On Thu, Apr 21, 2011 at 3:13 PM, <[email protected]> wrote:
> Ok, I've done a lot of Cisco standard and extended ACLs, but I do not
> understand why the following does not work the way I think it should.
> Near the end of this extended named ACL, I have the following:
>
> permit tcp any eq 443 any
>

Don't you want:

permit tcp any any eq 443

Since you want the incoming traffic to have 443 as the destination port, not the source?

> permit tcp any eq 80 any
> deny ip any host 2.2.3.4
> permit ip any any
>
> This is applied to an inbound interface(s). We want anybody outside to be
> able to reach ports 80 and 443 of any host on our network, no matter what,
> then block ALL other access to select hosts, such as 2.2.3.4, even ICMP.
> However, as soon as I apply this rule to the interface, ports 80 and 443
> of that host become unreachable. A telnet to 2.2.3.4 443 gets "Connection
> refused" until I tear out the deny ACL above. I even tried adding udp for
> both ports, to no avail.
>
> I had always thought that these ACLs were processed in order, so that the
> explicit permit statement, though limited to a specific protocol but for
> all hosts, gets considered before the explicit deny statement for all IP
> to a particular host. What did I forget to consider?
>
> TIA,
>

