Standard access list trouble

stephendonavan
Level 1

Currently practicing with standard access lists

I have the LANs labeled below:

LAN1: 192.168.100.0/25
  PC1: 192.168.100.10
  PC2: 192.168.100.11/25
LAN2:
  PC1: 192.168.100.140/25
LAN3: 192.168.20.0/26
  PC: 192.168.20.2/26
LAN4: 10.10.200.0/24
  server1: 10.10.200.10/24
  server2: 10.10.200.20/24

My goal right now is to create a standard ACL that only allows LAN1/pc2 to access LAN3 while denying any other address and LAN access to LAN3. So far I'm a little stumped. I've provided my quick config below with my notes. I've tried filtering both in and out of the interface on my router, but each time every LAN has access to LAN3 when I filter traffic out of int g0/1, and the opposite when I filter the incoming traffic onto g0/1.

1a. Add an ACE that allows only LAN1/pc2 to reach the LAN3 network
1b. Add a deny any statement to block all other networks from the Horse network

access-list 10 remark ACE permits only LAN1/pc2 on LAN3
access-list 10 permit 192.168.100.11 0.0.0.127
access-list 10 deny any
int g0/1
ip access-group 10 out

5 Replies

balaji.bandi
Hall of Fame

If you want only PC2 to access LAN3 and the rest to be denied, the example below will do the work:

! Matching a destination network needs an extended ACL (100-199); a standard ACL (1-99) matches the source only
access-list 110 permit ip host 192.168.100.11 192.168.20.0 0.0.0.63
! this allows PC2 to access LAN3
access-list 110 deny ip any any
! rest all denied

Where the ACL is applied depends on the router interface where the traffic comes in or goes out (it depends on the requirement).

further example :

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

BB


M02@rt37
VIP

Hello @stephendonavan 

You need to make sure to deny all other traffic after that specific permit statement.

access-list 10 remark ACE_permits_only_LAN1-pc2_on_LAN3
! host = wildcard 0.0.0.0, so only PC2 matches (192.168.100.11 0.0.0.127 would match all of LAN1)
access-list 10 permit host 192.168.100.11
! a standard ACL takes a single source address, so 'deny any log', not 'deny any any log'
access-list 10 deny any log

interface GigabitEthernet0/1
 ip access-group 10 out

This should be applied in the outbound direction on the interface leading towards LAN3.

Best regards

I am not clear what the right response for the original post is, but I feel that I must say, M02@rt37, for all the good responses that you provide, I am amazed that you do not remember that at the end of every ACL is the implicit deny any.

HTH

Rick

Hello @Richard Burts 

You're totally right. 

To go further, log is not implicit. If you need, for a good reason (sometimes), to log the denied packets, then the implicit deny rule has to be made explicit and marked with the log keyword. Be aware that this log parameter in the ACL will result in the packets being process switched.

Best regards

I agree with these points:

- if you just want that the other traffic will not go through then the implicit deny is sufficient.

- if you for some reason want to log the denied packets then the implicit deny any is not sufficient and the deny any log command is needed.

- if you use the log parameter then it forces every denied packet to be process switched, which impacts performance.

HTH

Rick
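Checking the ACLs from this thread against the lab addresses, as an added example that is not from any poster here: a small Python model of standard-ACL evaluation (wildcard matching, first match wins, implicit deny any). It shows that the original post's wildcard 0.0.0.127 also permits PC1 and the rest of LAN1, while host 192.168.100.11 permits only PC2. The function and variable names are assumptions for this illustration, not IOS code.

```python
import ipaddress

# Constructed lab addresses, taken from the original post.
HOSTS = {"LAN1 PC1": "192.168.100.10", "LAN1 PC2": "192.168.100.11",
         "LAN2 PC1": "192.168.100.140", "LAN4 server1": "10.10.200.10"}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF & ~int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse 'access-list N permit|deny <src> [log]' where <src> is 'any',
    'host A.B.C.D' or 'A.B.C.D W.W.W.W'. Remark lines return None."""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2] == "remark":
        return None
    action, src = tok[2], tok[3:]
    if src[-1] == "log":            # 'deny any log' still matches 'any'
        src = src[:-1]
    if src == ["any"]:
        return action, "0.0.0.0", "255.255.255.255"
    if src[0] == "host":            # 'host X' is shorthand for 'X 0.0.0.0'
        return action, src[1], "0.0.0.0"
    return action, src[0], src[1]

def standard_acl_decision(acl_lines, source):
    """First matching ACE wins; IOS appends an implicit 'deny any'."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace and wildcard_match(source, ace[1], ace[2]):
            return ace[0]
    return "deny"                   # the implicit deny at the end of every ACL

# The original post's ACL: wildcard 0.0.0.127 covers 192.168.100.0-127, all of LAN1.
OP_ACL = ["access-list 10 permit 192.168.100.11 0.0.0.127",
          "access-list 10 deny any"]
# Corrected permit: only PC2 matches; the implicit deny handles everything else.
FIXED_ACL = ["access-list 10 permit host 192.168.100.11"]
def compare():
    """Decision per lab host as (original ACL, corrected ACL)."""
    return {name: (standard_acl_decision(OP_ACL, ip),
                   standard_acl_decision(FIXED_ACL, ip))
            for name, ip in HOSTS.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:13} original: {before:7} corrected: {after}")
```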