Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ACL 1

Status
Not open for further replies.
omegabetax

omegabetax

Technical User
Joined
Jun 20, 2006
Messages
54
Location
RO
Hi,

I want to know why must I use in ACL:

...deny tcp ...
...permit ip any any

Why permit ip ad not tcp?

Thanks
 
Sort by date Sort by votes
omegabetax,

Need a little more information - what are you trying to deny. It really depends on what you are trying to do!

ACLs are VERY powerfull and VERY unforgiving! If you do not set them up correctly you can shutdown your router to all traffic.

Normally you permit or deny TCP and UDP protocols and then permit IP in general to let in all traffic not specified.

Here is just a small example of some ACL statements but they can be very complex and hard to just paste in place without understanding what you are doing -

deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 172.16.0.0 0.0.255.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip host 255.255.255.255 any
deny ip any 10.0.0.0 0.255.255.255 log-input
deny ip any 172.16.0.0 0.0.255.255 log-input
deny icmp any any redirect
deny icmp any any timestamp-request
deny icmp any any information-request
remark 445 is Sasser
deny tcp any any eq 445 log-input
remark 135 is MSBlaster
deny tcp any any eq 135 log-input
remark 1433 is MS-SQL Hello Buffer overflow
deny tcp any any eq 1433 log-input
permit ip any any
deny ip any any log-input

Hope this helps!


E.A. Broda
CCNA, CCDA, CCAI, Network +
 
Upvote 0 Downvote


"Normally you permit or deny TCP and UDP protocols and then permit IP in general to let in all traffic not specified"

This is the question. Why must I have a couple like this:
deny tcp any any eq 1433 log-input
permit ip any any

and not
deny tcp any any eq 1433 log-input
permit tcp any any

Thanks
 
Upvote 0 Downvote
There is an implicit "Deny everything" at the end of every ACL.

So exactly what you are saying there is to block anything on TCP port 443 (Secure HTTP) but let in all other IP stuff. You could have specified "permit tcp any any" but that would not let in any other UDP stuff.

As CiscoGuy33 said "ACL's are VERY powerful"

I've seen 500 page textbooks just about them!

MCP,CCA, Net+, Half CCNP...
 
Upvote 0 Downvote

It seems that you must explain me:
'You could have specified "permit tcp any any" but that would not let in any other UDP stuff'

What is difference when you deny TCP and deny IP ?

Thanks
 
Upvote 0 Downvote
Do you know what IP is?

TCP?
UDP?

it sounds a patronising question, but they are different things and not to be mistaken.

MCP,CCA, Net+, Half CCNP...
 
Upvote 0 Downvote
Of course I know that TCP ad UDP acts on the same layer(4) and IP on the layer 3. I'm newcomer in ACL and maybe the question doesn't have the proper form.
I want to block access from host H1(router R1) to host H2(router R2) for ping, telnet, http

R1
deny icmp host H1 host H2
deny tcp host H1 host H2 eq 23
permit icmp any any
permit tcp any any
Is that corect?

For Http I don't know how I can do the ACL

Thanks
 
Upvote 0 Downvote
you could do that, but just "permit IP any any" would suffice also, your choice.

to block http, just deny TCP port 80

eg:
deny tcp host H1 host H2 eq 80

or
deny tcp host H1 host H2 eq www



MCP,CCA, Net+, Half CCNP...
 
Upvote 0 Downvote

Thanks for response NettableWalker. I hope you'll not rail me but please explain me in brief why permit IP any any would be sufficient.

 
Upvote 0 Downvote
omegabetax,

TCP and UDP are layer 4 protocols and they are on top of IP layer 3, as NettableWalker said there is a "hidden" deny everything in the end of any access-list, some thing like that:

permit...
deny...
.
.
.
deny tcp any any eq 1433 log-input
deny everything else (you don't see it)

If you say:

deny tcp any any eq 1433 log-input
permit tcp any any

as TCP is on top of IP, hence TCP/IP (TCP and UDP are inside of a IP package) if you permit TCP any any, you still have the "deny everything else in the end" end anything else, i mean anything, will be droped.
Hope it helps.



Niltinho
BEng,CCNA,MCSA,CNA
 
Upvote 0 Downvote
It is sort of like: specifying all IP encompasses all TCP, UDP etc.

typing one command instead of multiple ones.

MCP,CCA, Net+, Half CCNP...
 
Upvote 0 Downvote
And also saves processing load in the device.

You also need to make a balance depending of the situation you have.

in your case you are denying certain things only, so it means you want to permit anything else.

another cenario (more restrict)would be permit certain things only, so it means you want to deny anything else.

Niltinho
BEng,CCNA,MCSA,CNA
 
Upvote 0 Downvote
OK. It was about PDU. Thanks to all
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

skk391
  • Locked
  • Question Question
Blocking Websites using ACL
Replies
2
Views
268
skk391
skk391
burtsbees
  • Locked
  • Question Question
ACL deny ip host x.x.x.x any no work
Replies
11
Views
518
burtsbees
burtsbees
maczen
  • Locked
  • Question Question
CBAC VS REFLEXIVE ACL
Replies
9
Views
253
maczen
maczen
niqd
  • Locked
  • Question Question
ACL question
Replies
4
Views
221
thecrow123456
thecrow123456
dan0923
  • Locked
  • Question Question
ACL SIM QUESTION
Replies
4
Views
181
burtsbees
burtsbees

Part and Inventory Search

Sponsor

Back
Top