question regarding extended acl

Can somebody give me some input on extended acl's? Ok let's say I am starting out my ext acl list.
Example=

access-list 110 permit tcp any 172.22.0.0 0.0.255.255
access-list 110 permit tcp any host 172.22.15.83 eq 25
access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq 23
access-list 110 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq 69
access-list 110 permit udp any host 172.22.15.85 eq 53

From what I have been reading is that an acl can only be on one interface, one direction, and use one protocol. This acl has me confused, simply cuz another source says that I can apply an acl with obviously more than one protocol blocked. Please help.
Oh yeah, I remember that at the end of a standard acl, you have to always have the end of that acl with a permit any any/ or deny any any statement.
Does an extended acl automatically deny all traffic without me typing into the acl list? I have noticed that I can't type in a "deny any any/ or permit any any. Thanks for your input

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

whoflungdung88

Excuse me, I meant permit instead of deny when refering to the first paragragh of my entry. But all in all I would like to know the results if the statement was as such

access-list 110 deny tcp any 172.22.0.0 0.0.255.255
access-list 110 deny tcp any host 172.22.15.83 eq 25
access-list 110 deny tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq 23
access-list 110 deny udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq 69
access-list 110 deny udp any host 172.22.15.85 eq 53

Netstudent

HAHA!!

....U FLUNG DUNG!

Nah, but i'm pretty sure that if you don't write an explicit "permit ip any any"
everything will be denied that isn't in the aforementioned rules from the ACL.

Pash

Netstudent wrote:

HAHA!! ....U FLUNG DUNG!

Nah, but i'm pretty sure that if you don't write an explicit "permit ip any any"
everything will be denied that isn't in the aforementioned rules from the ACL.

Correct, there is an implicit deny at the end of every ACL, DO NOT forget this.

Cheers,

whoflungdung88

thnx,
now what about mulitiple protocols either being denied or permited in the acl I was writing about? Can you define an acle this way, with the whole "one interface, one direction, one protocol rule" in mind?

Pash

whoflungdung88 wrote:

thnx,
now what about mulitiple protocols either being denied or permited in the acl I was writing about? Can you define an acle this way, with the whole "one interface, one direction, one protocol rule" in mind?

ACL's can be applied on multiple interfaces, this should be obvious from how you create them

. Remember that you can only apply ONE ACL in each direction of an interface. One protocol rule? sorry lost by this, do you mean can you only mention a service port once in the ACL? If this is the case, of course not, there are several reasons why you want full control over your services on the network, your IT admin subnet might need telent services for example while all other network users can take a running jump.

And you must not forget the above regarding implicit deny, its essential when working on ACL's.

Cheers,

widjerd

when it refers to protocols it means IP, IPX and appletalk - not port numbers like ftp, http, https, telnet etc.
I am not sure the acl statements for these but i guess instead of ip addresses you would stick appletalk/ipx addresses in place

iproute

whoflungdung88 wrote:

access-list 110 deny tcp any 172.22.0.0 0.0.255.255
access-list 110 deny tcp any host 172.22.15.83 eq 25
access-list 110 deny tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq 23
access-list 110 deny udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq 69
access-list 110 deny udp any host 172.22.15.85 eq 53

whoflungdung88 wrote:

thnx,
now what about mulitiple protocols either being denied or permited in the acl I was writing about? Can you define an acle this way, with the whole "one interface, one direction, one protocol rule" in mind?

I don't remember the exact verbiage and I don't have my CCNA books with me, but I think it's more like: one ACL per direction on each interface. I believe it's OK to specify more than one protocol in an ACL.

Looking at your ACL statements, doesn't your first statement cover the host identified in the second statement? I can see that you're blocking port 25 on 172.22.15.83 in the second statement, but the first statement effectively blocks all TCP from any host to any host between 172.22.0.0 - 172.22.255.255, including port 25 on 172.22.15.83; so it seems redundant.

As others mentioned, don't forget an "access-list 110 permit ip any any" to negate the implicit deny.

iproute

widjerd wrote:

when it refers to protocols it means IP, IPX and appletalk - not port numbers like ftp, http, https, telnet etc.
I am not sure the acl statements for these but i guess instead of ip addresses you would stick appletalk/ipx addresses in place

Yes, it means layer 3 protocols. Things such as UDP/TCP (layer 4) and application specific port numbers (layers 6 - 7) aren't included in that logic.

Mrock4

I believe you're looking for: One access list per direction per layer 3 protocol on each interface. You really don't have to worry about running into this issue on the CCNA..the best part to remember is one access list per direction..but keep the per layer 3 protocol part in mind too.

whoflungdung88

yeah, the last statement really didn't set it in stone. I am simply trying to point out, that in acl 101, can you either permit or deny.... telnet/23 smtp/25 ssh/22 https/443 etc, all together in this acl. Wether or not it block inbound or outbound traffic. Or is the book simply refering to as somebody was talking about, on protocol being ipx, ip, appletalk. Thanks

Mrock4

I'm sorry if I'm misinterpreting it but, if what you're saying is..one ACL..say, access-list 101..can you deny HTTP from one user (80)....SMTP (25) from another host....and telnet from a certain subnet? If that's what you're asking..then yes, you can.

sprkymrk

whoflungdung88 wrote:

Can somebody give me some input on extended acl's? Ok let's say I am starting out my ext acl list.
Example=

access-list 110 permit tcp any 172.22.0.0 0.0.255.255
access-list 110 permit tcp any host 172.22.15.83 eq 25
access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq 23
access-list 110 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq 69
access-list 110 permit udp any host 172.22.15.85 eq 53

Maybe off-topic, but aren't your 2nd and 3rd lines redundent, since in your first line you already permitted TCP from anyone to your entire class B range of 172.22.0.0?

whoflungdung88

Mrock4 Posted: Fri Jun 15, 2007 3:20 pm Post subject:

I'm sorry if I'm misinterpreting it but, if what you're saying is..one ACL..say, access-list 101..can you deny HTTP from one user (80)....SMTP (25) from another host....and telnet from a certain subnet? If that's what you're asking..then yes, you can.

Yeah, that's pretty much where I was getting at. I realized, that it was redundant. But honestly, I just copypasta'd that from a site, i was reading up on regarding usage for acl's. Thanks again. tootles!