02-17-2020 12:14 AM
02-17-2020 12:32 AM
Hello,
exactly. IP includes all UDP and TCP protocols...
02-17-2020 12:41 AM - edited 02-17-2020 12:42 AM
So let's say, for example, I do 'deny ip host 192.168.1.3 any'.
Does that mean it will block ICMP, TCP, UDP and others?
Or only TCP and UDP?
02-17-2020 12:54 AM
Hello,
that's right, 'deny ip host 192.168.1.3 any' will block all protocols including ICMP.
02-17-2020 01:00 AM
Wow, dude, thanks for answering, that really cleared things up.
02-17-2020 01:09 AM
Hello,
keep in mind that access lists are processed top down, so the order matters. If you want to e.g. allow ICMP, but deny anything else, the access list would be:
permit icmp host 192.168.1.3 any
deny ip host 192.168.1.3 any
02-17-2020 01:32 AM - edited 02-17-2020 01:37 AM
Alright, so is this what you mean? So, for example, I want to block SSH access to everyone else except one person.
Would this work?
permit tcp host 192.168.1.2 any eq 22
deny tcp any any eq 22
permit ip any any -> I added this because I think there is a deny ip any any at the end by default?
02-17-2020 01:40 AM
Hello,
exactly. Looks like you got the hang of it.
permit tcp host 192.168.1.2 any eq 22
deny tcp any any eq 22
permit ip any any
This allows SSH for just that one host, 192.168.1.2, and denies SSH for all others. It allows everything else for all.
02-17-2020 01:48 AM - edited 02-17-2020 01:49 AM
Does the implicit deny at the end block all traffic?
02-17-2020 03:43 AM
Hello,
if you don't add the last line:
permit ip any any
then indeed, the implicit deny all will block all other traffic that is not explicitly permitted.
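To make the three points of this thread concrete (top-down first match, 'ip' covering every protocol including ICMP, and the implicit deny that catches whatever is left), here is a small evaluator that models those semantics over the exact ACEs posted above. It is an added example written for this page, not code from the thread or from Cisco, and it only handles the subset of IOS extended-ACE syntax used here (permit/deny, ip/icmp/tcp/udp, 'host A.B.C.D' or 'any', optional 'eq PORT'); wildcard masks, 'established', 'log' and other keywords are not modelled. The packets are constructed samples, not captured traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example: a first-match model of IOS extended ACL evaluation.
# It is not IOS code; it only reproduces the semantics discussed in the thread.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "icmp", "tcp" or "udp"
    dport: Optional[int] = None   # destination port for tcp/udp, None for icmp


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every IP protocol; else "icmp", "tcp", "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # "eq PORT", TCP/UDP only
    text: str = ""                # original line, for reporting which entry matched


def parse_ace(line: str) -> Ace:
    """Parse '<permit|deny> <ip|icmp|tcp|udp> <host A.B.C.D|any> <host A.B.C.D|any> [eq PORT]'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    if tok[1] not in ("ip", "icmp", "tcp", "udp"):
        raise ValueError(f"unsupported protocol in {line!r}")
    pos = 2

    def take_addr() -> ipaddress.IPv4Network:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[pos] == "host":
            net = ipaddress.ip_network(tok[pos + 1] + "/32")
            pos += 2
            return net
        raise ValueError(f"unsupported address form in {line!r}")

    src, dst = take_addr(), take_addr()
    dport = None
    if pos < len(tok):
        if tok[pos] != "eq" or tok[1] not in ("tcp", "udp") or pos + 1 >= len(tok):
            raise ValueError(f"unsupported trailer in {line!r}")
        dport = int(tok[pos + 1])
    return Ace(tok[0], tok[1], src, dst, dport, line)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    # 'ip' covers ICMP, TCP, UDP and anything else carried in IP.
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Top-down, first match wins. No match falls through to the implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", None   # implicit deny: never written in the config, always present


# The ACL from the thread, with and without the trailing 'permit ip any any'.
SSH_ACL_OPEN = parse_acl([
    "permit tcp host 192.168.1.2 any eq 22",
    "deny tcp any any eq 22",
    "permit ip any any",
])
SSH_ACL_NO_CATCHALL = SSH_ACL_OPEN[:2]

# Constructed sample packets (hypothetical addresses, not captured traffic).
SAMPLES: Dict[str, Packet] = {
    "admin_ssh":  Packet("192.168.1.2", "10.0.0.1", "tcp", 22),
    "other_ssh":  Packet("192.168.1.9", "10.0.0.1", "tcp", 22),
    "other_dns":  Packet("192.168.1.9", "10.0.0.1", "udp", 53),
    "other_ping": Packet("192.168.1.9", "10.0.0.1", "icmp"),
}


def decisions(acl: List[Ace]) -> Dict[str, str]:
    return {name: evaluate(acl, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print("with permit ip any any:   ", decisions(SSH_ACL_OPEN))
    print("without the catch-all:    ", decisions(SSH_ACL_NO_CATCHALL))
    # Order matters: the same two entries in the other order flip the ICMP result.
    ping = Packet("192.168.1.3", "10.0.0.1", "icmp")
    print(evaluate(parse_acl(["permit icmp host 192.168.1.3 any",
                              "deny ip host 192.168.1.3 any"]), ping))
    print(evaluate(parse_acl(["deny ip host 192.168.1.3 any",
                              "permit icmp host 192.168.1.3 any"]), ping))
```

Two practical notes when you move from the model to a real box. On IOS the implicit deny is not displayed by 'show access-lists' and increments no counter, so if you want to see what the catch-all is dropping, finish the list with an explicit 'deny ip any any log' instead of relying on the invisible one. And an ACL does nothing until it is bound to an interface with 'ip access-group NAME in' (or 'out'), so the direction you apply it in decides whether 'host 192.168.1.2' is being checked as a source or a destination.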
