Access-list statement format, help!

richarddowna
Level 1

Hello

I'm rather confused by a few statements in access-lists.

Mostly about the source and destination parts of the commands.

access-list 101 permit tcp 192.168.27.0 0.0.0.255 host 192.168.30.3 eq telnet

access-list 101 permit tcp <?source ip and wildcard mask?> host <?destination ip?> eq telnet

     Q1. Is the above correct? And what does eq mean?

access-list 101 deny ip 192.168.27.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 deny ip <?source ip and wildcard mask?> <?destination ip and wildcard mask?>
     Q2. Is the above correct?

access-list 111 deny ip any any
access-list 111 deny ip <?source?> <?destination?>

     Q3. Is the above correct?

access-list 121 permit tcp any host 192.168.30.3 eq www

access-list 121 permit tcp <?source?> host <?destination?> eq www

     Q4. Is the above correct?

Thank you!

Accepted Solution

Hi Richard,

access-list 101 permit tcp 192.168.27.0 0.0.0.255 host 192.168.30.3 eq telnet

access-list 101 permit tcp <?source ip and wildcard mask?> host <?destination ip?> eq telnet

     Q1. Is the above correct? And what does eq mean?

     A:  It means that the 192.168.27.0/24 network is allowed to access host 192.168.30.3 only on TCP port 23, aka Telnet.

access-list 101 deny ip 192.168.27.0 0.0.0.255 192.168.30.0 0.0.0.255

access-list 101 deny ip <?source ip and wildcard mask?> <?destination ip and wildcard mask?>

     Q2. Is the above correct?

    A:  Correct

access-list 111 deny ip any any

access-list 111 deny ip <?source?> <?destination?>

     Q3. Is the above correct?

     A:  Correct. Note: keep in mind there is an implicit deny at the end of every ACL.

access-list 121 permit tcp any host 192.168.30.3 eq www

access-list 121 permit tcp <?source?> host <?destination?> eq www

     Q4. Is the above correct?

     A:  Correct, it's the same logic as ACL 101.

Rgds,

Toshi


5 Replies

Another thing,

Since the order in which the ACL is entered matters, do I need to remake the entire access-list if I need to insert a rule?

Seems kind of annoying. Is there a way to insert ACLs into the correct place?

Thanks

Hi Richard,

      I used to use a notepad to re-order IP access-lists in the old IOS version. In the new IOS version, we are now lucky. You can use the following commands.

Router#sh access-list 101

Router#conf t

Router(config)#ip access-list extended 101

Router(config-ext-nacl)#?

For example, remove entry 10 and insert the permit entry at sequence number 11 (inside the named ACL sub-mode the entry is given as "sequence action protocol ...", without repeating "access-list 101"):

Router(config)#ip access-list extended 101

Router(config-ext-nacl)#no 10

Router(config-ext-nacl)#11 permit tcp 192.168.27.0 0.0.0.255 host 192.168.30.3 eq telnet

Hope this helps

Toshi

Very helpful.

Thank you!!

cadet alain
VIP Alumni

Hi Richard,

Q1: yes, and eq means equal; the number following it is the destination TCP/UDP port (or the well-known name of the service).

Q2: yes

Q3: yes

Q4: yes

Regards.

Alain.

Don't forget to rate helpful posts.
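As an added example (not from any poster in this thread), a small Python evaluator for the statement format answered above: it parses the "source wildcard", "host" and "any" forms, treats eq as the destination port as Alain describes, walks the list top-down with first match wins, and falls through to the implicit deny Toshi mentions, so swapping the order of the two ACL 101 lines changes the result. The port-name table and the packet values are constructed for the example.

```python
import ipaddress

# Well-known names accepted after "eq" (small subset, constructed for this example).
PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22}
# The two statements from the question, in the order they were entered.
ACL_101 = [
    "access-list 101 permit tcp 192.168.27.0 0.0.0.255 host 192.168.30.3 eq telnet",
    "access-list 101 deny ip 192.168.27.0 0.0.0.255 192.168.30.0 0.0.0.255",
]

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at t[i]; return ((addr, mask), next i)."""
    if t[i] == "any":
        return (0, 0), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0xFFFFFFFF), i + 2
    # Wildcard bits set to 1 mean "don't care", so the match mask is the complement.
    return (_ip(t[i]), 0xFFFFFFFF ^ _ip(t[i + 1])), i + 2

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list statement: " + line)
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":  # eq = "equal to" this destination port
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"acl": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}

def _match(spec, ip):
    addr, mask = spec
    return (_ip(ip) & mask) == (addr & mask)

def evaluate(acl_lines, src_ip, dst_ip, proto, dport=None):
    """Walk the ACL top-down; first matching entry wins, otherwise the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if _match(ace["src"], src_ip) and _match(ace["dst"], dst_ip):
            return ace["action"]
    return "deny"  # the implicit deny at the end of every ACL
```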