Ok, I've done a lot of Cisco standard and extended ACLs, but I do not understand why the following does not work the way I think it should. Near the end of this extended named ACL, I have the following: permit tcp any eq 443 any permit tcp any eq 80 any deny ip any host 2.2.3.4 permit ip any any This is applied to an inbound interface(s). We want anybody outside to be able to reach ports 80 and 443 of any host on our network, no matter what, then block ALL other access to select hosts, such as 2.2.3.4, even ICMP. However, as soon as I apply this rule to the interface, ports 80 and 443 of that host become unreachable. A telnet to 2.2.3.4 443 gets "Connection refused" until I tear out the deny ACL above. I even tried adding udp for both ports, to no avail. I had always thought that these ACLs were processed in order, so that the explicit permit statement, though limited to a specific protocol but for all hosts, gets considered before the explicit deny statement for all IP to a particular host. What did I forget to consider? TIA,