Access-list

akachroo123
Level 1

I am adding a new network, 10.102.251.0/25, and for this network I have to allow only HTTP & HTTPS traffic.

I have one access-list, 122, mapped to the serial port through which internet traffic flows.

So how can I modify the existing access-list, as it is allowing all traffic except for some deny statements?

access-list 122 deny tcp any any eq 1025

access-list 122 deny tcp any any eq 2967

access-list 122 permit ip any any

Or should I create a new one, say access-list 123, and map it to the serial interface?

Like:

access-list 123 permit tcp 10.102.251.0 0.0.0.127 any eq 80

access-list 123 permit tcp 10.102.251.0 0.0.0.127 any eq 443

7 Replies

fred.mancen
Level 1

Hey buddy.

I think it is easier to create a new ACL and map it to the interface, no doubt. The example is OK and it will work, since you need to permit just these two TCP ports and deny all other traffic.

Regards.

But when the internet traffic leaves the serial interface, how will the router decide which access-list to check?

Do access-lists have some priority?

Hi

You can apply one access-list per interface per direction. So you cannot apply 2 separate access-lists to the same interface in the same direction.

You need to combine your 2 access-lists into 1 and then apply that.

Jon

This is my existing access-list.

access-list 122 deny tcp any any eq 1025

access-list 122 deny tcp any any eq 2967

access-list 122 permit ip any any

I want to permit HTTP traffic for this network, 10.102.251.0/25.

So how can I combine them?

Hi

Which direction is access-list 122 applied in, and which direction do you want to allow HTTP to/from?

Your access-list 122 has a permit ip any any, which covers all TCP/UDP/ICMP, so you shouldn't need to explicitly permit tcp/http.

Jon

The direction is out, and I also want to apply it out for the new network.

If I add the network 10.102.251.0 before the last statement, it will not work, I am guessing.

Hi

Your last line of access-list 122 says

permit ip any any

Therefore you do not need to add the lines for 10.102.251.0, as the ip any any covers this traffic.

Jon
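Added example (not part of the thread, and not Cisco's or any poster's code): a small first-match evaluator for the numbered extended ACL syntax used above. It covers both the "one ACL per interface per direction, so combine them" point and the question of where in ACL 122 the lines for 10.102.251.0/25 have to sit. The combined ACL embedded below is a constructed merge of the two lists from the thread: the two existing denies, the HTTP/HTTPS permits for 10.102.251.0/25, an explicit deny for the rest of that network's traffic, and finally the original permit ip any any. The evaluator walks entries top to bottom exactly as IOS does, with the implicit deny at the end. Test addresses (203.0.113.5, 10.102.250.10) are constructed.

```python
"""First-match evaluation of a Cisco IOS numbered extended ACL.

Parses the `access-list N {permit|deny} PROTO SRC [WILD] DST [WILD] [eq PORT]`
form used in the thread and evaluates packets top to bottom, applying the
implicit deny when no entry matches. All ACL text and packets are constructed
for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed merge of ACL 122 and the proposed ACL 123: the restrictions for
# 10.102.251.0/25 are placed BEFORE the final "permit ip any any", because
# anything placed after that line can never be reached.
COMBINED_ACL = """
access-list 122 deny tcp any any eq 1025
access-list 122 deny tcp any any eq 2967
access-list 122 permit tcp 10.102.251.0 0.0.0.127 any eq 80
access-list 122 permit tcp 10.102.251.0 0.0.0.127 any eq 443
access-list 122 deny ip 10.102.251.0 0.0.0.127 any
access-list 122 permit ip any any
"""

# The original ACL 122 from the thread, for comparison.
ORIGINAL_ACL = """
access-list 122 deny tcp any any eq 1025
access-list 122 deny tcp any any eq 2967
access-list 122 permit ip any any
"""


@dataclass
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol; else "tcp", "udp", ...
    src: int                # source address as an integer
    src_wild: int           # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    dport: Optional[int]    # destination port from "eq PORT", or None


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])


def parse_acl(text):
    """Turn access-list lines into an ordered list of Ace entries."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        action, proto = tokens[2], tokens[3]
        src, src_wild, rest = _parse_addr(tokens[4:])
        dst, dst_wild, rest = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append(Ace(action, proto, src, src_wild, dst, dst_wild, dport))
    return aces


def _addr_match(addr, ace_addr, wild):
    """Bits set in the wildcard are ignored; all other bits must be equal."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (ace_addr & care)


def evaluate(aces, src, dst, proto, dport=None):
    """Return (action, index) of the first matching entry, or ('deny', None)
    for the implicit deny at the end of every IOS ACL."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for i, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _addr_match(s, ace.src, ace.src_wild):
            continue
        if not _addr_match(d, ace.dst, ace.dst_wild):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None


if __name__ == "__main__":
    combined = parse_acl(COMBINED_ACL)
    original = parse_acl(ORIGINAL_ACL)
    for proto, port in (("tcp", 443), ("tcp", 22), ("udp", 53), ("tcp", 1025)):
        print(proto, port,
              "original:", evaluate(original, "10.102.251.10", "203.0.113.5", proto, port),
              "combined:", evaluate(combined, "10.102.251.10", "203.0.113.5", proto, port))
```

Running it shows the difference the thread is circling around: with the original ACL 122, SSH or DNS from 10.102.251.10 hits permit ip any any and is allowed, whereas in the combined list only ports 80 and 443 from that /25 are permitted, other hosts (e.g. 10.102.250.10, or 10.102.251.200 outside the /25) still fall through to permit ip any any, and the two existing denies keep working because they sit first. Apply the result with ip access-group 122 out on the serial interface, replacing the old list rather than adding a second one.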
