Cisco 7604 Configuration Manual page 234

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
Adding an Extended Access List
Typically, you identify the ip keyword for the protocol, but other protocols are accepted. For a list of protocol names, see the "Protocols and Applications" section on page E-11.

Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask.

Enter the any keyword instead of the address and mask to specify any address.

You can specify the source and destination ports only for the tcp or udp protocols. For a list of permitted keywords and well-known port assignments, see the "TCP and UDP Ports" section on page E-11. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.

Use an operator to match port numbers used by the source or destination. The permitted operators are as follows:

lt—less than
gt—greater than
eq—equal to
neq—not equal to
range—an inclusive range of values. When you use this operator, specify two port numbers, for example:

range 100 200

You can specify the ICMP type only for the icmp protocol. Because ICMP is a connectionless protocol, you either need access lists to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine (see the "Adding an ICMP Type Object Group" section on page 13-14). The ICMP inspection engine treats ICMP sessions as stateful connections. To control ping, specify echo-reply (0) (FWSM to host) or echo (8) (host to FWSM). See the "Adding an ICMP Type Object Group" section on page 13-14 for a list of ICMP types.

When you specify a network mask, the method is different from the Cisco IOS software access-list command. The FWSM uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255). Do not carry the IOS form over by habit: a wildcard value entered where the FWSM expects a mask does not describe the network you intend.

To make an ACE inactive, use the inactive keyword. An inactive ACE is not evaluated. To reenable it, enter the entire ACE without the inactive keyword. This feature lets you keep a record of an inactive ACE in your configuration to make reenabling easier.

See the following examples:

The following access list allows all hosts (on the interface to which you apply the access list) to go through the FWSM:

hostname(config)# access-list ACL_IN extended permit ip any any

The following sample access list prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27 network. All other addresses are permitted.

hostname(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list ACL_IN extended permit ip any any

Note that the deny ACE names the tcp protocol, so only TCP from 192.168.1.0/24 to 209.165.201.0/27 is blocked; UDP and ICMP from the same hosts still match the permit ip any any ACE. To block all traffic between the two networks, use deny ip instead.

If you want to restrict access to only some hosts, then enter a limited permit ACE. By default, all other traffic is denied unless explicitly permitted.

hostname(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224

The following access list restricts all hosts (on the interface to which you apply the access list) from accessing a website at address 209.165.201.29. All other traffic is allowed.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01, Chapter 13, Identifying Traffic with Access Lists, page 13-8
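The ACE syntax and first-match behavior described above can be exercised offline before a policy is applied to an interface. The following Python evaluator is an added example written for this page; it is not code from the Cisco guide or from the FWSM itself. It implements the page's ACE grammar (host, any, network mask, lt/gt/eq/neq/range, ICMP type, inactive), first-match evaluation with the implicit deny, and runs the page's deny tcp / permit ip any any access list to show that UDP from 192.168.1.0/24 still passes. Two things are the evaluator's own choices rather than documented FWSM behavior: it rejects a non-contiguous mask as a likely IOS wildcard typed by habit, and its port-name and ICMP-type tables are constructed and cover only the names used here.

```python
"""Offline evaluator for FWSM-style extended access lists (added example).

Models the ACE syntax described on this page and first-match evaluation
with an implicit deny, so a policy can be checked before it is applied.
"""
import ipaddress

OPS = ("lt", "gt", "eq", "neq", "range")
# Constructed lookup tables: only the names needed by the samples below.
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "tacacs": 49}
ICMP_TYPES = {"echo-reply": 0, "echo": 8}


def _addr(s):
    return int(ipaddress.IPv4Address(s))


def _mask(s):
    """The FWSM takes a network mask (255.255.255.0), not an IOS wildcard.
    A mask whose set bits are not contiguous is what a wildcard such as
    0.0.0.255 looks like when typed by habit, so reject it here (this is
    the evaluator's own check, not documented FWSM behavior)."""
    m = _addr(s)
    if m and ((m | (m - 1)) & 0xFFFFFFFF) != 0xFFFFFFFF:
        raise ValueError(f"{s} is not a contiguous network mask (IOS wildcard?)")
    return m


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _port_ok(spec, port):
    """Apply lt/gt/eq/neq/range to a port; range is inclusive, as the page says."""
    if spec is None:
        return True
    op, a = spec[0], spec[1]
    return {"lt": port < a, "gt": port > a, "eq": port == a, "neq": port != a,
            "range": a <= port <= spec[-1]}[op]


def parse_ace(line):
    """access-list NAME extended {permit|deny} PROTO SRC [op port] DST [op port] [icmp-type] [inactive]"""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    ace = {"name": t[1], "action": t[3], "proto": t[4], "inactive": t[-1] == "inactive"}
    t = t[5:-1] if ace["inactive"] else t[5:]

    def addr_and_mask():
        nonlocal t
        if t[0] == "any":               # any address: mask 0 matches everything
            t = t[1:]
            return 0, 0
        if t[0] == "host":              # single address, no mask given
            a = _addr(t[1])
            t = t[2:]
            return a, 0xFFFFFFFF
        a, m = _addr(t[0]), _mask(t[1])
        t = t[2:]
        return a & m, m

    def port_op():
        nonlocal t
        if not t or t[0] not in OPS:
            return None
        if ace["proto"] not in ("tcp", "udp"):
            raise ValueError("port operators are valid only for tcp or udp")
        n = 3 if t[0] == "range" else 2
        spec = (t[0],) + tuple(_port(x) for x in t[1:n])
        t = t[n:]
        return spec

    ace["src"], ace["smask"] = addr_and_mask()
    ace["sport"] = port_op()
    ace["dst"], ace["dmask"] = addr_and_mask()
    ace["dport"] = port_op()
    ace["icmp_type"] = None
    if t:                               # only an ICMP type may remain
        if ace["proto"] != "icmp" or len(t) != 1:
            raise ValueError("unexpected tokens: " + " ".join(t))
        ace["icmp_type"] = int(t[0]) if t[0].isdigit() else ICMP_TYPES[t[0]]
    return ace


def matches(ace, pkt):
    """pkt is a dict: proto, src, dst, plus sport/dport or icmp_type as applicable."""
    if ace["inactive"]:                 # kept in the configuration, never evaluated
        return False
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if (_addr(pkt["src"]) & ace["smask"]) != ace["src"]:
        return False
    if (_addr(pkt["dst"]) & ace["dmask"]) != ace["dst"]:
        return False
    if ace["proto"] in ("tcp", "udp"):
        if not _port_ok(ace["sport"], pkt.get("sport", 0)):
            return False
        if not _port_ok(ace["dport"], pkt.get("dport", 0)):
            return False
    if ace["icmp_type"] is not None and pkt.get("icmp_type") != ace["icmp_type"]:
        return False
    return True


def evaluate(acl, pkt):
    """First matching ACE decides; traffic that matches no ACE is denied."""
    for ace in acl:
        if matches(ace, pkt):
            return ace["action"]
    return "deny"


# The page's second example, as constructed sample input.
ACL_IN = [parse_ace(cmd) for cmd in (
    "access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224",
    "access-list ACL_IN extended permit ip any any",
)]


def demo():
    """The deny ACE names tcp, so UDP from the same source is still permitted."""
    tcp = {"proto": "tcp", "src": "192.168.1.10", "dst": "209.165.201.5", "dport": 80}
    udp = {"proto": "udp", "src": "192.168.1.10", "dst": "209.165.201.5", "dport": 53}
    return evaluate(ACL_IN, tcp), evaluate(ACL_IN, udp)
```

Run demo() to see the page's sample access list return deny for the TCP flow and permit for the UDP flow. The mask check in _mask is the place a practitioner gains the most: feeding it an IOS-style 0.0.0.255 raises immediately instead of silently producing a match set that is not the /24 the author had in mind.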