
access-list not working

colpal
Beginner

I configured an access-list to allow anybody on one side of a small frame relay link to access only one server on the other side. It does not work, anybody can access anybody.

access-list 104 permit ip host a.b.c.d any

access-list 104 deny ip any any

access-list 104 deny tcp any any eq 1352

access-list 104 permit ip any any

Remarks? Thanks in advance, folks

3 REPLIES

Richard Burts
Hall of Fame Guru

We cannot really answer your question until you tell us not only what was configured in the list but also how the list was applied (on what interface and in what direction).

I notice in the list that the second statement is deny ip any any which will deny all traffic. This means that the third and fourth statements in the list will never be executed. I doubt that this is what you meant. The best practice for access lists is for statements with any any (whether it is permit any any or it is deny any any) to be the last statement in the access list.

HTH

Rick

wkumari
Beginner

Access lists are processed in top-down order. This means that you are first allowing access to the host a.b.c.d (access-list 104 permit ip host a.b.c.d any), then you are blocking everything else (access-list 104 deny ip any any), which means that the 3rd and 4th lines are never evaluated.

If it seems that the ACL is not doing ANYTHING, make sure that you have it applied to the right interface and in the right direction.

Warren
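As an added worked example (not from the thread or from Cisco), the small evaluator below models the top-down, first-match, implicit-deny behaviour that Rick and Warren describe for a numbered extended ACL, using only the `permit`/`deny`, `ip`/`tcp`/`udp`, `any`/`host`, `eq` and `log` keywords that appear in this thread. It parses the original poster's list, shows which entry a packet actually hits, and flags entries that can never match because an earlier broader entry shadows them. The addresses 192.0.2.10 (standing in for a.b.c.d) and 198.51.100.7 are constructed documentation addresses, and the "corrected" list is my reading of Rick's advice (server-only permit first, deny any any last), not something the thread itself spells out.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins: the thread writes the server as a.b.c.d.
SERVER = "192.0.2.10"
CLIENT = "198.51.100.7"  # a host on the far side of the frame relay link

# The original poster's list, with the "accessaccess-list" typo corrected.
ORIGINAL_ACL = f"""
access-list 104 permit ip host {SERVER} any
access-list 104 deny ip any any
access-list 104 deny tcp any any eq 1352
access-list 104 permit ip any any
"""

# Assumed corrected list: "only one server is reachable" means permit traffic
# TO the server, then deny everything else (with log, as Sebastian suggests).
# This would be applied inbound on the interface facing the clients.
CORRECTED_ACL = f"""
access-list 104 permit ip any host {SERVER}
access-list 104 deny ip any any log
"""


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # "any" or a host address
    dst: str               # "any" or a host address
    dport: Optional[int]   # destination port from "eq N", None if absent
    log: bool


def _addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any' or 'host X' starting at index i."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form at {tokens[i]!r}")


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the subset of IOS extended ACL syntax used in the thread."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if tokens[0] == "access-list":   # drop "access-list <number>"
            tokens = tokens[2:]
        action, proto = tokens[0], tokens[1]
        src, i = _addr(tokens, 2)
        dst, i = _addr(tokens, i)
        dport, log = None, False
        while i < len(tokens):
            if tokens[i] == "eq":
                dport, i = int(tokens[i + 1]), i + 2
            elif tokens[i] == "log":
                log, i = True, i + 1
            else:
                raise ValueError(f"unsupported keyword {tokens[i]!r} in {raw!r}")
        entries.append(AclEntry(action, proto, src, dst, dport, log))
    return entries


def evaluate(entries: List[AclEntry], src: str, dst: str,
             proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, 1-based entry number);
    entry number None means the implicit deny at the end of the list fired."""
    for n, e in enumerate(entries, start=1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.src != "any" and e.src != src:
            continue
        if e.dst != "any" and e.dst != dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, n
    return "deny", None


def _covers(broad: AclEntry, narrow: AclEntry) -> bool:
    """True if every packet matching `narrow` would already match `broad`."""
    return ((broad.proto == "ip" or broad.proto == narrow.proto)
            and (broad.src == "any" or broad.src == narrow.src)
            and (broad.dst == "any" or broad.dst == narrow.dst)
            and (broad.dport is None or broad.dport == narrow.dport))


def shadowed_entries(entries: List[AclEntry]) -> List[int]:
    """1-based numbers of entries that can never be reached (dead rules)."""
    return [j for j in range(1, len(entries) + 1)
            if any(_covers(entries[i - 1], entries[j - 1]) for i in range(1, j))]


if __name__ == "__main__":
    original = parse_acl(ORIGINAL_ACL)
    print("client -> server tcp/1352:", evaluate(original, CLIENT, SERVER, "tcp", 1352))
    print("dead entries in original list:", shadowed_entries(original))
    corrected = parse_acl(CORRECTED_ACL)
    print("client -> server tcp/1352:", evaluate(corrected, CLIENT, SERVER, "tcp", 1352))
    print("client -> other host tcp/80:", evaluate(corrected, CLIENT, "192.0.2.20", "tcp", 80))
```

Run against the original list, a client-to-server packet is dropped by entry 2 and entries 3 and 4 are reported as unreachable, which is exactly why "the 3rd and 4th lines are never evaluated". Note also that entry 1 of the original list matches packets whose source is the server, not packets going to it. If the real router permits everything, the list is not the problem: as Warren says, check the interface and direction it is applied in.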

Hi colpal,

First of all, the command that permits traffic to the server is in the wrong order.

access-list 104 permit ip any any host abcd (eg. eq http).

Next, you should use the LOG keyword if you apply an access-list for the first time, especially for the deny ip any any statement.

Now some words on the access-list logic.

It's a bit tricky.

In your case you used different specializations of an extended access-list. The problem with this is that there is a matching entry for a packet, but not all possible keywords are used. The access-list logic searches for a more specific entry. In your case, there is no other more specific entry and the last one permits all traffic (top down). So all traffic is permitted.

Here is the right order in which it might work:

permit ip any any

permit ip any any host a.b.c.d

deny tcp any any eq 1352

deny ip any any log

Hope this helps.

Sebastian