609 Views, 0 Helpful, 1 Reply

ACL setup

I am trying to set up an ACE on our ASA 5520 where I need to allow a subnet access but block two IP addresses within that subnet. Should I do the permit statement for the subnet first, or should I put the deny statements for the IP addresses first? For example, say I did a permit statement for host 10.170.8.0 255.255.255.0 to include that whole subnet, but I wanted to deny access just for 10.170.8.5 and 10.170.8.6. Would that be:

access-list OUT extended deny ip host 10.170.8.5 any
access-list OUT extended deny ip host 10.170.8.6 any
access-list OUT extended permit ip 10.170.8.0 255.255.255.0 any

Accepted Solution

The deny statements first and then the permit statements. You have it correct.

access-list OUT extended deny ip host 10.170.8.5 any
access-list OUT extended deny ip host 10.170.8.6 any
access-list OUT extended permit ip 10.170.8.0 255.255.255.0 any

Remember the access-group.
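The reason the deny lines go first is that an ASA access list is evaluated top down and the first matching entry wins, with an implicit deny at the end. The following Python script is an added example, not code from the thread or from Cisco: it parses ACEs written in the thread's extended syntax (source, then destination; `host A`, `A MASK` or `any`), evaluates a packet against the list in order, and flags entries that an earlier, broader entry shadows. The sample ACL lines and the destination address 8.8.8.8 are constructed for the demonstration, and the `_parse_addr`, `parse_ace`, `evaluate` and `shadowed_entries` names are the example's own. A stray trailing `any` (as in `host 10.170.8.5 any any`) is rejected by the parser, which is also what the ASA would do.

```python
import ipaddress

# Constructed sample ACL, mirroring the thread's config with the denies first.
DENY_FIRST = [
    "access-list OUT extended deny ip host 10.170.8.5 any",
    "access-list OUT extended deny ip host 10.170.8.6 any",
    "access-list OUT extended permit ip 10.170.8.0 255.255.255.0 any",
]
# The same three entries with the subnet permit on top: the denies never match.
PERMIT_FIRST = [DENY_FIRST[2], DENY_FIRST[0], DENY_FIRST[1]]


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A' or 'A MASK'.
    Returns (network, index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # dotted netmask form, e.g. 10.170.8.0/255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse one extended ACE into (acl_name, action, protocol, src_net, dst_net).
    Raises ValueError on anything that is not a well-formed entry."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" \
            or t[3] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    if i != len(t):  # e.g. the extra 'any' in 'host 10.170.8.5 any any'
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return t[1], t[3], t[4], src, dst


def is_valid_ace(line):
    """True if the line parses as an extended ACE."""
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def evaluate(acl_lines, src_ip, dst_ip, proto="ip"):
    """First-match evaluation. Returns (action, index of the matching ACE);
    a packet that matches nothing hits the implicit deny and gets index None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, line in enumerate(acl_lines):
        _, action, ace_proto, src_net, dst_net = parse_ace(line)
        if ace_proto not in ("ip", proto):  # 'ip' covers every protocol
            continue
        if s in src_net and d in dst_net:
            return action, idx
    return "deny", None


def shadowed_entries(acl_lines):
    """Indexes of ACEs that can never match because an earlier ACE covers
    everything they would match (protocol, source and destination)."""
    parsed = [parse_ace(line) for line in acl_lines]
    result = []
    for j, (_, _, pj, sj, dj) in enumerate(parsed):
        for i in range(j):
            _, _, pi, si, di = parsed[i]
            if pi in ("ip", pj) and sj.subnet_of(si) and dj.subnet_of(di):
                result.append(j)
                break
    return result


if __name__ == "__main__":
    for name, acl in (("deny first", DENY_FIRST), ("permit first", PERMIT_FIRST)):
        print(f"{name}: 10.170.8.5 -> {evaluate(acl, '10.170.8.5', '8.8.8.8')}, "
              f"10.170.8.7 -> {evaluate(acl, '10.170.8.7', '8.8.8.8')}, "
              f"shadowed entries: {shadowed_entries(acl)}")
```

With the denies first, 10.170.8.5 and 10.170.8.6 hit entries 0 and 1 and are dropped while the rest of 10.170.8.0/24 reaches the permit; with the permit first, every host in the subnet matches entry 0 and `shadowed_entries` reports the two denies as dead. On the real box the list does nothing until it is bound with `access-group OUT in interface <ifname>`, and `show access-list OUT` shows per-entry hit counts, which is the quickest way to confirm that the deny entries are actually being matched.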
