
access-list: first deny object then allow or otherwise?

Status
Not open for further replies.

jonas21 (Technical User, DE), Nov 27, 2002
Hi,

I've got a strange problem. As far as I know, a Cisco ACL is parsed from top to bottom and evaluation stops on the first match.
Well, right now I have the following ACL:
access-list acl_out deny ip any 80.131.0.0 255.255.0.0 (hitcnt=0)
access-list acl_out permit tcp any host 81.2.x.x eq smtp (hitcnt=2)

I can still connect from an 80.131.x.x host to 81.2.x.x on the SMTP port. The hit count says so, too. I don't know what's happening there; the PIX should parse the deny rule and deny all traffic, but apparently it doesn't. Any ideas?
 
Hi

With the first ACL you just deny access TO 80.131.0.0, not traffic FROM it, I think.
 
To clarify:
acl_out is bound to the outside interface!

I am pretty sure that the syntax is correct...
 
It was clear that you have to bind the ACL to the right interface.

To make this clear:
>>>>>I can still connect from a 80.131.x.x host to 81.2.x.x on

... you want to deny access from 80.131.x.x to 81.2.x.x

If that is right then you have to write:

access-l .... deny ip host 80.131.x.x h 81.2.x.x


With:

>>>>> access-list acl_out permit tcp any host 81.2.x.x eq smtp

you permit TCP traffic on SMTP from any host to 81.2.x.x

and with:

>>>> access-list acl_out deny ip any 80.131.0.0 255.255.0.0

you just deny traffic that comes from outside TO 80.131.0.0


Hope I am right...

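To see why the original ACL lets the SMTP connection through, here is a small first-match ACL evaluator written for this thread (added example, not code from the thread or from Cisco). It parses PIX-style access-list lines (subnet masks, "any", "host", "eq smtp") and walks them top to bottom the way the PIX does, with the implicit deny at the end. The original rules match on the destination only, so a packet from 80.131.x.x to the mail host never hits rule 1 and is permitted by rule 2; the corrected version denies on the source network (the same idea as the host-to-host line in the reply above, widened to the whole /16). The address 81.2.0.1 is a constructed stand-in for the masked 81.2.x.x on the page.

```python
import ipaddress

PORTS = {"smtp": 25}  # service names the sample ACLs use

# Constructed sample ACLs: the thread's original and a corrected one.
# 81.2.0.1 is a placeholder for the page's masked 81.2.x.x.
ORIGINAL_ACL = """
access-list acl_out deny ip any 80.131.0.0 255.255.0.0
access-list acl_out permit tcp any host 81.2.0.1 eq smtp
"""
CORRECTED_ACL = """
access-list acl_out deny ip 80.131.0.0 255.255.0.0 any
access-list acl_out permit tcp any host 81.2.0.1 eq smtp
"""

def _parse_addr(tokens, i):
    """Consume one PIX address spec at tokens[i]: any | host A | A MASK."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX uses a normal subnet mask here (not an IOS wildcard mask)
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Return rules as (action, proto, src_net, dst_net, dst_port_or_None)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = int(PORTS.get(t[i + 1], t[i + 1]))
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, src_ip, dst_ip, proto, dst_port):
    """First match wins, top to bottom; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, rproto, rsrc, rdst, rport) in enumerate(rules, 1):
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dst_port:
            continue
        return action, n          # (verdict, matching rule number)
    return "deny", None           # implicit deny at end of list

def smtp_from_80_131(acl_text):
    """The thread's case: an 80.131.x.x host opening SMTP to the mail host."""
    return evaluate(parse_acl(acl_text), "80.131.5.6", "81.2.0.1", "tcp", 25)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(name, smtp_from_80_131(acl))   # original: permit by rule 2; corrected: deny by rule 1
```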
 
WOW, that worked. Thanks a lot!
 