IP encompasses all of TCP and UDP. When IP is the protocol specified in the access-list command, there are no port numbers specified. Examples:
permit ip any host 10.1.1.1
This permits any network traffic to 10.1.1.1 on any TCP or UDP port.
permit ip host 10.1.1.1 any
This permits any network traffic from 10.1.1.1 on any TCP or UDP port.
permit tcp any host 10.1.1.1 eq 53
This permits any network traffic to 10.1.1.1 TCP port 53, but not on any other destination port on that host.
permit udp any host 10.1.1.1 eq 53
This permits any network traffic to 10.1.1.1 UDP port 53, but not on any other destination port on that host.
deny tcp any host 10.1.1.1 eq 53
deny udp any host 10.1.1.1 eq 53
permit ip any host 10.1.1.1
deny ip any any*
This permits any network traffic to 10.1.1.1 except on TCP port 53 or UDP port 53, but it does not permit network traffic to any other hosts.
* As many of us have read, all access-lists end with an implicit deny, so this line does not change the access-list functionality. This last line is used to visually see, in a "show access-list" command, how many matches there have been to this access-list line.
Challenge: What access-list would allow the following with minimal lines? Inside network users in 192.168.0.0/24 and 192.168.1.0/24 want to be able to web browse out to the Internet (access-list is from the private network outbound to the Internet) for HTTP and HTTPS only. DNS is permitted outbound for both TCP and UDP to the ISP subnet at 10.20.0.0/16 from your inside DNS server at 192.168.1.4.
=========== Scott Perry ===========
Indianapolis, Indiana
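The following is an added example, not part of the post above: a small first-match evaluator for the subset of Cisco IOS extended ACL syntax the post uses (permit/deny, protocols ip/tcp/udp/icmp, addresses as `any`, `host A.B.C.D` or `A.B.C.D WILDCARD`, optional `eq PORT`). It is not the author's code and IOS itself does the real matching; it lets you check offline that the post's DNS-blocking list behaves as described, that the explicit `deny ip any any` only changes what `show access-list` counts, and it tests one possible answer to the challenge (my answer, not the author's, with the two /24s summarised as 192.168.0.0 wildcard 0.0.1.255). The traffic samples and the ACLs fed to it are constructed for the example.

```python
"""First-match evaluator for a subset of Cisco IOS extended ACL syntax.
Added example only; IOS does the real matching, this checks behaviour offline."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"www": 80, "domain": 53}   # the IOS port names this example understands
ANY = (0, 0xFFFFFFFF)                     # 'any' == network 0.0.0.0, wildcard 255.255.255.255
AddrSpec = Tuple[int, int]                # (network as int, wildcard mask as int)


@dataclass
class Ace:
    action: str
    proto: str
    src: AddrSpec
    src_port: Optional[int]
    dst: AddrSpec
    dst_port: Optional[int]
    text: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _take_addr(tok, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _take_port(tok, i):
    """Consume an optional 'eq PORT' (the post's examples use only eq)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text: str):
    """Parse one ACE per line in the order written; order is what first-match relies on."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _take_addr(tok, 2)
        sport, i = _take_port(tok, i)
        dst, i = _take_addr(tok, i)
        dport, i = _take_port(tok, i)
        acl.append(Ace(tok[0], tok[1], src, sport, dst, dport, line.strip()))
    return acl


def _addr_match(spec: AddrSpec, ip: str) -> bool:
    net, wild = spec                      # a set wildcard bit means "don't care"
    return (_ip(ip) | wild) == (net | wild)


def evaluate(acl, proto, src_ip, dst_ip, dst_port=None, src_port=None):
    """Return (action, index of the matching line). First match wins; when no line
    matches, the implicit deny applies and no line's counter moves (index None)."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:   # 'ip' covers every protocol
            continue
        if not (_addr_match(ace.src, src_ip) and _addr_match(ace.dst, dst_ip)):
            continue
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, idx
    return "deny", None


def hit_counts(acl, packets):
    """Per-line match counts, i.e. the numbers 'show access-list' would display."""
    counts = Counter()
    for pkt in packets:
        _, idx = evaluate(acl, *pkt)
        if idx is not None:
            counts[idx] += 1
    return {idx: counts[idx] for idx in range(len(acl))}


# The post's last example, including its explicit (and otherwise redundant) deny ip any any.
DNS_BLOCK_ACL = parse_acl("""
deny tcp any host 10.1.1.1 eq 53
deny udp any host 10.1.1.1 eq 53
permit ip any host 10.1.1.1
deny ip any any
""")

# One answer to the challenge (mine, not the author's): both /24s fit 192.168.0.0 0.0.1.255.
CHALLENGE_ACL = parse_acl("""
permit tcp 192.168.0.0 0.0.1.255 any eq 80
permit tcp 192.168.0.0 0.0.1.255 any eq 443
permit tcp host 192.168.1.4 10.20.0.0 0.0.255.255 eq 53
permit udp host 192.168.1.4 10.20.0.0 0.0.255.255 eq 53
""")

# Constructed outbound traffic: (protocol, source, destination, destination port).
SAMPLE_TRAFFIC = [
    ("tcp", "192.168.0.5", "203.0.113.10", 80),     # web browsing, permitted
    ("tcp", "192.168.1.200", "203.0.113.10", 443),  # HTTPS, permitted
    ("tcp", "192.168.1.4", "10.20.5.5", 53),        # inside DNS server to ISP resolver
    ("udp", "192.168.1.4", "10.20.5.5", 53),
    ("udp", "192.168.0.5", "10.20.5.5", 53),        # workstation doing its own DNS: implicit deny
    ("tcp", "192.168.1.4", "203.0.113.53", 53),     # DNS to a non-ISP resolver: implicit deny
    ("tcp", "192.168.2.9", "203.0.113.10", 80),     # outside both /24s: implicit deny
]

if __name__ == "__main__":
    for idx, n in hit_counts(CHALLENGE_ACL, SAMPLE_TRAFFIC).items():
        print(f"{CHALLENGE_ACL[idx].text}  ({n} matches)")
```

Running it shows each challenge line matching exactly once for the permitted flows, while the three denied flows hit no line at all; that is exactly why the post's author appends an explicit `deny ip any any`: with it, the denied traffic shows up as matches on that last line in `show access-list` instead of disappearing into the implicit deny.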