ACL's on Cisco routers (2600's) ...
20 years 5 months ago #4495
by Spitifre
ACL's on Cisco routers (2600's) ... was created by Spitifre
I am having a little trouble with the access control lists on Cisco 2600 series routers.
I have a basic understanding of them and how they operate, but when it comes to setting up an extended ACL I seem to have trouble with the keywords HOST and ANY.
Not sure when to use them and sometimes the ANY keyword is used twice in succession.
e.g. access-list 110 deny tcp 192.168.12.0 0.255.255.255 192.168.13.0 0.255.255.255
access-list 110 permit ip any any
Also, tcp was used in the deny ACL and ip used in the permit ACL.
A little confusing.
In some cases only a single ANY is used.
I would appreciate some assistance here, thank you.
(The above ACL is an actual ACL)
20 years 5 months ago #4517
by Neon
Replied by Neon on topic Re: ACL's on Cisco routers (2600's) ...
I’ll answer your simple question first. The reason why there are two any any is because on an Extended ACL you need both a source and a destination. However if you were using a Simple ACL you would only need to specify one ANY since Simple ACLs only require a source address.
I can also see a problem in your ACL
[code:1]access-list 110 deny tcp 192.168.12.0 0.255.255.255 192.168.13.0 0.255.255.255 <-- Look at the wildcards[/code:1]
What that line is doing is stopping all TCP traffic from network 192.0.0.0 reaching any other 192.0.0.0 network. To make it work the way I think you intended it to be you would need to have your wildcards set to 0.0.0.255. This makes sure that the first 3 octets of the addresses are checked. *Remember that a 0 in a wildcard means check the bit and a 1 means don’t check the bit.
To sum up your ACL would look like this:
[code:1]access-list 110 deny tcp 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 110 permit ip any any
[/code:1]
Don't forget to apply the ACL to an interface
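To make the wildcard rule concrete, here is a small Python model of Cisco extended-ACL matching (bit 0 in the wildcard must match, bit 1 is ignored, first match wins, implicit deny at the end). It is an added example written for this thread, not code from the forum or from Cisco; the parser handles only the `access-list N permit|deny proto src dst` form with `any`, `host X` and `X wildcard` address specs, and the two ACLs below are the poster's original and Neon's corrected version, constructed here as sample input.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' keyword: every bit is a don't-care

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match the base address, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def _addr_spec(tokens, i):
    """Consume one source/destination spec: 'any', 'host X', or 'X wildcard'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2   # host = exact match on all 32 bits
    return (tokens[i], tokens[i + 1]), i + 2

def parse_acl(text):
    """Parse lines like 'access-list 110 deny tcp 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255'."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _addr_spec(t, 4)
        dst, _ = _addr_spec(t, i)
        entries.append((action, proto, src, dst))
    return entries

def evaluate(entries, proto, src, dst):
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for action, eproto, (sb, sw), (db, dw) in entries:
        # 'ip' in an entry covers every protocol; otherwise the protocol must match exactly
        if eproto in ("ip", proto) and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# Constructed sample input: the poster's original ACL and the corrected wildcards.
ORIGINAL = """
access-list 110 deny tcp 192.168.12.0 0.255.255.255 192.168.13.0 0.255.255.255
access-list 110 permit ip any any
"""
CORRECTED = ORIGINAL.replace("0.255.255.255", "0.0.0.255")

if __name__ == "__main__":
    # TCP between two unrelated 192.x.x.x subnets: blocked by the wide wildcard, allowed once fixed
    print(evaluate(parse_acl(ORIGINAL), "tcp", "192.168.50.5", "192.168.60.5"))   # deny
    print(evaluate(parse_acl(CORRECTED), "tcp", "192.168.50.5", "192.168.60.5"))  # permit
```

Running it shows why the 0.255.255.255 mask over-matches: only the first octet is compared, so every 192.x.x.x to 192.x.x.x TCP flow is dropped, whereas 0.0.0.255 limits the deny to the two intended /24s and the `permit ip any any` line still lets UDP and other protocols between them through.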