I applied the following ACL to my router's serial interface (inbound). When I did this we could not get onto the web, email, etc. Our internal LAN is 10.1.1.0/24 and our DMZ is 192.168.20.0/24. Am I missing something?
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
Question
0
Votes
Answers (2)
0
Votes
are you kidding?
humm lemme think ...deny any means allow some???
22nd Feb 2008
Replies
deny any means deny any matches.
anything else is allowed, unless there is an explicit "deny all if no matches found" at the end of your ACL.
your logic just threw my brain for a loop.
DanKe
22nd Feb 2008
there is an implicit deny at the end of any ACL so unless specifically allowed, traffic is denied.
this guy put in an ACL deny any for a range of addresses including loopback address and with the implicit deny at the end of the ACL all traffic will be denied access that is within that range.
CG IT
22nd Feb 2008
I just slapped together a 2600XM and you were right
man.. it's been a couple years.
so you are saying he should put an explicit permit all at the end of the ACL, correct?
so anything that isn't denied (non-private network addresses) is allowed through
DanKe
22nd Feb 2008
anything that isn't allowed is denied. That's how Cisco ACLs work. There is an implicit deny statement [hidden] on all Cisco ACL lists so that unless you specify allow, the last rule processed is deny [deny both inbound and outbound]. Note: this is particular to ACLs so if you don't use ACLs then there isn't a deny rule invoked.
CG IT
22nd Feb 2008
if you add an explicit "permit foobar any any" to the end of the ACL, then anything that isn't denied, is permitted.
right?
read my reply before this again..
DanKe
22nd Feb 2008
if you put in the wildcard permit any any which permits any and all.
Traffic is compared to the ACL and rules are processed. if there is no rule allowing then the implicit deny takes effect.
CG IT
22nd Feb 2008
0
Votes
a little bit
I'm guessing you are denying private IPs from accessing your LAN/DMZ.
Are you sure you are applying it to the correct interface?
If you are sure, then add "log" to the end of those ACL entries and you will find your problem.
post them back here if you can't figure it out.
good luck!
Updated - 22nd Feb 2008
Replies
I think I forgot to add: permit ip any any
towards the end of my ACL. Someone also mentioned I might need an allow ACL. I am still new to Cisco and was trying something I read about anti-spoofing techniques.
jeremydavila@...
22nd Feb 2008
My friend sent me this, but I'm not sure how to enable the logging. Can you tell me the command?
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip access-list ext ingress-antispoof
Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 224.0.0.0 31.255.255.255 any
Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# int s0/0
Router(config-if)#ip access-group ingress-antispoof in
jeremydavila@...
22nd Feb 2008
just add log to the end of your access-list statements
"deny ip 10.0.0.0 0.255.255.255 any log"
and so on..
DanKe
22nd Feb 2008
I'm sorry it took you so long to get the CORRECT answer here, but am glad you were able to get it going again.
As you now know, you had to have the allow all permit any line at the end of the ACL...
ATTENTION OUT THERE!!!
This is also true of the allow list, you must have the deny all at the end of the list or EVERYTHING will get through
larrie_jr@...
22nd Feb 2008
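To make the implicit-deny point from the first answer and the friend's corrected list concrete, here is an added example (not from any poster on this thread) that simulates Cisco first-match ACL evaluation, including wildcard-mask matching and the "log" keyword. It assumes source-only matching, since every entry on the page uses "any" as the destination, and the sample source addresses are constructed.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    network: str       # source network, e.g. "10.0.0.0"
    wildcard: str      # Cisco wildcard mask: a 1 bit means "don't care"
    log: bool = False  # the "log" keyword suggested in the thread

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr falls inside network/wildcard under Cisco wildcard semantics."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w) == 0   # every bit where the wildcard is 0 must be equal

def evaluate(acl, src_addr):
    """First matching entry wins; no match falls through to the implicit deny.
    Returns (action, index of matching entry or None, log message or None)."""
    for i, e in enumerate(acl):
        if wildcard_match(src_addr, e.network, e.wildcard):
            msg = f"list entry {i}: {e.action} ip {src_addr} -> any" if e.log else None
            return e.action, i, msg
    return "deny", None, None    # implicit deny: never shown in the running-config

# The poster's original access-list 111, with "log" added as DanKe suggested.
# There is no permit line, so every non-private source hits the implicit deny.
ORIGINAL_111 = [
    AclEntry("deny", "10.0.0.0", "0.255.255.255", log=True),
    AclEntry("deny", "127.0.0.0", "0.255.255.255", log=True),
    AclEntry("deny", "172.16.0.0", "0.15.255.255", log=True),
    AclEntry("deny", "192.168.0.0", "0.0.255.255", log=True),
]

# The friend's ingress-antispoof list: the same idea, ending in "permit ip any any".
INGRESS_ANTISPOOF = [
    AclEntry("deny", "10.0.0.0", "0.255.255.255"),
    AclEntry("deny", "172.16.0.0", "0.15.255.255"),
    AclEntry("deny", "192.168.0.0", "0.0.255.255"),
    AclEntry("deny", "127.0.0.0", "0.255.255.255"),
    AclEntry("deny", "224.0.0.0", "31.255.255.255"),
    AclEntry("deny", "169.254.0.0", "0.0.255.255"),
    AclEntry("permit", "0.0.0.0", "255.255.255.255"),   # permit ip any any
]

if __name__ == "__main__":
    for src in ("8.8.8.8", "10.5.5.5", "172.31.4.4"):   # constructed sample sources
        print(src, "original:", evaluate(ORIGINAL_111, src), "antispoof:", evaluate(INGRESS_ANTISPOOF, src))
```

Run as-is it shows a reply from a public address being dropped by the original list with no entry matched (the implicit deny), while the corrected list permits it at the final entry and still drops spoofed private sources at the entry that logs them.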