09-06-2007 11:00 AM - edited 03-03-2019 06:38 PM
I am adding a new network, 10.102.251.0/25, and for this network I have to allow only HTTP and HTTPS traffic.
I have one access-list, 122, mapped to the serial port through which internet traffic flows.
So how can I modify the existing access-list, as it is allowing all traffic except for some deny statements?
access-list 122 deny tcp any any eq 1025
access-list 122 deny tcp any any eq 2967
access-list 122 permit ip any any
Or should I create a new access-list, say 123, and map it to the serial interface?
Like:
access-list 123 permit tcp 10.102.251.0 0.0.0.127 any eq 80
access-list 123 permit tcp 10.102.251.0 0.0.0.127 any eq 443
09-06-2007 12:03 PM
Hey buddy.
I think it is easier to create a new ACL and map it to the interface, no doubt. The example is OK and it will work, since you need to permit just these two TCP ports and deny all other traffic.
Regards.
09-06-2007 12:30 PM
But when the internet traffic leaves the serial interface, how will the router decide which access-list to check?
Does an access-list have some priority?
09-06-2007 12:34 PM
Hi
You can apply one access-list per interface per direction, so you cannot apply two separate access-lists to the same interface in the same direction.
You need to combine your two access-lists into one and then apply that.
Jon
09-06-2007 12:42 PM
This is my existing access-list:
access-list 122 deny tcp any any eq 1025
access-list 122 deny tcp any any eq 2967
access-list 122 permit ip any any
I want to permit HTTP traffic for this network, 10.102.251.0/25.
So how can I combine them?
09-06-2007 12:47 PM
Hi
Which direction is access-list 122 applied in, and which direction do you want to allow HTTP to/from?
Your access-list 122 has a permit ip any any, which covers all TCP/UDP/ICMP, so you shouldn't need to explicitly permit TCP/HTTP.
Jon
09-06-2007 01:13 PM
The direction is out, and I also want to apply it out for the new network.
If I add the 10.102.251.0 network lines before the last statement, it will not work, I am guessing.
09-06-2007 01:24 PM
Hi
Your last line of access-list 122 says:
permit ip any any
Therefore you do not need to add the lines for 10.102.251.0, as the permit ip any any covers this traffic.
Jon
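An added worked example, not part of the thread and not anyone's posted configuration: a small first-match evaluator in Python for the ACL syntax used above, run against two constructed lists. It tests the guess near the end of the thread (permit lines for 10.102.251.0/25 inserted ahead of permit ip any any do not restrict that network, because any flow they do not match still falls through to the catch-all) and shows the combined single list Jon describes, with an explicit deny for the new network placed after its permits and before the catch-all, which is what actually limits that network to ports 80 and 443 while leaving every other source as before. The ACL number 123, the interface, the sample flows and the public addresses are assumptions; the evaluator covers only the syntax on this page (permit/deny, ip/tcp, any or address plus wildcard, optional eq on the destination port).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    """One access-control entry, in the order it appears in the list."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol) or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from "eq", or None for any


def _parse_addr(tokens, i):
    """Parse 'any' or '<addr> <wildcard>' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard is the inverse of a subnet mask: 0.0.0.127 -> 255.255.255.128 (/25).
    # Only contiguous wildcards are handled here (ipaddress rejects the rest).
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Turn 'access-list <n> ...' lines into Aces, keeping their order; remarks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dport=None):
    """IOS semantics: the first matching entry wins; no match means the implicit deny."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every ACL


# Constructed: ACL 122 as posted, with the proposed permit lines inserted
# ahead of the final catch-all (the variant the thread asks about).
ACL_122_WITH_PERMITS = """
access-list 122 deny tcp any any eq 1025
access-list 122 deny tcp any any eq 2967
access-list 122 permit tcp 10.102.251.0 0.0.0.127 any eq 80
access-list 122 permit tcp 10.102.251.0 0.0.0.127 any eq 443
access-list 122 permit ip any any
"""

# Constructed: one combined list (number 123 is an assumption). Existing denies
# first, then the new network's permits, then an explicit deny for anything
# else from that network, then the old catch-all for every other source.
ACL_123_COMBINED = """
access-list 123 deny tcp any any eq 1025
access-list 123 deny tcp any any eq 2967
access-list 123 permit tcp 10.102.251.0 0.0.0.127 any eq 80
access-list 123 permit tcp 10.102.251.0 0.0.0.127 any eq 443
access-list 123 deny ip 10.102.251.0 0.0.0.127 any
access-list 123 permit ip any any
"""

# Constructed sample flows leaving the serial interface: (proto, src, dst, dport).
FLOWS = {
    "new-net http":   ("tcp", "10.102.251.10", "198.51.100.5", 80),
    "new-net https":  ("tcp", "10.102.251.10", "198.51.100.5", 443),
    "new-net ssh":    ("tcp", "10.102.251.10", "198.51.100.5", 22),
    "new-net dns":    ("udp", "10.102.251.10", "198.51.100.53", 53),
    "other-net ssh":  ("tcp", "10.102.1.20", "198.51.100.5", 22),
    "other-net 2967": ("tcp", "10.102.1.20", "198.51.100.5", 2967),
    "upper-half http": ("tcp", "10.102.251.200", "198.51.100.5", 80),  # .128/25, not the new network
}


def check(acl_text):
    """Return {flow name: 'permit' | 'deny'} for every sample flow under the given list."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("122 + permits", ACL_122_WITH_PERMITS), ("123 combined", ACL_123_COMBINED)):
        print(label)
        for name, verdict in check(acl).items():
            print(f"  {name:16} {verdict}")
```

With the first list, "new-net ssh" and "new-net dns" are permitted by the catch-all, so the inserted permit lines change nothing. With the combined list they are denied, the existing port 1025/2967 denies still apply to everyone, and the other internal sources still match permit ip any any. On the router the combined list replaces 122 in the outbound direction with ip access-group 123 out on the serial interface, since only one list can be bound per interface per direction.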