Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
733
Views
0
Helpful
1
Replies

access-list on internet edge router

Go to solution
keith.craycraft
Level 1
Level 1

‎11-08-2005 02:19 PM - edited ‎03-03-2019 12:43 AM

I seem to have a problem with a router with a denys working with an permit ip any any next to last line in access-list.

access-list 100 deny tcp any eq 445 any

access-list 100 deny tcp any eq 137 any

access-list 100 deny tcp any eq 135 any

access-list 100 deny tcp any eq 1433 any

access-list 100 deny tcp any eq 139 any

access-list 100 deny ip 10.0.0.0 0.255.255.255 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 deny ip 172.16.0.0 0.15.255.255 any

access-list 100 deny ip 192.168.0.0 0.0.255.255 any

access-list 100 deny ip 224.0.0.0 15.255.255.255 any

access-list 100 permit ip any any

access-list 100 deny icmp any any echo-reply

this is applied with access-group 100 in under the serial interface.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Georg Pauwen
VIP
VIP

‎11-08-2005 02:30 PM

Hello,

the access list stops checking when a match is found, which in your case is the 'permit ip any any' line. In order to deny icmp echo replies, configure the list as following:

access-list 100 deny tcp any eq 445 any

access-list 100 deny tcp any eq 137 any

access-list 100 deny tcp any eq 135 any

access-list 100 deny tcp any eq 1433 any

access-list 100 deny tcp any eq 139 any

access-list 100 deny ip 10.0.0.0 0.255.255.255 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 deny ip 172.16.0.0 0.15.255.255 any

access-list 100 deny ip 192.168.0.0 0.0.255.255 any

access-list 100 deny ip 224.0.0.0 15.255.255.255 any

access-list 100 deny icmp any any echo-reply

access-list 100 permit ip any any

HTH,

GP

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Georg Pauwen
VIP
VIP

‎11-08-2005 02:30 PM

Hello,

the access list stops checking when a match is found, which in your case is the 'permit ip any any' line. In order to deny icmp echo replies, configure the list as following:

access-list 100 deny tcp any eq 445 any

access-list 100 deny tcp any eq 137 any

access-list 100 deny tcp any eq 135 any

access-list 100 deny tcp any eq 1433 any

access-list 100 deny tcp any eq 139 any

access-list 100 deny ip 10.0.0.0 0.255.255.255 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 deny ip 172.16.0.0 0.15.255.255 any

access-list 100 deny ip 192.168.0.0 0.0.255.255 any

access-list 100 deny ip 224.0.0.0 15.255.255.255 any

access-list 100 deny icmp any any echo-reply

access-list 100 permit ip any any

HTH,

GP

0 Helpful
Customers Also Viewed These Support Documents