what does this ACL mean?

itdaddyitdaddy Senior MemberMember Posts: 2,088 ■■■■□□□□□□
Hey Guys,
can some one explain the the bolden ACL statements mean below
and why this guy put them there. It is like denying and the permitting the samething but the ACL will hit the deny 1st and won't it desregard the permit any how? so why even put it. I can put the permit any since we have the implied deny all but doesn't the ACL stop at the deny ip and what good the the permit ip do if it stops I think at deny ip? thanks icon_study.gif

interface Ethernet0
description LAN interface
ip address 10.0.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
!
interface Ethernet1
description WAN interface
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
interface Ethernet2
description DMZ interface
ip address 10.0.1.1 255.255.255.0
ip access-group 101 in
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip nat inside source list 10 interface Ethernet1 overload
!
access-list 10 remark Permited Subnets to go out to the Internet
access-list 10 permit 10.0.0.0 0.0.1.255
access-list 100 remark Restricted Inside network Access
access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit udp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 53
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 remark Restricted DMZ network Access
access-list 101 permit tcp 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 established
access-list 101 permit udp 10.0.1.0 0.0.0.255 eq 53 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any




Comments

  • shodownshodown Member Posts: 2,271
    access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255


    the 1st part you are denying the 10.0.0.0/24 from having access to the 10.0.1.0/24 network

    Then the next statement is permiting everything else.


    The next statement is the same thing with the networks swapped.

    Then on the E0 interface you are applying the 100 access-list inbound. On the other one you are applying the 101 access-list inbound.
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
  • ChooseLifeChooseLife Member Posts: 941 ■■■■■■■□□□
    itdaddy wrote: »
    It is like denying and the permitting the samething
    Read it carefully, source is the same in the two lines, but the destination is different.
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less
    - discounted vouchers for certs
  • itdaddyitdaddy Senior Member Member Posts: 2,088 ■■■■□□□□□□
    aaaahhh I see it has been awhile since I read ACLs I see now it is different. one is like you said denying access to a network and the other is allowing everything else thru on this. thanks just need a 2nd and 3rd opnion. I see now..thanks mates!icon_thumright.gif
Sign In or Register to comment.