Cisco ACL's

By jeremydavila
I applied the following ACL to my router's serial interface (inbound). When I did this we could not get onto the web, email, etc. Our internal LAN is 10.1.1.0/24 and our DMZ is 192.168.20.0/24. Am I missing something?

access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any

All Answers

are you kidding?

by CG IT In reply to Cisco ACL's

Hmm, lemme think... deny any means allow some???

huh?

by DanKe In reply to are you kidding?

Deny any means deny any matches.
Anything else is allowed, unless there is an explicit "deny all if no matches found" at the end of your ACL.

Your logic just threw my brain for a loop.

not true with Cisco

by CG IT In reply to huh?

There is an implicit deny at the end of any ACL, so unless specifically allowed, traffic is denied.

This guy put in an ACL deny for a range of addresses, including the loopback address, and with the implicit deny at the end of the ACL all traffic within that range will be denied access.

lesson learned

by DanKe In reply to not true with Cisco

I just slapped together a 2600XM and you were right :)
Man.. it's been a couple of years.

So you are saying he should put an explicit permit all at the end of the ACL, correct?
So anything that isn't denied (non-private network addresses) is allowed through.

no

by CG IT In reply to lesson learned

Anything that isn't allowed is denied. That's how Cisco ACLs work. There is an implicit deny statement [hidden] on all Cisco ACLs, so unless you specify allow, the last rule processed is deny [deny both inbound and outbound]. Note: this is particular to ACLs, so if you don't use ACLs then there isn't a deny rule invoked.

but...

by DanKe In reply to no

If you add an explicit "permit foobar any any" to the end of the ACL, then anything that isn't denied is permitted.
Right?

Read my reply before this again..

well technically yes

by CG IT In reply to but...

If you put in the wildcard "permit any any", which permits any and all.

Traffic is compared to the ACL and the rules are processed. If there is no rule allowing it, then the implicit deny takes effect.

a little bit

by DanKe In reply to Cisco ACL's

I'm guessing you are denying private IPs from accessing your LAN/DMZ.

Are you sure you are applying it to the correct interface?

If you are sure, then add "log" to the end of those ACL entries and you will find your problem.
Post them back here if you can't figure it out.

Good luck!

more cisco ACL

by jeremydavila In reply to a little bit

I think I forgot to add "permit ip any any"
towards the end of my ACL.... Someone also mentioned I might need an allow ACL. I am still new to Cisco and was trying something I read about anti-spoofing techniques.

I think this is it......

by jeremydavila In reply to a little bit

My friend sent me this..... But I'm not sure how to enable the logging. Can you tell me the command?

Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip access-list ext ingress-antispoof
Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 224.0.0.0 31.255.255.255 any
Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# int s0/0
Router(config-if)# ip access-group ingress-antispoof in
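The thread's two points, first-match evaluation with a hidden implicit deny and the anti-spoof list above, as an added worked example that is not code from the thread, from Cisco, or from the friend's config: a small Python model of IOS extended-ACL evaluation. It parses the ACL lines as written in this thread (numbered or named form, wildcard masks, `any`, `host`), evaluates constructed packets against them, and shows why the four-line list in the question blocked every reply from the Internet while the list ending in `permit ip any any` lets those replies through and still drops packets whose source claims to be a private, loopback, multicast or link-local address. The `log` keyword on the deny entries is the one DanKe suggests; the packet addresses (203.0.113.10, 10.1.1.25 and the spoofed sources) are constructed test values, not from the page.

```python
"""Model of Cisco IOS extended-ACL evaluation: first match wins, the wildcard
mask chooses which address bits matter, and a packet that matches no entry hits
the implicit deny. Added example; not code from the thread or from Cisco."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-control entry. Wildcard bits set to 1 are 'don't care' bits."""
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    log: bool = False    # the IOS "log" keyword on an entry


def _ip2int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1          # all bits are don't-care
    if tokens[i] == "host":
        return _ip2int(tokens[i + 1]), 0, i + 2   # every bit must match
    return _ip2int(tokens[i]), _ip2int(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Accept numbered lines ('access-list 111 deny ...') and named-ACL body lines."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":      # drop the "access-list <number>" prefix
            tokens = tokens[2:]
        if tokens[0] not in ("permit", "deny"):
            raise ValueError(f"unrecognised ACL line: {line!r}")
        action, proto = tokens[0], tokens[1]
        src_net, src_wild, i = _parse_addr(tokens, 2)
        dst_net, dst_wild, i = _parse_addr(tokens, i)
        aces.append(Ace(action, proto, src_net, src_wild, dst_net, dst_wild,
                        log="log" in tokens[i:]))
    return aces


def _matches(addr: int, net: int, wild: int) -> bool:
    """Compare only the bits the wildcard mask cares about (mask bit == 0)."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(aces: List[Ace], src: str, dst: str,
             proto: str = "ip") -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching entry).
    (deny, None) means no entry matched: the implicit deny at the end of the list."""
    s, d = _ip2int(src), _ip2int(dst)
    for idx, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if _matches(s, ace.src_net, ace.src_wild) and _matches(d, ace.dst_net, ace.dst_wild):
            return ace.action, idx
    return "deny", None


# The four-line list from the question: nothing permits, so everything is denied.
ORIGINAL_ACL = """
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
"""

# The ingress-antispoof body from the last post, with "log" added to the deny entries.
ANTISPOOF_ACL = """
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
permit ip any any
"""

# Constructed packets as seen inbound on the serial (WAN) interface.
PACKETS = [
    ("203.0.113.10", "10.1.1.25"),   # reply from a public web server to a LAN host
    ("10.9.9.9", "10.1.1.25"),       # source spoofed as RFC 1918 space
    ("192.168.20.5", "10.1.1.25"),   # source spoofed as the DMZ range, arriving from the WAN
    ("239.1.1.1", "10.1.1.25"),      # multicast source address, never valid
]

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACL), ("antispoof", ANTISPOOF_ACL)):
        aces = parse_acl(text)
        for src, dst in PACKETS:
            action, idx = evaluate(aces, src, dst)
            where = "implicit deny" if idx is None else f"entry {idx}"
            print(f"{name:10} {src:>14} -> {dst:<10} {action:6} ({where})")
```

Running it prints the original list denying all four packets by the implicit deny, including the legitimate web reply, which is exactly the symptom in the question. With the anti-spoof list the web reply reaches `permit ip any any` (entry 6) and the three spoofed packets stop at the deny entry for their range. Because the list is applied with `ip access-group ... in` on the serial interface, only packets arriving from the WAN are checked, so the LAN's own 10.1.1.0/24 traffic leaving through that interface is never matched by the deny for 10.0.0.0/8.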
