Can someone help me write an extended access control list for a Cisco router?

Open the Chicago router's Virtual CLI. Enter global configuration mode by typing configure terminal. Configure an extended IP ACL # 100 that will meet the rules of our established security policy.

1. permit ftp and http traffic from the Chicago host to the Dallas server

2. deny all other TCP traffic from the Chicago host to the Dallas server

3. permit all other traffic

Apply the access-list to the Chicago router’s F0/0 interface for all inbound traffic.

Chicago Host 192.168.200.11

Dallas Server 192.168.100.11

I've got ciscorouter(config)# access-list 100

4 Answers

  • Gzus
    Lv 6
    1 decade ago
    Best Answer

    Should be

    access-list 100 permit tcp host 192.168.200.11 host 192.168.100.11 eq 21

    access-list 100 permit tcp host 192.168.200.11 host 192.168.100.11 eq 80

    access-list 100 deny tcp host 192.168.200.11 host 192.168.100.11

    access-list 100 permit ip any any

    (Edit: forgot the host command for the source address, doh!)

    int f0/0

    ip access-group 100 in

    on the router should be correct.

    Forgot to explain this as well. Access lists are read top to bottom, so you have to permit before you deny, or it will go no further. You should go from specific to broad, so it doesn't immediately block traffic. 21 is the FTP port, 80 is HTTP. The way I came up with this was: you have to permit 2 specific ports in TCP, which means those should go first. All other TCP traffic needs to be stopped, which means you should deny after. Since the last thing you want to do is allow all other traffic, you want to do a complete IP traffic permit; that way, if it isn't specifically one of the first 3 things, it will allow all other IP traffic. Also, there is an implicit deny at the end of all access lists, so you always have to remember to permit everything you want, or it assumes it will be denied.

    Also figured I would point out that instead of the host command, you could have used a 0.0.0.0 wildcard mask instead of the host command, but I prefer host.
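    The matching behaviour this answer describes (first match wins, top to bottom, implicit deny at the end) as an added Python simulation of the posted access-list 100. This is example code, not Cisco IOS and not part of the original answer; the Ace class and evaluate() function are my own names.

```python
"""Simulate first-match evaluation of the posted access-list 100."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY = IPv4Network("0.0.0.0/0")          # the "any" keyword


def host(ip: str) -> IPv4Network:
    """The "host" keyword: a single address (wildcard 0.0.0.0)."""
    return IPv4Network(f"{ip}/32")


@dataclass(frozen=True)
class Ace:
    """One access control entry (one access-list line)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (ip matches everything)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None means any destination port ("eq" omitted)

    def matches(self, proto: str, src: IPv4Address, dst: IPv4Address,
                dport: Optional[int]) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


CHICAGO = host("192.168.200.11")   # addresses from the question
DALLAS = host("192.168.100.11")

# access-list 100 exactly as posted, in the order the lines are entered
ACL_100 = [
    Ace("permit", "tcp", CHICAGO, DALLAS, 21),   # ftp
    Ace("permit", "tcp", CHICAGO, DALLAS, 80),   # http
    Ace("deny", "tcp", CHICAGO, DALLAS),         # all other tcp Chicago -> Dallas
    Ace("permit", "ip", ANY, ANY),               # everything else
]


def evaluate(acl, proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return "permit" or "deny" for one packet: the first matching
    entry decides, and a packet matching no entry hits the implicit deny."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for ace in acl:
        if ace.matches(proto, s, d, dport):
            return ace.action
    return "deny"  # implicit deny at the end of every access list
```

    Reordering the list so the deny line comes first makes the FTP and HTTP packets fail, which is why the answer insists on specific-before-broad ordering.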

  • 3 years ago

    1. Access list entries should filter in the order from specific to general. 2. One access list per port per protocol per direction is allowed. 3. Standard ACLs should be applied closest to the source while extended ACLs should be applied closest to the destination.

  • 1 decade ago

    I still do not have hands on any Cisco POPs. You need help from my Guru. Contact RST Forum.

    Source(s): www.rstforum.net
  • chung
    Lv 4
    3 years ago

    And the same question shows up again
