Access Control List

dacruzer1

Hello Everyone!

Is there a one-liner I can create for this ACL:

The source IPs are all the same and the destination IPs are also the same.

access-list 187 permit tcp 10.30.0.0 0.0.255.255 host 10.10.77.10 eq 5938
access-list 187 permit tcp 10.30.0.0 0.0.255.255 host 10.10.77.10 eq 7710
access-list 187 permit tcp 10.30.0.0 0.0.255.255 host 10.10.77.10 eq 3310
access-list 187 permit tcp 10.30.0.0 0.0.255.255 host 10.10.77.10 eq 2310
access-list 187 permit tcp 10.30.0.0 0.0.255.255 host 10.10.77.10 eq 3870
access-list 187 permit tcp 10.30.0.0 0.0.255.255 host 10.10.77.10 eq 2342

 

Thanks!

2 Accepted Solutions

Hello
If your software supports it then you could try a service object group and tie that into a single extended acl.

object-group service tcp_ports
tcp eq 5938
tcp eq 7710
tcp eq 3310
tcp eq 2310
tcp eq 3870
tcp eq 2342

ip access-list extended 187
permit object-group tcp_ports 10.30.0.0 0.0.255.255 host 10.10.77.10

int x/x
ip access-group 187 in/out

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

A named access list lets you put in multiple values:

ip access-list extended TCP_PORTS
permit tcp 10.30.0.0 0.0.255.255 host 10.10.77.10 eq 2310 2342 3310 3870 5938 7710


5 Replies

Hi Paul,
Thanks for your help, I will definitely use this solution. Also, is there an object group for IPs?
Thanks, Alfred

Hello


@dacruzer1 wrote:
Hi Paul,
Thanks for your help, I will definitely use this solution. Also, is there an object group for IPs?
Thanks, Alfred

Glad it assisted you, yes there is

object-group network <name>
! IP range
range 192.168.1.0 192.168.1.254
! IP subnet
192.168.1.0 255.255.255.0
! IP host
host 192.168.1.1
! nested group object
group-object xxx

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks George! I appreciate your help.
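
A pre-change check for either consolidation suggested in this thread, as an added example that is not part of the original posts: it expands the original six entries and each rewrite into (action, protocol, source, destination, port) tuples and reports any port lost or gained. It assumes permit-only entries with `eq` matches, so entry order does not affect the result; `flows` and `drift` are hypothetical helper names.

```python
import re

# Constructed input: the question's six ACEs and the two rewrites proposed in the thread.
PORTS = (5938, 7710, 3310, 2310, 3870, 2342)
PAIR = "10.30.0.0 0.0.255.255 host 10.10.77.10"
ORIGINAL = "\n".join(f"access-list 187 permit tcp {PAIR} eq {p}" for p in PORTS)
OBJECT_GROUP = (
    "object-group service tcp_ports\n"
    + "".join(f" tcp eq {p}\n" for p in PORTS)
    + f"ip access-list extended 187\n permit object-group tcp_ports {PAIR}\n"
)
MULTI_EQ = f"ip access-list extended TCP_PORTS\n permit tcp {PAIR} eq 2310 2342 3310 3870 5938 7710\n"

ADDR = r"(host \S+|any|\S+ \S+)"  # host A.B.C.D | any | network wildcard


def flows(config):
    """Expand a snippet into a set of (action, proto, src, dst, port) tuples."""
    groups, current, out = {}, None, set()
    for raw in config.splitlines():
        line = re.sub(r"^access-list \d+ ", "", raw.strip())  # numbered -> named form
        if m := re.fullmatch(r"object-group service (\S+)", line):
            current = groups.setdefault(m[1], [])
        elif current is not None and (m := re.fullmatch(r"(tcp|udp) eq (\d+)", line)):
            current.append((m[1], int(m[2])))
        elif m := re.fullmatch(rf"(permit|deny) object-group (\S+) {ADDR} {ADDR}", line):
            out |= {(m[1], proto, m[3], m[4], port) for proto, port in groups[m[2]]}
        elif m := re.fullmatch(rf"(permit|deny) (tcp|udp) {ADDR} {ADDR} eq ([\d ]+)", line):
            out |= {(m[1], m[2], m[3], m[4], int(p)) for p in m[5].split()}
    return out


def drift(before, after):
    """Ports a rewrite would stop matching ('lost') or newly match ('added')."""
    b, a = flows(before), flows(after)
    return {"lost": sorted(f[4] for f in b - a), "added": sorted(f[4] for f in a - b)}


if __name__ == "__main__":
    for name, candidate in (("object-group", OBJECT_GROUP), ("multi-eq", MULTI_EQ)):
        print(name, drift(ORIGINAL, candidate))
```

An empty `lost` and `added` for a candidate means it matches the same traffic as the six original lines; a mistyped port in the rewrite shows up in both lists.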