?
Solved

do we need the command "permit tcp any any" in the following configuration ?what is the purpose of this

Posted on 2009-05-06
2
Medium Priority
?
688 Views
Last Modified: 2012-06-22
ip access-list extended acl_bye
 permit icmp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit tcp host 192.168.1.53 192.168.0.0 0.0.255.255
 permit ip host 192.168.1.51 host 192.168.9.236
 permit ip host 192.168.1.91 host 192.168.9.236
 permit ip host 192.168.1.91 host 192.168.9.254
 permit udp any any
 permit icmp any any
 permit tcp host 192.168.1.80 host 192.168.15.241
 permit tcp any any
 deny   tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 deny   udp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 deny   ip any any log
0
Comment
Question by:alimohammed72
2 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 24320613
it permits (or identifies)  TCP traffic from any IP address to any IP address.


0
 
LVL 9

Accepted Solution

by:
Donboo earned 1500 total points
ID: 24321092
Well that depends on what the purpose with the ACL is.

If you use it like this I dont see a point other then using it for tracking hit count. The "permit udp any any" and "permit tcp any any" comes before any denys so there will never be a hit on the 3 deny statements.

If you need the 2 deny statements and you need all else traffic to pass you should reconfigure to something like this:

p access-list extended acl_bye
 deny   tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 deny   udp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 permit icmp any any
 permit udp any any
 permit tcp any any
 deny ip any any log
0

Featured Post

Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

579 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question