Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
452
Views
5
Helpful
2
Replies

ACE ordering

Go to solution
sue.nall
Level 1
Level 1

‎06-24-2015 02:05 PM - edited ‎03-11-2019 11:10 PM

Hi, 

I have a really long access list that has the following 2 entries, in this order, contained in it:

show ip access-list blah

<output omitted> 

1010  deny ip any 192.168.1.128 0.0.0.63 log  (no matches)
1200  permit tcp host 192.168.1.130 gt 1023 any eq www (matches actively incrementing at the rate of 2 or 3 every few seconds) 

<output omitted> 

since the host 192.168.1.130 is contained within the subnet denied in the previous statement, I am at a loss to explain why the TCP traffic to the specific host is not ALSO denied by the previous line.

 

Anybody got a clue as to what might cause this?  What obvious thing am I missing?  I thought the hit counter only incremented if traffic was matched, and it really doesn't look like the tcp/80 traffic from 192.168.1.130 should be allowed.

(1st 3 octets of the IP address were changed to private, but the mask and the last octet are the same)

Thanks!

Sue

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-24-2015 08:14 PM

Line 1010 is deny FROM any to the subnet

Line 1200 is permit from a host in the subnet TO any

Assuming it's on a stateful firewall, the reflexive ACL will allow the return traffic that is generated by traffic being allowed by line 1200.

View solution in original post

2 Replies 2

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-24-2015 08:14 PM

Line 1010 is deny FROM any to the subnet

Line 1200 is permit from a host in the subnet TO any

Assuming it's on a stateful firewall, the reflexive ACL will allow the return traffic that is generated by traffic being allowed by line 1200.

Go to solution
sue.nall
Level 1
Level 1
In response to Marvin Rhoads

‎06-25-2015 06:03 AM

Thanks Marvin, I can't believe I missed that!  I'm re structuring these massive ACLs on HSRP pairs of routers and I'm just going cross eyed looking at that.  Silly question, but I appreciate the response.

Sue

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card