07-27-2004 05:21 AM - edited 02-20-2020 09:25 PM
Hello, I just want to confirm that if I have an access-list that deny ip any any at the end of my config, this will include denying all other tcp or udp (such as deny udp any any eq 135, eq tftp, etc. etc.), right? Here's a config of my router that runs IOS firewall.
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
enable secret xxxx
enable password xxx
!
memory-size iomem 25
ip subnet-zero
!
!
!
ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
interface Ethernet0
ip address 24.x.x.x.x.255.224
ip access-group 112 in
ip nat outside
half-duplex
!
interface FastEthernet0
ip address 192.168.13.30 255.255.255.0
ip access-group 101 in
ip nat inside
ip inspect ethernetin in
speed auto
!
interface Serial0
no ip address
shutdown
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 24.39.95.193
no ip http server
!
!
access-list 1 permit 192.0.0.0 0.255.255.255
access-list 101 permit tcp 192.0.0.0 0.255.255.255 any
access-list 101 permit udp 192.0.0.0 0.255.255.255 any
access-list 101 permit icmp 192.0.0.0 0.255.255.255 any
access-list 101 permit gre 192.0.0.0 0.255.255.255 any
access-list 101 deny ip any any log
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 unreachable
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 echo-reply
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 packet-too-big
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 time-exceeded
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 traceroute
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 administratively-prohibited
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 echo
access-list 112 permit gre any 24.39.95.0 0.0.0.255
access-list 112 deny ip any any log
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
Thank you in advance for your opinion.
07-27-2004 11:10 AM
Correct. Deny ip any any will drop all traffic not specified above it. But remember that ACLs are processed top down until a match is found and then no further ACL processing is performed.
Hope that helps.
Joe
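To make the top-down, first-match behaviour concrete, here is an added Python model (not from the post and not Cisco code) that parses a subset of the ACL 112 lines from the question and evaluates sample packets against them; the outside source address 198.51.100.7 is a constructed sample value.

```python
import ipaddress

# Subset of ACL 112 from the posted config (applied inbound on the Internet-facing Ethernet0).
ACL_112 = """
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 echo-reply
access-list 112 permit icmp any 24.39.95.0 0.0.0.255 echo
access-list 112 permit gre any 24.39.95.0 0.0.0.255
access-list 112 deny ip any any log
""".strip().splitlines()


def _take_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return None  # None means "matches every address"
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0))
    # ipaddress accepts an IOS-style wildcard (hostmask) after the slash
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")


def parse_ace(line):
    """Parse one extended ACL entry into its action, protocol, addresses and qualifier."""
    tokens = line.split()
    assert tokens[0] == "access-list"
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, dst, qual = _take_addr(rest), _take_addr(rest), None
    if rest and rest[0] != "log":
        qual = rest[1] if rest[0] == "eq" else rest[0]  # 'eq 135' or an ICMP type name
    return {"action": action, "proto": proto, "src": src, "dst": dst, "qual": qual}


def evaluate(acl_lines, proto, src, dst, qual=None):
    """Walk the ACL top-down like IOS: the first matching entry decides and nothing
    below it is examined. Returns (action, index); index is None when no entry
    matched and the implicit deny at the end of every IOS ACL applies."""
    for i, ace in enumerate(map(parse_ace, acl_lines)):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if ace["src"] is not None and ipaddress.ip_address(src) not in ace["src"]:
            continue
        if ace["dst"] is not None and ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["qual"] is not None and ace["qual"] != qual:
            continue
        return ace["action"], i
    return "deny", None


if __name__ == "__main__":
    # UDP 135 from outside is caught by the trailing 'deny ip any any' (index 3)
    print(evaluate(ACL_112, "udp", "198.51.100.7", "24.39.95.200", "135"))
    # ICMP echo to the permitted /24 is allowed by the 'echo' entry (index 1)
    print(evaluate(ACL_112, "icmp", "198.51.100.7", "24.39.95.200", "echo"))
```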
04-17-2017 12:10 PM
Deny IP Any Any is different from Deny Any any
04-10-2020 11:20 AM
Please explain. thanks.