yeah