Question

  • #2243647

    Cisco ACL’s


    by jeremydavila ·

    I applied the following ACL to my router's serial interface (inbound). When I did this we could not get onto the web, email, etc. Our internal LAN is 10.1.1.0/24 and our DMZ is 192.168.20.0/24. Am I missing something?

    access-list 111 deny ip 10.0.0.0 0.255.255.255 any
    access-list 111 deny ip 127.0.0.0 0.255.255.255 any
    access-list 111 deny ip 172.16.0.0 0.15.255.255 any
    access-list 111 deny ip 192.168.0.0 0.0.255.255 any

All Answers

    • #2656985

      Clarifications

      by jeremydavila ·

      In reply to Cisco ACL’s

      Clarifications

    • #2656978

      are you kidding?

      by cg it ·

      In reply to Cisco ACL’s

      Hmm, lemme think ... deny any means allow some???

      • #2656966

        huh?

        by danke ·

        In reply to are you kidding?

        "deny any" means deny any matches.
        Anything else is allowed, unless there is an explicit "deny all if no matches found" at the end of your ACL.

        Your logic just threw my brain for a loop.

        • #2656949

          not true with Cisco

          by cg it ·

          In reply to huh?

          There is an implicit deny at the end of any ACL, so unless specifically allowed, traffic is denied.

          This guy put in an ACL deny for a range of addresses including the loopback address, and with the implicit deny at the end of the ACL all traffic will be denied access that is within that range.

        • #2656890

          lesson learned

          by danke ·

          In reply to not true with Cisco

          I just slapped together a 2600XM and you were right 🙂
          Man... it's been a couple of years.

          So you are saying he should put an explicit permit all at the end of the ACL, correct?
          So anything that isn't denied (non-private network addresses) is allowed through.

        • #2656869

          no

          by cg it ·

          In reply to lesson learned

          Anything that isn't allowed is denied. That's how Cisco ACLs work. There is an implicit deny statement [hidden] on all Cisco ACLs, so unless you specify allow, the last rule processed is deny [both inbound and outbound]. Note: this is particular to ACLs, so if you don't use ACLs then there isn't a deny rule invoked.

        • #2656854

          but…

          by danke ·

          In reply to no

          If you add an explicit "permit foobar any any" to the end of the ACL, then anything that isn't denied is permitted.
          Right?

          Read my reply before this again.

        • #2656851

          well technically yes

          by cg it ·

          In reply to but…

          If you put in the wildcard "permit any any", which permits any and all.

          Traffic is compared to the ACL and rules are processed. If there is no rule allowing it, then the implicit deny takes effect.

    • #2656972

      a little bit

      by danke ·

      In reply to Cisco ACL’s

      I'm guessing you are denying private IPs from accessing your LAN/DMZ.

      Are you sure you are applying it to the correct interface?

      If you are sure, then add "log" to the end of those ACL entries and you will find your problem.
      Post them back here if you can't figure it out.

      good luck!

      • #2656929

        more cisco ACL

        by jeremydavila ·

        In reply to a little bit

        I think I forgot to add "permit ip any any"
        towards the end of my ACL... someone also mentioned I might need an allow ACL. I am still new to Cisco and was trying something I read about anti-spoofing techniques.

      • #2656887

        I think this it……

        by jeremydavila ·

        In reply to a little bit

        My friend sent me this... but I'm not sure how to enable the logging. Can you tell me the command?

        Router# conf t
        Enter configuration commands, one per line. End with CNTL/Z.
        Router(config)# ip access-list ext ingress-antispoof
        Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
        Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
        Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
        Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any
        Router(config-ext-nacl)# deny ip 224.0.0.0 31.255.255.255 any
        Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any
        Router(config-ext-nacl)# permit ip any any
        Router(config-ext-nacl)# exit
        Router(config)# int s0/0
        Router(config-if)# ip access-group ingress-antispoof in

        • #2656853

          log

          by danke ·

          In reply to I think this it……

          Just add "log" to the end of your access-list statements:

          "deny ip 10.0.0.0 0.255.255.255 any log"
          and so on.

        • #2656793

          Permit or allow…

          by larrie_jr ·

          In reply to I think this it……

          I'm sorry it took you so long to get the CORRECT answer here, but I am glad you were able to get it going again.
          As you now know, you had to have the "permit ip any any" line at the end of the ACL...
          ATTENTION OUT THERE!!!
          This is also true of the allow list: you must have the deny all at the end of the list or EVERYTHING will get through.
