quick ACL question



I had a written test on this; it wasn't for the CCNA but was in a revision exam
for the CCNA.

anyway

I was told to block all IP traffic to the internet from a network and
explain how this could be done. I typed the following ACLs; I have just
listed the deny parts of the list I wrote.

access-list 100 deny ip 192.168.0.1 any any eq 80

would that work?

I also wrote this one as another example

access-list 100 deny ip 192.168.0.1 0.0.0.0 eq 80 //denying the default route?

and finally this one

access-list 100 deny ip 192.168.0.1 172.16.0.1 eq 80 //deny access from 192.168.0.1 to 172.16.0.1 on port 80

I forgot subnet masks/wildcard masks. Does this matter, or will the router
automatically assign a default where the subnet/wildcard is not assigned? I
was just curious.

TIA
--

--------------------------------------------------------------------
Chris White




Re: quick ACL question


Chris,

The router needs wildcard masks to know which part of the address
to check.  It will just say "incomplete command".

Another thing: you have to start your list like
access-list 100 deny tcp ...
Only tcp and udp protocols use port #s in their communications, so you
have to specify tcp or udp if you want the access list to check the
port number (telnet, http, tftp,etc).  ip (layer 3) doesn't use port
numbers, just source/destination addresses.  tcp/udp is layer 4...it's
separate from ip which is layer 3 and it keeps track of communications
with source/destination PORTS.   alrighty then.

I'll give what I think your third list should look like:
access-list 100 deny tcp 192.168.0.1 0.0.0.0 172.16.0.1 0.0.0.0 eq 80



Re: quick ACL question



Thanks, that was my fear. I suppose maybe I will get some marks from the
question... I had to explain the difference between extended ACL and
standard ACL, and where to place them. I know I got this correct, but really
wasn't sure about the lists I wrote. Oh well.




Re: quick ACL question



How about this?

access-list 100 deny tcp 192.168.0.1 0.0.0.0 any any eq 80

deny access from 192.168.0.1 0.0.0.0 to any network with any wildcard on
port 80

If I just didn't put in a wildcard, would it not assume it was a host, or
would that be

access-list 100 deny tcp host 192.168.0.1 any any eq 80?

I bet even the pros have to do it in Notepad due to small mistakes like these,
hehe.

TIA

Christo




Re: quick ACL question


I don't have a router to check these on, but I did in the past.  So I
can't be sure of this stuff.  The more I think, the more I realize I
have to get a router NOW.

You have an extra "any" in those access lists.  When you say "any" it
means any destination.  Therefore you don't have to say "any network"
and "any wildcard".  One "any" refers to both the network number and
the wildcard mask.
When you think about it, it only makes sense.  To prove it, I'll try to
disprove it.   I won't write it out, but "any any" in your example
does, in theory, make sense.  It just means "anything, I don't care
about network or wildcard".  But "any 0.0.0.255" means "I don't care
about network, but only check the first 3 bytes".  That really makes no
sense.  That's what I love about Cisco commands, they make some sense.
Only one "any" covers both network and wildcard.
Take for example, the command
access-list 100 permit any any

any source, any destination.  people put it at the end of their ACLs to
counteract the implicit "deny any any".

Easy fix.  Other than that, I think the syntax is correct.
Of course I might be wrong, which would be funny.  Again, no router.

Alan



Re: quick ACL question


"access-list 100 deny tcp 192.168.0.1 0.0.0.0 any any eq 80"
is incorrect.
"any" means any address, or "0.0.0.0 255.255.255.255", that is, whatever
address with an all-ones mask.
"any wildcard" doesn't make sense. What wildcard would the router apply?

So to deny traffic from 192.168.0.1 to any destination for port 80 is coded:

access-list 100 deny tcp 192.168.0.1 0.0.0.0 any eq 80
or
access-list 100 deny tcp host 192.168.0.1 any eq 80

Please refer to
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Bernard.





Re: quick ACL question


How about

access-list 1 deny x.x.x.x y.y.y.y
access-list 1 permit any

where x.x.x.x is the network address to be blocked and y.y.y.y is the subnet mask of
that network.
Apply this ACL to the O/G interface to the internet.

My reasoning for the above is that the question asks for Internet traffic
from the network to be blocked. As Internet traffic is not just HTTP, it
can't be assumed, so we would have to block all IP traffic. Without a network
diagram the only place to apply this is the o/g interface to the Internet,
and as such only a standard ACL is needed to block the source network range.
Also remember the implicit deny on all ACLs and include a permit statement
also.

regards

Toby





Re: quick ACL question


The implicit deny all at the end will result in an ACL that blocks
everything.
Better to permit the allowed nets first by IP.





Re: quick ACL question


Also, just a side note: the question was vague on the type of traffic.
HTTPS, SMTP, FTP, etc. all ride the internet (not just HTTP).

Use a standard access list and place it on the connection to the
internet (going out... ip access-group XX out).
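The rules the replies above spell out (a wildcard mask is mandatory, "any" is 0.0.0.0 255.255.255.255, "eq port" only exists for tcp/udp, a stray second "any" is rejected, first match wins and an unmatched packet hits the implicit deny) can be checked without a router. The following is an added example, not something posted in this thread or real IOS code: a small Python model of numbered-ACL parsing and matching. The error strings and the 1-99/100-199 split are the only IOS behaviour it imitates; everything else is constructed for illustration.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # "any" is 0.0.0.0 with an all-ones wildcard

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not check this bit'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a ^ n) & (~w & 0xFFFFFFFF) == 0

def take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'. Returns ((net, wc), rest)."""
    if tokens and tokens[0] == "any":
        return ANY, tokens[1:]
    if len(tokens) < 2:
        raise ValueError("% Incomplete command")          # what IOS says when the mask is missing
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    ipaddress.IPv4Address(tokens[0]); ipaddress.IPv4Address(tokens[1])  # 'any'/'eq' as a mask -> ValueError
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse one access-list entry; numbers 1-99 are standard (source only), 100-199 extended."""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2] not in ("permit", "deny"):
        raise ValueError("% Invalid input: " + line)
    ace = {"action": tok[2], "proto": "ip", "dst": ANY, "port": None}
    if int(tok[1]) <= 99:
        ace["src"], rest = take_addr(tok[3:])
    else:
        ace["proto"] = tok[3]
        ace["src"], rest = take_addr(tok[4:])
        ace["dst"], rest = take_addr(rest)
        if rest[:1] == ["eq"]:
            if ace["proto"] not in ("tcp", "udp") or len(rest) < 2:
                raise ValueError("% Invalid input: port numbers exist only for tcp/udp")
            ace["port"], rest = int(rest[1]), rest[2:]
    if rest:   # e.g. the second 'any' in '... any any eq 80'
        raise ValueError("% Invalid input: unexpected '%s'" % rest[0])
    return ace

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry decides; falling off the end hits the implicit 'deny any'."""
    for ace in map(parse_ace, acl):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"
```

Feeding it the thread's lines shows which ones a router would reject, and evaluating Toby's two-line standard ACL with and without the trailing `permit any` shows the implicit-deny point made in the replies.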







