What does this ACL mean?

itdaddy Member Posts: 2,089
Hey Guys,
Can someone explain what the bolded ACL statements below mean
and why this guy put them there? It is like denying and then permitting the same thing, but the ACL will hit the deny first, and won't it disregard the permit anyhow? So why even put it? I can put the permit any, since we have the implied deny all, but doesn't the ACL stop at the deny ip, and what good does the permit ip do if it stops, I think, at deny ip? Thanks.

interface Ethernet0
description LAN interface
ip address
ip access-group 100 in
ip nat inside
interface Ethernet1
description WAN interface
ip address
ip nat outside
interface Ethernet2
description DMZ interface
ip address
ip access-group 101 in
ip nat inside
ip route
ip nat inside source list 10 interface Ethernet1 overload
access-list 10 remark Permited Subnets to go out to the Internet
access-list 10 permit
access-list 100 remark Restricted Inside network Access
access-list 100 permit tcp
access-list 100 permit udp eq 53
access-list 100 deny ip
access-list 100 permit ip any
access-list 101 remark Restricted DMZ network Access
access-list 101 permit tcp established
access-list 101 permit udp eq 53
access-list 101 deny ip
access-list 101 permit ip any


shodown Member Posts: 2,271
    access-list 100 deny ip

In the first statement you are denying the from having access to the network.

Then the next statement is permitting everything else.

    The next statement is the same thing with the networks swapped.

    Then on the E0 interface you are applying the 100 access-list inbound. On the other one you are applying the 101 access-list inbound.
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
ChooseLife Member Posts: 941
    itdaddy wrote: »
    It is like denying and the permitting the samething
Read it carefully: the source is the same in the two lines, but the destination is different.
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

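To make the first-match point from the two replies concrete, here is an added example (not code from the thread): a small evaluator that walks a Cisco-style extended ACL line by line and reports which entry a packet hits. The original post's addresses were lost, so every subnet, host and the source/destination pairing of each line below is an assumption chosen to fit the replies (same source on the deny and the final permit, narrower destination on the deny). It shows that the deny ip line only catches traffic to the one destination it names, that the permit ip any line is reached by everything else, and what breaks if the deny is moved to the top or the final permit is dropped.

```python
# Added example, not from the forum post: first-match evaluation of a
# Cisco-style extended ACL.  All addresses and the src/dst operands of each
# line are assumptions standing in for the values lost from the original post.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None
    established: bool = False   # TCP segment with ACK or RST set (reply traffic)


@dataclass(frozen=True)
class Ace:
    """One access-list entry. proto 'ip' matches every protocol."""
    action: str                 # "permit" or "deny"
    proto: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # 'eq <port>' on the destination
    established: bool = False    # 'established' keyword (TCP only)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if IPv4Address(p.src) not in self.src or IPv4Address(p.dst) not in self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not p.established:
            return False
        return True


def evaluate(acl, p):
    """First match wins; a packet that matches no line hits the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, idx
    return "deny", None          # implicit 'deny ip any any' at the end of every ACL


ANY = IPv4Network("0.0.0.0/0")
LAN = IPv4Network("192.168.1.0/24")      # assumed Ethernet0 subnet
DMZ = IPv4Network("192.168.2.0/24")      # assumed Ethernet2 subnet

# access-list 100 (inbound on the LAN interface), operands assumed
ACL_100 = [
    Ace("permit", "tcp", LAN, DMZ),
    Ace("permit", "udp", LAN, ANY, dport=53),
    Ace("deny",   "ip",  LAN, DMZ),      # same source as the next line, narrower destination
    Ace("permit", "ip",  LAN, ANY),      # everything else from the LAN
]

# access-list 101 (inbound on the DMZ interface), operands assumed
ACL_101 = [
    Ace("permit", "tcp", DMZ, LAN, established=True),   # replies only, no new sessions
    Ace("permit", "udp", DMZ, ANY, dport=53),
    Ace("deny",   "ip",  DMZ, LAN),
    Ace("permit", "ip",  DMZ, ANY),
]

# The same lines with the deny moved to the top: the permits below it become dead.
WRONG_ORDER = [ACL_100[2], ACL_100[0], ACL_100[1], ACL_100[3]]


def trace(acl, p):
    action, idx = evaluate(acl, p)
    where = f"line {idx + 1}" if idx is not None else "implicit deny"
    return f"{p.proto} {p.src} -> {p.dst}: {action} ({where})"


if __name__ == "__main__":
    for acl, p in [
        (ACL_100, Packet("tcp", "192.168.1.10", "192.168.2.80", 80)),
        (ACL_100, Packet("udp", "192.168.1.10", "192.168.2.53", 53)),
        (ACL_100, Packet("icmp", "192.168.1.10", "192.168.2.80")),          # deny line does real work
        (ACL_100, Packet("tcp", "192.168.1.10", "203.0.113.7", 443)),       # falls through to permit ip any
        (ACL_100[:3], Packet("tcp", "192.168.1.10", "203.0.113.7", 443)),   # final permit removed
        (WRONG_ORDER, Packet("tcp", "192.168.1.10", "192.168.2.80", 80)),   # deny first kills the tcp permit
        (ACL_101, Packet("tcp", "192.168.2.80", "192.168.1.10", 22)),
        (ACL_101, Packet("tcp", "192.168.2.80", "192.168.1.10", 51000, established=True)),
    ]:
        print(trace(acl, p))
```

The two cases worth staring at are the ICMP packet to the DMZ (permitted by neither protocol-specific line, so the deny ip line catches it) and the HTTPS packet to the Internet (the deny does not match because its destination is not the DMZ, so the packet reaches permit ip any). Drop that last permit and the Internet-bound packet dies on the implicit deny; move the deny to the top and the TCP permit above it never fires. Note that the established keyword here only models the ACK/RST check a stateless IOS ACL performs; it is not a stateful connection table.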
itdaddy Member Posts: 2,089
Aaaahhh, I see. It has been a while since I read ACLs; I see now it is different. One is, like you said, denying access to a network and the other is allowing everything else through on this. Thanks, I just needed a 2nd and 3rd opinion. I see now. Thanks, mates!