Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 681
  • Last Modified:

do we need the command "permit tcp any any" in the following configuration ?what is the purpose of this

ip access-list extended acl_bye
 permit icmp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit tcp host 192.168.1.53 192.168.0.0 0.0.255.255
 permit ip host 192.168.1.51 host 192.168.9.236
 permit ip host 192.168.1.91 host 192.168.9.236
 permit ip host 192.168.1.91 host 192.168.9.254
 permit udp any any
 permit icmp any any
 permit tcp host 192.168.1.80 host 192.168.15.241
 permit tcp any any
 deny   tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 deny   udp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 deny   ip any any log
0
alimohammed72
Asked:
alimohammed72
1 Solution
 
Don JohnstonCommented:
it permits (or identifies)  TCP traffic from any IP address to any IP address.


0
 
DonbooCommented:
Well that depends on what the purpose with the ACL is.

If you use it like this I dont see a point other then using it for tracking hit count. The "permit udp any any" and "permit tcp any any" comes before any denys so there will never be a hit on the 3 deny statements.

If you need the 2 deny statements and you need all else traffic to pass you should reconfigure to something like this:

p access-list extended acl_bye
 deny   tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 deny   udp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 permit icmp any any
 permit udp any any
 permit tcp any any
 deny ip any any log
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now