How to define the access list on router?

guruprasadr Wed, 05/07/2008 - 00:42

HI, [Pls Rate if HELPS]


Create and Extended ACL as below:


Extended IP access list allow
10 permit ip host 192.168.23.1 any
20 permit ip host 192.168.23.4 any
30 permit ip host 192.168.23.8 any


Hope I am Informative.


Pls Rate if HELPS


Best Regards,


Guru Prasad R



guruprasadr Wed, 05/07/2008 - 01:13

HI, [Pls Rate if HELPS]


Explicit deny will be available by default as the last statement. When you match the ACL, the 3 IP addresses will only be allowed and the rest will all be denied using the explicit deny available by default.


Extended IP access list allow
10 permit ip host 192.168.23.1 any
20 permit ip host 192.168.23.4 any
30 permit ip host 192.168.23.8 any



Hope I am informative.


Pls Rate if HELPS


Best Regards,


Guru Prasad R

Hi There


Not exactly. The number "30" at the start of the ACL defines the line number of the ACL that this statement will occupy, and in your example you are attempting to put three statements on the one line. This will not be permitted.


However, you could use:

ip access-list extended 100

permit tcp host 192.168.23.1 0.0.0.255 any eq 12322
permit tcp host 192.168.23.1 0.0.0.255 any eq 13432
permit tcp host 192.168.23.1 0.0.0.255 any eq 12324

permit tcp host 192.168.23.4 0.0.0.255 any eq 12322
permit tcp host 192.168.23.4 0.0.0.255 any eq 13432
permit tcp host 192.168.23.4 0.0.0.255 any eq 12324

permit tcp host 192.168.23.8 0.0.0.255 any eq 12322
permit tcp host 192.168.23.8 0.0.0.255 any eq 13432
permit tcp host 192.168.23.8 0.0.0.255 any eq 12324



HTH


Best Regards,


Michael

Hi Again


Actually there is an error in the ACL statements I have shown.


If you only want these statements to apply to the specific host addresses shown, leave out the wildcard mask (0.0.0.255) from all statements.


If you want these statements to apply to the entire subnets, then leave out the keyword "host" from all statements.



Best Regards,


Michael

Hi There


If you want to block/permit EVERY port between, say, 1500 and 1900, then you could use the "range" option,

i.e. permit tcp host 192.168.23.8 0.0.0.255 any range 1500 1900


However, if you only want to block/permit, say, ports 1500, 1675, 1806 & 1897, then you would need to write a single line for each individual port that you wish to cover.



HTH


Best Regards,


Michael
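To make the behaviour discussed in this thread concrete (first-match ordering, the implicit deny at the end of every ACL, "host" versus a wildcard mask, and "eq" versus "range"), here is an added Python model of extended ACL evaluation. It is example code written for this page, not Cisco IOS code and not anything the posters provided; the token grammar it accepts (optional sequence number, permit/deny, ip/tcp/udp, source, destination, optional port) is a deliberately small subset of the IOS syntax, and the packets it evaluates are plain dicts constructed by the caller.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((base, care_bits), rest)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0xFFFFFFFF), tokens[2:]
    care = 0xFFFFFFFF ^ _ip(tokens[1])  # wildcard 1-bits are "don't care" bits
    return (_ip(tokens[0]) & care, care), tokens[2:]

def parse_port(tokens):
    """Consume optional 'eq P' | 'range LO HI'; return ((lo, hi) or None, rest)."""
    if not tokens:
        return None, tokens
    if tokens[0] == "eq":
        return (int(tokens[1]), int(tokens[1])), tokens[2:]
    if tokens[0] == "range":
        return (int(tokens[1]), int(tokens[2])), tokens[3:]
    raise ValueError(f"unsupported port spec: {' '.join(tokens)}")

def parse_ace(line):
    """Parse one ACE: [SEQ] permit|deny ip|tcp|udp SRC DST [PORT] (subset of IOS syntax)."""
    t = line.split()
    seq = int(t.pop(0)) if t[0].isdigit() else None
    action, proto, t = t[0], t[1], t[2:]
    src, t = parse_addr(t)
    dst, t = parse_addr(t)  # 'host A 0.0.0.255 any' fails here: host takes no wildcard
    dport, t = parse_port(t)
    if t or action not in ("permit", "deny"):
        raise ValueError(f"malformed ACE: {line}")
    return {"seq": seq, "action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _addr_match(spec, ip):
    return (_ip(ip) & spec[1]) == spec[0]

def evaluate(acl_lines, pkt):
    """First matching ACE wins; the implicit 'deny ip any any' ends every ACL."""
    for ace in (parse_ace(l) for l in acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not (_addr_match(ace["src"], pkt["src"]) and _addr_match(ace["dst"], pkt["dst"])):
            continue
        if ace["dport"] and not ace["dport"][0] <= pkt["dport"] <= ace["dport"][1]:
            continue
        return ace["action"]
    return "deny"
```

Feeding the thread's three-line "allow" ACL a packet from 192.168.23.2 falls through every ACE and returns "deny" from the implicit deny, while the uncorrected form "host 192.168.23.1 0.0.0.255" is rejected by parse_ace, matching Michael's follow-up correction.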
