09-21-2004 06:46 AM - edited 03-02-2019 06:39 PM
Is there an order in which the access lists need to be in or am I missing something else?
I have a connection to a vendor and I need them to be able to ping my outside interface and block everything else to that interface... I have the following set currently but they still are not able to ping. What am I missing?
ip access-list extended noaccess
deny ip any host 10.10.10.5
deny ip any host 10.10.10.7
permit ip any any
permit icmp X.X.X.0 0.0.0.255 host 10.10.10.7 echo
09-21-2004 07:10 AM
Yes, access-lists have a specific order; once a rule is matched from top to bottom, it processes the packets based on that rule. So, you're on the right track.
ip access-list ex noaccess
deny ip any host 10.10.10.5
permit icmp x.x.x.0 0.0.0.255 host 10.10.10.7 echo
deny ip any host 10.10.10.7
permit ip any any
IP is inclusive of TCP, UDP, ICMP, etc., so when you deny ip for 10.10.10.7, it matches that rule and denies ICMP for 10.10.10.7, and never gets to the "permit icmp". It's also best to put your most often accessed rules toward the top so that you use less CPU per packet. If your ACLs start getting long-winded and this is an internet router, then usually you'll put a permit tcp any any eq 80 & permit tcp any any eq 443 at the top of the ACL.
09-21-2004 06:54 AM
You don't need the last line, but what are the 10.10.10.5 & 10.10.10.7? If they are the interfaces in question, you have denied anything destined for them.
Access lists should be constructed starting with the more specific at the top.
09-21-2004 07:17 AM
X.X.X.5 would be my internal interface.
x.x.x.7 is my external interface.
I do want to block access to these interfaces, with the exception of allowing ping from the specified range x.x.x.0 0.0.0.255 to the x.x.x.7 interface.
So wouldn't I need the last line to allow the ICMP?
Is it a matter of just re-arranging the order, or do I need to do something different?
09-21-2004 06:56 AM
First question: yes, the order of the lines is significant: the lines are processed strictly in the order they appear. For example, in your access list, the last line is redundant because the penultimate line already allows everything. In fact, it looks to me as if you intended the last line to be at the top. You need to delete the access list ("no ip access-list extended noaccess") and re-type it in the correct order.
Second point: it matters where you apply the access list, and in which direction, i.e. where you have the access-group command, and whether it is specified as input or output.
Thirdly, bear in mind that access lists filter packets, not connections. For a ping to work, the packets must be able to flow in both directions: for the outgoing ping, and for the response.
Hope this helps.
Kevin Dorrell
Luxembourg
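The first-match behaviour described in the two answers above can be checked without a router. The following is an added example, not code from any poster in this thread: a small Python evaluator for extended ACL entries in the syntax used here (action, protocol, source, destination, optional ICMP type or "eq port"). It runs the original "noaccess" list and the reordered one against the same constructed packets; the vendor range 192.0.2.0/24 and the host 192.0.2.25 are made-up stand-ins for the thread's x.x.x.0 0.0.0.255. The round-trip helper at the end models Kevin's point that a ping needs the echo to pass in one direction and the echo-reply in the other when ACLs are applied on a transit path.

```python
import ipaddress

# Constructed example: first-match evaluation of Cisco-style extended ACL entries.
# The entry syntax follows the thread; the address 192.0.2.0/24 is a made-up vendor range.


def parse_addr(tok, i):
    """Return (network, next_index) for 'any', 'host X', or 'X wildcard' at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    addr, wildcard = tok[i], tok[i + 1]
    # A wildcard mask is the bitwise inverse of a netmask (assumes a contiguous mask).
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_entry(line):
    """Parse 'permit|deny <proto> <src> <dst> [echo|echo-reply|eq <port>]'."""
    tok = line.split()
    src, i = parse_addr(tok, 2)
    dst, i = parse_addr(tok, i)
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "extra": tok[i:]}


def matches(entry, pkt):
    """True if the packet dict matches the entry. 'ip' covers every protocol, as the answer notes."""
    if entry["proto"] not in ("ip", pkt["proto"]):
        return False
    if ipaddress.ip_address(pkt["src"]) not in entry["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in entry["dst"]:
        return False
    extra = entry["extra"]
    if entry["proto"] == "icmp" and extra:          # e.g. 'echo' or 'echo-reply'
        return pkt.get("icmp_type") == extra[0]
    if extra[:1] == ["eq"]:                          # e.g. 'eq 80'
        return pkt.get("dport") == int(extra[1])
    return True


def evaluate(acl_lines, pkt):
    """Return (action, matching line number); unmatched packets hit the implicit deny."""
    for n, line in enumerate(acl_lines, 1):
        entry = parse_entry(line)
        if matches(entry, pkt):
            return entry["action"], n
    return "deny", None


def ping_round_trip(inbound_acl, outbound_acl, src_ip, dst_ip):
    """Echo request checked against the inbound list, echo-reply against the outbound list.
    outbound_acl=None means no list is applied in that direction, so the reply passes."""
    req = {"proto": "icmp", "src": src_ip, "dst": dst_ip, "icmp_type": "echo"}
    rep = {"proto": "icmp", "src": dst_ip, "dst": src_ip, "icmp_type": "echo-reply"}
    req_ok = evaluate(inbound_acl, req)[0] == "permit"
    rep_ok = outbound_acl is None or evaluate(outbound_acl, rep)[0] == "permit"
    return req_ok and rep_ok


# The list as originally posted: the 'deny ip' for .7 sits above the 'permit icmp'.
ORIGINAL_ACL = [
    "deny ip any host 10.10.10.5",
    "deny ip any host 10.10.10.7",
    "permit ip any any",
    "permit icmp 192.0.2.0 0.0.0.255 host 10.10.10.7 echo",
]

# The reordered list from the accepted answer: specific permit before the broad deny.
REORDERED_ACL = [
    "deny ip any host 10.10.10.5",
    "permit icmp 192.0.2.0 0.0.0.255 host 10.10.10.7 echo",
    "deny ip any host 10.10.10.7",
    "permit ip any any",
]

# Constructed packets: the vendor's ping, a TCP attempt at the same interface, transit traffic.
VENDOR_PING = {"proto": "icmp", "src": "192.0.2.25", "dst": "10.10.10.7", "icmp_type": "echo"}
VENDOR_TCP = {"proto": "tcp", "src": "192.0.2.25", "dst": "10.10.10.7", "dport": 22}
TRANSIT_WEB = {"proto": "tcp", "src": "192.0.2.25", "dst": "10.10.10.50", "dport": 80}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("reordered", REORDERED_ACL)):
        print(name, "ping:", evaluate(acl, VENDOR_PING), "tcp:", evaluate(acl, VENDOR_TCP),
              "transit:", evaluate(acl, TRANSIT_WEB))
    print("round trip, reordered inbound, no outbound list:",
          ping_round_trip(REORDERED_ACL, None, "192.0.2.25", "10.10.10.7"))
```

With the original order the ping is stopped at line 2 and the last line is never reached; with the reordered list the same packet is permitted at line 2 while other traffic to 10.10.10.7 still falls through to the deny at line 3, and traffic to other hosts reaches the final permit.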
09-21-2004 07:21 AM
Thanks, I think that's what I needed, I'll go try it now. Thanks for the eq 80 and eq 443 tip also.
J~