Jelonet asked:

Correct access list
We were told that we should apply this to our current access list on the e0 interface of the edge router.  I’m thinking we already have this covered with the current ACL.  Could someone explain what the difference is between the two?
Access-list 100 permit tcp any any established
Access-list 100 permit udp host [external DNS] any eq domain
Access-list 100 permit udp host [external DNS] any gt 1023
Access-list 100 permit tcp [internal network] [mask] any eq ftp-data
Access-list 100 permit tcp [internal network] [mask] any eq ftp
Access-list 100 permit tcp [internal network] [mask] any eq http
Access-list 100 deny any any

Current ACL
Access-list 100 permit ip [internal network] [mask] any
Access-list 100 deny ip any any log
mattacuk:

Well, with your current ACL you are allowing ALL IP traffic from your internal subnetwork to any destination; that includes any upper-layer packets such as TCP or UDP, etc. The suggested ACL is permitting only DNS, FTP, and web traffic and nothing else. I am assuming E0 is the internal interface for your subnet and not a WAN interface? Is this ACL applied inbound on E0?

thanks
Matt
So in answer to your question, if you added those lines to the existing ACL after:

Access-list 100 permit ip [internal network] [mask] any

You would NOT be gaining anything.

Jelonet (asker):

It is applied to E0 in.  What benefit would we gain by adding it before or after?  I guess that's what I'm not understanding. Also, the new ACL does have permit tcp any any established.  So, if I take off Access-list 100 permit ip [internal network] [mask] any and add the new one, would it make any difference?
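The question of what the current list, the suggested list, and the current list with the suggested lines appended after it each do can be settled mechanically. The Python below is an added example, not code from this thread or from Cisco: it models IOS first-match processing of an extended ACL (entries are tried top to bottom, the first match decides, and an unmatched packet hits the implicit deny at the end) and runs the three lists over a few constructed packets entering E0 from the inside. It assumes 10.0.0.0/24 for [internal network] [mask] and 192.0.2.53 for [external DNS]; every address, port and packet in it is made up for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

INTERNAL = ipaddress.ip_network("10.0.0.0/24")        # assumed [internal network] [mask]
EXTERNAL_DNS = ipaddress.ip_network("192.0.2.53/32")  # assumed [external DNS]; 'host X' is X/32
ANY = None                                            # the 'any' keyword

# IOS port keywords that appear in the post
PORTS = {"domain": 53, "ftp-data": 20, "ftp": 21, "http": 80}


def eq(port) -> Callable[[int], bool]:
    """'eq <port>' operator; accepts a keyword or a number."""
    port = PORTS.get(port, port)
    return lambda p: p == port


def gt(port) -> Callable[[int], bool]:
    """'gt <port>' operator."""
    port = PORTS.get(port, port)
    return lambda p: p > port


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0              # destination port (0 for protocols without ports)
    established: bool = False   # TCP segment with ACK or RST set


@dataclass(frozen=True)
class Rule:
    action: str                                    # "permit" or "deny"
    proto: str                                     # "ip" matches every protocol
    src: Optional[ipaddress.IPv4Network]           # ANY or a network
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[Callable[[int], bool]] = None  # port operator on the destination
    established: bool = False                      # the 'established' keyword

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src is not ANY and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not ANY and ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None and not self.dport(pkt.dport):
            return False
        if self.established and not pkt.established:
            return False
        return True


def evaluate(acl, pkt):
    """First match wins, top to bottom. Returns (action, 1-based entry number);
    a packet that matches nothing hits the implicit deny every IOS ACL ends with."""
    for entry, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, entry
    return "deny", None


# The list the asker was told to apply. The post writes the last entry as
# 'deny any any'; IOS needs a protocol there, so it is modelled as 'deny ip any any'.
SUGGESTED_ACL = [
    Rule("permit", "tcp", ANY, ANY, established=True),
    Rule("permit", "udp", EXTERNAL_DNS, ANY, dport=eq("domain")),
    Rule("permit", "udp", EXTERNAL_DNS, ANY, dport=gt(1023)),
    Rule("permit", "tcp", INTERNAL, ANY, dport=eq("ftp-data")),
    Rule("permit", "tcp", INTERNAL, ANY, dport=eq("ftp")),
    Rule("permit", "tcp", INTERNAL, ANY, dport=eq("http")),
    Rule("deny", "ip", ANY, ANY),
]

# The list currently applied inbound on E0 ('log' does not affect matching).
CURRENT_ACL = [
    Rule("permit", "ip", INTERNAL, ANY),
    Rule("deny", "ip", ANY, ANY),
]

# What appending the suggested entries after the existing permit would give.
APPENDED_ACL = CURRENT_ACL[:1] + SUGGESTED_ACL

# Constructed packets entering E0 from the 10.0.0.0/24 side.
WEB = Packet("tcp", "10.0.0.5", "203.0.113.10", dport=80)
SSH = Packet("tcp", "10.0.0.5", "203.0.113.10", dport=22)
DNS_QUERY = Packet("udp", "10.0.0.5", "192.0.2.53", dport=53)
PING = Packet("icmp", "10.0.0.5", "203.0.113.10")
REPLY = Packet("tcp", "10.0.0.5", "203.0.113.10", dport=443, established=True)


def compare(pkt: Packet) -> dict:
    """Decision of each list for one packet, keyed by list name."""
    return {
        "current": evaluate(CURRENT_ACL, pkt),
        "suggested": evaluate(SUGGESTED_ACL, pkt),
        "appended": evaluate(APPENDED_ACL, pkt),
    }


if __name__ == "__main__":
    for name, pkt in [("web", WEB), ("ssh", SSH), ("dns query", DNS_QUERY),
                      ("ping", PING), ("established", REPLY)]:
        print(f"{name:12} {compare(pkt)}")
```

Running it shows why appending gains nothing: `permit ip [internal network] [mask] any` as entry 1 matches every packet from the inside, so the entries after it are never consulted, and SSH from an internal host is permitted by entry 1 in both the current and the appended list. With that permit removed, the suggested list allows only established TCP, ftp-data, ftp and http from the internal network, and anything else from inside, ICMP included, falls through to the final deny. One thing the evaluator makes visible about the suggested list as written: its two UDP entries match packets whose source is the external DNS server, so a DNS query that originates on the internal side matches neither of them and is denied by the last entry in this model.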
ASKER CERTIFIED SOLUTION
mattacuk
Jelonet (asker):

Thank you.  That clears it up a bit for me.
You're welcome. I would keep it as it is if you are unsure. You might want to read up on ACLs for future use! :-)