Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

"Special" access lists?

I'm trying to learn the IOS commands directly, instead of relying on the GUI, so please bear with me.  I've got a few questions about access lists.

A. How can I determine which access lists are actively being used?  "show access-lists" lists seven different access lists, most with various levels of matches.  "show running"  lists one for for each interface.  Relevant details are shown below.

B. Are there special names access lists like NAT?  I see where the named access list is defined, but it is not listed any where else in the running config.  Yet when I delete this access list, we all lose internet access.


router#show access-lists

Standard IP access list 1

Extended IP access list 100

Extended IP access list 101

Extended IP access list 102

Extended IP access list OUTSIDE_IN

Extended IP access list NAT

Extended IP access list NATFORSTATICS

router#show running

interface GigabitEthernet0/0

ip access-group OUTSIDE_IN in

...


interface GigabitEthernet0/0

ip access-group 100 in

...

3 REPLIES

Re: "Special" access lists?

Hi,

IOS supports several types of ACLs.

The most used is the extended ACL (100-199 range) or the named extended ACLs.

The syntax is like this:

ip access-list extended (NAME_OR_NUMBER)

   DENY/PERMIT .....

The ACL should be applied either to an interface, line VTY, NAT rule, QoS, etc.... in order for the ACL to ''work''

To see if the ACL is working, the best way is a ''sh access-list'' and see the ones having matches (hitcounts).

Federico.

New Member

Re: "Special" access lists?

I think I found it.  The NAT and NATFORSTATICS ACLS are used in route-map, then the route-map is used in the nat rule.

ip nat inside source static tcp 192.168.1.xx 80 xx.xxx.xxx.xxx 80 route-map STATIC_RMAP extendable


route-map DYNAMIC_RMAP permit 1

match ip address NAT

!

route-map STATIC_RMAP permit 1

match ip address NATFORSTATICS

Re: "Special" access lists?

Ok exactly.

The ACLs are applied to NAT rule in this case and that's why if removed breaks connectivity.

Federico.

171
Views
0
Helpful
3
Replies