Solved

Is this syntax for this IOS access list right?

Posted on 2010-09-16
3
379 Views
Last Modified: 2012-05-10
I want to permit two ports with TCP and deny all the rest between one client and the other.

Is this syntax right?

Access-list 100 permit tcp 11.12.13.14 0.0.0.255 eq 80 13.14.15.16 0.0.0.255 any
Access-list 100 permit tcp 11.12.13.14 0.0.0.255 eq 8080 13.14.15.16 0.0.0.255 any
access-list 100 deny tcp 11.12.13.14 0.0.0.255 any 13.14.15.16 0.0.0.255 any
0
Comment
Question by:ChiefIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 7

Accepted Solution

by:
expert1010 earned 300 total points
ID: 33698941
I would go for this:

access-list 100 permit tcp host 11.12.13.14 eq 80 host 13.14.15.16
access-list 100 permit tcp host 11.12.13.14 eq 8080 host 13.14.15.16
access-list 100 deny tcp host 11.12.13.14 host 13.14.15.16

or this if it's all IP traffic you need to stop
access-list 100 deny ip host 11.12.13.14 host 13.14.15.16

It's also a bit easier to read.
0
 
LVL 5

Assisted Solution

by:shirkan
shirkan earned 200 total points
ID: 33699142
i would recommend to use NAMED acces lists and not numbered.
the advantage is with named lists you can add lines to it

with numbered you have to delete the whole list and put it in new

numbered lists are leftovers from old IOS versions

e.g.
ip access-list extended test <enter>
(not you are in the access-l config mode)
permit tcp host 11.12.13.14 eq 80 host 13.14.15.16
permit tcp host 11.12.13.14 eq 8080 host 13.14.15.16
deny tcp host 11.12.13.14 host 13.14.15.16

once you get out of config mode and do a "show access-l extrended test
you will see line numbers like

10 permit tcp host 11.12.13.14 eq 80 host 13.14.15.16
20 permit tcp host 11.12.13.14 eq 8080 host 13.14.15.16
30 deny tcp host 11.12.13.14 host 13.14.15.16

if u ever need to add lines, just go back into the access-l config mode
and e.g. you need a line between 10 and 20, you do this
15  permit tcp host 11.12.13.15 eq 80 host 13.14.15.16

voila

besided the advantage to actually NAME your list and know right away what u want to use it for like

OUTGOING for LAN2Internet
or INCOMING for internet to lan

you get the idea
0
 
LVL 5

Expert Comment

by:shirkan
ID: 33699160
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Read about achieving the basic levels of HRIS security in the workplace.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question