ACE ordering

sue.nall
Level 1

Hi, 

I have a really long access list that has the following 2 entries, in this order, contained in it:

show ip access-list blah

<output omitted> 

1010  deny ip any 192.168.1.128 0.0.0.63 log  (no matches)
1200  permit tcp host 192.168.1.130 gt 1023 any eq www (matches actively incrementing at the rate of 2 or 3 every few seconds) 

<output omitted> 

Since the host 192.168.1.130 is contained within the subnet denied in the previous statement, I am at a loss to explain why the TCP traffic to the specific host is not ALSO denied by the previous line.


Anybody got a clue as to what might cause this?  What obvious thing am I missing?  I thought the hit counter only incremented if traffic was matched, and it really doesn't look like the tcp/80 traffic from 192.168.1.130 should be allowed.

(1st 3 octets of the IP address were changed to private, but the mask and the last octet are the same)

Thanks!

Sue

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

Line 1010 is deny FROM any to the subnet

Line 1200 is permit from a host in the subnet TO any

Assuming it's on a stateful firewall, the reflexive ACL will allow the return traffic that is generated by traffic being allowed by line 1200.

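To make the ordering concrete, here is an added example (not from the thread) that evaluates constructed packets against the two ACEs above with IOS-style wildcard matching. It shows that the outbound web request from 192.168.1.130 never touches line 1010 (its destination is "any", not the subnet), while the return traffic does hit 1010 unless a reflexive or stateful entry for the permitted flow sits in front of it. The 203.0.113.10 server address and the port numbers are constructed.

```python
import ipaddress

# Constructed ACL mirroring the two entries from the question. "any" is stored
# as 0.0.0.0 with wildcard 255.255.255.255, the way IOS represents it.
ACL = [
    dict(seq=1010, action="deny", proto="ip", src=("0.0.0.0", "255.255.255.255"),
         sport=None, dst=("192.168.1.128", "0.0.0.63"), dport=None),
    dict(seq=1200, action="permit", proto="tcp", src=("192.168.1.130", "0.0.0.0"),
         sport=("gt", 1023), dst=("0.0.0.0", "255.255.255.255"), dport=("eq", 80)),
]

# Constructed packets: the web request from the host, the server's reply to it,
# and an unsolicited inbound connection attempt to the same host.
OUTBOUND = dict(proto="tcp", src="192.168.1.130", sport=40000, dst="203.0.113.10", dport=80)
RETURN = dict(proto="tcp", src="203.0.113.10", sport=80, dst="192.168.1.130", dport=40000)
UNSOLICITED = dict(proto="tcp", src="203.0.113.10", sport=12345, dst="192.168.1.130", dport=22)


def addr_matches(addr, spec):
    """IOS wildcard match: a 1 bit in the wildcard means 'do not care'."""
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def port_matches(port, cond):
    if cond is None:  # ACE has no port test (e.g. protocol "ip")
        return True
    op, val = cond
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]


def ace_matches(ace, pkt):
    return ((ace["proto"] == "ip" or ace["proto"] == pkt["proto"])
            and addr_matches(pkt["src"], ace["src"]) and port_matches(pkt["sport"], ace["sport"])
            and addr_matches(pkt["dst"], ace["dst"]) and port_matches(pkt["dport"], ace["dport"]))


def evaluate(acl, pkt):
    """First matching ACE wins; returns (seq, action). Implicit deny if nothing matches."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["seq"], ace["action"]
    return None, "deny"


def reflexive_entry(pkt):
    """Mirror of a permitted outbound flow: what a reflexive/stateful entry allows back."""
    return dict(seq="reflexive", action="permit", proto=pkt["proto"],
                src=(pkt["dst"], "0.0.0.0"), sport=("eq", pkt["dport"]),
                dst=(pkt["src"], "0.0.0.0"), dport=("eq", pkt["sport"]))
```

Run `evaluate(ACL, OUTBOUND)` to see 1200 permit the request, `evaluate(ACL, RETURN)` to see 1010 deny the reply on a static ACL, and `evaluate([reflexive_entry(OUTBOUND)] + ACL, RETURN)` to see the reflexive entry let it through.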

2 Replies


Thanks Marvin, I can't believe I missed that!  I'm restructuring these massive ACLs on HSRP pairs of routers and I'm just going cross-eyed looking at that.  Silly question, but I appreciate the response.

Sue
