Router Information Guide

This blog will tell you everything that you need to know about Cisco, Juniper, Netgear, Linksys, and Foundry wireless routers.

How do I configure an extended ACL for a Cisco Router?

July 6th, 2009 · 2 Comments

I need to be able to ping one Workstation from another. Then I need to permit one Workstation to Telnet to another Workstation. Thanks ;-)

Tags: Cisco Router

2 responses so far

  • 1 redwine77 // Jul 6, 2009 at 4:16 am

    This is simple… there are a few rules… First, the ACL must be of a number between 100-199. Second, there is an implicit deny, so you must specify what you want to permit OR create an explicit permit at the end. Third, the rules use a wildcard, not a subnet mask (this is precisely the inverse of a netmask). Fourth, ACLs are read from top to bottom until a match is made… not most specific like routing. Finally, you must not forget to apply in both directions. As an example, this ACL permits ping from/to anywhere, and 10.1.1.1, alone, to access anything unhindered… denying all others:

    access-list 112 permit icmp any any
    access-list 112 permit ip 10.1.1.1 0.0.0.0 any
    access-list 112 permit ip any 10.1.1.1 0.0.0.0

    The implicit deny picks up everything else… if you wanted an explicit permit to something, you would put:
    access-list 112 permit ip any any

    at the end.

  • 2 networkmaster // Jul 6, 2009 at 4:16 am

    First, follow your access-list command with a number from the "extended" IP ACL range, from 100 to 199 or from 2000 to 2699. Then follow this with the permit keyword, then the icmp keyword since you want to ping from one machine to another. Follow this with the IP address and wildcard mask of the source and then the IP and wildcard mask of the destination, and finally the specific icmp message type.

    For example, to allow a ping only from 10.1.1.1 to 10.1.1.2 you would need:
    access-list 101 permit icmp host 10.1.1.1 host 10.1.1.2 echo
    access-list 101 permit icmp host 10.1.1.2 host 10.1.1.1 echo-reply

    For telnet, you would open TCP port 23, such as:
    access-list 102 permit tcp host 10.1.1.3 host 10.1.1.4 eq 23

    This is just to get you started, there’s a lot more possible. Search around Cisco’s web site for IOS ACL command references, such as http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d1d4.html
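Both replies describe the same evaluation rules (extended number range, wildcard masks, top-down first match, implicit deny, and the need to let the return traffic through). As an added example that is not part of the thread and not Cisco code, the following Python script parses the exact `access-list` lines used above and walks packets through them the way IOS would, so you can check an ACL before applying it. The helper names (`parse_acl`, `evaluate`, `Packet`, `telnet_check`) and the sample config are assumptions made for this page; the config adds one line the replies do not have, a `permit tcp host 10.1.1.4 eq 23 host 10.1.1.3 established` entry, because the telnet server's SYN-ACK otherwise falls through to the implicit deny (IOS's `established` keyword matches TCP segments with ACK or RST set).

```python
"""Simulate IOS extended-ACL evaluation: top-down, first match wins, implicit deny at the
end, wildcard masks (1 bits = don't care). Hypothetical helper written for this page, not
Cisco code; it understands only the syntax used in the thread."""
import ipaddress
from collections import namedtuple

ICMP_NAMES = {"echo": 8, "echo-reply": 0}  # icmp type keywords the parser accepts
PORT_NAMES = {"telnet": 23}                # tcp/udp port keywords the parser accepts
MASK32 = 0xFFFFFFFF

Entry = namedtuple("Entry", "action proto src src_wild dst dst_wild src_port dst_port icmp_type established")
# ack = TCP ACK or RST flag set, which is what the 'established' keyword tests
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type ack", defaults=(None, None, None, False))

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (addr, wildcard, rest)."""
    if tok[0] == "any":
        return 0, MASK32, tok[1:]
    if tok[0] == "host":
        return _ip(tok[1]), 0, tok[2:]
    return _ip(tok[0]), _ip(tok[1]), tok[2:]

def _parse_port(tok):
    """Consume an optional 'eq <port>'; return (port or None, rest)."""
    if tok and tok[0] == "eq":
        return (PORT_NAMES[tok[1]] if tok[1] in PORT_NAMES else int(tok[1])), tok[2:]
    return None, tok

def parse_acl(config):
    """Parse 'access-list N permit|deny ...' lines into {N: [Entry, ...]}, keeping order."""
    acls = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        num = int(tok[1])
        if not (100 <= num <= 199 or 2000 <= num <= 2699):
            raise ValueError(f"{num} is outside the extended IP ACL number ranges")
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, src_wild, rest = _parse_addr(rest)
        src_port, rest = _parse_port(rest) if proto in ("tcp", "udp") else (None, rest)
        dst, dst_wild, rest = _parse_addr(rest)
        dst_port, rest = _parse_port(rest) if proto in ("tcp", "udp") else (None, rest)
        icmp_type, established = None, False
        for extra in rest:
            if proto == "icmp" and (extra in ICMP_NAMES or extra.isdigit()):
                icmp_type = ICMP_NAMES[extra] if extra in ICMP_NAMES else int(extra)
            elif proto == "tcp" and extra == "established":
                established = True
            elif extra != "log":
                raise ValueError(f"unsupported keyword {extra!r} in: {line}")
        acls.setdefault(num, []).append(Entry(action, proto, src, src_wild, dst, dst_wild,
                                              src_port, dst_port, icmp_type, established))
    return acls

def evaluate(entries, pkt):
    """Return (action, index) of the first matching entry; ('deny', None) is the implicit deny."""
    src, dst = _ip(pkt.src), _ip(pkt.dst)
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        # only the address bits where the wildcard is 0 have to agree
        if (src ^ e.src) & ~e.src_wild & MASK32 or (dst ^ e.dst) & ~e.dst_wild & MASK32:
            continue
        if (e.src_port is not None and pkt.sport != e.src_port) or (
                e.dst_port is not None and pkt.dport != e.dst_port):
            continue
        if e.icmp_type is not None and pkt.icmp_type != e.icmp_type:
            continue
        if e.established and not pkt.ack:  # established = ACK or RST set
            continue
        return e.action, i
    return "deny", None

# Constructed config: the thread's two ACLs plus a return-traffic entry for the telnet reply.
SAMPLE_CONFIG = """
! ping only from 10.1.1.1 to 10.1.1.2: the request one way, the reply the other
access-list 101 permit icmp host 10.1.1.1 host 10.1.1.2 echo
access-list 101 permit icmp host 10.1.1.2 host 10.1.1.1 echo-reply
! telnet from 10.1.1.3 to 10.1.1.4; without the 'established' line the server's
! SYN-ACK falls through to the implicit deny and the session never opens
access-list 102 permit tcp host 10.1.1.3 host 10.1.1.4 eq 23
access-list 102 permit tcp host 10.1.1.4 eq 23 host 10.1.1.3 established
"""

def telnet_check(config=SAMPLE_CONFIG):
    """Push a telnet handshake through ACL 102: client SYN, server SYN-ACK, and a bare SYN from the server side."""
    acl = parse_acl(config)[102]
    syn = Packet("tcp", "10.1.1.3", "10.1.1.4", sport=51000, dport=23)
    syn_ack = Packet("tcp", "10.1.1.4", "10.1.1.3", sport=23, dport=51000, ack=True)
    reverse_syn = Packet("tcp", "10.1.1.4", "10.1.1.3", sport=23, dport=51000)
    # -> (('permit', 0), ('permit', 1), ('deny', None))
    return evaluate(acl, syn), evaluate(acl, syn_ack), evaluate(acl, reverse_syn)
```

Running `telnet_check()` shows the point redwine77 makes about both directions: the client's SYN hits line 0, the server's SYN-ACK is only let back in by the `established` line, and a fresh SYN from the server side still lands on the implicit deny. The simulator only models the list itself; on the router the list does nothing until it is bound to an interface with `ip access-group 102 in` (or `out`), and an interface takes one ACL per direction, so the ping and telnet entries of a real deployment would normally live in the same list.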
