Home page logo

nanog logo nanog mailing list archives

Re: Stupid Cisco ACL question
From: Dorn Hetzel <dorn () hetzel org>
Date: Thu, 21 Apr 2011 15:17:31 -0400

On Thu, Apr 21, 2011 at 3:13 PM, <up () 3 am> wrote:

Ok, I've done a lot of Cisco standard and extended ACLs, but I do not
understand why the following does not work the way I think it should.
Near the end of this extended named ACL, I have the following:

 permit tcp any eq 443 any

Don't you want:

permit tcp any any eq 443

Since you want the incoming traffic to have 443 as the destination port, not
the source?

 permit tcp any eq 80 any
 deny ip any host
 permit ip any any

This is applied to an inbound interface(s).  We want anybody outside to be
able to reach ports 80 and 443 of any host on our network, no matter what,
then block ALL other access to select hosts, such as, even ICMP.
However, as soon as I apply this rule to the interface, ports 80 and 443
of that host become unreachable.  A telnet to 443 gets "Connection
refused" until I tear out the deny ACL above.  I even tried adding udp for
both ports, to no avail.

I had always thought that these ACLs were processed in order, so that the
explicit permit statement, though limited to a specific protocol but for
all hosts, gets considered before the explicit deny statement for all IP
to a particular host.  What did I forget to consider?


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]