I've been a long time user of PIX 501 units running IOS 6.x. We have a tonne of them here, and a cupboard of spares. When it was time to update our adsl backup lines i thought I would get a cisco 857 in order to match all the black boxes. What a surpise IOS 12.x is ! ! (by surprise I mean a kick in the head when you thought you were just getting somewhere with Cisco).
So, I'm back to newbie status once more.
Can anyone tell me what the correct command line would be to create an access list opens port 9999 and directs it to an internal IP of
192.168.1.1 port 9999 BUT which limits access to only one external IP (ie only allows my boss's home IP access to port 9999) ? I can set the access-list but can't quite get the IP restriction working.
basically, Cisco use at least 3 "main" OS's in their H/W, and several minor other OS's. IOS is the main Cisco OS used these days, and can be found in all the main Cisco H/W. CATOS is a different form of OS that was used on a lot of the older Cisco Etherswitch boxes, it is very good at doing SWITCHING work. While it is still maintained and supported, it seems to have little development work going on these days and most recent boxes now run IOS instead. CATOS S/W is still available for some (but not all) product lines. The PIX software is 100% unique to the PIX product line. These are the 3 main S/W series, however there are even older OS's used as well,, EG CBOS for the older 600 series devices, and I can't remember the S/W name used in the 1900 series switches....
Some product lines have specific S/W for them (EG the 3000 series VPN Concentrators), that is found in no other product line. In this case the S/W came with the product when Cisco purchased the product from another vendor.
For ACL's, the main difference that I am aware of between PIX and IOS is the NETWORK MASK field. For PIX, it is specified as a "natural" mask, IE for a class C network you use 255.255.255.0, For IOS, the mask is specified as an INVERSE mask, IE the PIX mask 255.255.255.0 becomes 0.0.0.255 for IOS.
There are many other subtle differences, however the overall concept is quite similar, just that a lot of rules around using those commands have slightly different meanings.
Under IOS, there are several different ranges of ACL numbering - An ACL that is numbered 1 - 99 is a SIMPLE IP ACL that specifies just ONE IP address, IE it cannot be used to cover RANGES of addresses, nor specify PORTS. An ACL that is numbered 100 - 199 is an EXTENDED IP ACL that can specify ranges of addresses.and include PORTS. There are also specific numbers for other functions such as the
700-799 range for MAC (IE for NIC MAC address) ACL's, and another range for NETWARE ACL's etc. Then there are also NAMED ACL's that can be used as Extended IP ACL's. There was a good reference on the Cisco Site for all the possible permutations, but I don't have that handy right now.
These days I normally write everything as an Extended IP ACL (100 -
199) as that covers just about everything we usually need.
So in your case an ACL like this - access-list 101 permit host 1.2.3.4 host 4.5.6.7 eq 1234 would allow port 1234 between the 2 IP addressees listed, while the ACL - access-list 101 permit 1.2.3.0 0.0.0.127 host 4.5.6.7 eq 1234 would allow port 1234 between any address within the range of 1.2.3.1 to 1.2.3.127 and just ONE host. Also names can be substituted for Well Known ports (EG: 23 = telnet).
I hope this helps...............................pk.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.