Solved

Correct access list

Posted on 2006-04-05
Last Modified: 2013-11-29
We were told that we should apply this to our current access list on the e0 interface of the edge router.  I’m thinking we already have this covered with the current ACL.  Could someone explain what the difference is between the two?
Access-list 100 permit tcp any any established
Access-list 100 permit udp host [external DNS] any eq domain
Access-list 100 permit udp host [external DNS] any gt 1023
Access-list 100 permit tcp [internal network] [mask] any eq ftp-data
Access-list 100 permit tcp [internal network] [mask] any eq ftp
Access-list 100 permit tcp [internal network] [mask] any eq http
Access-list 100 deny any any

Current ACL
Access-list 100 permit ip [internal network] [mask] any
Access-list 100 deny ip any any log
Question by:Jelonet
6 Comments
 
LVL 2

Expert Comment

by:mattacuk
ID: 16383584
Well, with your current ACL you are allowing ALL IP traffic from your internal subnetwork to any destination, and that includes any upper-layer packets such as TCP or UDP etc. The suggested ACL is permitting only DNS, FTP, and Web traffic and nothing else. I am assuming E0 is an internal interface for your subnet and not a WAN interface? Is this ACL applied inbound on E0?

thanks
Matt
LVL 2

Expert Comment

by:mattacuk
ID: 16383835
So in answer to your question, if you added those lines to the existing ACL after:

Access-list 100 permit ip [internal network] [mask] any

You would NOT be gaining anything.


Author Comment

by:Jelonet
ID: 16384724
It is applied to E0 in.  What benefit would we gain by adding it before or after?  I guess that's what I'm not understanding. Also, the new ACL does have permit tcp any any established.  So, if I take off Access-list 100 permit ip [internal network] [mask] any and add the new one, would it make any difference?
LVL 2

Accepted Solution

by:
mattacuk earned 1000 total points
ID: 16385021
IP packets are matched against the ACL by the router IOS from the top downwards until a match is found. If you were to send any kind of traffic, be that WWW (web), SMTP, anything at all, this line would permit it:

Access-list 100 permit ip [internal network] [mask] any - this line on its own is allowing everything to flow

And so if you were to add the new lines after that existing line they would be useless, because the match is always made on the top line:

Access-list 100 permit ip [internal network] [mask] any
Access-list 100 permit tcp any any established
Access-list 100 permit udp host [external DNS] any eq domain
Access-list 100 permit udp host [external DNS] any gt 1023
Access-list 100 permit tcp [internal network] [mask] any eq ftp-data
Access-list 100 permit tcp [internal network] [mask] any eq ftp
Access-list 100 permit tcp [internal network] [mask] any eq http
Access-list 100 deny any any

If you were to completely remove your existing ACL and use the suggested one:

Access-list 100 permit tcp any any established
Access-list 100 permit udp host [external DNS] any eq domain
Access-list 100 permit udp host [external DNS] any gt 1023
Access-list 100 permit tcp [internal network] [mask] any eq ftp-data
Access-list 100 permit tcp [internal network] [mask] any eq ftp
Access-list 100 permit tcp [internal network] [mask] any eq http
Access-list 100 deny any any

You are RESTRICTING yourself to ONLY the types of traffic specified in the ACL on a granular basis.  And so by using the new one you are tightening up security and specifying only what you need to flow in and out of your network. It is acting as a firewall of sorts. If you decide to remove the existing ACL and use the new one, ensure this includes all the traffic you need to flow in and out. I assume the person who made this recommendation knows exactly what you need to be permitted?
In answer to your question, the new one would make a difference because it is more secure. But I again stress you need to make sure you need more than www, DNS and ftp traffic to flow inbound on E0.
 
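The first-match behaviour described in the accepted solution, as an added simulation (not code from the original thread or from Cisco IOS). The addresses for [internal network], [external DNS] and the sample packets are constructed stand-ins for the bracketed placeholders on the page; the rules mirror the two ACLs quoted above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the bracketed placeholders on the page.
INTERNAL = ip_network("192.168.1.0/24")    # [internal network] [mask]
EXT_DNS = ip_network("198.51.100.53/32")   # host [external DNS]
ANY = ip_network("0.0.0.0/0")

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" also matches tcp and udp
    src: object
    dst: object
    dport: tuple = None         # ("eq", 21), ("gt", 1023) or None
    established: bool = False   # the "established" keyword: ACK or RST set

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack: bool = False           # True for replies in an existing TCP session

def port_ok(spec, port):
    if spec is None:
        return True
    op, n = spec
    return port == n if op == "eq" else port > n

def matches(r, p):
    return ((r.proto == "ip" or r.proto == p.proto)
            and ip_address(p.src) in r.src and ip_address(p.dst) in r.dst
            and port_ok(r.dport, p.dport) and (not r.established or p.ack))

def evaluate(acl, pkt):
    """First match wins, top down; unmatched traffic hits the implicit deny."""
    for i, r in enumerate(acl):
        if matches(r, pkt):
            return r.action, i
    return "deny", len(acl)

SUGGESTED = [
    Rule("permit", "tcp", ANY, ANY, established=True),
    Rule("permit", "udp", EXT_DNS, ANY, ("eq", 53)),
    Rule("permit", "udp", EXT_DNS, ANY, ("gt", 1023)),
    Rule("permit", "tcp", INTERNAL, ANY, ("eq", 20)),   # ftp-data
    Rule("permit", "tcp", INTERNAL, ANY, ("eq", 21)),   # ftp
    Rule("permit", "tcp", INTERNAL, ANY, ("eq", 80)),   # http
    Rule("deny", "ip", ANY, ANY),
]
COMBINED = [Rule("permit", "ip", INTERNAL, ANY)] + SUGGESTED  # existing line kept on top
SMTP = Packet("tcp", "192.168.1.10", "203.0.113.25", 25)      # constructed samples
WEB = Packet("tcp", "192.168.1.10", "203.0.113.80", 80)
```

With the existing permit-ip line on top, every packet from the internal network is decided by rule 0 and the added lines never fire; with the suggested ACL alone, SMTP from inside falls through to the final deny while HTTP is matched by its own line.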

Author Comment

by:Jelonet
ID: 16385879
Thank you.  That clears it up a bit for me.
LVL 2

Expert Comment

by:mattacuk
ID: 16386101
You're welcome. I would keep it as it is if you are unsure. You might want to read up on ACLs for future use! :-)
