problem with 2 access-lists

[joeka77]

Hello,
my Router has an access-list 110 which permits ports 25, 53, 80, 443.
I woluld like to see ("show access-list&quot not only the matches of the permitted ports, but also the matches of the denied ports. I also want to see, which denied ports are used and the distribution of traffic.

I activated a second list 120 like
"120 ... deny ... range 1 20"
"120 ... deny ... range 21 50"
"120 ... deny ... range 51 100"
"120 ... deny ... gt 100"
So i hoped to get information about traffic-distribution. But now, no traffic at all is allowed. I thought that the list with the lower number (110) permits the allowed traffic and the second list with the higher number only gets activated if list 110 doesnt work. Whats wrong??

 

[cryptomap]

You need to setup your access list with all of the permits as you mentioned and at the bottom use "deny any any log". There is an implicit "deny any any" anyway but this way it is logged. Also make sure that you have logging configured correctly to a syslog server or whatever.

 

[joeka77]

Thanks, that should work. The Problem is, when i want to permit a new port i have to renew the whole list because of the last deny enty. With the help of two lists, that woudnt be necassary. Do you know in which way cisco-ios gets along with more then one list?

 

[cryptomap]

You can enter access-list configuration mode by typing "ip access-list extended 120" then you can use "no deny ip any any log" then add whatever and then "deny ip any any log" again. I find this works OK. As far as I am aware you may only use 1 access-list in 1 direction on 1 particular interface.

"There are only 10 types of people in the world - those who understand binary, and those who don't"