10-15
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 10 Controlling Network Access with Access Control Lists
Adding an Extended Access Control List
Use an operator to match port numbers used by the source or destination. The permitted operators
are as follows:
– lt—less than
– gt—greater than
– eq—equal to
– neq—not equal to
– range—an inclusive range of values. When you use this operator, specify two port numbers, for
example:
range 100 200
For a list of permitted keywords and well-known port assignments, see the “TCP and UDP Ports”
section on page D-6. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one
definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.
For information about logging options that you can add to the end of the ACE, see the “Logging
Extended Access Control List Activity” section on page 10-26.
See the following example:
The following ACL restricts all hosts (on the interface to which you apply the ACL) from accessing
a website at address 209.165.201.29. All other traffic is allowed.
FWSM/contexta(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
FWSM/contexta(config)# access-list ACL_IN extended permit ip any any
• Add an ACE for ICMP by entering the following command:
FWSM/contexta(config)# access-list acl_name [extended] {deny | permit} icmp source_address mask dest_address mask [icmp_type]
Enter host before the IP address to specify a single address. In this case, do not enter a mask. Enter
any instead of the address and mask to specify any address.
Because ICMP is a connectionless protocol, the FWSM does not automatically allow the return
traffic for an ICMP exchange it permitted in one direction. You therefore either need ACLs that
allow ICMP in both directions (by applying ACLs to the source and destination interfaces), or you
need to enable the ICMP inspection engine (see the “ICMP Inspection Engine” section on page 13-10),
which treats ICMP sessions as stateful connections.
To control ping, specify echo-reply (0) (FWSM to host) or echo (8) (host to FWSM). See the “ICMP
Types” section on page D-9 for a list of ICMP types.
For information about logging options that you can add to the end of the ACE, see the “Logging
Extended Access Control List Activity” section on page 10-26.
Step 2 To apply an extended ACL to the inbound or outbound direction of an interface, enter the following
command:
FWSM/contexta(config)# access-group acl_name {in | out} interface interface_name
You can apply one ACL of each type (extended and EtherType) to both directions of the interface. See
the “Inbound and Outbound Access Control Lists” section on page 10-10 for more information about
ACL directions.
For connectionless protocols, you need to apply an ACL to both the source and destination interfaces if you
want traffic to pass in both directions. For example, if you allow BGP in an ACL in transparent mode, you
need to apply the ACL to both interfaces.
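The following configuration carries Step 1 and Step 2 through as one complete, working procedure: it permits an inclusive TCP port range and ICMP echo from an inside network to the web server address used earlier in this section, and, because ICMP is connectionless and the ICMP inspection engine is not enabled here, adds a second ACL on the outside interface for the echo-reply traffic. This is an added example, not configuration from the guide; the interface names inside and outside, the inside network 10.1.1.0/24, and the ACL names INSIDE_IN and OUTSIDE_IN are assumptions. The address 209.165.201.29 is the one the section already uses.

```cisco
! Added example (not from the guide): assumed interfaces "inside" and "outside",
! assumed inside network 10.1.1.0/24, assumed ACL names INSIDE_IN / OUTSIDE_IN.
! Masks on the FWSM are subnet masks (255.255.255.0), not wildcard masks.

! Step 1: ACEs for traffic arriving on the inside interface.
! range 100 200 matches ports 100 through 200 inclusive.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 209.165.201.29 range 100 200
! echo (type 8) is the ping request from host to FWSM; "host" takes no mask.
access-list INSIDE_IN extended permit icmp 10.1.1.0 255.255.255.0 host 209.165.201.29 echo
! Explicit deny at the end makes the implicit deny visible and lets you add "log" later.
access-list INSIDE_IN extended deny ip any any

! Step 1 (continued): ACEs for traffic arriving on the outside interface.
! TCP return traffic is matched by the connection table and needs no ACE here,
! but ICMP is connectionless, so echo-reply (type 0) must be permitted explicitly.
access-list OUTSIDE_IN extended permit icmp host 209.165.201.29 10.1.1.0 255.255.255.0 echo-reply
access-list OUTSIDE_IN extended deny ip any any

! Step 2: apply one extended ACL per interface and direction.
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
```

If you enable the ICMP inspection engine instead (see the “ICMP Inspection Engine” section on page 13-10), the echo-reply ACE in OUTSIDE_IN becomes unnecessary because the FWSM then tracks each ping as a stateful session and admits the matching reply on its own; the explicit deny ip any any ACEs remain a good habit because they are where you attach logging.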