https://community.cisco.com/t5/network-access-control/acl/m-p/4071988#M559847 Thank you, sir.<BR /><BR />It works well.<BR />Does ACL execute the access-list in order?<BR />It seems everything after "permit ip any any" will be ignore, isn`t it? (I still can access the ftp server.)<BR />!<BR />ip access-group 101 out<BR />access-list 101 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www<BR />access-list 101 permit ip any any<BR />access-list 101 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp<BR />! Thu, 23 Apr 2020 03:14:24 GMT will75136 2020-04-23T03:14:24Z https://community.cisco.com/t5/network-access-control/acl/m-p/4071878#M559841 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="000.PNG" style="width: 739px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/72613i5573143052CBC5D2/image-size/large?v=v2&amp;px=999" role="button" title="000.PNG" alt="000.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="3333.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/72614i7F77C2885449FFE2/image-size/large?v=v2&amp;px=999" role="button" title="3333.PNG" alt="3333.PNG" /></span></P><P>Hello experts, I have a question about ACL.</P><P>I have configured the first requirement like below on both R1 and R2.</P><P>!</P><P>access-list 101 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www</P><P>!&nbsp;</P><P>Though it works, I found that my PC in 192.168.3.0 network could not ping 192.168.1.0 network either.</P><P>Is there something I miss?</P> Wed, 22 Apr 2020 23:16:33 GMT https://community.cisco.com/t5/network-access-control/acl/m-p/4071878#M559841 will75136 2020-04-22T23:16:33Z https://community.cisco.com/t5/network-access-control/acl/m-p/4071888#M559843 <P>&nbsp;</P><P>do you have permit ip any any ?</P><P>each ACL has impicit <U>deny</U> at the end of ACL; Such entry is <U>not visible</U> normally. &nbsp; therefore, you need permit any Or <EM>permit ip any any</EM> Or specific network/host.&nbsp; i,e permit<EM> icmp any</EM> <EM>any</EM> to ping , in your example, you may see <EM>access-list 101 deny ip any any</EM> as last entry.</P><P>if you want to ping or allow other traffic, add <EM>access-list 101 permit ip any any</EM></P><P>&nbsp;</P><P>Regards, ML<BR />**Please Rate All Helpful Responses **</P> Wed, 22 Apr 2020 23:57:18 GMT https://community.cisco.com/t5/network-access-control/acl/m-p/4071888#M559843 Martin L 2020-04-22T23:57:18Z https://community.cisco.com/t5/network-access-control/acl/m-p/4071988#M559847 Thank you, sir.<BR /><BR />It works well.<BR />Does ACL execute the access-list in order?<BR />It seems everything after "permit ip any any" will be ignore, isn`t it? (I still can access the ftp server.)<BR />!<BR />ip access-group 101 out<BR />access-list 101 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www<BR />access-list 101 permit ip any any<BR />access-list 101 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp<BR />! Thu, 23 Apr 2020 03:14:24 GMT https://community.cisco.com/t5/network-access-control/acl/m-p/4071988#M559847 will75136 2020-04-23T03:14:24Z https://community.cisco.com/t5/network-access-control/acl/m-p/4072010#M559849 <BR />Yes, ACL order is from top to the bottom but it can stop once the match is found. In your case, you have 3 lines, line 3 is never read because line 2 will match all traffic (everything). router will never get to line 3. you have to re-arrange order. Thu, 23 Apr 2020 04:17:05 GMT https://community.cisco.com/t5/network-access-control/acl/m-p/4072010#M559849 Martin L 2020-04-23T04:17:05Z