Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
316
Views
0
Helpful
3
Replies

"Special" access lists?

wayne.sheppard
Level 1
Level 1

‎11-11-2010 12:01 PM - edited ‎03-11-2019 12:08 PM

I'm trying to learn the IOS commands directly, instead of relying on the GUI, so please bear with me.  I've got a few questions about access lists.

A. How can I determine which access lists are actively being used?  "show access-lists" lists seven different access lists, most with various levels of matches.  "show running"  lists one for for each interface.  Relevant details are shown below.

B. Are there special names access lists like NAT?  I see where the named access list is defined, but it is not listed any where else in the running config.  Yet when I delete this access list, we all lose internet access.


router#show access-lists

Standard IP access list 1

Extended IP access list 100

Extended IP access list 101

Extended IP access list 102

Extended IP access list OUTSIDE_IN

Extended IP access list NAT

Extended IP access list NATFORSTATICS

router#show running

interface GigabitEthernet0/0

ip access-group OUTSIDE_IN in

...


interface GigabitEthernet0/0

ip access-group 100 in

...

Labels:
0 Helpful
3 Replies 3

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎11-11-2010 12:28 PM

Hi,

IOS supports several types of ACLs.

The most used is the extended ACL (100-199 range) or the named extended ACLs.

The syntax is like this:

ip access-list extended (NAME_OR_NUMBER)

   DENY/PERMIT .....

The ACL should be applied either to an interface, line VTY, NAT rule, QoS, etc.... in order for the ACL to ''work''

To see if the ACL is working, the best way is a ''sh access-list'' and see the ones having matches (hitcounts).

Federico.

0 Helpful

wayne.sheppard
Level 1
Level 1

‎11-11-2010 01:18 PM

I think I found it.  The NAT and NATFORSTATICS ACLS are used in route-map, then the route-map is used in the nat rule.

ip nat inside source static tcp 192.168.1.xx 80 xx.xxx.xxx.xxx 80 route-map STATIC_RMAP extendable


route-map DYNAMIC_RMAP permit 1

match ip address NAT

!

route-map STATIC_RMAP permit 1

match ip address NATFORSTATICS

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to wayne.sheppard

‎11-11-2010 01:30 PM

Ok exactly.

The ACLs are applied to NAT rule in this case and that's why if removed breaks connectivity.

Federico.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card