ACCESS CONTROL LISTS

Hi,

I am a beginner in networking and trying to understand standard ACLs and how to apply them to interfaces. I have no problem with the statement for denying a group of subnets. I have a problem with applying the permit statement wildcard mask. I would like to have more examples and explanation for the same.

Reply to
poornima_k

You may wish to investigate Cisco's Quick Learning Module:

Simplifying Access Control Policies

Learn two methods for simplifying the creation and management of access control lists (ACLs) on your Cisco ASA 5500 Series Adaptive Security Appliance.

After a brief explanation of the two methods, object grouping and using commands to edit ACLs, watch a step-by-step demonstration of object group configuration.

Hope this helps.

Brad Reese Cisco Power Supply Headquarters


Reply to
www.BradReese.Com

Hmmm.

As I understand it "object grouping" applies only to Pix and derivatives (I assume them to be) such as the ASA range.

If you are working on routers/switches running IOS it might be better to look for a different tutorial since a lot of this one won't apply. Worse, I would imagine that the ASA uses Pix style Subnet-mask wildcards as opposed to the IOS inverse ones. (I don't speak Pix really and had to look that up!)

list support page

Can't spot anything really nice but these may assist.

Reply to
Bod43

"If you are working on routers/switches running IOS it might be better to look for a different tutorial since a lot of this one won't apply."

------------------------------------------------

Sorry, my bad - Brad Reese

CTT-TAC: IP Routing Access Lists

Learn how to configure access lists in an IP routing environment. You will also do hands-on Configuration Labs, and a Challenge Lab to test your troubleshooting knowledge.

Standard Access Lists

To create a standard access list, use one of the following commands in the global configuration mode.

(global configuration mode: The EXEC mode in the Cisco IOS software in which you can enter configuration commands and access all configuration submodes.)

Command

access-list access_list_# {deny|permit} source [source_wildcard] [log]

Purpose

Define a standard IP access list using a source IP address and wildcard mask.

-------------------------------------------------

Command

access-list access_list_# {deny|permit} any [log]

Purpose

Define a standard IP access list using an abbreviation for the source and source mask of 0.0.0.0 255.255.255.255.

-------------------------------------------------

The wildcard mask is essentially the inverse of the regular mask.

For example, if we wanted to permit any IP packets that are sourced from subnet 172.16.10.0 255.255.255.0, we could create the following access list:

access-list 1 permit 172.16.10.0 0.0.0.255

Notice that the wildcard mask in the access list is the inverse of the mask for the subnet. In a wildcard mask, the "zero" bits are important and the "one" bits are ignored. In the above access list, any IP packet sourced from 172.16.10.x would match the access list and, therefore, be permitted.

A packet sourced from any other source would be denied, because of the implicit "deny all" at the end of the access list.

If we wanted to permit only IP packets sourced from the specific host address 172.16.10.177 255.255.255.255, the access list would look like this:

access-list 1 permit 172.16.10.177 0.0.0.0

Note: If you omit the wildcard mask from an associated IP host address in an access list, 0.0.0.0 is assumed to be the mask.

The log keyword at the end of the command allows the Cisco IOS software to provide logging messages about packets that are permitted or denied by a standard access list.

The first packet that matches the access list will cause an informational console message to appear immediately. Subsequent packets are collected over five-minute intervals before they are displayed or logged.

-------------------------------------------------

CTT-TAC: Introduction to Routing and Access Lists

Introduces the routing protocols: Routing Information Protocol (RIP) and Interior Gateway Routing Protocol (IGRP), and teaches the basics of access lists. It is accompanied by a series of labs designed to enhance the concepts being explained.

IP Access Lists Introduction
Creating Access Lists with Numbers
Creating Access Lists with Names
Creating Time-Based Access Lists
Commenting Access Lists
Access-List Applications
Controlling Content of Routing Updates
Determining Address Translation with Dynamic NAT


-------------------------------------------------

Once more, sorry my bad.

Brad Reese Cisco Repair


Reply to
www.BradReese.Com
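The wildcard-mask rule quoted above (zero bits must match, one bits are ignored, implicit "deny all" at the end) can be checked offline. The following is an added Python example, not code from the thread or from Cisco; it parses the two `access-list` commands shown in the post, evaluates addresses against them exactly as IOS does (top-down, first match wins, implicit deny), and inverts a regular subnet mask into a wildcard mask. It also goes one step beyond the post's examples: a wildcard such as 0.0.3.255 matches a group of four consecutive /24 subnets, which is the "deny a group of subnets" case the original question mentions. The class and function names are this example's own.

```python
"""Standard-ACL wildcard matching, evaluated the way Cisco IOS does it.

Added illustration for the wildcard-mask explanation above; the class
and helper names are this example's own, not an IOS or Cisco API.
"""
import ipaddress
from typing import List, Optional, Tuple

ANY_WILDCARD = "255.255.255.255"   # 'any' == source 0.0.0.0, wildcard all ones
HOST_WILDCARD = "0.0.0.0"          # assumed when the wildcard is omitted


def to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted quad (masked so Python's ~ result fits)."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Invert a regular subnet mask into the ACL wildcard mask.

    255.255.255.0 -> 0.0.0.255; 255.255.255.255 (a host) -> 0.0.0.0.
    """
    return to_dotted(~to_int(subnet_mask))


def wildcard_matches(source: str, address: str, wildcard: str) -> bool:
    """True when every bit where the wildcard is 0 equals the ACL source bit.

    Bits where the wildcard is 1 are ignored, so the check is:
    (source XOR address) AND NOT wildcard == 0.
    """
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(source) ^ to_int(address)) & care_bits == 0


class StandardAcl:
    """Ordered (action, source, wildcard) entries with the implicit deny."""

    def __init__(self, number: int):
        self.number = number
        self.entries: List[Tuple[str, str, str]] = []

    def add(self, action: str, source: str, wildcard: Optional[str] = None) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if source == "any":
            source, wildcard = "0.0.0.0", ANY_WILDCARD
        elif wildcard is None:
            wildcard = HOST_WILDCARD   # IOS assumes a host mask when omitted
        self.entries.append((action, source, wildcard))

    @classmethod
    def from_config(cls, lines: List[str]) -> "StandardAcl":
        """Parse 'access-list N {permit|deny} source [wildcard] [log]' lines."""
        acl = None
        for line in lines:
            parts = line.split()
            if len(parts) < 4 or parts[0] != "access-list":
                raise ValueError(f"not a standard access-list command: {line!r}")
            number = int(parts[1])
            if acl is None:
                acl = cls(number)
            elif acl.number != number:
                raise ValueError("all lines must belong to the same access list")
            rest = [p for p in parts[4:] if p != "log"]   # 'log' does not affect matching
            acl.add(parts[2], parts[3], rest[0] if rest else None)
        if acl is None:
            raise ValueError("no access-list lines given")
        return acl

    def evaluate(self, address: str) -> str:
        """Top-down, first match wins; fall through to the implicit 'deny all'."""
        for action, source, wildcard in self.entries:
            if wildcard_matches(source, address, wildcard):
                return action
        return "deny"


if __name__ == "__main__":
    # The two commands quoted in the post, plus a constructed 'deny a group
    # of subnets' list covering 172.16.8.0 through 172.16.11.255.
    subnet_acl = StandardAcl.from_config(["access-list 1 permit 172.16.10.0 0.0.0.255"])
    host_acl = StandardAcl.from_config(["access-list 1 permit 172.16.10.177 0.0.0.0"])
    group_acl = StandardAcl.from_config([
        "access-list 2 deny 172.16.8.0 0.0.3.255",
        "access-list 2 permit any",
    ])
    for acl, addr in [(subnet_acl, "172.16.10.177"), (subnet_acl, "172.16.11.1"),
                      (host_acl, "172.16.10.177"), (host_acl, "172.16.10.178"),
                      (group_acl, "172.16.9.5"), (group_acl, "172.16.12.1")]:
        print(f"acl {acl.number}: {addr} -> {acl.evaluate(addr)}")
    print("wildcard for 255.255.255.0 is", wildcard_from_mask("255.255.255.0"))
```

Running the block shows 172.16.10.177 permitted and 172.16.11.1 denied by the /24 list, only the single host permitted by the host list, and 172.16.9.5 denied but 172.16.12.1 permitted by the group list; the last line prints 0.0.0.255.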

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.