Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
622
Views
0
Helpful
3
Replies

Confirmation on basic ACL extended-list

Go to solution
news2010a
Level 3
Level 3

‎09-02-2009 03:09 PM - edited ‎03-06-2019 07:33 AM

Hi, just wanted to confirm:

If I need to let only two IP addresses (1.1.1.1 and 1.1.1.2) connect to server 192.168.206.5, I should bring line 40-70 to the top of the access-list below, correct?

!

ip access-list extended LETTWOPEOPLECONNECT

10 permit icmp any any

20 deny ip host 192.168.206.5 any

30 deny ip any host 192.168.206.5

40 permit ip any host 1.1.1.1

50 permit ip any host 1.1.1.2

60 permit ip host 1.1.1.1 any

70 permit ip host 1.1.1.2 any

80 permit ip any any

!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame

‎09-02-2009 03:19 PM

We don't know the direction of this ACL (in|out).

Knowing the direction will help saving some entries such as:

20 deny ip host 192.168.206.5 any

30 deny ip any host 192.168.206.5

can be just one entry

20 deny ip host 192.168.206.5 any

or

30 deny ip any host 192.168.206.5

But to answer your question, yes moving 40-70 before the deny 20-30 will let those hosts connect to server 192.168.206.5 but you can streamline the ACL with less ACEs.

__

Edison.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎09-02-2009 03:18 PM

Marlon

Yes you would need to move the entries above line 20. Actually you could just write 2 more specific entries ie.

11 permit ip host 1.1.1.1 host 192.168.206.5

12 permit ip host 1.1.1.2 host 192.168.206.5

You could make them even more specific by using only the relevant ports (TCP/UDP) that 1.1.1.1/2 need to connect to on server 192.168.206.5

I'm assuming this acl is applied inbound on the relevant interface.

Jon

0 Helpful

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame

‎09-02-2009 03:19 PM

We don't know the direction of this ACL (in|out).

Knowing the direction will help saving some entries such as:

20 deny ip host 192.168.206.5 any

30 deny ip any host 192.168.206.5

can be just one entry

20 deny ip host 192.168.206.5 any

or

30 deny ip any host 192.168.206.5

But to answer your question, yes moving 40-70 before the deny 20-30 will let those hosts connect to server 192.168.206.5 but you can streamline the ACL with less ACEs.

__

Edison.

0 Helpful

Go to solution
news2010a
Level 3
Level 3
In response to Edison Ortiz

‎09-02-2009 03:21 PM

Thanks!!! You guys rule.

0 Helpful
Customers Also Viewed These Support Documents
Top