Solved

Is this syntax for this IOS access list right?

Posted on 2010-09-16
3
378 Views
Last Modified: 2012-05-10
I want to permit two ports with TCP and deny all the rest between one client and the other.

Is this syntax right?

Access-list 100 permit tcp 11.12.13.14 0.0.0.255 eq 80 13.14.15.16 0.0.0.255 any
Access-list 100 permit tcp 11.12.13.14 0.0.0.255 eq 8080 13.14.15.16 0.0.0.255 any
access-list 100 deny tcp 11.12.13.14 0.0.0.255 any 13.14.15.16 0.0.0.255 any
0
Comment
Question by:ChiefIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 7

Accepted Solution

by:
expert1010 earned 300 total points
ID: 33698941
I would go for this:

access-list 100 permit tcp host 11.12.13.14 eq 80 host 13.14.15.16
access-list 100 permit tcp host 11.12.13.14 eq 8080 host 13.14.15.16
access-list 100 deny tcp host 11.12.13.14 host 13.14.15.16

or this if it's all IP traffic you need to stop
access-list 100 deny ip host 11.12.13.14 host 13.14.15.16

It's also a bit easier to read.
0
 
LVL 5

Assisted Solution

by:shirkan
shirkan earned 200 total points
ID: 33699142
i would recommend to use NAMED acces lists and not numbered.
the advantage is with named lists you can add lines to it

with numbered you have to delete the whole list and put it in new

numbered lists are leftovers from old IOS versions

e.g.
ip access-list extended test <enter>
(not you are in the access-l config mode)
permit tcp host 11.12.13.14 eq 80 host 13.14.15.16
permit tcp host 11.12.13.14 eq 8080 host 13.14.15.16
deny tcp host 11.12.13.14 host 13.14.15.16

once you get out of config mode and do a "show access-l extrended test
you will see line numbers like

10 permit tcp host 11.12.13.14 eq 80 host 13.14.15.16
20 permit tcp host 11.12.13.14 eq 8080 host 13.14.15.16
30 deny tcp host 11.12.13.14 host 13.14.15.16

if u ever need to add lines, just go back into the access-l config mode
and e.g. you need a line between 10 and 20, you do this
15  permit tcp host 11.12.13.15 eq 80 host 13.14.15.16

voila

besided the advantage to actually NAME your list and know right away what u want to use it for like

OUTGOING for LAN2Internet
or INCOMING for internet to lan

you get the idea
0
 
LVL 5

Expert Comment

by:shirkan
ID: 33699160
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Home internet speed 20 44
cisco asa proxy arp 2 26
AS-Path BGP Attribute 7 26
Connecting Hyper V host with 2 Nics to a Gigabit switch and a 10/100 Lan simultaneously 6 43
Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question