Re: [pacnog] access-lists
Scott, Re;
In the top ACL you don't need the "deny tcp/udp" lines (lines 3, 8 - 19) since you have the "deny ip" line at the end.
If I remove lines 3, 8-19 then the tcp/udp traffic for the IP's I allow in lines 1,2 4-7 will be allowed - I don't want this traffic entering the network from outside to any IP. (Line 3 is a specal case as the box is an 'internal only' MX used to send mail out.) Or am I missing something? It seems odd when I use the second acl - deny tcp/udp but allow all other trafic to all IP's in the www.xxx.yyy /24 & www.xxx.zzz /24 advertised - I am able to traceroute from the router. Thanks, Jon Scott Weeks wrote:
On Thu, 19 May 2005, Jon Leeman wrote:
: I have the following access-list in place at the border router;
:
: access-list 102 permit ip any host www.xxx.yyy.1
: access-list 102 permit ip any host www.xxx.yyy.2 !router
: access-list 102 deny tcp any host www.xxx.yyy.66 eq 25
: access-list 102 permit ip any host www.xxx.yyy.66
: access-list 102 permit ip any host www.xxx.yyy.70
: access-list 102 permit ip any host www.xxx.yyy.71
: access-list 102 permit ip any www.xxx.zzz.0 0.0.0.63
: access-list 102 deny tcp any any eq 135
: access-list 102 deny tcp any any eq 139
: access-list 102 deny tcp any any eq 161
: access-list 102 deny tcp any any eq 162
: access-list 102 deny tcp any any eq 445
: access-list 102 deny tcp any any eq telnet
: access-list 102 deny tcp any any eq 1025
: access-list 102 deny tcp any any eq 1434
: access-list 102 deny tcp any any eq 1433
: access-list 102 deny tcp any any eq 2745
: access-list 102 deny udp any any eq 1433
: access-list 102 deny udp any any eq 1434
: access-list 102 deny ip any any log
In the top ACL you don't need the "deny tcp/udp" lines (lines 3, 8 - 19) since you have the "deny ip" line at the end.
Note that the top ACL's last line is "deny" and the bottom ACL's last line is "permit". Also, there is a "log" on the top one, so you should see the deny show up in the log.
scott
: and I am unable to traceroute to any external host - from the router
: [www.xxx.yyy.2 !router]
:
: When I change the list to;
:
: access-list 102 deny tcp any host 203.98.224.66 eq 25
: access-list 102 deny tcp any any eq 135
: access-list 102 deny tcp any any eq 139
: access-list 102 deny tcp any any eq 161
: access-list 102 deny tcp any any eq 162
: access-list 102 deny tcp any any eq 445
: access-list 102 deny tcp any any eq telnet
: access-list 102 deny tcp any any eq 1025
: access-list 102 deny tcp any any eq 1434
: access-list 102 deny tcp any any eq 1433
: access-list 102 deny tcp any any eq 2745
: access-list 102 deny udp any any eq 1433
: access-list 102 deny udp any any eq 1434
: access-list 102 permit ip any any
:
: I am able to traceroute.
:
: I'd appreciate any pointers as to where I'm going wrong in the first
: access-list.
:
: Thanks,
:
: Jon
:
:
: _______________________________________________
: pacnog mailing list
: pacnog@pacnog.org
: http://mailman.apnic.net/mailman/listinfo/pacnog
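The disagreement above turns on first-match evaluation: an extended ACL is walked top to bottom and the first entry that matches decides, so an entry is only ever consulted by packets nothing earlier accepted or rejected. The evaluator below is an added illustration, not code from the list or either poster; it parses the entry forms used in the thread (any / host / wildcard, optional `eq PORT`, optional `log`) and uses RFC 5737 documentation ranges as constructed stand-ins for the obfuscated www.xxx.yyy /24 and www.xxx.zzz /26 prefixes of the "top" ACL 102.

```python
import ipaddress

# Constructed stand-in for the thread's "top" ACL 102, with RFC 5737 ranges in place of www.xxx.yyy/zzz.
ACL_102 = """
permit ip any host 192.0.2.1
permit ip any host 192.0.2.2
deny tcp any host 192.0.2.66 eq 25
permit ip any host 192.0.2.66
permit ip any host 192.0.2.70
permit ip any host 192.0.2.71
permit ip any 198.51.100.0 0.0.0.63
deny tcp any any eq 135
deny tcp any any eq telnet
deny udp any any eq 1434
deny ip any any log
"""
PORT_NAMES = {"telnet": 23}

def _addr(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))  # contiguous wildcards only
    return ipaddress.ip_network(f"{tok}/{32 - wildcard.bit_length()}", strict=False)

def parse_acl(text):
    """Parse extended-ACL entries of the form: action proto src dst [eq PORT] [log]."""
    entries = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        t = line.split()
        action, proto = t.pop(0), t.pop(0)
        src, dst, dport = _addr(t), _addr(t), None
        if t and t[0] == "eq":
            dport = PORT_NAMES.get(t[1]) or int(t[1])
            del t[:2]
        entries.append({"line": len(entries) + 1, "action": action, "proto": proto,
                        "src": src, "dst": dst, "dport": dport, "log": "log" in t})
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry wins: return (action, line, logged); line 0 is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] in ("ip", proto) and s in e["src"] and d in e["dst"] \
                and (e["dport"] is None or e["dport"] == dport):
            return e["action"], e["line"], e["log"]
    return "deny", 0, False
```

Running TCP/135 to 192.0.2.70 through `evaluate` returns line 5 (permit), showing that the per-port deny entries further down are only reached by traffic the earlier permits did not already accept, while anything falling through to the final entry is denied and logged.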