ACL Configuration Examples
If you want to restrict access to only some hosts, then enter a limited permit entry.
By default, all other traffic is denied unless explicitly permitted.
host1/Admin(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
For a list of permitted keywords and well-known port assignments, see Table 1-3. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.
The following ACL example restricts all hosts (on the interface to which you apply the ACL) from accessing a website at address 209.165.201.29. All other traffic is allowed.
host1/Admin(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
host1/Admin(config)# access-list ACL_IN extended permit ip any any
The following ACLs allow all inside hosts to communicate with the outside network but only specific outside hosts to access the inside network:
host1/Admin(config)# access-list OUT extended permit ip any any
host1/Admin(config)# access-list IN extended permit ip host 209.168.200.3 any
host1/Admin(config)# access-list IN extended permit ip host 209.168.200.4 any
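The entries above are evaluated top to bottom, first match wins, and anything that matches no entry falls to the implicit deny. The following Python model is an added example (not part of the guide and not ACE code): it parses the ACL_IN and IN lines shown on this page (only the subset of extended-ACL syntax they use: ip/tcp/udp, any, host, network-plus-mask, and "eq" port), evaluates packets against them, and flags entries that an earlier, broader entry makes unreachable, which is the usual way a deny silently stops working after a reorder.

```python
import ipaddress

# Constructed sample: the ACL_IN and IN entries from this page, plus a
# misordered variant in which "permit ip any any" precedes the web deny.
SAMPLE = """
access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
access-list ACL_IN extended permit ip any any
access-list IN extended permit ip host 209.168.200.3 any
access-list IN extended permit ip host 209.168.200.4 any
""".strip().splitlines()
MISORDERED = [SAMPLE[1], SAMPLE[0]]

def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'NET MASK'."""
    t = tokens.pop(0)
    if t == "any": return ipaddress.ip_network("0.0.0.0/0")
    if t == "host": return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_acl(lines):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines
    (the subset of extended-ACL syntax used on this page) into per-name lists."""
    acl = {}
    for line in lines:
        tokens = line.split()
        tokens = tokens[tokens.index("access-list"):]  # drop any CLI prompt
        _, name, _, action, proto, *rest = tokens
        src, dst = _addr(rest), _addr(rest)
        port = None
        if rest[:1] == ["eq"]:  # keyword or numeric destination port
            port = int({"www": 80}.get(rest[1], rest[1]))
        acl.setdefault(name, []).append((action, proto, src, dst, port))
    return acl

def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry wins; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, port in entries:
        if p in ("ip", proto) and s in sn and d in dn and port in (None, dport):
            return action
    return "deny"

def shadowed(entries):
    """Indexes of entries an earlier, at-least-as-broad entry makes unreachable."""
    hits = []
    for i, (_, p, sn, dn, port) in enumerate(entries):
        for _, ep, esn, edn, eport in entries[:i]:
            if ep in ("ip", p) and sn.subnet_of(esn) and dn.subnet_of(edn) and eport in (None, port):
                hits.append(i); break
    return hits
```

Running shadowed() over a candidate ACL before applying it catches the misordered case, where the web deny would never be reached.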
The following examples show how to configure ICMP ACLs. For details about configuring ICMP ACLs, see the "Configuring an Extended ACL" section.
host1/Admin(config)# access-list INBOUND extended permit icmp any any echo
host1/Admin(config)# access-list INBOUND extended permit icmp host 10.0.0.1 host 20.0.0.1 unreachable code range 0 3
This section contains the following topics:
• Inbound and Outbound ACLs
• IP Addresses for ACLs with NAT
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
1-34
OL-16202-01
Chapter 1 Configuring Security Access Control Lists