11-19-2023 04:27 AM - last edited on 11-19-2023 05:59 AM by rupeshah
Currently practicing with standard access lists.
I have the LANs labeled below:
- lan1: 192.168.100.0/25
  - pc1: 192.168.100.10
  - pc2: 192.168.100.11/25
- lan2
  - pc1: 192.168.100.140/25
- lan3: 192.168.20.0/26
  - pc: 192.168.20.2/26
- lan4: 10.10.200.0/24
  - server1: 10.10.200.10/24
  - server2: 10.10.200.20/24
My goal right now is to create a standard ACL that only allows lan1/pc2 to access lan3 while denying any other address and LAN access to lan3. So far I'm a little stumped. I've provided my quick config below with my notes. I've tried filtering both in and out of the interface on my router, but each time every LAN has access to lan3 when I filter traffic out of int g0/1, and the opposite when I filter the incoming traffic on g0/1.
1a. Add an ACE that allows only LAN1/pc2 to reach the LAN3 network
1b. Add a deny any statement to block all other networks from the Horse network
access-list 10 remark ACE permits only LAN1/pc2 on LAN3
access-list 10 permit 192.168.100.11 0.0.0.127
access-list 10 deny any
int g0/1
ip access-group 10 out
11-19-2023 04:47 AM
If you want only PC2 to access LAN3 and the rest to be denied, the example below will do the work:
access-list 110 remark matching source AND destination needs an extended ACL (100-199); standard ACL 10 cannot take 'ip host ... dst wildcard'
access-list 110 permit ip host 192.168.100.11 192.168.20.0 0.0.0.63 (this allows PC2 to access LAN3)
access-list 110 deny ip any any (rest all denied)
The ACL to be applied depends on the router where the traffic is expected to come in or go out (depends on requirement).
Further examples:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
11-19-2023 05:20 AM - edited 11-20-2023 10:18 PM
Hello @stephendonavan
You need to make sure to deny all other traffic after that specific permit statement.
access-list 10 remark ACE_permits_only_LAN1-pc2_on_LAN3
access-list 10 permit host 192.168.100.11
access-list 10 deny any log
interface GigabitEthernet0/1
 ip access-group 10 out
This should be applied in the outbound direction on the interface leading towards LAN3.
11-20-2023 05:56 PM
I am not clear what the right response for the original post is, but I feel that I must say, M02@rt37, for all the good responses that you provide, I am amazed that you do not remember that at the end of every ACL is the implicit deny any.
11-20-2023 10:25 PM - edited 11-21-2023 02:43 AM
Hello @Richard Burts
You're totally right.
To go further, log is not implicit. If you need, for a good reason (sometimes), to log the denied packets, then the implicit "deny rule" has to be made explicit and marked with the log keyword. Be aware that with this log parameter in the ACL, the packets will be process switched.
11-21-2023 06:27 AM
I agree with these points:
- if you just want the other traffic not to go through, then the implicit deny is sufficient.
- if you for some reason want to log the denied packets, then the implicit deny any is not sufficient and the deny any log command is needed.
- if you use the log parameter, then it forces every denied packet to be process switched, which impacts performance.
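As an added illustration (not code from this thread or from Cisco), the script below evaluates standard-ACL semantics in Python: IOS wildcard masks (a 1 bit means "don't care"), first-match processing, and the unlogged implicit deny any. Run against the lab addresses from the original post, it shows that the posted permit with wildcard 0.0.0.127 admits every host in lan1 (pc1 included), while a host match admits only pc2, and that only an explicit deny any log sets the log flag. The ACE tuples and source-host names are this example's own constructions.

```python
# Added example: a minimal evaluator for Cisco IOS standard ACL semantics,
# used to compare the wildcard from the original post against a host match.
# Addresses are the lab addresses from the thread; everything else is constructed.
import ipaddress


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(src: str, base: str, wildcard: str) -> bool:
    """IOS wildcard: 1 bits are 'do not care'; match when all 'care' bits are equal."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(src) & care) == (ip_int(base) & care)


def evaluate(acl, src: str):
    """First matching ACE wins. A standard ACL ends with an implicit 'deny any'
    that is never logged, which is why an explicit 'deny any log' is needed to log."""
    for action, base, wildcard, log in acl:
        if wildcard_match(src, base, wildcard):
            return action, log
    return "deny", False  # implicit deny, no log

# ACEs as (action, address, wildcard, log); 'any' is 0.0.0.0 255.255.255.255
ACL_AS_POSTED = [
    ("permit", "192.168.100.11", "0.0.0.127", False),  # line from the original post
    ("deny", "0.0.0.0", "255.255.255.255", False),     # explicit 'deny any'
]
ACL_HOST = [
    ("permit", "192.168.100.11", "0.0.0.0", False),    # 'permit host 192.168.100.11'
    ("deny", "0.0.0.0", "255.255.255.255", True),      # 'deny any log'
]

# Constructed source hosts from the lab, keyed by a label for readability
SOURCES = {"lan1-pc1": "192.168.100.10", "lan1-pc2": "192.168.100.11",
           "lan2-pc1": "192.168.100.140", "lan4-server1": "10.10.200.10"}


def results(acl):
    """Decision per source host, as seen when the ACL is applied outbound toward LAN3."""
    return {name: evaluate(acl, src)[0] for name, src in SOURCES.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("host match", ACL_HOST)):
        print(label, results(acl))
```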