We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 651 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

470 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!


Forum Replies

  1. Great post , very informative

  2. Great post RENE!! CBAC is kind of obsolte but it’s a key in order to understand zone-based FW or as I named It ZOMBIES FIREWAL, thanks for all your help!!

  3. Hi Rene,
    I tried simple ACL in packet tracer and I found at least one explicit ACE entry is needed in acces-list to make implicit " deny ip any any" effective, otherwise it allows all the traffic if
    it is an empty access-list.


  4. Hi Srini,

    That’s right, it’s strange that they programmed it like this but that’s the way it works :slight_smile:


  5. I’m still a bit confused about how the ACL taking care of traffic from the outside ( the DENY_ALL_INTERNET) refers back to the inspect function? Is it just because we have inspect out and Access-group IN on the same interface that both will be associated ?
    If that’s not clear, I’m referring to the output of the “show ip inspect all” , how the inspect function know which ACL the inspect results will be applied to ? Cheers !

8 more replies! Ask a question or join the discussion by visiting our Community Forum