um...If you want any inbound traffic to be blocked at all, the permit
needs to be last, otherwise the permit takes precedence.
According to Cisco, 

"The order of access list statements is important! When the router is
deciding whether to forward or block a packet, the IOS software tests
the packet against each of the criteria statement in the order the
statements are created." -Cisco IOS Security, pg 248.

        [Engasser, Charlie]  

> -----Original Message-----
> From: Gushterul [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, November 17, 1999 1:30 PM
> To:   Engasser, Charlie
> Cc:   '[EMAIL PROTECTED]'
> Subject:      Re: Cisco ACLs
> 
> the permit is the first, and the deny line the second...
> 
>                                       Gushterul
> 
> On Tue, 16 Nov 1999, Engasser, Charlie wrote:
> 
> > I have a combo question.
> > 
> >     I am running Firewall-1 3.0b 3048, and my router is a Cisco 2611
> > running 12.0.6t.
> > 
> >     We are getting a lot of chatter traffic on high ports above 30k
> > coming inbound that appear to be associated with web browsing. The
> > firewall blocks this traffic, and everything works fine. However if I
> > create an ACL on the router that denies the traffic such as:
> > 
> > on ser 0/1:
> > 
> >     access-list 101 in
> >     
> > access-list 101 deny tcp any any range 40000 45000 log
> > access-list 101 permit ip any any
> > 
> >     Then the traffic stops flowing. 
> > 
> > Can anyone explain this?
> > 
> > Charles Engasser
> > Contracted Network Engineer
> > Joint STARS; Joint Test Force.
> > SC; Titan Inc.
> > (407) or (321) 726-7048
> > (407) or (321) 726-7243 (fax)
> > 
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> > 
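An added example, not part of the thread, that simulates the IOS top-down first-match evaluation the Cisco quote describes, run against the two ACL orderings debated above. It models only `any` endpoints and `eq`/`range` destination-port operators (no wildcard masks), and the packet addresses are constructed test values.

```python
import re
from collections import namedtuple

# Classic extended ACE; only "any" endpoints and eq/range dst ports are modelled.
ACE_RE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)"
    r"\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<eq>\d+)|\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+))?"
    r"(?:\s+log)?\s*$")
Packet = namedtuple("Packet", "proto src dst dport")

def parse_ace(line):
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    g = m.groupdict()
    ports = None
    if g["eq"]:
        ports = (int(g["eq"]), int(g["eq"]))
    elif g["lo"]:
        ports = (int(g["lo"]), int(g["hi"]))
    return {"action": g["action"], "proto": g["proto"],
            "src": g["src"], "dst": g["dst"], "ports": ports}

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ace["src"] not in ("any", pkt.src) or ace["dst"] not in ("any", pkt.dst):
        return False
    return ace["ports"] is None or ace["ports"][0] <= pkt.dport <= ace["ports"][1]

def evaluate(acl_lines, pkt):
    """IOS tests ACEs top-down; the first match decides. Returns (action, 1-based line)."""
    for n, ace in enumerate(map(parse_ace, acl_lines), start=1):
        if ace_matches(ace, pkt):
            return ace["action"], n
    return "deny", None  # implicit "deny any" at the end of every IOS ACL

# The two orderings from the thread; the packets below are constructed samples.
DENY_FIRST = ["access-list 101 deny tcp any any range 40000 45000 log",
              "access-list 101 permit ip any any"]
PERMIT_FIRST = list(reversed(DENY_FIRST))
CHATTER = Packet("tcp", "198.51.100.7", "203.0.113.10", 42000)  # high-port chatter
WEB = Packet("tcp", "198.51.100.7", "203.0.113.10", 80)         # ordinary web traffic

if __name__ == "__main__":
    for name, acl in (("deny first", DENY_FIRST), ("permit first", PERMIT_FIRST)):
        print(name, "-> chatter:", evaluate(acl, CHATTER), "web:", evaluate(acl, WEB))
```

With the permit on top, the deny line is never consulted because the `permit ip any any` already matched; with the deny on top, only the 40000-45000 range is dropped and port 80 still reaches the permit.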