Community Member

access lists

Hi all, in the cisco ios is it possible to permit a packet based on source and destination port ? I have only ever used them based on destination port, can anyone give me an example access list for this if possible ?

3 REPLIES
Gold

Re: access lists

Short answer: Yes, dependent on what unit we are talking about.

Long answer:

Yes it is possible to use access-lists to allow or deny traffic based on the source address.

It is also possible to allow or deny traffic based on the source port or a combination of source port and source address.

There are some limitations depending on what type of unit is using the access-lists.

E.g. a 3750 can have both inbound and outbound access-lists on the same interface at the same time, i.e. traffic incoming to the interface and traffic leaving that interface.

A 2960G, however, only has inbound.

Different units handle access-lists differently.

E.g. switches do not have the same structure as an ASA unit.

So, depending on what type of unit you have, I would recommend going and looking in the command reference for that unit and software version.

Example search strings would be something like:

3750 access-list command reference example

Good luck

Community Member

Re: access lists

Can it be done by source and dest ports though?

i.e.

access-list 101 permit tcp 10.0.0.0 0.255.255.255 eq 80 20.0.0.0 0.255.255.255 eq 80 ?

Gold

Re: access lists

Sorry about the timeframe for the answer.

Yes and no, it depends on what type of device you have.

On an ASA firewall you can do it like this.

access-list 111 permit tcp host 192.192.192.192 eq 888 host 192.192.192.100 eq 888 log

On a switch, e.g. the 3750, you can NOT do it like that.

What you do is take two access-lists, one outbound and one inbound.

The first allows the destination communication to the port, e.g. 80, and the second allows the communication to answer back to port 1024+.

This will stop all TCP connections; however, UDP cannot be stopped like this.

It would be so much easier and faster if you told us what device you are using.

Just to clarify one thing.

IF you are trying to write access-lists on a switch to be used out on the internet INSTEAD of a firewall: there are many, many reasons why that is a bad idea, so please don't do that.
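To make the matching logic in the question and the replies above concrete, here is an added Python model of how an extended access-list entry is evaluated against a packet. It is not Cisco code and not from any poster; it is an illustration of the semantics only. It implements the `address wildcard` notation from the question (converted to CIDR), the `eq`/`gt`/`lt` port operators, first-match-wins ordering and the implicit deny at the end of every list. It then checks both approaches described in the last reply: a single entry carrying both a source and a destination port (the ASA-style form), and the switch approach of one inbound list for requests to port 80 plus one outbound list for replies from port 80 back to ports above 1023. All addresses, the hypothetical server and client names, and the packets are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addresses (not from the thread).
SERVER = "192.0.2.10"     # web server behind the switch port
CLIENT = "198.51.100.25"  # client on the far side


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action proto src [src_port] dst [dst_port]."""
    action: str                           # "permit" or "deny"
    proto: str                            # "tcp", "udp" or "ip" (any protocol)
    src: str                              # CIDR network, e.g. "10.0.0.0/8"
    src_port: Optional[Tuple[str, int]]   # ("eq", 80), ("gt", 1023) or None
    dst: str
    dst_port: Optional[Tuple[str, int]]


def wildcard_to_cidr(address: str, wildcard: str) -> str:
    """Convert 'address wildcard' (e.g. 10.0.0.0 0.255.255.255) to CIDR.
    Only contiguous wildcard masks are handled, which is the common case."""
    wc = int(ipaddress.IPv4Address(wildcard))
    host_bits = wc.bit_length()
    if wc != (1 << host_bits) - 1:
        raise ValueError("non-contiguous wildcard mask not supported")
    return str(ipaddress.ip_network(f"{address}/{32 - host_bits}", strict=False))


def port_matches(cond: Optional[Tuple[str, int]], port: int) -> bool:
    """Evaluate an eq/gt/lt port operator; no operator means any port."""
    if cond is None:
        return True
    op, value = cond
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Protocol, both addresses and both port operators must all match."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(ace.dst):
        return False
    return port_matches(ace.src_port, pkt.src_port) and port_matches(ace.dst_port, pkt.dst_port)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; every list ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Single entry with both a source and a destination port (ASA-style form).
ASA_STYLE = [Ace("permit", "tcp", f"{CLIENT}/32", ("eq", 888), f"{SERVER}/32", ("eq", 888))]

# Two-list switch approach: inbound permits requests to port 80,
# outbound permits the replies from port 80 back to ports above 1023.
INBOUND = [Ace("permit", "tcp", "0.0.0.0/0", None, f"{SERVER}/32", ("eq", 80))]
OUTBOUND = [Ace("permit", "tcp", f"{SERVER}/32", ("eq", 80), "0.0.0.0/0", ("gt", 1023))]


def demo() -> dict:
    request = Packet("tcp", CLIENT, 51515, SERVER, 80)
    reply = Packet("tcp", SERVER, 80, CLIENT, 51515)
    # A connection the server opens itself fits neither list.
    server_initiated = Packet("tcp", SERVER, 44444, CLIENT, 80)
    # UDP never matches a tcp entry and falls through to the implicit deny.
    udp_probe = Packet("udp", CLIENT, 51515, SERVER, 80)
    return {
        "request_in": evaluate(INBOUND, request),
        "reply_out": evaluate(OUTBOUND, reply),
        "server_initiated_out": evaluate(OUTBOUND, server_initiated),
        "udp_in": evaluate(INBOUND, udp_probe),
    }


if __name__ == "__main__":
    print(wildcard_to_cidr("10.0.0.0", "0.255.255.255"))
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `gt 1023` outbound entry is what lets the reply half of a TCP connection through without permitting the server to open new connections outward, which is the point of the two-list approach in the reply; it relies on clients using ephemeral source ports, so it is a convention-based filter rather than connection tracking.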
