Cisco ACLs

jeremydavila
I applied the following ACL to my router's serial interface (inbound). When I did this, we could not get onto the web, email, etc. Our internal LAN is 10.1.1.0/24 and our DMZ is 192.168.20.0/24. Am I missing something?

access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
CG IT

Hmm, lemme think... deny any means allow some???

DanKe

Deny any means deny any matches.
Anything else is allowed, unless there is an explicit "deny all if no matches found" at the end of your ACL.


Your logic just threw my brain for a loop.

CG IT

There is an implicit deny at the end of any ACL, so unless specifically allowed, traffic is denied.

This guy put in an ACL denying a range of addresses, including the loopback address, and with the implicit deny at the end of the ACL, all traffic that is within that range will be denied access.

DanKe

I just slapped together a 2600XM and you were right :)
Man... it's been a couple of years.


So you are saying he should put an explicit permit all at the end of the ACL, correct?
So anything that isn't denied (non-private network addresses) is allowed through.


no

CG IT

Anything that isn't allowed is denied. That's how Cisco ACLs work. There is an implicit deny statement [hidden] on all Cisco ACL lists, so that unless you specify allow, the last rule processed is deny [deny both inbound and outbound]. Note: this is particular to ACLs, so if you don't use ACLs then there isn't a deny rule invoked.

DanKe

If you add an explicit "permit foobar any any" to the end of the ACL, then anything that isn't denied is permitted.
Right?

Read my reply before this again...

CG IT

If you put in the wildcard permit any any, that permits any and all.

Traffic is compared to the ACL and rules are processed. If there is no rule allowing it, then the implicit deny takes effect.

DanKe

I'm guessing you are denying private IPs from accessing your LAN/DMZ.

Are you sure you are applying it to the correct interface?

If you are sure, then add "log" to the end of those ACL entries and you will find your problem.
Post them back here if you can't figure it out.

Good luck!

jeremydavila

I think I forgot to add "permit ip any any"
towards the end of my ACL... Someone also mentioned I might need an allow ACL. I am still new to Cisco and was trying something I read about anti-spoofing techniques.

jeremydavila

My friend sent me this... but I'm not sure how to enable the logging. Can you tell me the command?

Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip access-list ext ingress-antispoof
Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 224.0.0.0 31.255.255.255 any
Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# int s0/0
Router(config-if)#ip access-group ingress-antispoof in

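Here is an added example (not from the thread, and not Cisco's code) that walks through what the replies above describe: first match wins, and anything that matches no entry hits the implicit deny at the end. It parses both the numbered form from the original question and the named form from the friend's config, then runs the same constructed packets through the original four-line list and the corrected ingress-antispoof list with log added. The outside address 203.0.113.10, the inside host 10.1.1.25 and the other packet addresses are made up for the example; only the ip protocol and address matching are modelled, not ports or TCP flags.

```python
# Added example: a toy first-match evaluator for Cisco IOS extended ACL
# semantics.  Not Cisco code and not from the thread; it models only "ip"
# entries with source/destination as any, host A.B.C.D, or A.B.C.D wildcard.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple, Union

ANY = "any"
AddrSpec = Union[str, Tuple[int, int]]  # ANY, or (address, wildcard) as ints

@dataclass(frozen=True)
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # only "ip" is modelled
    src: AddrSpec
    dst: AddrSpec
    log: bool          # trailing "log" keyword present

@dataclass(frozen=True)
class Verdict:
    action: str
    index: Optional[int]   # position of the matching entry; None = implicit deny
    logged: bool

def _take_addr(tokens: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == ANY:
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (int(IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1]))), tokens[2:]

def parse_ace(line: str) -> Ace:
    """Parse 'access-list 111 deny ip ... any' or the named form 'deny ip ...'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]              # drop 'access-list <number>'
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unrecognised action in {line!r}")
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    return Ace(action, proto, src, dst, log)

def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(ln) for ln in text.strip().splitlines() if ln.strip()]

def _match(spec: AddrSpec, ip: int) -> bool:
    if spec == ANY:
        return True
    addr, wild = spec
    # a 1 bit in the wildcard mask means "don't care"; every other bit must be equal
    return ((ip ^ addr) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl: List[Ace], src: str, dst: str) -> Verdict:
    """IOS semantics: first matching entry wins; no match falls to the implicit deny."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for i, ace in enumerate(acl):
        if _match(ace.src, s) and _match(ace.dst, d):
            return Verdict(ace.action, i, ace.log)
    return Verdict("deny", None, False)

# The four lines from the original question: nothing permits, so the implicit
# deny catches every packet they do not explicitly reject.
ORIGINAL_ACL = parse_acl("""
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
""")

# The friend's ingress-antispoof list, with "log" added as suggested in the thread.
FIXED_ACL = parse_acl("""
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
permit ip any any
""")

# Constructed packets as they would arrive inbound on the serial (Internet-facing) interface.
SAMPLE_PACKETS = [
    ("203.0.113.10", "10.1.1.25"),   # reply from an outside web server to an inside host
    ("10.1.1.99", "10.1.1.25"),      # spoofed: claims an inside source but arrives from outside
    ("169.254.7.7", "10.1.1.25"),    # link-local source, also bogus on a WAN link
]

if __name__ == "__main__":
    for src, dst in SAMPLE_PACKETS:
        before, after = evaluate(ORIGINAL_ACL, src, dst), evaluate(FIXED_ACL, src, dst)
        print(f"{src:>14} -> {dst:<10} original: {before}   fixed: {after}")
```

Run it and the first packet shows the problem in the question: a reply from an outside server matches none of the four denies, so the implicit deny drops it, which is why web and email stopped. With permit ip any any at the end, the same reply is permitted at entry 6, while the spoofed and link-local sources are still dropped by entries that now carry log. On a real router the log keyword only marks the entry; the messages go wherever the router's logging is sent (for instance logging buffered, viewed with show logging).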

log

DanKe

Just add log to the end of your access-list statements:

"deny ip 10.0.0.0 0.255.255.255 any log"
and so on...

larrie_jr

I'm sorry it took you so long to get the CORRECT answer here, but I am glad you were able to get it going again.
As you now know, you had to have the allow-all "permit any" line at the end of the ACL...
ATTENTION OUT THERE!!!
This is also true of the allow list: you must have the deny all at the end of the list or EVERYTHING will get through.