Solved

do we need the command "permit tcp any any" in the following configuration ?what is the purpose of this

Posted on 2009-05-06
2
653 Views
Last Modified: 2012-06-22
ip access-list extended acl_bye
 permit icmp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit tcp host 192.168.1.53 192.168.0.0 0.0.255.255
 permit ip host 192.168.1.51 host 192.168.9.236
 permit ip host 192.168.1.91 host 192.168.9.236
 permit ip host 192.168.1.91 host 192.168.9.254
 permit udp any any
 permit icmp any any
 permit tcp host 192.168.1.80 host 192.168.15.241
 permit tcp any any
 deny   tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 deny   udp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 deny   ip any any log
0
Comment
Question by:alimohammed72
2 Comments
 
LVL 50

Expert Comment

by:Don Johnston
Comment Utility
it permits (or identifies)  TCP traffic from any IP address to any IP address.


0
 
LVL 9

Accepted Solution

by:
Donboo earned 500 total points
Comment Utility
Well that depends on what the purpose with the ACL is.

If you use it like this I dont see a point other then using it for tracking hit count. The "permit udp any any" and "permit tcp any any" comes before any denys so there will never be a hit on the 3 deny statements.

If you need the 2 deny statements and you need all else traffic to pass you should reconfigure to something like this:

p access-list extended acl_bye
 deny   tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 deny   udp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 permit icmp any any
 permit udp any any
 permit tcp any any
 deny ip any any log
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now