Access-list

prashantrecon
Level 1

Hi

In a firewall, traffic flows from a higher security level to a lower security level by default.

If I apply an access-list to deny particular traffic, say the 10.1.1.0/24 network should not flow to the lower-level interface, and apply the access-list on the inside interface:

Will the remaining network traffic, say 192.168.1.0/24, also be blocked?

3 Replies

Jennifer Halim
Cisco Employee

When you configure an access-list to deny, you will also need to explicitly configure the permit for the remaining networks that you would like to allow, because there is an implicit deny any any at the end of the access-list.

In your scenario, if you just want to block 10.1.1.0/24 network, then you can configure the following:

access-list inside-acl deny ip 10.1.1.0 255.255.255.0 any

access-list inside-acl permit ip any any

Or, if you want to be more restrictive, you can also configure the following:

access-list inside-acl deny ip 10.1.1.0 255.255.255.0 any

access-list inside-acl permit ip 192.168.1.0 255.255.255.0 any

Thank you,
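The following is an added example, not code from the thread or from Cisco: a small Python model of how the ASA walks an access-list top to bottom, takes the first matching entry, and falls through to the implicit deny when nothing matches. It parses the exact ACL lines quoted in the answer above and shows the verdict for a host in 10.1.1.0/24, a host in 192.168.1.0/24, and a host in a third network. Assumptions: only extended `ip` entries with source and destination networks are modelled (no ports or other protocols), the destination 8.8.8.8 is a constructed placeholder for "some host on the lower-security interface", and the `HOSTS` addresses are constructed test data.

```python
import ipaddress

# Added example (not from the thread): a first-match evaluator that models
# how an ASA walks an access-list top to bottom and falls through to the
# implicit "deny ip any any". Only protocol "ip" with source/destination
# networks is modelled; ports and other protocols are out of scope here.

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_net(tokens, i):
    """Consume either 'any' or 'ADDRESS MASK' starting at tokens[i].

    Returns (network, next_index). ASA ACLs use dotted-decimal masks,
    which ipaddress accepts in 'addr/mask' form.
    """
    if tokens[i] == "any":
        return ANY, i + 1
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_acl(lines):
    """Parse 'access-list NAME {permit|deny} ip SRC DST' lines into entries.

    Each entry is (action, src_net, dst_net). 'remark' lines and anything that
    is not an extended 'ip' ACE are ignored.
    """
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            continue
        src, i = _take_net(tokens, 4)
        dst, _ = _take_net(tokens, i)
        entries.append((action, src, dst))
    return entries


def evaluate(entries, src_ip, dst_ip):
    """First matching ACE wins; no match means the implicit deny.

    Returns (action, index) where index is the 0-based ACE position, or
    ("deny", None) when the implicit deny at the end applied.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for idx, (action, src_net, dst_net) in enumerate(entries):
        if src in src_net and dst in dst_net:
            return action, idx
    return "deny", None


def verdicts(acl_lines, sources, dst_ip="8.8.8.8"):
    """Map each source address to the action the ACL produces for it."""
    entries = parse_acl(acl_lines)
    return {s: evaluate(entries, s, dst_ip)[0] for s in sources}


# Constructed test hosts: one in the blocked /24, one in the "other" /24,
# and one in a network the thread never mentions.
HOSTS = ["10.1.1.7", "192.168.1.7", "172.16.5.7"]

# 1) Only the deny line: the implicit deny at the end also drops 192.168.1.0/24.
DENY_ONLY = ["access-list inside-acl deny ip 10.1.1.0 255.255.255.0 any"]

# 2) Deny followed by permit any: everything except 10.1.1.0/24 passes.
DENY_THEN_PERMIT_ANY = DENY_ONLY + ["access-list inside-acl permit ip any any"]

# 3) Restrictive: only 192.168.1.0/24 is permitted; 172.16.5.7 hits the implicit deny.
RESTRICTIVE = DENY_ONLY + ["access-list inside-acl permit ip 192.168.1.0 255.255.255.0 any"]

# 4) Caveat: order matters. With the permit placed first, the deny is shadowed
#    and 10.1.1.0/24 is never blocked.
PERMIT_FIRST = ["access-list inside-acl permit ip any any"] + DENY_ONLY

if __name__ == "__main__":
    for name, acl in [("deny only", DENY_ONLY),
                      ("deny + permit any", DENY_THEN_PERMIT_ANY),
                      ("restrictive", RESTRICTIVE),
                      ("permit first (shadowed deny)", PERMIT_FIRST)]:
        print(f"{name}: {verdicts(acl, HOSTS)}")
```

Two practitioner notes. First, an ASA access-list does nothing until it is bound to an interface, so the configuration in the answer still needs `access-group inside-acl in interface inside`. Second, the on-box way to confirm the verdict for a given flow is `packet-tracer input inside tcp 192.168.1.7 12345 8.8.8.8 80`, which reports which ACE (or the implicit deny) matched; the fourth scenario in the script is the classic mistake that only such a check catches, since a shadowed deny line looks correct in `show running-config`.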

So, same concept as on routers?

Yes, absolutely correct, same concept as access-list on routers.

Please kindly mark the post as answered if you have no further questions. Thank you.
