access lists

Unanswered Question
Mar 13th, 2008

Hi all, in Cisco IOS, is it possible to permit a packet based on source and destination port? I have only ever used them based on destination port. Can anyone give me an example access list for this, if possible?

hobbe Thu, 03/13/2008 - 05:08

Short answer: Yes, dependent on what unit we are talking about.

Long answer:

Yes it is possible to use access-lists to allow or deny traffic based on the source address.

It is also possible to allow or deny traffic based on the source port or a combination of source port and source address.

There are some limitations depending on what type of unit is using the access-lists.

E.g. a 3750 can have both inbound and outbound access-lists on the same interface at the same time, i.e. traffic incoming to the interface and traffic leaving that interface.

A 2960G, however, only has inbound.

Different units handle access-lists differently.

E.g. switches do not have the same structure as an ASA unit.

So, dependent on what type of unit you have, I would recommend going and looking in that unit and software version's command reference.

example search strings would be something like:

3750 access-list command reference example

Good luck

carl_townshend Thu, 03/13/2008 - 05:43

Can it be done by source and dest ports though


access list 101 permit tcp eq 80 e1 80 ?

hobbe Fri, 03/14/2008 - 03:37

Sorry about the timeframe for the answer.

Yes and no it depends on what type of device you have.

On an ASA firewall you can do it like this.

access-list 111 permit tcp host eq 888 host eq 888 log

On a switch, e.g. the 3750, you can NOT do it like that.

What you do is take two access-lists

one outbound and one inbound.

The first allows the destination communication to the port, e.g. 80,

and the second allows the communication to answer back to port 1024+

This will stop all tcp connections however UDP can not be stopped like this.

It would be so much easier and faster if you told us what device you are using.

Just to clarify one thing.

IF you are trying to write access-lists on a switch to be used out on the internet INSTEAD of a firewall.

There are many, many reasons why that is a bad idea, so please don't do that.
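An added example (not from this thread) that models the extended-ACL matching discussed above: a small parser and evaluator for IOS-style numbered entries, where a port operator (eq/gt/lt) may follow the source address, the destination address, or both. The entries, addresses and ports below are constructed; ACL 101/102 are the inbound/outbound pair hobbe describes (port 80 one way, source port 80 to ports above 1023 back), and 103 is a single entry matching on both ports, as the ASA line does.

```python
import ipaddress

# Constructed entries in Cisco IOS extended-ACL syntax (not from the thread).
# 101 is the inbound list: clients may reach the web server on port 80.
# 102 is the matching outbound list: the server may answer from port 80 to
# client ports above 1023. 103 shows a single entry matching on both ports.
ACL_TEXT = """
access-list 101 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 80
access-list 102 permit tcp host 198.51.100.10 eq 80 192.0.2.0 0.0.0.255 gt 1023
access-list 103 permit tcp host 192.0.2.7 eq 888 host 198.51.100.20 eq 888 log
"""

PORT_OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}

def _parse_addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional '<op> <port>'."""
    if tok[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        net, i = ipaddress.ip_network(tok[i + 1]), i + 2
    else:  # ipaddress accepts a Cisco wildcard (hostmask) after the slash
        net, i = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2
    port = None
    if i < len(tok) and tok[i] in PORT_OPS:
        port, i = (tok[i], int(tok[i + 1])), i + 2
    return net, port, i

def parse_acl(text):
    """access-list <n> <permit|deny> <proto> <src> [op port] <dst> [op port] [log]"""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, sport, i = _parse_addr(tok, 4)
        dst, dport, _ = _parse_addr(tok, i)  # trailing 'log' is ignored here
        rules.append((int(tok[1]), tok[2] == "permit", tok[3], src, sport, dst, dport))
    return rules

def evaluate(rules, acl, proto, src, sport, dst, dport):
    """First matching entry decides; falling off the end is the implicit deny."""
    for num, permit, rproto, snet, sop, dnet, dop in rules:
        if num != acl or rproto not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in snet or ipaddress.ip_address(dst) not in dnet:
            continue
        if sop and not PORT_OPS[sop[0]](sport, sop[1]):
            continue
        if dop and not PORT_OPS[dop[0]](dport, dop[1]):
            continue
        return permit
    return False

RULES = parse_acl(ACL_TEXT)
```

Note that the outbound list 102 only lets the server talk back from port 80 to high ports, so it does not let the server open new connections to low ports on the client side; as hobbe says, this stateless pairing works for TCP but gives no such guarantee for UDP.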
