Access-lists ?

it_amaan
Hi,

This is my first post.
I need some details regarding access-lists, in particular the protocol parameter.
In some cases, for denying a host it is used as ip, while in other cases it is tcp/udp.
What must actually be used for denying a host and a network?

Also, see the lists below:

access-list 101 deny udp any any eq netbios-ns log
access-list 101 deny udp any any eq netbios-dgm log

Please explain the port numbers used here.
    Fregeus

    I'm sorry, but I don't understand the question. Can you rephrase?


    TCB

    CG IT

    which will deny any host.

    If you want to allow or deny specific traffic, then you use different parameters to allow or deny it, such as TCP or UDP and the types of TCP or UDP traffic.

    In your access-list statement, because you use eq [equals], traffic that equals your parameter netbios-ns (with log) means that only UDP traffic on port 137 will be denied.

    Your other deny statement is for NetBIOS datagrams over port 138.

    BUT!! There is an inherent deny statement at the end of access lists. That means that unless allowed, all traffic is denied. So if you invoke an access list, there is a deny statement at the end even if you don't manually put it in there. So when invoking an access-list, you have to create allow statements, or the inherent deny statement comes into play.

    This is the opposite of the behavior seen in consumer-level routers, where the inherent access-list statement is allow unless denied.

    Mohammad Oweis

    Very clear explanation, but one more addition:
    You can use IP instead of TCP or UDP to allow or deny all ports, like:
    access-list 101 permit ip any any
    You can put this line at the end of the ACL to allow all other IP traffic.
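The following is an added example, not code from the thread or from any IOS release: a small Python evaluator for the numbered extended ACL syntax used above. It parses the two deny lines from the question and the permit ip any any line from the last reply, plus two constructed lines showing how to deny a single host and a whole network with the ip keyword (the addresses 192.0.2.10 and 198.51.100.0 0.0.0.255 are assumptions, not from the page), and then applies the matching rules the replies describe: first matching line wins, ip matches every protocol while udp matches only UDP, eq compares one port (the port after the destination address is the destination port), and a packet that matches nothing falls through to the implicit deny at the end. The PORT_NAMES table covers the IOS port keywords on the page and a few common ones; demo() evaluates constructed packets against the list with and without the permit-all line.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS accepts well-known names for ports; these cover the page's netbios-ns
# and netbios-dgm plus a few common ones (subset, added for this example).
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139,
              "domain": 53, "www": 80}
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}

@dataclass
class Packet:
    proto: str               # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: tuple               # (address, wildcard mask) as ints
    dst: tuple
    sport: Optional[tuple]   # (op, lo, hi), or None = any port
    dport: Optional[tuple]
    log: bool
    text: str

def _addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])),
            int(ipaddress.IPv4Address(t[i + 1]))), i + 2

def _port(t, i):
    """Consume an optional 'eq|neq|gt|lt PORT' or 'range LO HI' starting at t[i]."""
    if i >= len(t) or t[i] not in PORT_OPS:
        return None, i
    lo = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    if t[i] == "range":
        return (t[i], lo, PORT_NAMES.get(t[i + 2]) or int(t[i + 2])), i + 3
    return (t[i], lo, lo), i + 2

def parse_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC [PORT] DST [PORT] [log]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line}")
    proto, has_ports = t[3], t[3] in ("tcp", "udp")   # ports only exist for tcp/udp
    src, i = _addr(t, 4)
    sport, i = _port(t, i) if has_ports else (None, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i) if has_ports else (None, i)
    return Entry(t[2], proto, src, dst, sport, dport, "log" in t[i:], line)

def _addr_match(spec, ip):
    addr, wild = spec
    # A 1 bit in the wildcard mask is "don't care"; every other bit must be equal.
    return (addr ^ int(ipaddress.IPv4Address(ip))) & ~wild & 0xFFFFFFFF == 0

def _port_match(spec, port):
    if spec is None:
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[op]

def evaluate(acl, pkt):
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for e in acl:
        if (e.proto in ("ip", pkt.proto) and _addr_match(e.src, pkt.src)
                and _addr_match(e.dst, pkt.dst) and _port_match(e.sport, pkt.sport)
                and _port_match(e.dport, pkt.dport)):
            return e.action, e.text
    return "deny", "implicit deny ip any any"

# The two lines from the question, two constructed 'ip' denies (one host, one
# /24 via wildcard mask; addresses are assumptions), and the permit-all line.
ACL_101 = [parse_entry(l) for l in (
    "access-list 101 deny udp any any eq netbios-ns log",
    "access-list 101 deny udp any any eq netbios-dgm log",
    "access-list 101 deny ip host 192.0.2.10 any",          # constructed
    "access-list 101 deny ip 198.51.100.0 0.0.0.255 any",   # constructed
    "access-list 101 permit ip any any",
)]

def demo():
    """Constructed packets against ACL_101, and against it minus the permit-all line."""
    pkts = {
        "nbns":  Packet("udp", "10.0.0.1", "10.0.0.2", 1024, 137),
        "nbdgm": Packet("udp", "10.0.0.1", "10.0.0.2", 1024, 138),
        "dns":   Packet("udp", "10.0.0.1", "10.0.0.2", 1024, 53),
        "host":  Packet("tcp", "192.0.2.10", "10.0.0.2", 40000, 443),
        "net":   Packet("icmp", "198.51.100.77", "10.0.0.2"),
    }
    return {k: (evaluate(ACL_101, p)[0], evaluate(ACL_101[:-1], p)[0])
            for k, p in pkts.items()}
```

demo() returns, per packet, the action with the permit-all line and without it: the NetBIOS name-service and datagram packets are denied either way, DNS is permitted only while the permit ip any any line is present, and the host and network denies written with ip catch TCP and ICMP alike, which is the point of using ip rather than tcp or udp when the intent is to block an address entirely.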
