quick ACL question

I had a written test on this; it wasn't for CCNA but was in a revision exam for the CCNA.

anyway

I was told to block all IP traffic to the internet from a network and explain how this could be done. I typed the following ACLs; I have just listed the deny parts of the list I wrote.

access-list 100 deny ip 192.168.0.1 any any eq 80

would that work?

I also wrote this one as another example

access-list 100 deny ip 192.168.0.1 0.0.0.0 eq 80 //denying the default route?

and finally this one

access-list 100 deny ip 192.168.0.1 172.16.0.1 eq 80 //deny access from 192.168.0.1 to 172.16.0.1 on port 80

I forgot subnet masks/wildcard masks. Does this matter, or will the router automatically assign a default where the subnet/wildcard is not assigned? I was just curious.

TIA

Christo

Chris,

The router needs wildcard masks to know which part of the address to check. It will just say "incomplete command".

Another thing: you have to start your list like access-list 100 deny tcp ... Only the tcp and udp protocols use port numbers in their communications, so you have to specify tcp or udp if you want the access list to check the port number (telnet, http, tftp, etc.). ip (layer 3) doesn't use port numbers, just source/destination addresses. tcp/udp is layer 4... it's separate from ip, which is layer 3, and it keeps track of communications with source/destination PORTS. Alrighty then.

I'll give what I think your third list should look like: access-list 100 deny tcp 192.168.0.1 0.0.0.0 172.16.0.1 0.0.0.0 eq 80

hessaacd

The implicit deny all at the end will result in an ACL that blocks everything. Better to permit the allowed nets first by IP.

jw

Thanks, that was my fear. I suppose maybe I will get some marks from the question... I had to explain the difference between extended ACL and standard ACL, and where to place them. I know I got this correct, but really wasn't sure about the lists I wrote. Oh well.

Christo

How about this?

access-list 100 deny tcp 192.168.0.1 0.0.0.0 any any eq 80

Deny access from 192.168.0.1 0.0.0.0 to any network with any wildcard on port 80.

If I just didn't put in a wildcard, would it not assume it was a host, or would that be

access-list 100 deny tcp host 192.168.0.1 any any eq 80?

I bet even the pros have to do it in notepad due to small mistakes like these, hehe.

TIA

Christo


I don't have a router to check these on, but I did in the past. So I can't be sure of this stuff. The more I think, the more I realize I have to get a router NOW.

You have an extra "any" in those access lists. When you say "any" it means any destination. Therefore you don't have to say "any network" and "any wildcard". One "any" refers to both the network number and the wildcard mask. When you think about it, it only makes sense. To prove it, I'll try to disprove it. I won't write it out, but "any any" in your example does, in theory, make sense. It just means "anything, I don't care about network or wildcard". But "any 0.0.0.255" means "I don't care about network, but only check the first 3 bytes". That really makes no sense. That's what I love about Cisco commands: they make some sense. Only one "any" covers both network and wildcard. Take for example the command access-list 100 permit any any

Any source, any destination. People put it at the end of their ACLs to counteract the implicit "deny any any".

Easy fix. Other than that, I think the syntax is correct. Of course I might be wrong, which would be funny. Again, no router.

Alan


"access-list 100 deny tcp 192.168.0.1 0.0.0.0 any any eq 80" is incorrect. "any" means any address, or "0.0.0.0 255.255.255.255", that is, whatever address with an all-ones mask. "any wildcard" doesn't make sense. What wildcard would the router apply?

So to deny traffic from 192.168.0.1 to any destination for port 80 is coded:

access-list 100 deny tcp 192.168.0.1 0.0.0.0 any eq 80

or

access-list 100 deny tcp host 192.168.0.1 any eq 80

Bernard.



How about

access-list 1 deny x.x.x.x y.y.y.y
access-list 1 permit any

where x.x.x.x is the network address to be blocked and y.y.y.y is the subnet mask of that network. Apply this ACL to the O/G interface to the internet.

My reasoning for the above is that the question asks for Internet traffic from the network to be blocked. As Internet traffic is not just HTTP, it can't be assumed, so we would have to block all IP traffic. Without a network diagram the only place to apply this is the O/G interface to the Internet, and as such only a standard ACL is needed to block the source network range. Also remember the implicit deny on all ACLs and include a permit statement too.

Regards,

Toby


Also, just a side note: the question was vague on the type of traffic. HTTPS, SMTP, FTP, etc. all ride the internet (not just HTTP).

Use a standard access list and place it on the connection to the internet (going out... ip access-group XX out).


L00pBak
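As an added illustration (not code from this thread or from Cisco), here is a small Python model of how an IOS router evaluates the entries discussed above: wildcard-mask matching, the "host" and "any" shorthands, the rule that only tcp/udp entries can take an "eq" port, rejection of the extra "any" in "any any eq 80", and the implicit deny at the end of every list. It assumes every address in an entry is written with an explicit wildcard or with "host"/"any", and the sample ACLs are constructed for the thread's scenario of blocking a LAN from the internet.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # what the 'any' keyword expands to

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 0 bit must match, a 1 bit is don't-care (the inverse of a subnet mask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def take_spec(t, i):
    """Address spec at t[i]: 'any' | 'host A' | 'A WILDCARD' -> ((addr, wildcard), next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 >= len(t):
        raise ValueError("% Incomplete command.")  # address with no wildcard, as the router reports
    ipaddress.IPv4Address(t[i + 1])                 # wildcard must be a dotted quad (ValueError if not)
    return (t[i], t[i + 1]), i + 2

def parse_entry(line):
    """access-list N {permit|deny} [PROTO] SRC [DST [eq PORT]]: 1-99 standard, 100-199 extended."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("% Invalid input detected")
    entry = dict(action=t[2], proto="ip", dst=ANY, port=None)
    if int(t[1]) < 100:                             # standard ACL: source address only
        entry["src"], i = take_spec(t, 3)
    else:
        entry["proto"] = t[3]
        entry["src"], i = take_spec(t, 4)
        entry["dst"], i = take_spec(t, i)
        if i < len(t) and t[i] == "eq":             # ports exist only for tcp/udp, never for plain ip
            if entry["proto"] not in ("tcp", "udp"):
                raise ValueError("% Invalid input detected")
            entry["port"], i = int(t[i + 1]), i + 2
    if i != len(t):                                 # leftovers, e.g. the second 'any' in 'any any eq 80'
        raise ValueError("% Invalid input detected")
    return entry

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; unmatched traffic hits the implicit 'deny any' at the end."""
    for e in (parse_entry(l) for l in acl):
        if e["proto"] in ("ip", proto) and wildcard_match(src, *e["src"]) \
                and wildcard_match(dst, *e["dst"]) and e["port"] in (None, dport):
            return e["action"]
    return "deny"

# Constructed ACLs for the thread's scenario (not taken from a real device):
BLOCK_LAN = ["access-list 1 deny 192.168.0.0 0.0.0.255", "access-list 1 permit any"]
DENY_ONLY = ["access-list 1 deny 192.168.0.0 0.0.0.255"]  # permit forgotten: implicit deny drops everyone
HTTP_ONLY = ["access-list 100 deny tcp host 192.168.0.1 any eq 80", "access-list 100 permit ip any any"]
```

Running evaluate() over HTTP_ONLY with destination port 443 shows why a port-80 deny does not block "the internet": HTTPS still passes.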
