ACL - why does "eq www" go at the end rather than in the middle?

Hi,
I'm looking at a question in a book about ACLs but I can't get my head round why "eq www" has to go at the end.
Question = From web client 192.168.99.99/28, sent to a web server in subnet
192.168.176.0/28. Match all hosts in the client’s subnet as well.

Answer = access-list 106 permit tcp 192.168.99.96 0.0.0.15 192.168.176.0 0.0.0.15 eq www

What would be the result of using "access-list 106 permit tcp 192.168.99.96 0.0.0.15 eq www 192.168.176.0 0.0.0.15" instead?

thanks ,
Andrew

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

theodoxa

The Destination Port is 80 (www). The source port could be anything over 1024. Generally, for Client to Server (Direction) Traffic, the port/service would be part of the destination.

EdTheLad

The web server is hosting the page and terminates incoming dst tcp port 80.
An extended access-list uses src dst in that order.

From client 192.168.99.99 which is the src you want to access the server subnet 192.168.176.0 which is the destination.
The client will pick a random tcp src port between the range 49152 through 65535, the dst port is 80. If you choose 80 as your src port you wont hit the ACL. You cant match the src port exactly as you dont know what will be choosen by the client, but you can configure an acl to match a range of ports.

mikeybinec

Here's one from Odom that matches your question:

Q: What access list matches packets going to any web client from all web servers whose IP addresses begin with
172.16.5?

A: access-list 2353 permit tcp 172.16.5.0 0.0.0.255 eq www any