Dynamic ACL Application
‎01-30-2015 10:40 AM
Hello,
I am working with dynamic ACLs and I have multiple ACLs for applications like RDP, HTTP, HTTPS. Is there any way I can reduce the number of lines in the following ACLs, or can I specify multiple port numbers in one line, so I can reduce my configuration?
create access-list HTTP-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 80" "count HTTP;permit"
create access-list HTTPS-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 443" "count HTTPS;permit"
create access-list SSH-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 22" "count SSH;permit"
configure access-list add HTTP-IN first vlan "V67_Server" ingress
configure access-list add HTTPS-IN last vlan "V67_Server" ingress
configure access-list add SSH-IN last vlan "V67_Server" ingress
‎02-03-2015 08:39 AM
Paul, thanks for your help!!
‎01-30-2015 03:29 PM
Hello Freiu,
I am sorry, but I do not believe you can do multiple port values on the same line, for example destination-port 80;22;443.
The way the ACL works, everything in the "if" part of the statement (the conditions) is either match-all or match-any, so think of it as everything is "and" or everything is "or". So in this case the packet would have to have all three port values. If it is an "or", you could do destination-port 23; destination-port 443; destination-port 80, and the ACL will do an "or" on each statement. In this case you wouldn't be able to do subnet 10.10.10.0 and destination-port or destination-port.
So there is no option for having an "and" and an "or" statement in the same ACL.
I hope this is clear.
P
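The match logic Paul describes above (every condition inside one entry must hold, and separate entries added to the VLAN are tried in order), written up as an added Python model; this is not EXOS code and not part of the thread. The rule-string format is the one quoted in the question; the packets, the WEB-IN entry and the "no match returns None" convention are constructed assumptions for the illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, List[Tuple[str, str]], str]  # (name, [(key, value), ...], action)

def parse_rule(line: str) -> Rule:
    """Parse one 'create access-list NAME "conds" "actions"' line as quoted in the thread."""
    name = line.split()[2]
    quoted = line.split('"')
    conds = [tuple(c.strip().split(maxsplit=1)) for c in quoted[1].split(";") if c.strip()]
    actions = [a.strip() for a in quoted[3].split(";")]
    return name, conds, "permit" if "permit" in actions else "deny"

def condition_holds(key: str, value: str, pkt: Dict[str, object]) -> bool:
    """Only the match keys used in the thread are modelled; zone keys are left out
    because Paul reports they error out in a dynamic ACL."""
    if key == "source-address":
        return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(value)
    if key == "protocol":
        return pkt["proto"] == value
    if key == "destination-port":
        return pkt["dport"] == int(value)
    if key == "source-port":
        return pkt["sport"] == int(value)
    raise ValueError(f"condition {key!r} not modelled")

def evaluate(rules: List[Rule], pkt: Dict[str, object]) -> Optional[Tuple[str, str]]:
    """Entries are tried in VLAN order (first ... last). Inside an entry every condition
    must hold (AND); across entries the first match decides (OR). None: nothing matched."""
    for name, conds, action in rules:
        if all(condition_holds(k, v, pkt) for k, v in conds):
            return name, action
    return None

# The three entries from the question, in the order they were added to the VLAN.
THREAD_RULES = [
    'create access-list HTTP-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 80" "count HTTP;permit"',
    'create access-list HTTPS-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 443" "count HTTPS;permit"',
    'create access-list SSH-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 22" "count SSH;permit"',
]
# Hypothetical single entry naming two ports: the shortcut the question asks about.
MERGED_RULE = 'create access-list WEB-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 80;destination-port 443" "count WEB;permit"'

def demo() -> Dict[str, Optional[Tuple[str, str]]]:
    rules = [parse_rule(line) for line in THREAD_RULES]
    https = {"src": "10.10.10.5", "proto": "tcp", "dport": 443, "sport": 51000}  # constructed packet
    outside = dict(https, src="10.10.11.5")  # same flow from a subnet no entry covers
    return {
        "https_separate_entries": evaluate(rules, https),                      # ('HTTPS-IN', 'permit')
        "https_from_other_subnet": evaluate(rules, outside),                   # None
        "https_merged_entry": evaluate([parse_rule(MERGED_RULE)], https),      # None: needs 80 AND 443
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```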
‎01-30-2015 03:29 PM
Hey Freiu,
No, I don't believe source-zones and destination-zones are supported in dynamic ACLs.
When I try to execute a dynamic ACL with a zone, it errors out.
P
‎01-30-2015 03:29 PM
Hi Paul,
Are Network Zones supported in Dynamic ACLs?
create access-list TestCompressedout "destination-zone zone1;source-port 80" "count HTTP;permit"
