How do lines in an ACL work on a Cisco 4300 router (example inside)

Please go through the sample set of access lists below.

I see standard and extended ACLs combined, and I also see several lines repeating; it's a bit confusing.

In Cisco ASA firewalls the lines have a sequence, but on the router it's a bit confusing.

My question is: how does the traffic flow, and how is it permitted or denied?

In the example below, at line 30 the traffic has been both allowed and blocked; can someone help me out?


Standard IP access list notadvertise
10 deny 172.20.1.10
20 permit any (4 matches)
Standard IP access list yesnp
10 permit 121.242.139.189
20 permit 202.71.146.251
30 deny ip any any
Extended IP access list Res
10 permit ip host 202.71.146.251 any
20 permit ip host 121.242.139.189 any

30 permit ip any any
30 permit ip 10.91.1.0 0.0.0.255 any
Extended IP access list TAC
50 permit ip any any
Extended IP access list putty_acl
20 permit tcp host 61.12.94.130 any eq 22 log
30 permit tcp host 182.73.185.146 any eq 22 log
40 permit tcp host 61.8.146.97 any eq 22 log (8 matches)
50 permit tcp host 121.242.139.161 any eq 22 log
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet
20 deny tcp any any eq www
30 deny ip any any
40 permit ip any any

Regards,
Pravin Raj K
Network Engineer

Hi

The ACL lines are read from top to bottom, so, for example, if a deny ip any any comes before a permit ip any any, the ACL will block everything.

Now, I have not seen duplicated sequence numbers in the same ACL (red and blue) before; it could be a bug.


Standard IP access list yesnp
10 permit 121.242.139.189
20 permit 202.71.146.251
30 deny ip any any
Extended IP access list Res
10 permit ip host 202.71.146.251 any
20 permit ip host 121.242.139.189 any

30 permit ip any any
30 permit ip 10.91.1.0 0.0.0.255 any




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hi Julio,

I understand that ACLs are read from top to bottom,

but in my case line number 10 is repeated in various ACLs, and hence I'm confused.

Could you explain what can be done better in the ACLs below?

These are my ACLs:


ip access-list standard yesnp
permit 121.242.139.189
permit 202.71.146.251
deny any
!
ip access-list extended CAP-FILTER
permit esp host 121.242.139.169 host 49.50.106.173
permit esp host 49.50.106.173 host 121.242.139.169
ip access-list extended RES
permit ip host 103.224.181.7 any
ip access-list extended Res
permit ip host 202.71.146.251 any
permit ip host 121.242.139.189 any
permit ip host 172.20.1.10 any
permit ip host 111.67.34.253 any
permit ip 10.91.1.0 0.0.0.255 any
permit ip host 61.8.146.97 any
permit ip host 121.242.139.161 any
permit ip host 61.12.94.130 any
permit ip host 182.73.185.146 any
permit ip host 115.112.174.28 any
permit ip host 180.179.58.248 any
permit icmp any any
permit ip host 49.50.106.173 any
deny udp any any eq snmp
deny tcp any any eq discard
deny tcp any any eq daytime
deny tcp any any eq chargen
deny tcp any any eq telnet
deny tcp any any eq 22
deny tcp any any eq finger
deny tcp any any eq 5503
deny udp any any eq 5503
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.0.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
permit ip any any
ip access-list extended TAC
permit ip host 121.242.139.169 host 180.179.27.92
permit ip host 180.179.27.92 host 121.242.139.169

WVI-VSNL-ROUTER#sho acces
WVI-VSNL-ROUTER#sho access-li
WVI-VSNL-ROUTER#sho access-lists
Standard IP access list yesnp
10 permit 121.242.139.189
20 permit 202.71.146.251
30 deny any
Extended IP access list CAP-FILTER
10 permit esp host 121.242.139.169 host 49.50.106.173
20 permit esp host 49.50.106.173 host 121.242.139.169
Extended IP access list RES
10 permit ip host 103.224.181.7 any
Extended IP access list Res
10 permit ip host 202.71.146.251 any
20 permit ip host 121.242.139.189 any
30 permit ip host 172.20.1.10 any
40 permit ip host 111.67.34.253 any (409882 matches)
50 permit ip 10.91.1.0 0.0.0.255 any
60 permit ip host 61.8.146.97 any (55917 matches)
70 permit ip host 121.242.139.161 any (6 matches)
80 permit ip host 61.12.94.130 any (62829 matches)
90 permit ip host 182.73.185.146 any (606386 matches)
100 permit ip host 115.112.174.28 any (124748 matches)
110 permit ip host 180.179.58.248 any (37803476 matches)
240 permit icmp any any (3025728 matches)
245 permit ip host 49.50.106.173 any (899178 matches)
250 deny udp any any eq snmp (19697 matches)
280 deny tcp any any eq discard (320 matches)
290 deny tcp any any eq daytime (1363 matches)
300 deny tcp any any eq chargen (2728 matches)
310 deny tcp any any eq telnet (3257474 matches)
320 deny tcp any any eq 22 (798509 matches)
330 deny tcp any any eq finger (2511 matches)
340 deny tcp any any eq 5503 (58 matches)
350 deny udp any any eq 5503 (32 matches)
360 deny ip 127.0.0.0 0.255.255.255 any
370 deny ip 172.16.0.0 0.0.255.255 any (13191 matches)
380 deny ip 224.0.0.0 31.255.255.255 any
400 permit ip any any (596604891 matches)
Extended IP access list TAC
10 permit ip host 121.242.139.169 host 180.179.27.92
20 permit ip host 180.179.27.92 host 121.242.139.169
30 permit ip host 10.91.1.2 host 180.179.27.92
50 permit ip host 121.242.139.169 host 180.179.18.116
60 permit ip host 180.179.18.116 host 121.242.139.169
70 permit ip host 10.91.1.2 host 180.179.18.116
80 permit ip any any
Extended IP access list TAC1
10 permit ip host 10.91.1.2 host 180.179.27.92
20 permit ip host 180.179.27.92 host 10.91.1.2
30 permit ip host 10.91.1.2 host 111.67.34.253
40 permit ip host 111.67.34.253 host 10.91.1.2
Extended IP access list putty_acl
30 permit ip 61.8.146.96 0.0.0.15 any (18 matches)
40 permit ip 121.242.139.160 0.0.0.31 any (5 matches)
50 permit ip host 121.242.139.161 any
60 deny ip any any (60 matches)
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet
20 deny tcp any any eq www
30 deny tcp any any eq 22
40 permit ip any any


Regards,
Pravin Raj K
Network Engineer

Hi,

Please correct me if I'm understanding the question wrong. For example, the lines 10 below are included in different named ACLs. Now, on a router you can create ACLs with lowercase or capital letters; the name is case-sensitive. From my point of view, it is better to use capital letters because they are easier to identify in the configuration. Under an interface you can apply one ACL for inbound and one ACL for outbound traffic.


Standard IP access list yesnp
10 permit 121.242.139.189
20 permit 202.71.146.251
30 deny any
Extended IP access list CAP-FILTER
10 permit esp host 121.242.139.169 host 49.50.106.173
20 permit esp host 49.50.106.173 host 121.242.139.169
Extended IP access list RES
10 permit ip host 103.224.181.7 any
Extended IP access list Res
10 permit ip host 202.71.146.251 any
20 permit ip host 121.242.139.189 any
30 permit ip host 172.20.1.10 any




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Yes, my question is that line 30 says to deny traffic, whereas line 30 of a different ACL says to permit traffic to a specific host, so which takes effect?
Regards,
Pravin Raj K
Network Engineer

Sir, the first thing you need to understand is that each access list is completely independent of the others. The second thing is that when you apply an access list on a port, you can only apply one access list in each direction. So, you will never see two access lists applied on the same port in the same direction (in or out).

After that, sequence number 10 of access list ABC is completely independent of sequence number 10 of access list XYZ.

Perfect, thank you for the answer.

Since you say each ACL works independently, my question now is: how can I deny traffic globally?

Should I add a deny command as the last line of each ACL?

Regards,
Pravin Raj K
Network Engineer

Hi

Actually, there is an implicit deny at the bottom of each ACL; all other traffic will be dropped. But you could include a:

deny ip any any (extended ACLs) at the end of the ACL.

This link could be useful: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html


:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Thank you, so I believe the implicit deny command is invisible, and deny ip any any denies all traffic, which includes TCP, UDP and all other protocols, right?
Regards,
Pravin Raj K
Network Engineer

Hi

That is correct: the implicit deny is not displayed in the show run, and the protocol IP will include everything.


:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<
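The rules the replies above lay out (each ACL is evaluated on its own, top to bottom, first match wins, an unmatched packet hits the invisible implicit deny, a standard list matches only the source, and protocol `ip` covers every protocol) as an added example that is not from this thread or from Cisco: a small Python evaluator over a constructed subset of the ACLs shown, written in the `show access-lists` format. The function names and the (protocol, source, destination, port) packet shape are my own assumptions.

```python
import ipaddress
PORTS = {"telnet": 23, "www": 80, "snmp": 161}  # port names IOS prints in place of numbers
def _ip(s): return int(ipaddress.IPv4Address(s))

# Constructed subset of the thread's ACLs: Res and sl_def_acl both carry a sequence 30; yesnp is standard.
SHOW_ACCESS_LISTS = """\
Standard IP access list yesnp
10 permit 121.242.139.189
30 deny any
Extended IP access list Res
10 permit ip host 202.71.146.251 any
30 permit ip 10.91.1.0 0.0.0.255 any (55917 matches)
310 deny tcp any any eq telnet
400 permit ip any any
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet
30 deny ip any any
40 permit ip any any
"""

def _addr(tok):  # consume one address spec: any | host A.B.C.D | A.B.C.D [WILDCARD]
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tok.pop(0)), 0
    return _ip(t), (_ip(tok.pop(0)) if tok and tok[0][0].isdigit() else 0)
def parse_acls(text):  # -> {name: [(seq, action, proto, src, dst, dport), ...]}
    acls, name, standard = {}, None, False
    for line in text.splitlines():
        tok = line.split("(")[0].split()            # drop the "(N matches)" counter
        if tok[1:4] == ["IP", "access", "list"]:   # header line starts a new, independent ACL
            name, standard = tok[4], tok[0] == "Standard"
            acls[name] = []
            continue
        seq, action, tok = int(tok[0]), tok[1], tok[2:]
        proto = "ip" if standard else tok.pop(0)    # standard ACLs match the source only
        src = _addr(tok)
        dst = (0, 0xFFFFFFFF) if standard else _addr(tok)
        port = int(PORTS.get(tok[1], tok[1])) if tok[:1] == ["eq"] else None
        acls[name].append((seq, action, proto, src, dst, port))
    return acls
def _in(ip, base_wild):  # wildcard 1-bits are "don't care" bits
    return (_ip(ip) | base_wild[1]) == (base_wild[0] | base_wild[1])
def evaluate(acl, proto, src, dst, dport=None):
    """One ACL, top to bottom, first match wins; no match hits the implicit deny."""
    for seq, action, p, s, d, port in acl:
        if p in ("ip", proto) and _in(src, s) and _in(dst, d) and port in (None, dport):
            return action, seq
    return "deny", "implicit"
```

Running the same telnet packet through Res and sl_def_acl gives a permit at sequence 30 in one and a deny at sequence 10 in the other, which is exactly why one ACL's line 30 says nothing about another's.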

Brilliant, thank you so much

Regards,
Pravin Raj K
Network Engineer

You are welcome

Have a great day!

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hi

The lines 30 displayed before belong to different ACL names, so one line 30 will not affect the other line 30. Each ACL has a different purpose.


:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<