SmartSwitch Router User Reference Manual
Chapter 17: Access Control List Configuration Guide

Although the implicit deny rule may seem obvious in the above example, this is not always the case. For example, consider the following ACL rule:

    acl 102 deny ip 10.1.20.0/24 any any any

If a packet comes in from a network other than 10.1.20.0/24, you might expect the packet to go through because it doesn't match the first rule. However, that is not the case because of the implicit deny rule. With the implicit deny rule attached, the ACL looks like this:

    acl 102 deny ip 10.1.20.0/24 any any any
    acl 102 deny any any any any any

A packet coming from a network other than 10.1.20.0/24 would not match the first rule, but would match the implicit deny rule. As a result, no packets would be allowed to go through. The first rule is simply a subset of the second rule. To allow packets from subnets other than 10.1.20.0/24 to go through, you would have to explicitly define a rule that permits other packets to go through.

To correct the above example and let packets from other subnets enter the SSR, you must add a new rule to permit packets to go through:

    acl 101 deny ip 10.1.20.0/24 any any any
    acl 101 permit ip
    acl 101 deny any any any any any

The second rule forwards all packets that are not denied by the first rule.

Because of the implicit deny rule, an ACL works similarly to a firewall that is configured to deny all traffic. You create ACL rules that punch "holes" into the firewall to permit specific types of traffic; for example, traffic from a specific subnet or traffic from a specific application.

Allowing External Responses to Established TCP Connections

Typically, organizations that are connected to the outside world implement ACLs to deny access to the internal network. If an internal user wishes to connect to the outside world, the request is sent; however, any incoming replies may be denied because ACLs prevent them from going through. To allow external responses to internally generated requests, you would have to create an ACL to allow responses from each specific outside host. If the number of outside hosts that internal users need to access is large or changes frequently, this can be difficult to maintain.

To address this problem, the SSR can be configured to accept outside TCP responses into the internal network, provided that the TCP connection was initiated internally.
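The first-match-plus-implicit-deny behaviour described for ACLs 102 and 101 above can be checked mechanically. The following is an added example, not code from the SSR or from this manual: a small evaluator that parses rules in the page's `acl <id> <permit|deny> <protocol> <src> <dst> <src-port> <dst-port>` form and walks them top to bottom, falling through to the implicit deny when nothing matches. The field order, the treatment of omitted trailing fields as `any`, and the sample packet addresses are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed for this example: a first-match evaluator for ACL rules written in
# the form used on this page,
#   acl <id> <permit|deny> <protocol> <src> <dst> <src-port> <dst-port>
# "any" is a wildcard and omitted trailing fields are treated as "any".
# The field order and the padding rule are assumptions for illustration; this is
# not the SSR's own parser.

Net = Optional[ipaddress.IPv4Network]   # None means "any"


@dataclass
class Rule:
    acl_id: str
    action: str        # "permit" or "deny"
    protocol: str      # "ip" or "any" match every protocol; otherwise e.g. "tcp"
    src: Net
    dst: Net
    src_port: Optional[int]
    dst_port: Optional[int]


@dataclass
class Packet:
    protocol: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    src_port: int
    dst_port: int


def _net(tok: str) -> Net:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def _port(tok: str) -> Optional[int]:
    return None if tok == "any" else int(tok)


def parse_rule(line: str) -> Rule:
    """Parse one 'acl ...' line; trailing fields that are absent default to any."""
    toks = line.split()
    if len(toks) < 3 or toks[0] != "acl":
        raise ValueError(f"not an acl rule: {line!r}")
    toks += ["any"] * (8 - len(toks))
    _, acl_id, action, proto, src, dst, sport, dport = toks[:8]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    return Rule(acl_id, action, proto, _net(src), _net(dst), _port(sport), _port(dport))


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every non-wildcard field of the rule matches the packet."""
    if rule.protocol not in ("ip", "any") and rule.protocol != pkt.protocol:
        return False
    if rule.src is not None and pkt.src not in rule.src:
        return False
    if rule.dst is not None and pkt.dst not in rule.dst:
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins. A packet that matches no rule hits the implicit
    deny, reported here as action 'deny' with rule None."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule
    return "deny", None


def packet(proto: str, src: str, dst: str, sport: int, dport: int) -> Packet:
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), sport, dport)


# The two ACLs from the page: 102 as first written, 101 with the explicit permit.
ACL_102 = [parse_rule("acl 102 deny ip 10.1.20.0/24 any any any")]
ACL_101 = [parse_rule("acl 101 deny ip 10.1.20.0/24 any any any"),
           parse_rule("acl 101 permit ip")]


def verdicts() -> dict:
    """Evaluate a packet from 10.1.20.0/24 and one from another subnet
    (constructed addresses) against both ACLs; returns the action per case and
    whether the verdict came from the implicit deny."""
    from_listed = packet("tcp", "10.1.20.7", "192.0.2.10", 40000, 80)
    from_other = packet("tcp", "10.1.30.7", "192.0.2.10", 40001, 80)
    out = {}
    for name, acl in (("acl102", ACL_102), ("acl101", ACL_101)):
        for label, pkt in (("listed", from_listed), ("other", from_other)):
            action, rule = evaluate(acl, pkt)
            out[f"{name}_{label}"] = action
            out[f"{name}_{label}_implicit"] = rule is None
    return out


if __name__ == "__main__":
    for k, v in verdicts().items():
        print(k, v)
```

Running it shows the point of the section: under ACL 102 the packet from 10.1.30.7 is denied with `rule is None`, that is, by the implicit deny rather than by anything the administrator wrote, while under ACL 101 the same packet reaches the `permit ip` line and is forwarded. When reviewing an ACL, a verdict attributed to no explicit rule is the signal that traffic you meant to allow has fallen through.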