Comments on: How do I configure an extended ACL for a Cisco Router? http://www.routersguide.com/blog/cisco-router/how-do-i-configure-an-extended-acl-for-a-cisco-router/ This blog will tell you everything that you need to know about Cisco, Juniper, Netgear, Linksys, and Foundry wireless routers. Fri, 12 Mar 2010 04:19:13 -0600 http://wordpress.org/?v=2.8.4 hourly 1 By: redwine77 http://www.routersguide.com/blog/cisco-router/how-do-i-configure-an-extended-acl-for-a-cisco-router/comment-page-1/#comment-6286 redwine77 Mon, 06 Jul 2009 04:16:45 +0000 http://www.routersguide.com/blog/cisco-router/how-do-i-configure-an-extended-acl-for-a-cisco-router/#comment-6286 This is simple... there a few rules... First the ACL must be of a number between 100-199. Second there is an implicit deny, so you must specify what you want to permit OR create an explicit permit at the end. Third, the rules use a wildcard, not subnet mask (this is precisely the inverse of a netmask). Fourth, ACL's are read from top to bottom until a match is made... not most specific like routing. Finally, you must not forget to apply in both directions. As an example, this ACL permits ping from/to anywhere, and 10.1.1.1, alone, to access anything unhindered... denying all others.: access-list 112 permit icmp any any access-list 112 permit ip 10.1.1.1 0.0.0.0 any access-list 112 permit ip any 10.1.1.1 0.0.0.0 The implicit deny picks up everything else... if you wanted an explicit permit to something, you would put: access-list 112 permit ip any any at the end. This is simple… there a few rules… First the ACL must be of a number between 100-199. Second there is an implicit deny, so you must specify what you want to permit OR create an explicit permit at the end. Third, the rules use a wildcard, not subnet mask (this is precisely the inverse of a netmask). Fourth, ACL’s are read from top to bottom until a match is made… not most specific like routing. Finally, you must not forget to apply in both directions. As an example, this ACL permits ping from/to anywhere, and 10.1.1.1, alone, to access anything unhindered… denying all others.:

access-list 112 permit icmp any any
access-list 112 permit ip 10.1.1.1 0.0.0.0 any
access-list 112 permit ip any 10.1.1.1 0.0.0.0

The implicit deny picks up everything else… if you wanted an explicit permit to something, you would put:
access-list 112 permit ip any any

at the end.

]]> By: networkmaster http://www.routersguide.com/blog/cisco-router/how-do-i-configure-an-extended-acl-for-a-cisco-router/comment-page-1/#comment-6285 networkmaster Mon, 06 Jul 2009 04:16:45 +0000 http://www.routersguide.com/blog/cisco-router/how-do-i-configure-an-extended-acl-for-a-cisco-router/#comment-6285 First, follow your access-list command with a number from the "extended" IP ACL range, from 100 to 199 or from 2000 to 2699. Then follow this with the permit keyword, then the icmp keyword since you want to ping from one machine to another. Follow this with the IP address and wildcard mask of the source and then the IP and wildcard mask of the destination, and finally the specific icmp message type. For example, to allow a ping only from 10.1.1.1 to 10.1.1.2 you would need: access-list 101 permit icmp host 10.1.1.1 host 10.1.1.2 echo access-list 101 permit icmp host 10.1.1.2 host 10.1.1.1 echo-reply For telnet, you would use open tcp port 23 such as: access-list 102 permit host 10.1.1.3 host 10.1.1.4 tcp eq 23 This is just to get you started, there's a lot more possible. Search around Cisco's web site for IOS ACL command references, such as http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d1d4.html First, follow your access-list command with a number from the "extended" IP ACL range, from 100 to 199 or from 2000 to 2699. Then follow this with the permit keyword, then the icmp keyword since you want to ping from one machine to another. Follow this with the IP address and wildcard mask of the source and then the IP and wildcard mask of the destination, and finally the specific icmp message type.

For example, to allow a ping only from 10.1.1.1 to 10.1.1.2 you would need:
access-list 101 permit icmp host 10.1.1.1 host 10.1.1.2 echo
access-list 101 permit icmp host 10.1.1.2 host 10.1.1.1 echo-reply

For telnet, you would use open tcp port 23 such as:
access-list 102 permit host 10.1.1.3 host 10.1.1.4 tcp eq 23

This is just to get you started, there’s a lot more possible. Search around Cisco’s web site for IOS ACL command references, such as http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d1d4.html

]]>