ACL help

Confused on this. If I'm writing an acl to say permit 1 host 10.10.1.1 access to a special web-server 192.190.10.10 .
I thought I would write it.

access-list 100 permit ip host 10.10.1.1 host 192.190.10.10 (then write the other permits or deny statements) I just found another book which states I should write as a TCP instead of IP.

access-list 100 permit tcp host 10.10.1.1 host 192.190.10.10. Is 1 correct. On my lab-sim both work. Really what will the exam sim show if something like this comes up.

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

ToddB

I for got something What I seen was
access-list 100 permit tcp host 10.10.1.1 host 192.190.1.1 eq 80

up2thetime

ToddB wrote: »

I should write as a TCP instead of IP.

Using the keyword "ip" will permit all IP traffic from the source to destination. If you use the keyword "tcp" then services that use TCP will be permitted.

In the first case you are permitting IP traffic only, and anything that runs over IP will be allowed. In the second case, only TCP traffic is allowed. The "eq 80" specifies a destination port of 80. This is because services other than www utilize TCP.

Remember, IP can carry a number of different packets types, not just TCP.
Also remember that TCP is used by many applications, not just www.

ayori

up2thetime wrote: »

Using the keyword "ip" will permit all IP traffic from the source to destination. If you use the keyword "tcp" then services that use TCP will be permitted.

In the first case you are permitting IP traffic only, and anything that runs over IP will be allowed. In the second case, only TCP traffic is allowed. The "eq 80" specifies a destination port of 80. This is because services other than www utilize TCP.

Remember, IP can carry a number of different packets types, not just TCP.
Also remember that TCP is used by many applications, not just www.

Agreed and just to add - you create ACLs based on the requirements. If the requirement states something like "permit the host 10.10.1.1 to access 192.190.10.10 on any ports, both TCP and UDP" then your statement with the keyword "ip" will work.

If the requirement is to permit ONLY HTTP access from 10.10.1.1 to 192.190.10.10, then your second tcp statement will work (HTTP uses TCP as its transport protocol and by default, on port 80). access-list 100 permit ip host 10.10.1.1 host 192.190.10.10 will also work however, you are permitting too much. What if you didn't want FTP, Telnet, or SSH access to 192.190.10.10?

It is also important that you understand the flow of traffic so that you could apply the access-list on the proper interface and intended direction (inbound or outbound).

ToddB

Thanks this site is great!