Easy ACL question

drew2000

Hey All,
I have any easy ACL question. I am working with a router at work and found this in the ACL list for INBOUND on an interface:

"permit ip any 10.1.5.0 0.0.0.255"

From what I remember about ACL's, this should permit any host to send data inbound on any port to my network (10.1.5.0/24).

So, this basically invalidates the rest of the lines in my ACL, right? (the other lines allow a few ports through here and here to the 10.1.5./24 network).

Thanks,
Drew

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

MrRyte

drew2000 wrote: »

So, this basically invalidates the rest of the lines in my ACL, right? (the other lines allow a few ports through here and here to the 10.1.5./24 network).

Thanks,
Drew

Could you post the ACL so that we can have a more complete picture?

networker050184

Yes, permitting IP is going to allow all TCP/UDP ports.

drew2000

MrRyte wrote: »

Could you post the ACL so that we can have a more complete picture?

I will try to post the whole thing tomorrow, thanks!

JaCkNiFe

drew2000 wrote: »

Hey All,
I have any easy ACL question. I am working with a router at work and found this in the ACL list for INBOUND on an interface:

"permit ip any 10.1.5.0 0.0.0.255"

From what I remember about ACL's, this should permit any host to send data inbound on any port to my network (10.1.5.0/24).

So, this basically invalidates the rest of the lines in my ACL, right? (the other lines allow a few ports through here and here to the 10.1.5./24 network).

Thanks,
Drew

ACLs are processed in a top down fashion so another variable to consider is the placement of the "permit ip any 10.1.5.0 0.0.0.255" statement in your list.

drew2000

Here is the full ACL:

It is setup INBOUND on a router interface on the 10.1.5.x/24 network.

Again, I think this line neutralizes most of the ACL "permit ip any 10.1.5.0 0.0.0.255," but am looking for validation.

ip access-list extended LANtoServers
permit ip any 10.1.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
permit icmp host 10.1.50.2 any
permit icmp any host 10.1.50.2
permit ip any 10.1.5.0 0.0.0.255
permit tcp any eq 443 host 10.1.50.2 established
permit tcp any eq 902 host 10.1.50.2 established
permit tcp any eq 903 host 10.1.50.2 established
permit tcp any eq 8443 host 10.1.50.2 established
permit tcp any eq 8084 host 10.1.50.2 established
permit tcp any eq 8096 host 10.1.50.2 established
permit tcp any eq www host 10.1.50.2 established

JaCkNiFe

drew2000 wrote: »

Here is the full ACL:

It is setup INBOUND on a router interface on the 10.1.5.x/24 network.

Again, I think this line neutralizes most of the ACL "permit ip any 10.1.5.0 0.0.0.255," but am looking for validation.

ip access-list extended LANtoServers
1 permit ip any 10.1.1.0 0.0.0.255
2 permit ip 10.1.1.0 0.0.0.255 any
3 permit icmp host 10.1.50.2 any
4 permit icmp any host 10.1.50.2
5 permit ip any 10.1.5.0 0.0.0.255
6 permit tcp any eq 443 host 10.1.50.2 established
7 permit tcp any eq 902 host 10.1.50.2 established
8 permit tcp any eq 903 host 10.1.50.2 established
9 permit tcp any eq 8443 host 10.1.50.2 established
10 permit tcp any eq 8084 host 10.1.50.2 established
11 permit tcp any eq 8096 host 10.1.50.2 established
12 permit tcp any eq www host 10.1.50.2 established

line 5 will not affect/be affected by any of your statements in this list given the fact it makes the only reference to the 10.1.5.x subnet.

drew2000

Jackknife,
Is it a true statment that line 5 allows traffic from ANY source IP and ANY protocol into the 10.1.5.x subnet?

I thought the first "ANY" was "any source IP." So if the network tied to this interface has ANY traffic allowed into that network, what is the point on any other lines in the ACL? (keeping in mind that this ACL is setup INBOUND on the interface).

Thanks !!

Drew

JaCkNiFe

drew2000 wrote:

Is it a true statment that line 5 allows traffic from ANY source IP and ANY protocol into the 10.1.5.x subnet?

I thought the first "ANY" was "any source IP." So if the network tied to this interface has ANY traffic allowed into that network, what is the point on any other lines in the ACL? (keeping in mind that this ACL is setup INBOUND on the interface).

Thanks !!

Drew

You are correct about the first 'any' being the source.

The ACL would read 'permit any traffic coming from any IP address with a destination to the subnet 10.1.5.0 0.0.0.255.'

networker050184 wrote: »

Yes, permitting IP is going to allow all TCP/UDP ports.

Yes, as Mr. Networker contributed, permitting IP allows all TCP/UDP traffic.

My question is why are you concerned about the latter statements considering they refer to the 10.1.50.x subnet and not the 10.1.5.x subnet?

Cheers

drew2000

Thanks for the fast reply. I am just trying to make sense of the config. I need to move the ACL from an old router to a new L3 Switch. I am trying to fully understand what they have in place so that I can help make the new config better and more simple if possible.

Since this is an inbound ACL, I think I can drop out some of these statements since not all of the subnets make sense for this interface.

For example, line 4:

permit icmp any host 10.1.50.2

Since this ACL is applied inbound, I shouldn't need to allow a host to ping 10.1.50.2 (a workstation on a separate interface). That would be done on an outbound ACL (which I don't need to do).

Thanks,
Drew