https://community.cisco.com/t5/network-security/ace-ordering/m-p/2674873#M194333 <P>Hi,&nbsp;</P><P>I have a really long&nbsp;access list that has the following 2 entries, in this order, contained in it:</P><P>show ip access-list blah</P><P>&lt;output omitted&gt;&nbsp;</P><P>1010 &nbsp;deny ip any 192.168.1.128 0.0.0.63 log &nbsp;(no matches)<BR />1200 &nbsp;permit tcp host 192.168.1.130 gt 1023 any eq www (matches actively incrementing at the rate of 2 or 3 every few seconds)&nbsp;</P><P>&lt;output omitted&gt;&nbsp;</P><P>since the host 192.168.1.130 is contained within the subnet denied in the previous statement, I am at a loss to explain why the TCP traffic to the specific host is not ALSO denied by the previous line.</P><P>&nbsp;</P><P>Anybody got a clue as to what might cause this? &nbsp;What obvious thing am I missing? &nbsp;I thought the hit counter only incremented if traffic was matched, and it really doesn't look like the tcp/80 traffic from 192.168.1.130 should be allowed.</P><P>(1st 3 octets of the IP address were changed to private, but the mask and the last octet are the same)</P><P>Thanks!</P><P>Sue</P> Tue, 12 Mar 2019 06:10:54 GMT sue.nall 2019-03-12T06:10:54Z https://community.cisco.com/t5/network-security/ace-ordering/m-p/2674873#M194333 <P>Hi,&nbsp;</P><P>I have a really long&nbsp;access list that has the following 2 entries, in this order, contained in it:</P><P>show ip access-list blah</P><P>&lt;output omitted&gt;&nbsp;</P><P>1010 &nbsp;deny ip any 192.168.1.128 0.0.0.63 log &nbsp;(no matches)<BR />1200 &nbsp;permit tcp host 192.168.1.130 gt 1023 any eq www (matches actively incrementing at the rate of 2 or 3 every few seconds)&nbsp;</P><P>&lt;output omitted&gt;&nbsp;</P><P>since the host 192.168.1.130 is contained within the subnet denied in the previous statement, I am at a loss to explain why the TCP traffic to the specific host is not ALSO denied by the previous line.</P><P>&nbsp;</P><P>Anybody got a clue as to what might cause this? &nbsp;What obvious thing am I missing? &nbsp;I thought the hit counter only incremented if traffic was matched, and it really doesn't look like the tcp/80 traffic from 192.168.1.130 should be allowed.</P><P>(1st 3 octets of the IP address were changed to private, but the mask and the last octet are the same)</P><P>Thanks!</P><P>Sue</P> Tue, 12 Mar 2019 06:10:54 GMT https://community.cisco.com/t5/network-security/ace-ordering/m-p/2674873#M194333 sue.nall 2019-03-12T06:10:54Z https://community.cisco.com/t5/network-security/ace-ordering/m-p/2674874#M194334 <P>Line 1010 is deny <STRONG>FROM</STRONG>&nbsp;any&nbsp;to the subnet</P><P>Line 1200 is permit from a host in the subnet <STRONG>TO</STRONG> any</P><P>Assuming it's on a stateful firewall, the reflexive ACL will allow the return traffic that is generated by traffic being allowed by line 1200.</P> Thu, 25 Jun 2015 03:14:55 GMT https://community.cisco.com/t5/network-security/ace-ordering/m-p/2674874#M194334 Marvin Rhoads 2015-06-25T03:14:55Z https://community.cisco.com/t5/network-security/ace-ordering/m-p/2674875#M194335 <P>Thanks Marvin, I can't believe I missed that! &nbsp;I'm re structuring these massive ACLs on HSRP pairs of routers and I'm just going cross eyed looking at that. &nbsp;Silly question, but I appreciate the response.</P><P>Sue</P> Thu, 25 Jun 2015 13:03:24 GMT https://community.cisco.com/t5/network-security/ace-ordering/m-p/2674875#M194335 sue.nall 2015-06-25T13:03:24Z