Content created by Rene Molenaar (CCIE #41726)


Notable Replies

  1. Hello Rene, a question about ACLs.
    If I read an ACL written in this way:
    access-list 100 permit ip host any....
    the keyword "any" means:
    "permit any packet from address to any other address if configured, in this router, more and more all multicast addresses? (for RIP for example) is for example the adjacent router on my fa 0/0... (and so I have to configure the ACL inbound)

  2. Hi Francesco,

    An extended access-list always looks like this:

    The source and destination port is optional. For your example it will be:

    protocol = ip
    source address = (host means using subnet mask
    source port = not specified
    destination address = any
    destination port = not specified

    "any" really means any IP address so it'll match on destination address -

    When the router receives an IP packet on an interface that has an access-list then it will look for a match.
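
As an added example (it is not part of Rene's answer or of the lesson), here is a small Python parser and first-match evaluator for extended ACEs in the form described above: protocol, source, optional source port, destination, optional destination port, with the host, wildcard and any address forms. The ACL lines, packets and port-keyword table are constructed for this example (the table covers only a handful of IOS port names), and the implicit deny that ends every ACL is modelled as the result ('deny', None).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample ACL for this example; it is not taken from the thread.
SAMPLE_ACL = """
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq telnet
access-list 100 permit ip host 192.168.1.10 any
access-list 100 deny ip any any
"""

# A few of the port keywords IOS accepts in place of a number (subset only).
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}

# An address spec is (address, wildcard); "any" is 0.0.0.0 with an all-ones wildcard.
AddrSpec = Tuple[int, int]
ANY: AddrSpec = (0, 0xFFFFFFFF)


@dataclass
class Ace:
    """One access control entry, already split into its fields."""
    action: str
    protocol: str
    src: AddrSpec
    sport: Optional[int]
    dst: AddrSpec
    dport: Optional[int]


def _addr(tokens, i):
    """Consume 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def _port(tokens, i, protocol):
    """Consume an optional 'eq <port>'; ports only exist for tcp/udp."""
    if protocol in ("tcp", "udp") and i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    action, protocol = t[2], t[3]
    src, i = _addr(t, 4)
    sport, i = _port(t, i, protocol)
    dst, i = _addr(t, i)
    dport, i = _port(t, i, protocol)
    return Ace(action, protocol, src, sport, dst, dport)


def parse_acl(text: str):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def _addr_matches(spec: AddrSpec, ip: int) -> bool:
    """Wildcard match: bits set in the wildcard are 'don't care' bits."""
    addr, wild = spec
    return ((ip ^ addr) & (~wild & 0xFFFFFFFF)) == 0


def evaluate(acl, protocol, src, dst, sport=None, dport=None):
    """First-match evaluation. Returns (action, index of the matching ACE),
    or ('deny', None) when nothing matched, i.e. the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for idx, ace in enumerate(acl):
        if ace.protocol not in ("ip", protocol):   # 'ip' covers every protocol
            continue
        if not (_addr_matches(ace.src, s) and _addr_matches(ace.dst, d)):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print(evaluate(acl, "tcp", "192.168.1.20", "10.0.0.5", dport=23))    # ('permit', 0)
    print(evaluate(acl, "udp", "192.168.1.10", "224.0.0.9", dport=520))  # ('permit', 1)
```

Running it shows the point of the question: "any" in the destination field matches a multicast destination such as 224.0.0.9 exactly as it matches a unicast one, because the ACE only tests protocol, source, destination and ports, and an all-ones wildcard makes the destination test always true.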


  3. johxxn says:

    Hi Rene,

    I have that too, R2 points to the ASA, but the lab did not work for me. I think it is a static NAT issue because the ASA drops the packet due to rpf-check. Here is a packet tracer from the ASA

    ciscoasa# packet-tracer input OUTSIDE tcp 23 23
    Phase: 1
    Result: ALLOW
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Subtype: input
    Result: ALLOW
    Additional Information:
    in   DMZ
    Phase: 3
    Subtype: log
    Result: ALLOW
    access-group OUTSIDE_INBOUND in interface OUTSIDE
    access-list OUTSIDE_INBOUND extended permit tcp any host eq telnet 
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Result: ALLOW
    Additional Information:
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    object network WEB_SERVER
     nat (DMZ,OUTSIDE) static
    Additional Information:
    input-interface: OUTSIDE
    input-status: up
    input-line-status: up
    output-interface: DMZ
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
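
Output like the packet-tracer dump above is quicker to triage when the dropping phase is pulled out mechanically. The following Python parser is an added example, not something from the thread or from Cisco. It runs on constructed sample output that mirrors the post's structure (Phase/Type/Subtype/Result blocks, then a bare "Result:" trailer with Action and Drop-reason) using placeholder addresses from the documentation ranges, and it assumes each phase carries a "Config:" line before its configuration lines, which the paste above does not show.

```python
import re
from typing import Dict, List, Optional

# Constructed sample output for this example (placeholder addresses from the
# documentation ranges); it is not the output posted in the thread.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.10.0   255.255.255.0   DMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_INBOUND in interface OUTSIDE
access-list OUTSIDE_INBOUND extended permit tcp any host 203.0.113.10 eq telnet
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network WEB_SERVER
 nat (DMZ,OUTSIDE) static 203.0.113.10
Additional Information:

Result:
input-interface: OUTSIDE
output-interface: DMZ
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# "Key: value" lines; the key may contain spaces and hyphens (Additional Information, Drop-reason).
KEY_RE = re.compile(r"^([A-Za-z][\w -]*?):\s*(.*)$")


def parse_packet_tracer(text: str) -> Dict:
    """Split packet-tracer output into per-phase records plus the final summary."""
    phases: List[Dict] = []
    summary: Dict[str, str] = {}
    phase: Optional[Dict] = None
    section = None  # "config" or "info" while inside a phase
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        key, value = (m.group(1), m.group(2)) if m else (None, "")
        if key == "Phase":
            phase = {"number": int(value), "type": "", "subtype": "",
                     "result": "", "config": [], "info": []}
            phases.append(phase)
            section = None
        elif key == "Result" and value == "":
            phase, section = None, None  # a bare "Result:" opens the trailer
        elif phase is not None:
            if key in ("Type", "Subtype", "Result"):
                phase[key.lower()] = value
            elif key == "Config":
                section = "config"
            elif key == "Additional Information":
                section = "info"
            elif section:
                phase[section].append(line)  # free-form line under Config/Additional Information
        elif key:
            summary[key.lower()] = value
    return {"phases": phases, "action": summary.get("action", ""),
            "drop_reason": summary.get("drop-reason", "")}


def first_drop(report: Dict) -> Optional[Dict]:
    """The first phase whose Result is DROP, or None if the flow was allowed."""
    return next((p for p in report["phases"] if p["result"] == "DROP"), None)


def summarize(report: Dict) -> str:
    """One-line triage: which phase dropped the flow and which configuration it hit."""
    p = first_drop(report)
    if p is None:
        return f"action={report['action'] or 'allow'}: no dropping phase"
    where = p["type"] + (f"/{p['subtype']}" if p["subtype"] else "")
    cfg = "; ".join(p["config"]) or "(no config shown)"
    return f"DROP at phase {p['number']} {where}: {cfg} [{report['drop_reason']}]"


if __name__ == "__main__":
    print(summarize(parse_packet_tracer(SAMPLE_TRACE)))
```

summarize() reduces the whole trace to one line naming the dropping phase and the configuration object it hit (here the static NAT's rpf-check), which is what belongs in a ticket or an alert rather than the full dump; the per-phase records keep the ACL and NAT lines so the next step, checking that the static NAT and the inbound ACL agree on the translated address, starts from the right objects.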
  4. Hi John,

    That makes sense :) In my example I didn't have NAT configured, just the IP addresses and security levels on the ASA, that's it.

