Solved

Is this syntax for this IOS access list right?

Posted on 2010-09-16
Last Modified: 2012-05-10
I want to permit two ports with TCP and deny all the rest between one client and the other.

Is this syntax right?

Access-list 100 permit tcp 11.12.13.14 0.0.0.255 eq 80 13.14.15.16 0.0.0.255 any
Access-list 100 permit tcp 11.12.13.14 0.0.0.255 eq 8080 13.14.15.16 0.0.0.255 any
access-list 100 deny tcp 11.12.13.14 0.0.0.255 any 13.14.15.16 0.0.0.255 any
Question by:ChiefIT
3 Comments
 
LVL 7

Accepted Solution

by: expert1010 (earned 300 total points)
ID: 33698941
I would go for this:

access-list 100 permit tcp host 11.12.13.14 eq 80 host 13.14.15.16
access-list 100 permit tcp host 11.12.13.14 eq 8080 host 13.14.15.16
access-list 100 deny tcp host 11.12.13.14 host 13.14.15.16

or this, if it's all IP traffic you need to stop:
access-list 100 deny ip host 11.12.13.14 host 13.14.15.16

It's also a bit easier to read.
LVL 5

Assisted Solution

by: shirkan (earned 200 total points)
ID: 33699142
I would recommend using NAMED access lists and not numbered.
The advantage is that with named lists you can add lines to them.

With numbered lists you have to delete the whole list and put it in new.

Numbered lists are leftovers from old IOS versions.

e.g.
ip access-list extended test <enter>
(now you are in the access-l config mode)
permit tcp host 11.12.13.14 eq 80 host 13.14.15.16
permit tcp host 11.12.13.14 eq 8080 host 13.14.15.16
deny tcp host 11.12.13.14 host 13.14.15.16

Once you get out of config mode and do a "show access-l extended test"
you will see line numbers like

10 permit tcp host 11.12.13.14 eq 80 host 13.14.15.16
20 permit tcp host 11.12.13.14 eq 8080 host 13.14.15.16
30 deny tcp host 11.12.13.14 host 13.14.15.16

If you ever need to add lines, just go back into the access-l config mode,
and if e.g. you need a line between 10 and 20, you do this:
15 permit tcp host 11.12.13.15 eq 80 host 13.14.15.16

Voila.

Besides the advantage to actually NAME your list and know right away what you want to use it for, like

OUTGOING for LAN2Internet
or INCOMING for internet to lan

You get the idea.
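Both answers rely on the same IOS ACL semantics: entries are tried in sequence-number order, the first match wins, and an implicit deny sits after the last entry. The model below is an added example written for this thread, not code from the answers or from Cisco; it parses only the `host`/`any`/`eq` forms the answers use (no wildcard masks) and, as IOS does, treats an `eq` that follows the source address as a source-port match, which is worth checking against what you actually meant to permit.

```python
import re
# Parses the ACE forms the answers use: "host A.B.C.D" or "any", optional "eq <port>" after
# either address. As in IOS, "eq" right after the source address matches the SOURCE port.
ACE_RE = re.compile(
    r"^(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)\s+"
    r"(?P<src>host \S+|any)(?:\s+eq (?P<sport>\d+))?\s+"
    r"(?P<dst>host \S+|any)(?:\s+eq (?P<dport>\d+))?\s*$"
)

def parse_ace(line, default_seq):
    """Parse one ACE line into a dict; an entry without a number gets default_seq."""
    s = line.strip()
    m = ACE_RE.match(s)
    if not m:
        raise ValueError(f"unsupported ACE syntax: {s!r}")
    g = m.groupdict()
    host = lambda tok: None if tok == "any" else tok.split()[1]  # None matches any address
    port = lambda tok: int(tok) if tok else None                 # None matches any port
    return {"seq": int(g["seq"]) if g["seq"] else default_seq,
            "action": g["action"], "proto": g["proto"],
            "src": host(g["src"]), "sport": port(g["sport"]),
            "dst": host(g["dst"]), "dport": port(g["dport"]),
            "text": s[m.start("action"):]}

class NamedAcl:
    """IOS-style named ACL: ordered by sequence number, first match wins, implicit deny."""
    def __init__(self, name):
        self.name, self.aces = name, []

    def add(self, line):
        # With no explicit number IOS appends at (last sequence + 10), starting at 10.
        ace = parse_ace(line, self.aces[-1]["seq"] + 10 if self.aces else 10)
        if any(a["seq"] == ace["seq"] for a in self.aces):
            raise ValueError(f"sequence {ace['seq']} already in use")  # IOS rejects this
        self.aces = sorted(self.aces + [ace], key=lambda a: a["seq"])

    def show(self):
        """Entries as 'show access-lists <name>' prints them, numbered."""
        return [f"{a['seq']} {a['text']}" for a in self.aces]

    def evaluate(self, proto, src, sport, dst, dport):
        """(action, seq) of the first matching ACE; seq None means the implicit deny."""
        for a in self.aces:
            if (a["proto"] not in ("ip", proto) or (a["src"] and a["src"] != src)
                    or (a["dst"] and a["dst"] != dst) or (a["sport"] and a["sport"] != sport)
                    or (a["dport"] and a["dport"] != dport)):
                continue
            return a["action"], a["seq"]
        return "deny", None
```

Feeding it the three lines from the answer and then the "15 ..." insertion reproduces the renumbered list shown above, and evaluating a few constructed packets shows that a request sent to port 80 on 13.14.15.16 falls through to the deny entry because the `eq 80` sits on the source side.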