benje02 asked:
Cisco ACL example to deny incoming SYN packets from outside network (Internet)
Below is an access list from a security book I am reading,
access-list 110 deny tcp any any established
access-list 110 permit tcp any any
interface s0
access-group 110 in (this is the Internet interface)
If I want to deny incoming tcp traffic other than for established sessions, should the access list be as follows?
access-list 110 permit tcp any any established
interface s0
access-group 110 in
It seems to me the first access list will deny the returning packets, and since an ACL will deny by default, why do I need the 'deny' at all in the first list?
Thanks,
Jerri
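To make the first-match and implicit-deny semantics concrete, here is an added Python model of how the two lists in the question classify an inbound SYN versus a returning SYN-ACK (example code written for this page, not from the book or the post; it assumes only TCP, 'any any' addresses, and the IOS rule that 'established' matches segments with the ACK or RST bit set).

```python
from dataclasses import dataclass
from typing import List

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits used by the 'established' check

@dataclass
class Entry:
    action: str        # "permit" or "deny"
    proto: str         # only "tcp" is modelled
    established: bool  # entry carries the 'established' keyword

@dataclass
class Packet:
    proto: str
    flags: int         # TCP flag bits of the inbound segment

def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list <n> <permit|deny> tcp any any [established]' (addresses not modelled)."""
    entries = []
    for line in lines:
        p = line.split()
        if len(p) < 6 or p[0] != "access-list" or p[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported entry: {line}")
        entries.append(Entry(p[2], p[3], "established" in p[6:]))
    return entries

def matches(entry: Entry, pkt: Packet) -> bool:
    # 'established' matches only segments with ACK or RST set, i.e. replies
    # to a session already opened from inside; a bare SYN has neither bit.
    if entry.proto != pkt.proto:
        return False
    return not entry.established or bool(pkt.flags & (ACK | RST))

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"  # the implicit 'deny any' that ends every Cisco ACL

# The two lists from the question, applied inbound on the Internet interface
BOOK_ACL = parse_acl(["access-list 110 deny tcp any any established",
                      "access-list 110 permit tcp any any"])
PROPOSED_ACL = parse_acl(["access-list 110 permit tcp any any established"])

# Constructed sample segments: a new connection attempt arriving from the
# Internet, and the SYN-ACK reply to a session an inside host opened
INBOUND_SYN = Packet("tcp", SYN)
RETURN_SYN_ACK = Packet("tcp", SYN | ACK)
```

Running evaluate() over both lists shows the book's list permitting the inbound SYN while dropping the SYN-ACK reply, and the proposed single-entry list doing the reverse, with the implicit deny handling the SYN.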