Extended ACL with multiple ports

Jul 30th, 2012

Hi Guys,

I am looking for some help in relation to an ACL I want to stick in.

What I need is to allow certain subnets to access a host via the following TCP ports: 80, 8080, 443, 21 and 3128.

Does anyone know if it's possible to do this with a single-line ACL?

Something like:

access-list 300 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.20 eq 80 8080 443 3128

Does this ACL look right?

Thanks

John Blakley Mon, 07/30/2012 - 04:02

Yes, this ACL will work if your version of IOS supports it.

** Correction **

I noticed the number of your ACL. This isn't the range of an extended ACL (100 - 199), and the ranges don't seem to work on a numbered extended ACL. If you create a named ACL, it should work:

ip access-list ext Moreports
permit tcp 192.168.12.0 0.0.0.255 any eq 443 8080 8221 55555

HTH,

John

Frank Dukes Tue, 07/31/2012 - 02:02

Hi John,

I tried that but got an error on the 8080 part of the command - so it may well be that the IOS version does not support multiple ports in the one command. The IOS version is 12.2(18)SXF17b.

Thanks

Alessio Andreoli Tue, 07/31/2012 - 04:48

Hi Robert,

I don't think it will work, even if it is worth trying the use of a | (pipe) between the port numbers.

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsaclseq.html

If you go nearly to the end of this doc you will find:

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

HTH

Alessio
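Putting John's single-line named ACL and the one-port-per-operator rule Alessio quotes side by side, as an added example that is not part of this thread and not Cisco's code: a small Python helper that renders the ports from the question (21 included) in both forms, the single `eq` list that a newer IOS accepts and the per-port / two-number `range` fallback for an IOS such as 12.2(18)SXF that rejects several ports after `eq`, and then evaluates sample packets against each rendering with IOS first-match and implicit-deny semantics to confirm they permit exactly the same traffic. The ACL name WEB-IN, the probe addresses, and the parser's restriction to destination-port operators on tcp entries are my assumptions, not anything the posters wrote.

```python
"""Render a Cisco IOS extended ACL for several TCP ports in the two forms
discussed in this thread, then check that both permit the same traffic.

Added example, not Cisco's code or any poster's code. It models only the
syntax quoted above: lines of the form `permit tcp SRC DST [eq P...|range A B]`
where SRC/DST is `any`, `host X` or `X WILDCARD`. Source-port operators
and trailing keywords such as `log` are deliberately not modelled.
"""
from ipaddress import IPv4Address, IPv4Network


def wildcard(net: IPv4Network) -> str:
    """IOS ACLs take a wildcard mask, the inverse of the netmask: /24 -> 0.0.0.255."""
    return str(net.hostmask)


def single_line_acl(name: str, src: str, dst_host: str, ports) -> list:
    """One permit line listing every port after `eq`, as in John's reply.
    Only an IOS that accepts several ports per `eq` will take this line."""
    net = IPv4Network(src)
    port_list = " ".join(str(p) for p in sorted(set(ports)))
    return [
        f"ip access-list extended {name}",
        f" permit tcp {net.network_address} {wildcard(net)} host {dst_host} eq {port_list}",
    ]


def per_port_acl(name: str, src: str, dst_host: str, ports) -> list:
    """Fallback for an IOS that rejects several ports after `eq`: one line per
    port, with runs of consecutive ports collapsed into a two-number `range`
    as the operator description Alessio quoted allows."""
    net = IPv4Network(src)
    prefix = f" permit tcp {net.network_address} {wildcard(net)} host {dst_host}"
    lines = [f"ip access-list extended {name}"]
    plist = sorted(set(ports))
    i = 0
    while i < len(plist):
        j = i
        while j + 1 < len(plist) and plist[j + 1] == plist[j] + 1:
            j += 1  # extend the run of consecutive ports
        lines.append(f"{prefix} range {plist[i]} {plist[j]}" if j > i
                     else f"{prefix} eq {plist[i]}")
        i = j + 1
    return lines


def _parse_addr(tok, i):
    """Consume one address operand: 'any', 'host X' or 'X WILDCARD'.
    Returns ((base, wildcard) as ints, index of the next token)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0), i + 2
    return (int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1]))), i + 2


def _addr_match(spec, ip: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(IPv4Address(ip)) & care) == (base & care)


def evaluate(acl_lines, src_ip: str, dst_ip: str, dport: int) -> bool:
    """First-match evaluation of the tcp permit/deny lines, ending with the
    implicit deny every IOS ACL has. Returns True if the packet is permitted."""
    for line in acl_lines:
        tok = line.split()
        if len(tok) < 2 or tok[0] not in ("permit", "deny") or tok[1] != "tcp":
            continue  # header line, or a protocol this toy does not model
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        ports = None  # no operator at all: any destination port matches
        if i < len(tok):
            if tok[i] == "eq":
                ports = {int(p) for p in tok[i + 1:]}
            elif tok[i] == "range":
                ports = set(range(int(tok[i + 1]), int(tok[i + 2]) + 1))
        if (_addr_match(src, src_ip) and _addr_match(dst, dst_ip)
                and (ports is None or dport in ports)):
            return tok[0] == "permit"
    return False  # implicit deny


def same_decisions(acl_a, acl_b, src_ip: str, dst_ip: str, ports) -> bool:
    """True if both renderings permit/deny exactly the same destination ports."""
    return all(evaluate(acl_a, src_ip, dst_ip, p) == evaluate(acl_b, src_ip, dst_ip, p)
               for p in ports)


if __name__ == "__main__":
    # Constructed input: the subnet, host and ports from the question, 21 included.
    PORTS = [80, 8080, 443, 21, 3128]
    one = single_line_acl("WEB-IN", "192.168.1.0/24", "192.168.5.20", PORTS)
    many = per_port_acl("WEB-IN", "192.168.1.0/24", "192.168.5.20", PORTS)
    print("\n".join(one) + "\n---\n" + "\n".join(many))
    probe = PORTS + [22, 8081, 3129]  # include ports that must be denied
    print("equivalent:", same_decisions(one, many, "192.168.1.7", "192.168.5.20", probe))
```

The evaluator is the part worth keeping around: a multi-port `eq` is an OR across the listed ports on a single entry, so the single line and the five-line fallback are interchangeable, and probing a few ports that should be denied (22, 8081, 3129 here) is a cheap way to catch an entry that accidentally widened the match, for example by using `range 80 8080` instead of listing the ports.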

Frank Dukes Fri, 08/03/2012 - 01:51

Hi Alessio,

Thanks for that - I will have a look and report back.

Cheers
