Cisco IE-5000 User Manual

1066 pages
Configuring Network Security with ACLs
How to Configure Network Security with ACLs
Command:
or access-list access-list-number {deny | permit} protocol any any [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]

Purpose:
In access-list configuration mode, defines an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.
You can use the any keyword in place of source and destination address and wildcard.

Command:
or access-list access-list-number {deny | permit} protocol host source host destination [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]

Purpose:
Defines an extended IP access list by using an abbreviation for a source and a source wildcard of source 0.0.0.0 and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.
You can use the host keyword in place of the source and destination wildcard or mask.

Step 2b

Command:
access-list access-list-number {deny | permit} tcp source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp] [flag]

Purpose:
(Optional) Defines an extended TCP access list and the access conditions.
Enter tcp for Transmission Control Protocol.
The parameters are the same as those described in Step 2a, with these exceptions:
(Optional) operator and port compare source (if positioned after source source-wildcard) or destination (if positioned after destination destination-wildcard) port. Possible operators include eq (equal), gt (greater than), lt (less than), neq (not equal), and range (inclusive range). Operators require a port number (range requires two port numbers separated by a space).
port number is a decimal number (from 0 to 65535) or the name of a TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
The other optional keywords have these meanings:
- established—Matches an established connection. This has the same function as matching on the ack or rst flag.
- flag—Matches one of these flags by the specified TCP header bits: ack (acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize), or urg (urgent).

Step 2c

Command:
access-list access-list-number {deny | permit} udp source source-wildcard [operator port] destination destination-wildcard [operator port] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]

Purpose:
(Optional) Defines an extended UDP access list and the access conditions.
udp—The User Datagram Protocol.
The UDP parameters are the same as those described for TCP except that the [operator [port]] port number or name must be a UDP port number or name, and the flag and established parameters are not valid for UDP.
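
Added example, not from the Cisco manual: a Python model of how the TCP and UDP entries in Steps 2b and 2c are matched, covering the any and host abbreviations, wildcard masks, the port operators, and established. The list number, addresses, and packet dictionary layout are constructed for the example; port names and the other optional keywords are not parsed, and first-match ordering with a final implicit deny is standard IOS behaviour assumed here.

```python
import ipaddress

OPS = {"eq": lambda p, a: p == a, "neq": lambda p, a: p != a,
       "gt": lambda p, a: p > a, "lt": lambda p, a: p < a}

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def read_addr(tok, i):                      # -> (address, wildcard, next index)
    if tok[i] == "any":                     # any = 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":                    # host A = A 0.0.0.0
        return ip_int(tok[i + 1]), 0, i + 2
    return ip_int(tok[i]), ip_int(tok[i + 1]), i + 2

def read_port(tok, i):                      # optional [operator port] -> (test, next index)
    if i < len(tok) and tok[i] in OPS:
        return (lambda p, op=OPS[tok[i]], a=int(tok[i + 1]): op(p, a)), i + 2
    if i < len(tok) and tok[i] == "range":  # inclusive range, two port numbers
        return (lambda p, lo=int(tok[i + 1]), hi=int(tok[i + 2]): lo <= p <= hi), i + 3
    return (lambda p: True), i

def parse_ace(line):
    tok = line.split()                      # access-list <number> <action> <protocol> ...
    src, swc, i = read_addr(tok, 4)
    sport, i = read_port(tok, i)            # operator after source: source port
    dst, dwc, i = read_addr(tok, i)
    dport, i = read_port(tok, i)            # operator after destination: destination port
    return {"action": tok[2], "proto": tok[3], "src": (src, swc), "dst": (dst, dwc),
            "sport": sport, "dport": dport, "established": "established" in tok[i:]}

def ace_matches(ace, pkt):
    # pkt (hypothetical layout): dict with proto, src, dst, sport, dport, flags (set of names)
    def addr_ok(spec, ip):                  # wildcard bits set to 1 are not compared
        return ((ip_int(ip) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0
    est_ok = not ace["established"] or bool(pkt["flags"] & {"ack", "rst"})
    return (ace["proto"] == pkt["proto"] and est_ok
            and addr_ok(ace["src"], pkt["src"]) and addr_ok(ace["dst"], pkt["dst"])
            and ace["sport"](pkt["sport"]) and ace["dport"](pkt["dport"]))

def evaluate(acl, pkt):                     # first matching entry decides
    hits = (a["action"] for a in map(parse_ace, acl) if ace_matches(a, pkt))
    return next(hits, "deny")               # implicit deny ends every IOS ACL

ACL = [  # constructed sample using documentation address ranges
    "access-list 102 permit tcp any 192.0.2.0 0.0.0.255 established",
    "access-list 102 permit tcp any host 192.0.2.10 eq 25",
    "access-list 102 permit udp any any eq 53",
    "access-list 102 deny tcp any any range 1 1023"]
```

With this list, a bare SYN to 192.0.2.10 port 25 is permitted by the second entry, while a bare SYN to any other host in 192.0.2.0/24 is denied because the first entry only admits segments carrying ack or rst.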

Cisco IE-5000 Specifications

General
Model: IE-5000
Category: Industrial Ethernet Switch
Switching Capacity: 128 Gbps
Forwarding Rate: 95.2 Mpps
MAC Address Table Size: 16,000 entries
Ports: 16 or 24 10/100/1000 ports
Uplink Ports: 4 SFP ports
Operating Temperature: -40°C to 70°C
Power Supply: Dual redundant power supplies
Mounting: DIN rail
Management: Web GUI, CLI, SNMP
Input Voltage: 24 VDC or 110/220 VAC
Layer: Layer 2/3
Jumbo Frame Support: Up to 9216 bytes
