ACL problem - allow subnet - block all else

Having trouble with my access list - this should be simple but my brain is fried and can't get it to work so I need to start from scratch.

I need to block all traffic to a certain host inside my network (ex: 5.6.7.254) except for 1 outside subnet (ex: 1.2.3.0) that should have access.

This isn't doing the trick:

access-list 102 permit udp 1.2.3.0 0.0.0.255 host 5.6.7.254 eq syslog
access-list 102 permit tcp 1.2.3.0 0.0.0.255 host 5.6.7.254 eq syslog
access-list 102 deny udp 0.0.0.0 255.255.255.255 host 5.6.7.254 eq syslog
access-list 102 deny tcp 0.0.0.0 255.255.255.255 host 5.6.7.254 eq syslog
access-list 102 permit udp any any
access-list 102 permit ip any any

How should this really look?

Thanks in advance!

Jake

In article , Jake wrote:
:Having trouble with my access list - this should be simple but my brain is
:fried and can't get it to work so I need to start from scratch.

:I need to block all traffic to a certain host inside my network (ex:
:5.6.7.254) except for 1 outside subnet (ex: 1.2.3.0) that should have
:access.

:This isn't doing the trick:

:access-list 102 permit udp 1.2.3.0 0.0.0.255 host 5.6.7.254 eq syslog

If you are using NAT, then the 5.6.7.254 should be replaced by the outside (public) form of the IP. This ACL should be applied "in" the outside interface.

:access-list 102 permit tcp 1.2.3.0 0.0.0.255 host 5.6.7.254 eq syslog

Using the tcp form of syslog is fairly uncommon -- there's a lot of overhead to building those tcp connections. I would suggest not enabling the tcp form unless you are sure you need it.

:access-list 102 deny udp 0.0.0.0 255.255.255.255 host 5.6.7.254 eq syslog
:access-list 102 deny tcp 0.0.0.0 255.255.255.255 host 5.6.7.254 eq syslog

You said "block all traffic", not just to block syslog, so what you want is

access-list 102 deny ip any host 5.6.7.254

:access-list 102 permit udp any any
:access-list 102 permit ip any any

ip includes udp, so you don't need that second-last line.

Walter Roberson

Walter, given your suggestions, my ACL should be as simple as:

access-list 102 permit ip 1.2.3.0 0.0.0.255 host 5.6.7.254
access-list 102 deny ip any host 5.6.7.254
access-list 102 permit ip any any

Is this correct?

Thanks!

Jake

In article , Jake wrote:
:Given your suggestions, my acl should be as simple as:

:access-list 102 permit ip 1.2.3.0 0.0.0.255 host 5.6.7.254
:access-list 102 deny ip any host 5.6.7.254
:access-list 102 permit ip any any

:Is this correct?

Yes, provided that 5.6.7.254 is the public version of the IP; and provided that you don't mind that all traffic is allowed to 5.6.7.254 [whereas before you only allowed syslog].

Walter Roberson
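As an added illustration (not part of the thread), here is a small Python model of IOS first-match ACL evaluation run over both of Jake's lists; it shows why the original list only restricts syslog to 5.6.7.254 while the corrected one denies everything but 1.2.3.0/24. The mapping of the port name "syslog" to 514 is an assumption of the model.

```python
import ipaddress

# Constructed first-match evaluator for the Cisco extended ACL syntax used in this thread
# ("any", "host A.B.C.D", "A.B.C.D WILDCARD", "eq <port>"), ending in the implicit
# "deny ip any any" that every IOS ACL has. Assumption: "syslog" means port 514.
PORT_NAMES = {"syslog": 514}

def _parse_addr(tokens):
    """Pop one address spec; return (address, care_mask) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0                      # nothing to compare: matches every address
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # a wildcard bit of 1 means "don't care", so 0.0.0.0 255.255.255.255 equals "any"
    return int(ipaddress.IPv4Address(tok)), wildcard ^ 0xFFFFFFFF

def parse_ace(line):
    """'access-list N permit udp SRC DST [eq PORT]' -> (action, proto, src, dst, port)."""
    tokens = line.split()[2:]            # drop "access-list" and the list number
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    port = (PORT_NAMES.get(tokens[1]) or int(tokens[1])) if tokens[:1] == ["eq"] else None
    return action, proto, src, dst, port

def _matches(spec, ip):
    addr, care = spec
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """Walk the ACL top-down and return the first matching action, as the router does."""
    for action, p, src, dst, port in map(parse_ace, acl):
        if p in ("ip", proto) and _matches(src, src_ip) and _matches(dst, dst_ip) \
                and (port is None or port == dst_port):
            return action
    return "deny"                        # implicit deny at the end of every Cisco ACL

ORIGINAL_ACL = [  # Jake's first attempt: only syslog to 5.6.7.254 is restricted
    "access-list 102 permit udp 1.2.3.0 0.0.0.255 host 5.6.7.254 eq syslog",
    "access-list 102 permit tcp 1.2.3.0 0.0.0.255 host 5.6.7.254 eq syslog",
    "access-list 102 deny udp 0.0.0.0 255.255.255.255 host 5.6.7.254 eq syslog",
    "access-list 102 deny tcp 0.0.0.0 255.255.255.255 host 5.6.7.254 eq syslog",
    "access-list 102 permit udp any any",
    "access-list 102 permit ip any any",
]
FIXED_ACL = [  # the version agreed in the thread: 1.2.3.0/24 only, all else denied
    "access-list 102 permit ip 1.2.3.0 0.0.0.255 host 5.6.7.254",
    "access-list 102 deny ip any host 5.6.7.254",
    "access-list 102 permit ip any any",
]
```

Calling `evaluate(ORIGINAL_ACL, "tcp", "9.9.9.9", "5.6.7.254", 22)` returns "permit" (the hole Walter points out), while the same packet against `FIXED_ACL` returns "deny".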

That did it - Thanks Walter!

Jake
