Stupid Cisco ACL question

Dorn Hetzel dorn at
Thu Apr 21 19:17:31 UTC 2011

On Thu, Apr 21, 2011 at 3:13 PM, <up at> wrote:

> Ok, I've done a lot of Cisco standard and extended ACLs, but I do not
> understand why the following does not work the way I think it should.
> Near the end of this extended named ACL, I have the following:
>  permit tcp any eq 443 any

Don't you want:

permit tcp any any eq 443

Since you want the incoming traffic to have 443 as the destination port, not
the source?

>  permit tcp any eq 80 any
>  deny ip any host
>  permit ip any any
> This is applied to an inbound interface(s).  We want anybody outside to be
> able to reach ports 80 and 443 of any host on our network, no matter what,
> then block ALL other access to select hosts, such as, even ICMP.
> However, as soon as I apply this rule to the interface, ports 80 and 443
> of that host become unreachable.  A telnet to 443 gets "Connection
> refused" until I tear out the deny ACL above.  I even tried adding udp for
> both ports, to no avail.
> I had always thought that these ACLs were processed in order, so that the
> explicit permit statement, though limited to a specific protocol but for
> all hosts, gets considered before the explicit deny statement for all IP
> to a particular host.  What did I forget to consider?
> TIA,

More information about the NANOG mailing list