11 Replies Latest reply: May 10, 2012 5:25 PM by sambotech12

    Explicit Deny

    thiyagarajankalaiselvan

      Hi,

      I'm working on a task to apply an ACL on a WAN interface. I'm going to apply an ACL which will permit the IP 239.1.0.10.

      I just want to ensure the below will not deny any other traffic. Can anybody help me to know whether by default an explicit deny will be added to the end of the ACL?

      ip access-list extended MCAST

      permit ip any host 239.1.0.10

      Regards,

      T.K

        • 1. Re: Explicit Deny
          sparky

          The implicit deny all will block anything else; however, I always like to specify it so at least you can see matches against it when viewing the ACL.

            ..... also remember an ACL will not filter traffic originating from the router itself

          • 2. Re: Explicit Deny
            skcis

            Sparky,

            Just wanted to confirm what you said about an ACL not filtering traffic originating from the router itself. So, let's say we have the following ACL:

            ip access-list extended temp

            permit tcp any host 10.10.10.1 eq 80

            deny ip any any

            Where the host is a web server and the ACL is applied to the router interface facing the internet. This should only allow traffic from the internet to port 80 of host 10.10.10.1.

            Now if a client from the local LAN went to www.example.com:80, then that simply means that the router won't even look at ACL temp in that case; do we concur on this?

            Also, does this have anything to do with CBAC? In other words, do we have to have CBAC, or is the behavior normal for any ACL running on generic routers or any layer 3 switch?

            Thanks in advance!

            • 3. Re: Explicit Deny
              C1SC0M - CCNP,CWNA,Net+

              So you are saying that you want to permit traffic from that host and anything else? Then don't do anything. No ACL is needed. Or do an ACL with permit ip any any. Make sense?

              This:

              permit ip host 239.1.0.10 any
              permit ip any any

              will have the same effect as this: permit ip any any.

              As for your IMPLICIT DENY question, it is IMPLICIT because you don't have to type it in directly, and since this is by default you won't see it in the show running-config.

              • 4. Re: Explicit Deny
                rak

                Hi

                @skcis, ACLs don't process packets generated in the router, e.g. the traffic generated by the SLA configuration or when you ping from that router.

                The LAN you are referring to will be filtered by the ACL.

                It's not in the router, rather behind it.

                • 5. Re: Explicit Deny
                  Gabriel

                  Hi,

                  Your question isn't very clear. You can apply an ACL in two directions, "in" or "out", depending on how you want the ACL to inspect traffic. If we are talking about a Cisco router, then if you applied the ACL you wrote out in the "in" or "out" direction it would cause you problems due to the explicit deny at the end.

                  If it was in the "out" direction of your WAN interface, you would be telling your router to only allow hosts (behind your router) going to 239.1.0.10 and deny everything else (explicit deny).

                  If it was in the "in" direction of your WAN interface, you would be telling your router to only allow traffic coming from the WAN going to 239.1.0.10, and deny everything else (explicit deny).

                  Is there something blocking 239.1.0.10 to account for the need for this ACL?

                  • 6. Re: Explicit Deny
                    sambotech12

                    thiyagarajankalaiselvan wrote:

                    Hi,

                    I'm working on a task to apply an ACL on a WAN interface. I'm going to apply an ACL which will permit the IP 239.1.0.10.

                    I just want to ensure the below will not deny any other traffic. Can anybody help me to know whether by default an explicit deny will be added to the end of the ACL?

                    ip access-list extended MCAST

                    permit ip any host 239.1.0.10

                    Regards,

                    T.K

                    Hey,

                    If the ACL is applied 'in' on the serial WAN link to your router, I wonder if the implicit deny all, which is at the end of every ACL, will block any routing updates the router is receiving from its neighbor on that link, assuming you are running a routing protocol?

                    -sambotech12

                    • 7. Re: Explicit Deny
                      sambotech12

                      skcis wrote:

                      Sparky,

                      Just wanted to confirm what you said about an ACL not filtering traffic originating from the router itself. So, let's say we have the following ACL:

                      ip access-list extended temp

                      permit tcp any host 10.10.10.1 eq 80

                      deny ip any any

                      Where the host is a web server and the ACL is applied to the router interface facing the internet. This should only allow traffic from the internet to port 80 of host 10.10.10.1.

                      Now if a client from the local LAN went to www.example.com:80, then that simply means that the router won't even look at ACL temp in that case; do we concur on this?

                      Also, does this have anything to do with CBAC? In other words, do we have to have CBAC, or is the behavior normal for any ACL running on generic routers or any layer 3 switch?

                      Thanks in advance!

                      Hey,

                      If this ACL is applied 'in' on the internet-facing interface of the router so it's like a firewall, the local LAN will be affected by the ACL. In fact, all hosts on the local LAN will not have any connectivity to any web servers in the Internet, or any kind of connectivity for that matter. To give local LAN clients access to web servers in the Internet use:

                      ip access-list extended temp

                      permit tcp any host 10.10.10.1 eq 80

                      permit tcp any eq 80 any established

                      deny ip any any

                      But the local LAN clients won't be able to do anything else in the Internet.....

                      As far as CBAC......I don't know what that is since I'm just a CCNA.

                      -sambotech12

                      • 8. Re: Explicit Deny
                        skcis

                        Hi sambotech12,

                        Let's put it this way:

                        Router R1 has 2 interfaces: gi0/0 and gi0/1.

                        gi0/0 connects to the internet

                        gi0/1 connects to the local LAN

                        We have 2 ACLs:

                        ip access-list extended test1

                        permit tcp any host 10.10.10.1 eq 80

                        deny ip any any

                        and

                        ip access-list extended test2

                        permit ip any any

                        test1 is applied to gi0/0 (facing the internet):

                        ip access-group test1 in

                        test2 is applied to gi0/1 (local LAN):

                        ip access-group test2 in

                        Now if a client on the LAN tries to connect to a web server on the internet, what will happen?

                        Cheers!

                        • 9. Re: Explicit Deny
                          sambotech12

                          skcis wrote:

                          Hi sambotech12,

                          Let's put it this way:

                          Router R1 has 2 interfaces: gi0/0 and gi0/1.

                          gi0/0 connects to the internet

                          gi0/1 connects to the local LAN

                          We have 2 ACLs:

                          ip access-list extended test1

                          permit tcp any host 10.10.10.1 eq 80

                          deny ip any any

                          and

                          ip access-list extended test2

                          permit ip any any

                          test1 is applied to gi0/0 (facing the internet):

                          ip access-group test1 in

                          test2 is applied to gi0/1 (local LAN):

                          ip access-group test2 in

                          Now if a client on the LAN tries to connect to a web server on the internet, what will happen?

                          Cheers!

                          Well.....you must have some pretty awesome routers to connect Gigabit Ethernet interfaces to the Internet. Your Internet connection must be really fast. I, myself, don't have any real equipment to play with.....I only have Cisco Packet Tracer, but it's pretty cool.

                          Anyway......if you have ACL test1 on an Internet-facing interface, I don't know how a public router would have a route to a private IP address such as 10.10.10.1. Since IOS processes ACLs before NAT for packets entering an interface, the destination address in the permit statement should be a public address.

                          Since test1 is acting like a firewall, it will try to match packets coming from the web servers in the Internet on their way to the clients of the local LAN. The way test1 is set up now.....it looks like it's trying (but failing because of the private address) to permit traffic to an internal web server. So, it's going to deny all clients of the local LAN any access to web servers in the Internet.

                          Therefore, when a client on the LAN tries to connect to a web server on the Internet, the client should not have any problem getting through ACL test2 on router R1. But when the packets from the web server going to the client try to enter R1, they will be filtered or discarded.

                          I have several Packet Tracer files with Internet simulations. The only thing is that all of the connections to the Internet are done with serial links, not Ethernet links. But that shouldn't be a problem. They do, of course, run NAT since they involve the Internet and public addresses. I will try to run your ACLs on one of them and let you know......

                          -sambotech12

                          • 10. Re: Explicit Deny
                            skcis

                            sambotech12,

                            I really appreciate you taking the time to answer these queries. I should have let you know that the 10.10.10.1 was used because I didn't want to have a public IP to violate any rules/laws. So, let's just say the interface connecting to the internet had a public IP address. And my question about the client connecting to a web server on the internet is the same.

                            Thanks.

                            • 11. Re: Explicit Deny
                              sambotech12

                              skcis wrote:

                              sambotech12,

                              I really appreciate you taking the time to answer these queries. I should have let you know that the 10.10.10.1 was used because I didn't want to have a public IP to violate any rules/laws. So, let's just say the interface connecting to the internet had a public IP address. And my question about the client connecting to a web server on the internet is the same.

                              Thanks.

                              Yeah.....the client on the local LAN has no access to the web server in the Internet. The packets from the web server in the Internet to the client in the local LAN were matched with the deny ip any any statement of the ACL test1. Look at the picture below.

                              [image: test1.jpg]

                              But, if you modify ACL test1, the client on the local LAN can connect to the web server in the Internet. Refer to the picture below.

                              [image: test1_2.jpg]

                              -sambotech12
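An added example, not code from the thread or from Cisco: a small Python model of how IOS walks an extended ACL entry by entry and falls through to the implicit deny, run over the ACLs posted above (the MCAST list from the original post, skcis's test1 from post 8, and sambotech12's `established` fix from post 7). It shows why the web server's reply toward the LAN client is dropped by test1 (post 11) and admitted once the `established` line is added. The Packet and Entry classes are the example's own, and the packet addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Packet:
    proto: str                # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False  # TCP ACK or RST bit set, which is what "established" tests

@dataclass
class Entry:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol
    src: str = "0.0.0.0/0"    # "any"; "host X" is written as X/32
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None   # "eq N" on the source port
    dport: Optional[int] = None   # "eq N" on the destination port
    established: bool = False

def matches(e: Entry, p: Packet) -> bool:
    """One access-list entry checked against one packet."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ip_address(p.src) not in ip_network(e.src) or ip_address(p.dst) not in ip_network(e.dst):
        return False
    if e.sport is not None and e.sport != p.sport:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return not e.established or p.ack_or_rst

def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"  # the implicit "deny ip any any" that ends every IOS ACL

# The thread's ACLs as entries. MCAST (original post) relies on the implicit deny only.
MCAST = [Entry("permit", "ip", dst="239.1.0.10/32")]
# skcis's test1, applied "in" on the internet-facing interface, with its explicit deny.
TEST1 = [Entry("permit", "tcp", dst="10.10.10.1/32", dport=80), Entry("deny", "ip")]
# sambotech12's fix: also admit replies from external web servers (ACK or RST set).
TEST1_FIXED = [TEST1[0], Entry("permit", "tcp", sport=80, established=True), TEST1[1]]
# Constructed sample: a web server reply (198.51.100.20, a documentation address) to a LAN client.
REPLY = Packet("tcp", "198.51.100.20", "10.10.10.50", 80, 51000, ack_or_rst=True)
```

Calling `evaluate(TEST1, REPLY)` returns "deny" while `evaluate(TEST1_FIXED, REPLY)` returns "permit"; an unsolicited SYN from port 80 with no ACK bit still hits the deny even with the fix.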