
TOPIC: Access-list

Access-list 13 years 1 day ago #2815

  • huliyar
  • huliyar's Avatar
  • Offline
  • Frequent Member
  • Posts: 31
  • Karma: 0
Two routers A & B are connected through s0 on A (ip address\8) and s0 on B (ip address\8) in the lab. Both have e0, with router A's network being\24 and B's\24.
Now I don't want to reply to, or rather I want to drop, ICMP echo packets from B s0) destined to Router A's and network. So the access list I created was:

RouterA(config)# access-list 110 deny icmp any any echo log
RouterA(config)# access-list 110 permit ip any any
RouterA(config)# int s0
RouterA(config-if)# ip access-group 110 out
RouterA(config-if)# ctrl + z

1. Is the above access-list correct, and are the interface and direction I applied it to correct? When I did the above config, I was still able to ping from's ethernet ) and also from's s0).

2. Also, can access-lists be called network layer firewalls?
Since both ACLs and network layer firewalls perform the same kind of filtering, why are they not called firewalls?

3. For denying access to all except to the vty lines in the following:

RouterA(config)# access-list 10 permit
RouterA(config)# line vty 0 4
RouterA(config-line)# access-class 10 in

a. Why do we apply the access-list in? I think it should be applied out. I know it works with the above config, but why not out?

Re: Access-list 13 years 1 day ago #2818

  • sahirh
  • sahirh's Avatar
  • Offline
  • Honored Member
  • Posts: 1700
  • Karma: 0
1. The direction you've placed it in is wrong: you want to block ICMP coming IN through Router A's s0 interface, so you have to apply the list as access-group 110 IN, not out. However, since extended access lists are supposed to be applied closest to the source of the traffic, what you should do is block it from LEAVING Router B's s0 interface, like this:

RouterB(config)# access-list 110 deny icmp any any echo log
RouterB(config)# access-list 110 permit ip any any
RouterB(config)# int s0
RouterB(config-if)# ip access-group 110 out
RouterB(config-if)# ctrl + z

So when a ping packet hits Router B, it won't send it out of s0.
Here are some resources for you:

2. Yes, an access-list is a network layer firewall, or filtering device, whatever you want to call it. An extended access-list can also be a transport layer firewall, for example if you block a TCP port.

3. You apply the access list in because people telnet IN to the router interface, not OUT of it. Always view the access list direction as if you were sitting on top of the router (when Chris was first getting into networks, he actually used to stand on top of the routers and work things out). See, you want the router to filter an INCOMING CONNECTION. Here's my little diagram :)

Now if you stand on top of the router (Chris recommends you do this barefoot), you will see that from the router's point of view this is INCOMING traffic, so you use the IN direction.

Hope that cleared things up. Have a look in the Security/Firewalls forum; I think someone had a very similar question and it became quite a good thread on access-lists in general.

Sahir Hidayatullah. Staff - Associate Editor & Security Advisor
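The point of the answer above is that an ACL only ever sees packets that cross its interface in the bound direction: a ping from B arrives on A's s0 and leaves via e0, so an outbound list on s0 is never consulted, while an inbound list on s0 is. The following is an added model of that evaluation, not code from the thread or from Cisco; the addresses (10.0.0.0/8 for the serial link, 192.168.1.0/24 for A's LAN, hosts 10.0.0.2 and 192.168.1.10) are constructed because the post's real addresses are not shown. It also reproduces the two ACL rules a practitioner relies on: top-down first match, and the implicit deny at the end of every list.

```python
"""Added example: toy model of Cisco IOS numbered-ACL evaluation and interface
direction. Addresses are constructed for illustration (assumption, not from the
thread): A.s0 10.0.0.1/8 <-> B.s0 10.0.0.2/8, A.e0 on 192.168.1.0/24."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

A_LAN = "192.168.1.0/24"   # constructed: Router A's e0 network
SERIAL = "10.0.0.0/8"      # constructed: the A-B serial link


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp" or "udp"
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'deny icmp any any echo'."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str = "any"                 # "any" or a CIDR prefix
    dst: str = "any"
    icmp_type: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return self.dport is None or self.dport == p.dport


def evaluate(acl: List[Ace], p: Packet) -> str:
    """IOS semantics: top-down, first match wins, implicit 'deny ip any any' at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# access-list 110 deny icmp any any echo / access-list 110 permit ip any any
ACL_110 = [Ace("deny", "icmp", icmp_type="echo"), Ace("permit", "ip")]


class Router:
    """Interfaces carry an optional inbound and outbound ACL; routing is longest prefix."""

    def __init__(self, routes: Dict[str, str]):
        self.routes = routes                                   # prefix -> egress interface
        self.acls: Dict[str, Dict[str, List[Ace]]] = {}

    def access_group(self, iface: str, acl: List[Ace], direction: str) -> None:
        """Equivalent of 'ip access-group <acl> in|out' on an interface."""
        self.acls.setdefault(iface, {})[direction] = acl

    def egress_for(self, dst: str) -> Optional[str]:
        cands = [n for n in self.routes if ip_address(dst) in ip_network(n)]
        if not cands:
            return None
        return self.routes[max(cands, key=lambda n: ip_network(n).prefixlen)]

    def forward(self, ingress: str, p: Packet) -> str:
        """Transit packet: inbound ACL on the arrival interface, then outbound ACL on the exit."""
        acl_in = self.acls.get(ingress, {}).get("in")
        if acl_in is not None and evaluate(acl_in, p) == "deny":
            return f"dropped by inbound ACL on {ingress}"
        egress = self.egress_for(p.dst)
        if egress is None:
            return "no route to host"
        acl_out = self.acls.get(egress, {}).get("out")
        if acl_out is not None and evaluate(acl_out, p) == "deny":
            return f"dropped by outbound ACL on {egress}"
        return f"forwarded out {egress}"


def router_a(direction: str) -> Router:
    """Router A with ACL 110 bound to s0 in the given direction ('in' or 'out')."""
    r = Router({A_LAN: "e0", SERIAL: "s0"})
    r.access_group("s0", ACL_110, direction)
    return r


# Constructed traffic: B pinging / telnetting a host on A's LAN, and the LAN host replying.
PING_FROM_B = Packet("10.0.0.2", "192.168.1.10", "icmp", icmp_type="echo")
TELNET_FROM_B = Packet("10.0.0.2", "192.168.1.10", "tcp", dport=23)
REPLY_TO_B = Packet("192.168.1.10", "10.0.0.2", "icmp", icmp_type="echo-reply")

if __name__ == "__main__":
    print("110 out on s0:", router_a("out").forward("s0", PING_FROM_B))  # the original symptom
    print("110 in  on s0:", router_a("in").forward("s0", PING_FROM_B))
    print("telnet, in:   ", router_a("in").forward("s0", TELNET_FROM_B))  # permit ip any any
    print("reply, in:    ", router_a("in").forward("e0", REPLY_TO_B))     # echo-reply is not echo
```

Running it shows the ping still being forwarded out e0 with the list bound outbound on s0, exactly what the question reports, and being dropped once the same list is bound inbound. The telnet case shows why the trailing permit ip any any matters: without it, the implicit deny at the end of the list would drop everything the echo entry did not match.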