Easy ACL question

drew2000 Posts: 290 Member
Hey All,
I have an easy ACL question. I am working with a router at work and found this in the ACL list for INBOUND on an interface:

"permit ip any 10.1.5.0 0.0.0.255"

From what I remember about ACLs, this should permit any host to send data inbound on any port to my network (10.1.5.0/24).

So, this basically invalidates the rest of the lines in my ACL, right? (The other lines allow a few ports through here and there to the 10.1.5.0/24 network.)

Thanks,
Drew

Comments

  • MrRyte Posts: 348 Member
    drew2000 wrote: »
    So, this basically invalidates the rest of the lines in my ACL, right? (The other lines allow a few ports through here and there to the 10.1.5.0/24 network.)

    Thanks,
    Drew
    Could you post the ACL so that we can have a more complete picture?
    NEXT UP: CompTIA Security+ :study:

    Life is a matter of choice not chance. The path to your destiny will be paved by the decisions that you make every day.
  • networker050184 Posts: 11,962 Mod
    Yes, permitting IP is going to allow all TCP/UDP ports.
    An expert is a man who has made all the mistakes which can be made.
  • drew2000 Posts: 290 Member
    MrRyte wrote: »
    Could you post the ACL so that we can have a more complete picture?

    I will try to post the whole thing tomorrow, thanks!
  • JaCkNiFe Posts: 96 Member
    drew2000 wrote: »
    Hey All,
    I have an easy ACL question. I am working with a router at work and found this in the ACL list for INBOUND on an interface:

    "permit ip any 10.1.5.0 0.0.0.255"

    From what I remember about ACLs, this should permit any host to send data inbound on any port to my network (10.1.5.0/24).

    So, this basically invalidates the rest of the lines in my ACL, right? (The other lines allow a few ports through here and there to the 10.1.5.0/24 network.)

    Thanks,
    Drew

    ACLs are processed in a top-down fashion, so another variable to consider is the placement of the "permit ip any 10.1.5.0 0.0.0.255" statement in your list.
    Lab on!
  • drew2000 Posts: 290 Member
    Here is the full ACL:

    It is set up INBOUND on a router interface on the 10.1.5.x/24 network.

    Again, I think this line neutralizes most of the ACL: "permit ip any 10.1.5.0 0.0.0.255", but I am looking for validation.

    ip access-list extended LANtoServers
    permit ip any 10.1.1.0 0.0.0.255
    permit ip 10.1.1.0 0.0.0.255 any
    permit icmp host 10.1.50.2 any
    permit icmp any host 10.1.50.2
    permit ip any 10.1.5.0 0.0.0.255
    permit tcp any eq 443 host 10.1.50.2 established
    permit tcp any eq 902 host 10.1.50.2 established
    permit tcp any eq 903 host 10.1.50.2 established
    permit tcp any eq 8443 host 10.1.50.2 established
    permit tcp any eq 8084 host 10.1.50.2 established
    permit tcp any eq 8096 host 10.1.50.2 established
    permit tcp any eq www host 10.1.50.2 established
  • JaCkNiFe Posts: 96 Member
    drew2000 wrote: »
    Here is the full ACL:

    It is set up INBOUND on a router interface on the 10.1.5.x/24 network.

    Again, I think this line neutralizes most of the ACL: "permit ip any 10.1.5.0 0.0.0.255", but I am looking for validation.

    ip access-list extended LANtoServers
    1 permit ip any 10.1.1.0 0.0.0.255
    2 permit ip 10.1.1.0 0.0.0.255 any
    3 permit icmp host 10.1.50.2 any
    4 permit icmp any host 10.1.50.2
    5 permit ip any 10.1.5.0 0.0.0.255
    6 permit tcp any eq 443 host 10.1.50.2 established
    7 permit tcp any eq 902 host 10.1.50.2 established
    8 permit tcp any eq 903 host 10.1.50.2 established
    9 permit tcp any eq 8443 host 10.1.50.2 established
    10 permit tcp any eq 8084 host 10.1.50.2 established
    11 permit tcp any eq 8096 host 10.1.50.2 established
    12 permit tcp any eq www host 10.1.50.2 established

    Line 5 will not affect, or be affected by, any of the other statements in this list, given that it is the only one that references the 10.1.5.x subnet.
    Lab on!
  • drew2000 Posts: 290 Member
    Jackknife,
    Is it a true statement that line 5 allows traffic from ANY source IP and ANY protocol into the 10.1.5.x subnet?

    I thought the first "ANY" was "any source IP." So if the network tied to this interface has ANY traffic allowed into that network, what is the point of any other lines in the ACL? (Keeping in mind that this ACL is set up INBOUND on the interface.)

    Thanks !!

    Drew
  • JaCkNiFe Posts: 96 Member
    drew2000 wrote:
    Is it a true statement that line 5 allows traffic from ANY source IP and ANY protocol into the 10.1.5.x subnet?

    I thought the first "ANY" was "any source IP." So if the network tied to this interface has ANY traffic allowed into that network, what is the point of any other lines in the ACL? (Keeping in mind that this ACL is set up INBOUND on the interface.)

    Thanks !!

    Drew

    You are correct about the first 'any' being the source.

    The ACL would read 'permit any traffic coming from any IP address with a destination to the subnet 10.1.5.0 0.0.0.255.'
    networker050184 wrote: »
    Yes, permitting IP is going to allow all TCP/UDP ports.

    Yes, as Mr. Networker contributed, permitting IP allows all TCP/UDP traffic.

    My question is why are you concerned about the latter statements considering they refer to the 10.1.50.x subnet and not the 10.1.5.x subnet?

    Cheers :)
    Lab on!
  • drew2000 Posts: 290 Member
    Thanks for the fast reply. I am just trying to make sense of the config. I need to move the ACL from an old router to a new L3 Switch. I am trying to fully understand what they have in place so that I can help make the new config better and more simple if possible.

    Since this is an inbound ACL, I think I can drop out some of these statements since not all of the subnets make sense for this interface.

    For example, line 4:

    permit icmp any host 10.1.50.2

    Since this ACL is applied inbound, I shouldn't need to allow a host to ping 10.1.50.2 (a workstation on a separate interface). That would be done on an outbound ACL (which I don't need to do).

    Thanks,
    Drew
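The two points the thread turns on, JaCkNiFe's explanation that entries are matched top-down and that "permit ip" covers every protocol and port, and Drew's question about which of the posted lines a given flow actually hits (line 5 versus the 10.1.50.2 lines, and line 4 on an inbound ACL), can be checked mechanically. The following is an added example, not code from the thread or from any Cisco tool: a small Python evaluator that parses the ACL exactly as drew2000 posted it and reports, for constructed sample packets, which sequence number permits them or whether they fall through to the implicit deny. The packet addresses (192.0.2.x, 198.51.100.x, 203.0.113.x and the 10.1.x.x hosts) are constructed for illustration; the IOS semantics modelled (first match wins, implicit deny at the end, wildcard bit 1 means "don't care", "established" needs ACK or RST) are standard documented behaviour.

```python
"""Toy first-match evaluator for the extended ACL posted in the thread.
IOS rules modelled: top-down first match; implicit 'deny ip any any' at the
end; wildcard-mask bit 1 = don't care (0.0.0.255 is a /24); 'permit ip'
matches every IP protocol so ports are irrelevant; 'established' matches
only TCP segments carrying ACK or RST.  Sample packets are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# The ACL exactly as drew2000 posted it (the parser skips the header line
# and numbers the entries 1..12, matching JaCkNiFe's numbering).
ACL_TEXT = """\
ip access-list extended LANtoServers
permit ip any 10.1.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
permit icmp host 10.1.50.2 any
permit icmp any host 10.1.50.2
permit ip any 10.1.5.0 0.0.0.255
permit tcp any eq 443 host 10.1.50.2 established
permit tcp any eq 902 host 10.1.50.2 established
permit tcp any eq 903 host 10.1.50.2 established
permit tcp any eq 8443 host 10.1.50.2 established
permit tcp any eq 8084 host 10.1.50.2 established
permit tcp any eq 8096 host 10.1.50.2 established
permit tcp any eq www host 10.1.50.2 established
"""

PORT_NAMES = {"www": 80}  # IOS port keyword used in the posted ACL

@dataclass(frozen=True)
class Entry:
    seq: int
    action: str             # permit / deny
    proto: str              # ip / icmp / tcp / udp
    src: tuple[int, int]    # (address, wildcard) as 32-bit ints
    src_port: Optional[int]
    dst: tuple[int, int]
    dst_port: Optional[int]
    established: bool

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # the TCP flags 'established' looks at

def _addr_spec(tokens: list[str]) -> tuple[int, int]:
    """Consume one IOS address spec: any | host A | A WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    return int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0)))

def _port_spec(tokens: list[str]) -> Optional[int]:
    """Consume an optional 'eq PORT' (number or IOS keyword)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None

def parse_acl(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header line or blank
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _addr_spec(rest), _port_spec(rest)
        dst, dport = _addr_spec(rest), _port_spec(rest)
        established = bool(rest) and rest[0] == "established"
        entries.append(Entry(len(entries) + 1, action, proto,
                             src, sport, dst, dport, established))
    return entries

def wildcard_match(addr: int, spec: tuple[int, int]) -> bool:
    """Cisco wildcard: bits set in the mask are ignored in the comparison."""
    base, wildcard = spec
    return (addr | wildcard) == (base | wildcard)

def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:   # 'ip' covers every protocol
        return False
    if not wildcard_match(int(IPv4Address(p.src)), e.src):
        return False
    if not wildcard_match(int(IPv4Address(p.dst)), e.dst):
        return False
    if e.proto in ("tcp", "udp"):
        if e.src_port is not None and e.src_port != p.sport:
            return False
        if e.dst_port is not None and e.dst_port != p.dport:
            return False
    if e.established and not (p.proto == "tcp" and p.ack_or_rst):
        return False
    return True

def evaluate(acl: list[Entry], p: Packet) -> tuple[Optional[int], str]:
    """Return (sequence number, action) of the first match, or (None, 'deny')
    for the implicit deny at the end of every IOS ACL."""
    for e in acl:
        if matches(e, p):
            return e.seq, e.action
    return None, "deny"

ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    samples = [  # constructed packets, documentation addresses for outsiders
        Packet("tcp", "192.0.2.7", "10.1.5.20", 50000, 22),          # any proto/port into 10.1.5.0/24
        Packet("udp", "10.1.5.10", "10.1.50.2", 40000, 53),          # 10.1.50.2 is not in 10.1.5.0/24
        Packet("icmp", "10.1.5.10", "10.1.50.2"),                    # Drew's line 4 case
        Packet("tcp", "198.51.100.5", "10.1.50.2", 443, 51000, True),   # return traffic, ACK set
        Packet("tcp", "198.51.100.5", "10.1.50.2", 443, 51000, False),  # same ports, no ACK/RST
        Packet("tcp", "10.1.1.5", "203.0.113.9", 51000, 443),        # first match wins (line 2)
    ]
    for p in samples:
        seq, action = evaluate(ACL, p)
        hit = f"line {seq}" if seq else "implicit deny"
        print(f"{p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport}  => {action} ({hit})")
```

Run stand-alone, the script shows the behaviour the replies describe: a TCP or UDP packet from anywhere to a 10.1.5.0/24 address stops at line 5 regardless of port, while traffic to 10.1.50.2 never touches line 5 and is decided by lines 3, 4 and 6 to 12 or by the implicit deny; the "established" entries permit a segment only when ACK or RST is set, so a bare SYN with the same addresses and ports falls through. The same evaluator can be pointed at any candidate ACL when migrating to the new L3 switch, which is a cheap way to confirm that a trimmed version still permits and denies the same constructed flows as the original.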