Security Internetworking Experts
Author Topic: Different Flavours of ACL
liban
posted January 07, 2012 06:59 AM
Hi,

I would like to know what is the difference between the below ACLs, ACL1 and ACL2. Normally I used to configure the 2nd flavor, but recently I saw the 1st flavor on INE's WB. Which is more preferred and why?

ip access-list extended ACL1
permit tcp any any eq telnet
permit tcp any eq telnet any

ip access-list extended ACL2
permit tcp any any eq telnet

Kingsley Charles (CCSP, CCNP, CCIP)
posted January 07, 2012 07:49 PM
The first one denies connections to the telnet service and from the telnet service. Suppose you are asked to deny the telnet service on the remote VPN connections terminating on the ASA: you use this ACL with the vpn-filter command, which will block telnet connections from the client and telnet responses from the server.

Another good example is with BGP

If you apply this ACL inbound on an interface of the router and there is a BGP connection across the router, this ACL applies to BGP initiating from inside R1 and outside R2.

R1 BGP -------------- R3 in acl ------------BGP R3

ip access-list extended ACL1
permit tcp any any eq 179
permit tcp any eq 179 any

This ACL will permit only BGP responses, meaning the outside router R3 can't initiate a BGP connection.

ip access-list extended ACL2
permit tcp any any eq telnet

With regards
Kings

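As an added illustration (not code from either post or from INE), the following Python evaluator applies IOS extended-ACL semantics (ordered entries, first match wins, implicit deny at the end) to both directions of one TCP session, to show why ACL2 passes the client-to-server packets of a telnet session but drops the server's replies wherever the same stateless ACL sees both directions, while ACL1 passes both. The parser only handles the entry shape used in the thread (`any` addresses, optional `eq` ports); the port-name table and the client port 51000 are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Port keywords the parser understands (assumed subset of the IOS keyword table).
PORT_NAMES = {"telnet": 23, "bgp": 179}

@dataclass(frozen=True)
class Entry:
    action: str
    src_port: Optional[int]  # None = any source port
    dst_port: Optional[int]  # None = any destination port
# Only the shape used in the thread: permit|deny tcp any [eq P] any [eq P]
ACE_RE = re.compile(r"(permit|deny)\s+tcp\s+any(?:\s+eq\s+(\S+))?\s+any(?:\s+eq\s+(\S+))?")

def port(tok):
    if tok is None:
        return None
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_acl(text):
    """Parse an 'ip access-list extended' block into ordered entries."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("ip access-list"):
            continue
        m = ACE_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unsupported entry: {line}")
        entries.append(Entry(m.group(1), port(m.group(2)), port(m.group(3))))
    return entries

def evaluate(entries, src_port, dst_port):
    """IOS semantics: first matching entry wins; no match is the implicit deny."""
    for e in entries:
        if e.src_port in (None, src_port) and e.dst_port in (None, dst_port):
            return e.action
    return "deny"

def session_verdict(entries, service_port, client_port=51000):
    """Run both directions of one TCP session through the same stateless ACL."""
    return {"client->server": evaluate(entries, client_port, service_port),
            "server->client": evaluate(entries, service_port, client_port)}

ACL1 = "ip access-list extended ACL1\npermit tcp any any eq telnet\npermit tcp any eq telnet any"
ACL2 = "ip access-list extended ACL2\npermit tcp any any eq telnet"

if __name__ == "__main__":
    for name, text in (("ACL1", ACL1), ("ACL2", ACL2)):
        print(name, session_verdict(parse_acl(text), PORT_NAMES["telnet"]))
```

The same evaluator accepts numeric ports, so the BGP list from the post (`eq 179`) can be checked the same way.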