Cisco ACL – ACL Question: Access-List Permit IP Any Any

aclcisco

so quick question, in the ACL bellow, Would "permit ip any any" allow ICMP packet to traverse the router? Or is "permit ip any any" in the ACL only referring to allowing any layer 3 address from traversing the router and since there is not a specific ACL for ICMP packets it will deny (Implicit Deny).

access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
access-list 102 deny tcp any any eq telnet
access-list 102 deny icmp any any echo-reply
access-list 102 permit ip any any

Best Answer

Referring to IP in an access list refers to all IP based protocols. You have denied echo replies but all other messages as ICMP redirect, time exceeded, fragmentation needed, echo would be allowed through.

Other IP based protocols such as OSPF would also be allowed to pass through with your ACL.

Related Solutions

Cisco ACL- How to block the public from internal access while allowing an internal system to use public web

It sounds like you only want to allow an inside address to establish a TCP connection. If you use NAT from your privately addressed network to the public Internet, it is stateful, and it works the way you seem to want.

If you have public addresses on both sides of your router, you could do something like this (there are multiple ways this could look, depending on exactly what you want to do):

interface GigabitEthernet0/0
 description WAN connection
 ip address 17.35.32.66 255.255.255.224
 ip access-group OUTBOUND_ONLY in

ip access-list extended OUTBOUND_ONLY
 permit tcp any any established

This will allow inside hosts to originate TCP connections to outside hosts, and allow the outside hosts to respond on the established connections, but it will block any other traffic from the outside.

Cisco maintains many documents for things like this (just search). For example, Configure Commonly Used IP ACLs:

Allow Only Internal Networks to Initiate a TCP Session

This figure shows that TCP traffic sourced from NetA destined to NetB is permitted, while TCP traffic from NetB destined to NetA is denied.

The purpose of the ACL in this example is to:

Allow hosts in NetA to initiate and establish a TCP session to hosts in NetB.

Deny hosts in NetB from initiating and establishing a TCP session destined to hosts in NetA.

This configuration allows a datagram to pass through interface Ethernet 0 inbound on R1 when the datagram has:

Acknowledged (ACK) or reset (RST) bits set (indicating an established TCP session)

A destination port value greater than 1023

R1
hostname R1  
!  
interface ethernet0  
 ip access-group 102 in  
!  
access-list 102 permit tcp any any gt 1023 established
Since most of the well-known ports for IP services use values less than 1023, any datagram with a destination port less than 1023 or an ACK/RST bit not set is denied by ACL 102. Therefore, when a host from NetB initiates a TCP connection by sending the first TCP packet (without synchronize/start packet (SYN/RST) bit set) for a port number less than 1023, it is denied and the TCP session fails. The TCP sessions initiated from NetA destined to NetB are permitted because they have ACK/RST bit set for returning packets and use port values greater than 1023.

Router – Access Control List in Firewall and Router

1) Why do we need to specifically deny ip xxxxx xxxxxxx, when at the end of every ACL statement, there is a default "deny any any" statement?

You don't "need to."
Some reasons for doing so are it gives you hit counts when you type "show access-list x," and you can add the logging command (deny ip any any log).

2) What is the difference between ACL in Router and Firewall ASA?

The biggest difference is that routers use wildcard masks, while ASAs use normal masks.

3) Does permit [IP] cover TCP/UDP?

Yes, along with ICMP, ESP, OSPF and others.

Best Answer

Related Solutions

Cisco ACL- How to block the public from internal access while allowing an internal system to use public web

Allow Only Internal Networks to Initiate a TCP Session

Router – Access Control List in Firewall and Router

Related Topic