05-09-2006 08:06 AM - edited 03-03-2019 03:08 AM
Hi
I've got a few access lists configured that allow certain services through, like http, dns, etc.
My question is why do my routers and firewalls deny packets when I haven't put any explicit deny statements in my configs?
Thanks for your help in advance.
Dan
05-09-2006 08:11 AM
Dan
I am not sure that I fully understand your question. But I believe that the answer to your question is that an access list has an implicit deny at the bottom of the access list. You do not need to configure it, but effectively the last line in every access list is deny any any. So even if you do not code deny statements in the access list, any packet that goes through the entire access list without matching a permit statement will match the implicit deny and be denied.
Some people do configure an explicit deny any any as the last line. I sometimes do it so that it is clear what is happening with the access list. Also, having the statement configured means that when I do show access list there will be a counter showing how many times things fell through the list and were denied. Also, as a troubleshooting aid, sometimes I will code the last line as deny any any and add the log parameter so that there are log records for the packets that were denied.
HTH
Rick