Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
332
Views
0
Helpful
3
Replies

Confirmation on basic ACL extended-list

Go to solution
news2010a
Participant
Participant

‎09-02-2009 03:09 PM - edited ‎03-06-2019 07:33 AM

Hi, just wanted to confirm:

If I need to let only two IP addresses (1.1.1.1 and 1.1.1.2) connect to server 192.168.206.5, I should bring line 40-70 to the top of the access-list below, correct?

!

ip access-list extended LETTWOPEOPLECONNECT

10 permit icmp any any

20 deny ip host 192.168.206.5 any

30 deny ip any host 192.168.206.5

40 permit ip any host 1.1.1.1

50 permit ip any host 1.1.1.2

60 permit ip host 1.1.1.1 any

70 permit ip host 1.1.1.2 any

80 permit ip any any

!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Edison Ortiz
Hall of Fame Mentor Hall of Fame Mentor
Hall of Fame Mentor

‎09-02-2009 03:19 PM

We don't know the direction of this ACL (in|out).

Knowing the direction will help saving some entries such as:

20 deny ip host 192.168.206.5 any

30 deny ip any host 192.168.206.5

can be just one entry

20 deny ip host 192.168.206.5 any

or

30 deny ip any host 192.168.206.5

But to answer your question, yes moving 40-70 before the deny 20-30 will let those hosts connect to server 192.168.206.5 but you can streamline the ACL with less ACEs.

__

Edison.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jon Marshall
VIP Community Legend VIP Community Legend
VIP Community Legend

‎09-02-2009 03:18 PM

Marlon

Yes you would need to move the entries above line 20. Actually you could just write 2 more specific entries ie.

11 permit ip host 1.1.1.1 host 192.168.206.5

12 permit ip host 1.1.1.2 host 192.168.206.5

You could make them even more specific by using only the relevant ports (TCP/UDP) that 1.1.1.1/2 need to connect to on server 192.168.206.5

I'm assuming this acl is applied inbound on the relevant interface.

Jon

0 Helpful

Go to solution
Edison Ortiz
Hall of Fame Mentor Hall of Fame Mentor
Hall of Fame Mentor

‎09-02-2009 03:19 PM

We don't know the direction of this ACL (in|out).

Knowing the direction will help saving some entries such as:

20 deny ip host 192.168.206.5 any

30 deny ip any host 192.168.206.5

can be just one entry

20 deny ip host 192.168.206.5 any

or

30 deny ip any host 192.168.206.5

But to answer your question, yes moving 40-70 before the deny 20-30 will let those hosts connect to server 192.168.206.5 but you can streamline the ACL with less ACEs.

__

Edison.

0 Helpful

Go to solution
news2010a
Participant
Participant
In response to Edison Ortiz

‎09-02-2009 03:21 PM

Thanks!!! You guys rule.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents