Configuring IP Services

IP Services Configuration Examples

Extended Access List Examples

In the following example, the first line permits any incoming TCP connections with destination ports greater than 1023. The second line permits incoming TCP connections to the Simple Mail Transfer Protocol (SMTP) port of host 128.88.1.2. The last line permits incoming ICMP messages for error feedback.

access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 1023
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
access-list 102 permit icmp 0.0.0.0 255.255.255.255 128.88.0.0 255.255.255.255
interface ethernet 0
ip access-group 102 in

For another example of using an extended access list, suppose you have a network connected to the Internet, and you want any host on an Ethernet to be able to form TCP connections to any host on the Internet. However, you do not want hosts on the Internet to be able to form TCP connections to hosts on the Ethernet, except to the mail (SMTP) port of a dedicated mail host.

SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same two port numbers are used throughout the life of the connection. Mail packets coming in from the Internet will have a destination port of 25. Outbound packets will have the port numbers reversed. Because the secure system behind the router always accepts mail connections on port 25, incoming and outgoing services can be controlled separately. The access list can be configured on either the outbound or inbound interface.

In the following example, the Ethernet network is a Class B network with the address 128.88.0.0, and the address of the mail host is 128.88.1.2. The established keyword is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.

access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
interface ethernet 0
ip access-group 102 in
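To make the wildcard-mask and established semantics of the two access lists above concrete, here is an added example (not part of the Cisco guide) that parses these access-list lines and evaluates constructed inbound packets against list 102 the way IOS does: first match wins, implicit deny at the end. The packet dictionaries and the helper names are assumptions for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care' (the inverse of a subnet mask)."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

PORT_OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}

def parse_entry(line):
    """Parse 'access-list N permit|deny proto src swc dst dwc [op port] [established]'."""
    t = line.split()
    assert t[0] == "access-list"
    e = {"action": t[2], "proto": t[3], "src": t[4], "swc": t[5],
         "dst": t[6], "dwc": t[7], "port": None, "established": False}
    rest = t[8:]
    if rest and rest[0] in PORT_OPS:          # operator applies to the destination port
        e["port"] = (rest[0], int(rest[1]))
        rest = rest[2:]
    e["established"] = bool(rest) and rest[0] == "established"
    return e

def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for a packet; unmatched packets hit the implicit deny."""
    for e in acl:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], e["src"], e["swc"])
                and wildcard_match(pkt["dst"], e["dst"], e["dwc"])):
            continue
        if e["port"] and not PORT_OPS[e["port"][0]](pkt.get("dport", 0), e["port"][1]):
            continue
        # 'established' is stateless: it only checks for an ACK or RST flag,
        # which is why it admits return traffic without tracking connections.
        if e["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return e["action"]
    return "deny"

ACL_102 = [parse_entry(l) for l in (
    "access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established",
    "access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25",
)]

# Constructed inbound packets from an Internet host 1.2.3.4 (sample values, not real traffic).
SAMPLE = {
    "smtp_to_mailhost": {"proto": "tcp", "src": "1.2.3.4", "dst": "128.88.1.2", "dport": 25, "flags": {"SYN"}},
    "telnet_to_internal": {"proto": "tcp", "src": "1.2.3.4", "dst": "128.88.5.5", "dport": 23, "flags": {"SYN"}},
    "reply_to_internal": {"proto": "tcp", "src": "1.2.3.4", "dst": "128.88.5.5", "dport": 40000, "flags": {"ACK"}},
    "icmp_to_internal": {"proto": "icmp", "src": "1.2.3.4", "dst": "128.88.5.5"},
}

def decisions():
    return {name: evaluate(ACL_102, pkt) for name, pkt in SAMPLE.items()}
```

Running `decisions()` shows the intended split: new SMTP connections to the mail host and return traffic to the Ethernet are permitted, while new connections to other internal hosts and ICMP (not listed in this version of list 102) fall through to the implicit deny.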

Named Access List Example

The following configuration creates a standard access list named Internet_filter and an extended access list named marketing_group:

interface Ethernet0/5
 ip address 2.0.5.1 255.255.255.0
 ip access-group Internet_filter out
 ip access-group marketing_group in

...

ip access-list standard Internet_filter
 permit 1.2.3.4
 deny any

ip access-list extended marketing_group
 permit tcp any 171.69.0.0 0.0.255.255 eq telnet
 deny tcp any any
 permit icmp any any
 deny udp any 171.69.0.0 0.0.255.255 lt 1024
 deny ip any any log

Cisco IOS IP Configuration Guide (Cisco Systems document 78-11741-02)

IPC-124