Correct access list

We were told that we should apply this to our current access list on the e0 interface of the edge router.  I’m thinking we already have this covered with the current ACL.  Could someone explain what the difference is between the two?
Access-list 100 permit tcp any any established
Access-list 100 permit udp host [external DNS] any eq domain
Access-list 100 permit udp host [external DNS] any gt 1023
Access-list 100 permit tcp [internal network] [mask] any eq ftp-data
Access-list 100 permit tcp [internal network] [mask] any eq ftp
Access-list 100 permit tcp [internal network] [mask] any eq http
Access-list 100 deny ip any any

Current ACL
Access-list 100 permit ip [internal network] [mask] any
Access-list 100 deny ip any any log
Jelonet asked:
mattacuk commented:
Well, with your current ACL you are allowing ALL IP traffic from your internal subnetwork to any destination; that includes any upper-layer packets such as TCP or UDP etc. The suggested ACL is permitting only DNS, FTP, and web traffic and nothing else. I am assuming E0 is an internal interface for your subnet and not a WAN interface? Is this ACL applied inbound on E0?

thanks
Matt
mattacuk commented:
So in answer to your question, if you added those lines to the existing ACL after:

Access-list 100 permit ip [internal network] [mask] any

You would NOT be gaining anything.

Jelonet (author) commented:
It is applied to E0 in. What benefit would we gain by adding it before or after? I guess that's what I'm not understanding. Also, the new ACL does have permit tcp any any established. So, if I take off Access-list 100 permit ip [internal network] [mask] any and add the new one, would that make any difference?
mattacuk commented:
IP packets are matched against the ACL by the router IOS from the top downwards until a match is found. If you were to send any kind of traffic, be that WWW (web), SMTP, anything at all, this line would permit it:

Access-list 100 permit ip [internal network] [mask] any - this line on its own is allowing everything to flow

And so if you were to add the new lines below that existing line they would be useless, because the match is always made on the top line:

>> Access-list 100 permit ip [internal network] [mask] any
Access-list 100 permit tcp any any established
Access-list 100 permit udp host [external DNS] any eq domain
Access-list 100 permit udp host [external DNS] any gt 1023
Access-list 100 permit tcp [internal network] [mask] any eq ftp-data
Access-list 100 permit tcp [internal network] [mask] any eq ftp
Access-list 100 permit tcp [internal network] [mask] any eq http
Access-list 100 deny ip any any

If you were to completely remove your existing ACL and use the suggested one:

Access-list 100 permit tcp any any established
Access-list 100 permit udp host [external DNS] any eq domain
Access-list 100 permit udp host [external DNS] any gt 1023
Access-list 100 permit tcp [internal network] [mask] any eq ftp-data
Access-list 100 permit tcp [internal network] [mask] any eq ftp
Access-list 100 permit tcp [internal network] [mask] any eq http
Access-list 100 deny ip any any

You are RESTRICTING yourself to ONLY the types of traffic specified in the ACL on a granular basis. And so by using the new one you are tightening up security and specifying only what you need to flow in and out of your network. It is acting as a firewall of sorts. If you decided to remove the existing ACL and use the new one, ensure this includes all the traffic you need to flow in and out. I assume the person who made this recommendation knows exactly what you need to be permitted?
In answer to your question – the new one would make a difference because it is more secure. But I again stress you need to make sure you need more than www, DNS and ftp traffic to flow inbound on E0.
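The first-match behaviour described in the answer above (and the question's "is there any difference" at the top of the thread) is easy to check by simulation. The following is an added example, not configuration or code from the thread: a small Python model of Cisco IOS extended-ACL evaluation that runs constructed sample packets through three lists, the current ACL, the suggested lines pasted beneath the existing permit-ip line, and the suggested ACL on its own. The thread's placeholders are replaced with assumed values (10.0.0.0 0.0.0.255 for [internal network] [mask], 198.51.100.53 for [external DNS], 10.0.0.25 for an internal host, 203.0.113.x for outside hosts). The model implements top-down first match, the implicit deny at the end of every IOS ACL, and the `established` keyword, which matches only TCP segments with the ACK or RST bit set. Note that IOS requires a protocol keyword on an extended ACL entry, so the thread's `deny any any` is written as `deny ip any any` here. Wildcard masks are assumed to be contiguous (the only form Python's `ipaddress` accepts), and source-port operators are parsed but not exercised by the sample lines.

```python
# Toy model of Cisco IOS extended-ACL evaluation: top-down, first match wins, implicit
# deny at the end. Constructed for this thread; the placeholder values are assumptions.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

INTERNAL_NET = "10.0.0.0 0.0.0.255"  # assumed stand-in for "[internal network] [mask]"
EXTERNAL_DNS = "198.51.100.53"       # assumed stand-in for "[external DNS]"
PORT_NAMES = {"domain": 53, "ftp-data": 20, "ftp": 21, "http": 80, "smtp": 25}

# ack_or_rst: TCP ACK or RST bit set, which is exactly what the "established" keyword tests
Packet = namedtuple("Packet", "proto src dst sport dport ack_or_rst", defaults=(0, 0, False))

@dataclass
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: tuple = None       # (operator, port) or None when no port was given
    dport: tuple = None
    established: bool = False
    hits: int = 0             # how often this line was the first match

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src or ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if not (_port_ok(self.sport, pkt.sport) and _port_ok(self.dport, pkt.dport)):
            return False
        return not self.established or (pkt.proto == "tcp" and pkt.ack_or_rst)  # never a bare SYN

def _port_ok(cond, port):
    return cond is None or {"eq": port == cond[1], "gt": port > cond[1], "lt": port < cond[1]}[cond[0]]

def _addr(toks):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}"), toks[2:]  # ipaddress accepts a wildcard mask

def _port(toks):
    """Consume an optional 'eq|gt|lt <port>' operator that follows an address."""
    if toks and toks[0] in ("eq", "gt", "lt"):
        return (toks[0], PORT_NAMES.get(toks[1]) or int(toks[1])), toks[2:]
    return None, toks

def parse_ace(line):
    toks = line.lower().split()
    if toks[0] == "access-list":
        toks = toks[2:]  # drop "access-list <number>"
    action, proto, toks = toks[0], toks[1], toks[2:]
    src, toks = _addr(toks)
    sport, toks = _port(toks)
    dst, toks = _addr(toks)
    dport, toks = _port(toks)
    assert all(t in ("established", "log") for t in toks), f"unsupported keyword in: {line}"
    return Ace(action, proto, src, dst, sport, dport, "established" in toks)

def check(aces, pkt):
    """Return (action, line index) of the first matching line; (deny, None) is the implicit deny."""
    for i, ace in enumerate(aces):
        if ace.matches(pkt):
            ace.hits += 1
            return ace.action, i
    return "deny", None

CURRENT_ACL = [
    f"access-list 100 permit ip {INTERNAL_NET} any",
    "access-list 100 deny ip any any log",
]
SUGGESTED_ACL = [
    "access-list 100 permit tcp any any established",
    f"access-list 100 permit udp host {EXTERNAL_DNS} any eq domain",
    f"access-list 100 permit udp host {EXTERNAL_DNS} any gt 1023",
    f"access-list 100 permit tcp {INTERNAL_NET} any eq ftp-data",
    f"access-list 100 permit tcp {INTERNAL_NET} any eq ftp",
    f"access-list 100 permit tcp {INTERNAL_NET} any eq http",
    "access-list 100 deny ip any any",
]
APPENDED_ACL = CURRENT_ACL[:1] + SUGGESTED_ACL  # the new lines pasted below the permit-ip line

# Constructed sample traffic: 10.0.0.25 is an assumed internal host, 203.0.113.x are outside.
PACKETS = {
    "smtp_out": Packet("tcp", "10.0.0.25", "203.0.113.10", 40000, 25),
    "http_out": Packet("tcp", "10.0.0.25", "203.0.113.10", 40001, 80),
    "dns_reply": Packet("udp", EXTERNAL_DNS, "10.0.0.25", 53, 1025),
    "inbound_syn": Packet("tcp", "203.0.113.99", "10.0.0.25", 5555, 22),
    "return_ack": Packet("tcp", "203.0.113.10", "10.0.0.25", 80, 40001, True),
}

def evaluate(acl_lines, packets=PACKETS):
    """Parse an ACL, run every packet through it, return verdicts and per-line hit counts."""
    aces = [parse_ace(line) for line in acl_lines]
    return {name: check(aces, pkt) for name, pkt in packets.items()}, [a.hits for a in aces]
```

Running `evaluate(APPENDED_ACL)` shows the point of the answer in numbers: the outbound SMTP and HTTP packets are both permitted by line 0, and the hit counters for the ftp-data, ftp and http lines stay at zero because a packet from the internal network never gets past the permit-ip entry. With `evaluate(SUGGESTED_ACL)` the same SMTP packet falls through to the explicit deny, HTTP is permitted by its own line, the inbound SYN from outside is denied, and the return ACK is permitted by `established`. Dropping the final deny (`SUGGESTED_ACL[:-1]`) still denies the inbound SYN, reported as `("deny", None)`, which is the implicit deny IOS appends to every ACL. Whether a packet sourced from the external DNS server ever reaches an ACL applied inbound on E0 depends on which side of the router E0 faces, which the thread leaves open.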
Jelonet (author) commented:
Thank you.  That clears it up a bit for me.
mattacuk commented:
You're welcome. I would keep it as it is if you are unsure. You might want to read up on ACLs for future use! :-)