23070 Views | 9 Helpful | 3 Replies

What access-list deny ip any any means

jlawan
Level 1

Hello, I just want to confirm that if I have an access-list that denies ip any any at the end of my config, this will include denying all other tcp or udp (such as deny udp any any eq 135, eq tftp, etc. etc.), right? Here's a config of my router that runs IOS firewall.

version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
enable secret xxxx
enable password xxx
!
memory-size iomem 25
ip subnet-zero
!
!
!
ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
interface Ethernet0
 ip address 24.x.x.x.x.255.224
 ip access-group 112 in
 ip nat outside
 half-duplex
!
interface FastEthernet0
 ip address 192.168.13.30 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip inspect ethernetin in
 speed auto
!
interface Serial0
 no ip address
 shutdown
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 24.39.95.193
no ip http server
!
!
access-list 1 permit 192.0.0.0 0.255.255.255
access-list 101 permit tcp 192.0.0.0 0.255.255.255 any
access-list 101 permit udp 192.0.0.0 0.255.255.255 any
access-list 101 permit icmp 192.0.0.0 0.255.255.255 any
access-list 101 permit gre 192.0.0.0 0.255.255.255 any
access-list 101 deny ip any any log
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 unreachable
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 echo-reply
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 packet-too-big
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 time-exceeded
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 traceroute
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 administratively-prohibited
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 echo
access-list 112 permit gre any 24.39.95.0 0.0.0.255
access-list 112 deny ip any any log
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end

Thank you in advance for your opinion.

3 Replies

joe_wilkins2001
Level 1

Correct. Deny ip any any will drop all traffic not specified above it. But remember that ACLs are processed top down until a match is found, and then no further ACL processing is performed.

Hope that helps.

Joe
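To make the top-down, first-match rule concrete, here is a small Python model of extended ACL evaluation run against access-list 112 from the post. This is an added example, not code from the thread or from Cisco IOS; the sample packets and the 198.51.100.7 source address are constructed.

```python
from ipaddress import ip_address

def _match_addr(spec, addr):
    # spec is "any" or "<network> <wildcard>" in IOS syntax; a wildcard bit of 1 means "don't care"
    if spec == "any":
        return True
    net, wildcard = spec.split()
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ip_address(addr)) & care) == (int(ip_address(net)) & care)

def evaluate(acl, pkt):
    """First-match evaluation as IOS does it: walk the entries top down, stop at
    the first one that matches and return (action, index). A packet that matches
    nothing hits the implicit deny at the end, reported here as index None."""
    for i, (action, proto, src, dst, qual) in enumerate(acl):
        if proto != "ip" and proto != pkt["proto"]:      # "ip" matches every protocol
            continue
        if not (_match_addr(src, pkt["src"]) and _match_addr(dst, pkt["dst"])):
            continue
        if qual is not None and qual != pkt.get("qual"):  # icmp type or port qualifier
            continue
        return action, i
    return "deny", None

# access-list 112 from the post as (action, protocol, source, destination, qualifier)
OUTSIDE = "24.39.95.0 0.0.0.255"
ACL_112 = [
    ("permit", "icmp", "any", OUTSIDE, "unreachable"),
    ("permit", "icmp", "any", OUTSIDE, "echo-reply"),
    ("permit", "icmp", "any", OUTSIDE, "packet-too-big"),
    ("permit", "icmp", "any", OUTSIDE, "time-exceeded"),
    ("permit", "icmp", "any", OUTSIDE, "traceroute"),
    ("permit", "icmp", "any", OUTSIDE, "administratively-prohibited"),
    ("permit", "icmp", "any", OUTSIDE, "echo"),
    ("permit", "gre", "any", OUTSIDE, None),
    ("deny", "ip", "any", "any", None),
]

# Constructed sample packets arriving inbound on Ethernet0 (source address is made up)
PING_REPLY = {"proto": "icmp", "src": "198.51.100.7", "dst": "24.39.95.200", "qual": "echo-reply"}
UDP_135 = {"proto": "udp", "src": "198.51.100.7", "dst": "24.39.95.200", "qual": "eq 135"}
TCP_22 = {"proto": "tcp", "src": "198.51.100.7", "dst": "24.39.95.200", "qual": "eq 22"}

def demo():
    return {name: evaluate(ACL_112, p)
            for name, p in [("ping-reply", PING_REPLY), ("udp-135", UDP_135), ("tcp-22", TCP_22)]}

if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        print(f"{name:10s} -> {action} (entry {idx})")
```

The UDP 135 and TCP 22 packets never match an earlier entry, so the final deny ip any any catches them; moving that deny to the top would drop the echo-reply too, which is the ordering point above.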

maxrafael
Level 1

Deny IP Any Any is different from Deny Any Any

Please explain. Thanks.
