Solved

Is this syntax for this IOS access list right?

Posted on 2010-09-16
383 Views
Last Modified: 2012-05-10
I want to permit two ports with TCP and deny all the rest between one client and the other.

Is this syntax right?

Access-list 100 permit tcp 11.12.13.14 0.0.0.255 eq 80 13.14.15.16 0.0.0.255 any
Access-list 100 permit tcp 11.12.13.14 0.0.0.255 eq 8080 13.14.15.16 0.0.0.255 any
access-list 100 deny tcp 11.12.13.14 0.0.0.255 any 13.14.15.16 0.0.0.255 any
Question by:ChiefIT
3 Comments
 
LVL 7

Accepted Solution

by:
expert1010 earned 1200 total points
ID: 33698941
I would go for this:

access-list 100 permit tcp host 11.12.13.14 eq 80 host 13.14.15.16
access-list 100 permit tcp host 11.12.13.14 eq 8080 host 13.14.15.16
access-list 100 deny tcp host 11.12.13.14 host 13.14.15.16

or this, if it's all IP traffic you need to stop:
access-list 100 deny ip host 11.12.13.14 host 13.14.15.16

It's also a bit easier to read.
 
LVL 5

Assisted Solution

by:Markus Braun
Markus Braun earned 800 total points
ID: 33699142
I would recommend using NAMED access lists and not numbered ones.
The advantage is that with named lists you can add lines to them.

With numbered lists you have to delete the whole list and put it in new.

Numbered lists are leftovers from old IOS versions.

e.g.
ip access-list extended test <enter>
(now you are in the access-l config mode)
permit tcp host 11.12.13.14 eq 80 host 13.14.15.16
permit tcp host 11.12.13.14 eq 8080 host 13.14.15.16
deny tcp host 11.12.13.14 host 13.14.15.16

once you get out of config mode and do a "show access-l extended test"
you will see line numbers like

10 permit tcp host 11.12.13.14 eq 80 host 13.14.15.16
20 permit tcp host 11.12.13.14 eq 8080 host 13.14.15.16
30 deny tcp host 11.12.13.14 host 13.14.15.16

If you ever need to add lines, just go back into the access-l config mode
and, e.g., if you need a line between 10 and 20, you do this:
15 permit tcp host 11.12.13.15 eq 80 host 13.14.15.16

voila

Besides, there is the advantage that you actually NAME your list and know right away what you want to use it for, like

OUTGOING for LAN2Internet
or INCOMING for internet to lan

you get the idea
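Added illustration (not code from the question or from either answer): a small Python evaluator for extended ACL entries in the forms shown above (numbered, named and "show access-list" output, with host, wildcard, any and eq), so a list can be checked against sample flows before it goes on a router. It makes visible one point to verify in both answers: in IOS syntax a port operator binds to the address it directly follows, so "eq 80" placed after the source host matches source port 80, not a client connecting to port 80. The two ACLs at the bottom are constructed samples; only the eq operator is implemented.

```python
import ipaddress
def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)  # wildcard bits are the inverse of a netmask: 0.0.0.255 -> /24
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)

def _parse_port(tokens):  # consume an optional 'eq N'; gt/lt/range are not handled here
    if tokens[:1] != ["eq"]:
        return None
    tokens.pop(0)
    return int(tokens.pop(0))

def parse_ace(line):
    """Parse one extended ACE in numbered, named or 'show access-list' form; raise on leftovers."""
    tokens = line.lower().split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]  # numbered form: drop 'access-list <number>'
    elif tokens[0].isdigit():
        tokens = tokens[1:]  # 'show access-list' output: drop the sequence number
    action, proto, tokens = tokens[0], tokens[1], tokens[2:]
    src, sport = _parse_addr(tokens), _parse_port(tokens)  # a port operator binds to the
    dst, dport = _parse_addr(tokens), _parse_port(tokens)  # address it directly follows
    if tokens:
        raise ValueError("unexpected trailing tokens: " + " ".join(tokens))
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def evaluate(acl_lines, proto, src_ip, sport, dst_ip, dport):
    """Top-down first-match evaluation, ending in IOS's implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto) or s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["action"]
    return "deny"
# Constructed samples: the accepted answer's list, where 'eq' follows the SOURCE address...
SRC_PORT_ACL = [
    "access-list 100 permit tcp host 11.12.13.14 eq 80 host 13.14.15.16",
    "access-list 100 permit tcp host 11.12.13.14 eq 8080 host 13.14.15.16",
    "access-list 100 deny tcp host 11.12.13.14 host 13.14.15.16",
]
# ...and the same intent with 'eq' after the DESTINATION, so a client connecting TO port 80 matches
DST_PORT_ACL = ["permit tcp host 11.12.13.14 host 13.14.15.16 eq 80"]
```

Running evaluate(SRC_PORT_ACL, "tcp", "11.12.13.14", 40000, "13.14.15.16", 80) returns "deny", while the same flow against DST_PORT_ACL returns "permit"; the asker's original lines raise ValueError because the trailing "any" does not fit the grammar.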