Access Control List

chhay.heng
Level 1

"access-list 100 deny ip host 192.168.2.10 host 192.168.3.11"

it should deny a single host, but why 192.168.2.10 can't access all ip in 192.168.3.0.

Thanks in advance

1 Accepted Solution

Accepted Solutions

Shrikant Sundaresh
Cisco Employee

Hi Chem,

To add to what Marcin has written in the earlier post, there is an implicit "deny ip any any" at the end of every access-list.

So this means that if you configure just the ACL you have made, "access-list 100 deny ip host 192.168.2.10 host 192.168.3.11",

and apply this to one of the interfaces, "access-group 100 in int inside" for example,

then it actually looks like:

access-list 100 deny ip host 192.168.2.10 host 192.168.3.11

access-list 100 deny ip any any [hidden]

and therefore no traffic will pass through.

Instead if you configure it this way:

access-list 100 deny ip host 192.168.2.10 host 192.168.3.11

access-list 100 permit ip host 192.168.2.10 192.168.3.0 255.255.255.0

and then apply it to an interface, then 192.168.2.10 will be able to communicate with everything in 192.168.3.0 /24 except for .11.

Hope this helps.

PS: Kindly mark the post answered if your question is answered, and kindly rate helpful posts.


4 Replies

Marcin Latosiewicz
Cisco Employee

Chem,

There is little data here to move forward, we don't know what the rest of ACL looks like or what the platform, topology/scenario is.

The access-list is just saying traffic from host A to host B is not interesting. Access-lists are used for MATCHING traffic, not dropping. You apply the access-list with the access-group command to make access-group drop traffic.

Marcin


Dear Sundaresh,

Yeah, thanks...it's what I want! But...access-list 100 permit ip host 192.168.2.10 192.168.3.0 255.255.255.0, it should be 0.0.0.255, right?

Regards,

Chhayheng

Setec University student

Hi Chem,

I'm sorry about the mask. It would be 0.0.0.255 on a router, while it would be 255.255.255.0 on a firewall.

I primarily work with firewalls, so intuitively wrote the subnet mask.

-Shrikant
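The two points made in this thread, the implicit "deny ip any any" at the end of every ACL and the wildcard-mask (router) versus subnet-mask (firewall) convention, can be checked with a small first-match ACL evaluator. This is an added example and not code from the thread or from Cisco; the function names and the `style` parameter are my own assumptions, and the addresses are the ones from the question. It also shows what happens when a subnet mask is typed where a router expects a wildcard mask.

```python
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def ip_int(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus (address, wildcard) for source and destination."""
    action: str
    src: int
    src_wc: int
    dst: int
    dst_wc: int


def parse_ace(line, style="router"):
    """Parse 'access-list <n> permit|deny ip <src-spec> <dst-spec>'.

    A spec is 'host A', 'any', or 'A M'. In 'router' style (IOS) M is a wildcard
    mask, where a 1 bit means "don't care". In 'firewall' style (ASA) M is a subnet
    mask, where a 1 bit means "must match"; it is inverted into a wildcard so the
    matcher works with a single convention. Both are assumptions of this example.
    """
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny") or toks[3] != "ip":
        raise ValueError("unsupported ACE: " + line)
    pos = 4
    fields = []
    for _ in range(2):                       # source spec, then destination spec
        if toks[pos] == "host":
            fields.append((ip_int(toks[pos + 1]), 0))
            pos += 2
        elif toks[pos] == "any":
            fields.append((0, MASK32))
            pos += 1
        else:
            addr, mask = ip_int(toks[pos]), ip_int(toks[pos + 1])
            if style == "firewall":
                mask ^= MASK32               # subnet mask -> wildcard mask
            fields.append((addr, mask))
            pos += 2
    (src, src_wc), (dst, dst_wc) = fields
    return Ace(toks[2], src, src_wc, dst, dst_wc)


def field_matches(value, base, wildcard):
    """Bits set in the wildcard are ignored; every other bit must equal the base."""
    return ((value ^ base) & (~wildcard & MASK32)) == 0


def evaluate(acl, src, dst):
    """First-match evaluation; falls through to the implicit 'deny ip any any'."""
    s, d = ip_int(src), ip_int(dst)
    for ace in acl:
        if field_matches(s, ace.src, ace.src_wc) and field_matches(d, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"                            # the hidden last line of every ACL


def build(lines, style="router"):
    return [parse_ace(line, style) for line in lines]


# ACLs from the thread (constructed here from the posted lines).
DENY_ONLY = ["access-list 100 deny ip host 192.168.2.10 host 192.168.3.11"]
FIXED_ROUTER = DENY_ONLY + [
    "access-list 100 permit ip host 192.168.2.10 192.168.3.0 0.0.0.255"]
FIXED_FIREWALL = DENY_ONLY + [
    "access-list 100 permit ip host 192.168.2.10 192.168.3.0 255.255.255.0"]

if __name__ == "__main__":
    for name, lines, style in (("deny only", DENY_ONLY, "router"),
                               ("router fix", FIXED_ROUTER, "router"),
                               ("firewall fix", FIXED_FIREWALL, "firewall"),
                               ("subnet mask on router", FIXED_FIREWALL, "router")):
        acl = build(lines, style)
        for dst in ("192.168.3.11", "192.168.3.20", "10.0.0.0"):
            print(f"{name:22s} 192.168.2.10 -> {dst:13s} {evaluate(acl, '192.168.2.10', dst)}")
```

With only the deny line, every destination ends in "deny" because nothing is permitted before the implicit deny. With the permit line added, .11 is still denied and the rest of 192.168.3.0/24 is permitted. The last case is the caveat from the follow-up: 255.255.255.0 read as a wildcard on a router means the first three octets are ignored and the last octet must be 0, so 192.168.3.20 is denied while 10.0.0.0 is permitted.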
