cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3350
Views
10
Helpful
3
Replies

ACL

will75136
Level 1
Level 1

000.PNG3333.PNG

Hello experts, I have a question about ACL.

I have configured the first requirement like below on both R1 and R2.

!

access-list 101 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www

Though it works, I found that my PC in 192.168.3.0 network could not ping 192.168.1.0 network either.

Is there something I miss?

2 Accepted Solutions

Accepted Solutions

Martin L
VIP
VIP

 

do you have permit ip any any ?

each ACL has impicit deny at the end of ACL; Such entry is not visible normally.   therefore, you need permit any Or permit ip any any Or specific network/host.  i,e permit icmp any any to ping , in your example, you may see access-list 101 deny ip any any as last entry.

if you want to ping or allow other traffic, add access-list 101 permit ip any any

 

Regards, ML
**Please Rate All Helpful Responses **

View solution in original post


Yes, ACL order is from top to the bottom but it can stop once the match is found. In your case, you have 3 lines, line 3 is never read because line 2 will match all traffic (everything). router will never get to line 3. you have to re-arrange order.

View solution in original post

3 Replies 3

Martin L
VIP
VIP

 

do you have permit ip any any ?

each ACL has impicit deny at the end of ACL; Such entry is not visible normally.   therefore, you need permit any Or permit ip any any Or specific network/host.  i,e permit icmp any any to ping , in your example, you may see access-list 101 deny ip any any as last entry.

if you want to ping or allow other traffic, add access-list 101 permit ip any any

 

Regards, ML
**Please Rate All Helpful Responses **

Thank you, sir.

It works well.
Does ACL execute the access-list in order?
It seems everything after "permit ip any any" will be ignore, isn`t it? (I still can access the ftp server.)
!
ip access-group 101 out
access-list 101 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www
access-list 101 permit ip any any
access-list 101 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp
!


Yes, ACL order is from top to the bottom but it can stop once the match is found. In your case, you have 3 lines, line 3 is never read because line 2 will match all traffic (everything). router will never get to line 3. you have to re-arrange order.