Extended ACL Configuration Mode Commands

Similar documents
Standard ACL Configuration Mode Commands

IP Services Commands. Network Protocols Command Reference, Part 1 P1R-95

Chapter 6 Global CONFIG Commands

IP Services Commands. Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services IP1R-157

Access List Commands

Access List Commands

Access List Commands

A Commands CHAPTER. Commands that are identical to those documented in the Cisco IOS software documentation have been removed from this chapter.

This appendix contains job aids and supplements for the following topics: Extending IP Addressing Job Aids Supplement 1: Addressing Review Supplement

D Commands. Send document comments to This chapter describes the Cisco NX-OS security commands that begin with D.

Object Groups for ACLs

Object Groups for ACLs

Object Groups for ACLs

This appendix contains job aids and supplementary information that cover the following topics:

Addresses, Protocols, and Ports Reference

HP Firewalls and UTM Devices

Chapter 4 Software-Based IP Access Control Lists (ACLs)

Understanding Access Control Lists (ACLs) Semester 2 v3.1

TCP/IP Filtering. Main TCP/IP Filtering Dialog Box. Route Filters Button. Packet Filters Button CHAPTER

Chapter 10 IP Access Lists: Standard

Appendix B Policies and Filters

Teacher s Reference Manual

Cisco WAAS Software Command Summary

Configuring Routes on the ACE

ACL & QoS Configuration Commands

Object Groups for ACLs

Context Based Access Control (CBAC): Introduction and Configuration

Implementing Traffic Filtering with ACLs

Configuring Commonly Used IP ACLs

Creating an IP Access List to Filter IP Options, TCP Flags, or Noncontiguous Ports

Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports

Prerequisites for Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports

Adding an IPv6 Access List

Chapter 6 Global CONFIG Commands

Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only.

Routers use access lists to control incoming or outgoing traffic. You should know the following characteristics of an access list.

7 Filtering and Firewalling

Information about Network Security with ACLs

Cisco IOS Security Command Reference: Commands D to L, Cisco IOS XE Release 3SE (Catalyst 3650 Switches)

CCNA Access List Questions

Firewall Stateful Inspection of ICMP

Minimum is 128 bytes; maximum depends on the interface medium.

TCP, UDP Ports, and ICMP Message Types1

WCCP Configuration Mode Commands

Granular Protocol Inspection

Three interface Router without NAT Cisco IOS Firewall Configuration

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Named ACL Support for Noncontiguous Ports on an Access Control Entry

Addresses, Protocols, and Ports

HP High-End Firewalls

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

How to Create an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports or TTL Values,

Table of Contents. Cisco Configuring IP Access Lists

Prerequisites for Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports

K2289: Using advanced tcpdump filters

H3C MSR Router Series

IPv4 ACLs, identified by ACL numbers, fall into four categories, as shown in Table 1. Table 1 IPv4 ACL categories

2002, Cisco Systems, Inc. All rights reserved.

Addresses, Protocols, and Ports

Configuring IP Services

Enabling Remote Access to the ACE

Access Control List Enhancements on the Cisco Series Router

Command Manual Network Protocol. Table of Contents

Reflexive Access List Commands

Cisco Application Control Engine Module Security Configuration Guide

Configuring NAT for IP Address Conservation

Configuring IPv6 ACLs

IP Services Volume Organization

Adding an Extended Access List

IPv4 and IPv6 Commands

Configuring Traffic Interception

Access Rules. Controlling Network Access

VLAN Access Control Lists

Redundancy application group configuration (config-red-app-grp) This command was introduced.

CCNA Discovery 3 Chapter 8 Reading Organizer

TCP/IP Protocol Suite and IP Addressing

Configuring Network Address Translation

IP Access List Entry Sequence Numbering

AutoSecure. Finding Feature Information. Last Updated: January 18, 2012

Configuring Web Cache Services By Using WCCP

IP Access List Overview

GSS Administration and Troubleshooting

Chapter 1 TCP/IP Configuration and Management

Configuring Control Plane Policing

ACL Rule Configuration on the WAP371

Implementing Firewall Technologies

Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports or TTL Values

Global Information Assurance Certification Paper

Configuring Management Access

VLAN Access Control Lists

H3C S5120-HI Switch Series

Configuring Network Security with ACLs

Document ID: Introduction. Prerequisites. Requirements. Components Used. Conventions

Contents. IP addressing configuration commands 1 display ip interface 1 display ip interface brief 3 ip address 5

Managing GSS User Accounts Through a TACACS+ Server

IPv4. Christian Grothoff.

Configuring IP Session Filtering (Reflexive Access Lists)

OER uses the following default value if this command is not configured or if the no form of this command is entered: timer: 300

Advanced Security and Forensic Computing

Study Guide. Using ACLs to Secure Networks

Transcription:

Extended ACL Configuration Mode Commands To create and modify extended access lists on a WAAS device for controlling access to interfaces or applications, use the ip access-list extended global configuration command. To disable an extended access list, use the no form of the command. ip access-list extended {acl-name acl-num} Syntax Description extended acl-name acl-num Enables extended ACL configuration mode. The CLI enters the extended ACL configuration mode in which all subsequent commands apply to the current extended access list. The (config-ext-nacl) prompt appears: WAE(config-ext-nacl)# Access list to which all commands entered from ACL configuration mode apply, using an alphanumeric string of up to 30 characters, beginning with a letter. Access list to which all commands entered from access list configuration mode apply, using a numeric identifier. For extended access lists, the valid range is 100 to 199. Defaults An access list drops all packets unless you configure at least one permit entry. Command Modes Global configuration Device Modes application-accelerator central-manager Usage Guidelines Use access lists to control access to specific applications or interfaces on a WAAS device. An access control list consists of one or more condition entries that specify the kind of packets that the WAAS device will drop or accept for further processing. The WAAS device applies each entry in the order in which it occurs in the access list, which by default is the order in which you configured the entry. The following list contains examples of how ACLs can be used in environments that use WAAS devices: A WAAS device resides on the customer premises and is managed by a service provider, and the service provider wants to secure the device for its management only. A WAAS device is deployed anywhere within the enterprise. As with routers and switches, the administrator wants to limit Telnet, SSH, and WAAS GUI access to the IT source subnets. 3-503

An application layer proxy firewall with a hardened outside interface has no ports exposed. (Hardened means that the interface carefully restricts which ports are available for access, primarily for security reasons. With an outside interface, many types of security attacks are possible.) The WAE's outside address is Internet global, and its inside address is private. The inside interface has an ACL to limit Telnet, SSH, and WAAS GUI access to the device. A WAAS device using WCCP is positioned between a firewall and an Internet router or a subnet off the Internet router. Both the WAAS device and the router must have ACLs. Note ACLs that are defined on a router take precedence over the ACLs that are defined on the WAE. ACLs that are defined on a WAE take precedence over the WAAS application definition policies that are defined on the WAE. Within ACL configuration mode, you can use the editing commands (list, delete, and move) to display the current condition entries, to delete a specific entry, or to change the order in which the entries will be evaluated. To return to global configuration mode, enter exit at the ACL configuration mode prompt. To create an entry, use a deny or permit keyword and specify the type of packets that you want the WAAS device to drop or to accept for further processing. By default, an access list denies everything because the list is terminated by an implicit deny any entry. Therefore, you must include at least one permit entry to create a valid access list. After creating an access list, you can include the access list in an access group using the access-group command, which determines how the access list is applied. You can also apply the access list to a specific application using the appropriate command. A reference to an access list that does not exist is the equivalent of a permit any condition statement. To create an extended access list, enter the ip access-list extended global configuration command. Identify the new or existing access list with a name up to 30 characters long beginning with a letter, or with a number. If you use a number to identify an extended access list, it must be from 100 to 199 Note You must use a standard access list for providing access to the SNMP server or to the TFTP gateway/server. However, you can use either a standard access list or an extended access list for providing access to the WCCP application. To allow connections from a specific host, use the permit host source-ip option and replace source-ip with the IP address of the specific host. To allow connections from a specific network, use the permit host source-ip wildcard option. Replace source-ip with a network ID or the IP address of any host on the network that you want to specify. Replace wildcard with the dotted decimal notation for a mask that is the reverse of a subnet mask, where a 0 indicates a position that must be matched and a 1 indicates a position that does not matter. For instance, the wildcard 0.0.0.255 causes the last eight bits in the source IP address to be ignored. Therefore, the permit 192.168.1.0 0.0.0.255 entry allows access from any host on the 192.168.1.0 network. After you identify the extended access list, the CLI enters the extended ACL configuration mode and all subsequent commands apply to the specified access list. WAE(config)# ip access-list extended testextacl WAE(config-ext-nacl)# 3-504

Examples The following commands create an access list on the WAAS device. You create this access list to allow the WAAS device to accept all web traffic that is redirected to it, but limits host administrative access using SSH: WAE(config)# ip access-list extended testextacl WAE(config-ext-nacl)# permit tcp any any eq www WAE(config-ext-nacl)# permit tcp host 10.1.1.5 any eq ssh WAE(config-ext-nacl)# exit The following commands activate the access list for an interface: WAE(config)# interface gigabitethernet 1/0 WAE(config-if)# ip access-group testextacl in WAE(config-if)# exit The following example shows how this configuration appears when you enter the show running-configuration command:...! interface GigabitEthernet 1/0 ip address 10.1.1.50 255.255.0.0 ip access-group testextacl in exit... ip access-list extended testextacl permit tcp any any eq www permit tcp host 10.1.1.5 any eq ssh exit... Related Commands clear show ip access-list (config-if) ip access-group (config-ext-nacl) deny (config-ext-nacl) delete (config-ext-nacl) list (config-ext-nacl) move (config-ext-nacl) permit 3-505

(config-ext-nacl) delete Chapter 3 (config-ext-nacl) delete To delete a line from the extended ACL, use the delete command. delete line-num Syntax Description line-num Entry at a specific line number in the access list. Command Modes Extended ACL configuration mode Device Modes application-accelerator central-manager Examples The following example deletes line 10 from the extended ACL testextacl: WAE(config)# ip access-list extended testextacl WAE(config-ext-nacl)# delete 10 Related Commands (config-ext-nacl) list (config-ext-nacl) move 3-506

(config-ext-nacl) deny (config-ext-nacl) deny To add a line to an extended access list that specifies the type of packets that you want the WAAS device to drop, use the deny command. To add a condition to the extended ACL, note that the options depend on the chosen protocol. For IP, use the following syntax to add a condition: [insert line-num] deny {gre icmp tcp udp ip proto-num} {source-ip [wildcard] host source-ip any} {dest-ip [wildcard] host dest-ip any} no deny {gre icmp tcp udp ip proto-num} {source-ip [wildcard] host source-ip any} {dest-ip [wildcard] host dest-ip any} For TCP, use the following syntax to add a condition: [insert line-num] deny tcp {source-ip [wildcard] host source-ip any} [operator port [port]] {dest-ip [wildcard] host dest-ip any} [operator port [port]] [established] no deny tcp {source-ip [wildcard] host source-ip any} [operator port [port]] {dest-ip [wildcard] host dest-ip any} [operator port [port]] [established] For UDP, use the following syntax to add a condition: [insert line-num] deny udp {source-ip [wildcard] host source-ip any} [operator port [port]] {dest-ip [wildcard] host dest-ip any} [operator port [port]] no deny udp {source-ip [wildcard] host source-ip any} [operator port [port]] {dest-ip [wildcard] host dest-ip any} [operator port [port]] For ICMP, use the following syntax to add a condition: [insert line-num] deny icmp {source-ip [wildcard] host source-ip any} {dest-ip [wildcard] host dest-ip any} [icmp-type [code] icmp-msg] no deny icmp {source-ip [wildcard] host source-ip any} {dest-ip [wildcard] host dest-ip any} [icmp-type [code] icmp-msg] Syntax Description insert (Optional) Inserts the conditions following the specified line number into the access list. line-num Identifies the entry at a specific line number in the access list. gre Matches packets using the Generic Routing Encapsulation protocol. icmp Matches ICMP packets. tcp Matches packets using the TCP protocol. udp Matches packets using the UDP protocol. ip Matches all IP packets. proto-num (Optional) IP protocol number. source-ip Source IP address. The number of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted-decimal format (for example, 0.0.0.0). 3-507

(config-ext-nacl) deny Chapter 3 wildcard host any dest-ip (Optional) Portions of the preceding IP address to match, expressed using 4-digit, dotted-decimal notation. Bits to match are identified by a digital value of 0; bits to ignore are identified by a 1. Note For extended IP ACLs, the wildcard parameter of the ip access-list command is always optional. If the host keyword is specified for a extended IP ACL, then the wildcard parameter is not allowed. Matches the following IP address. Matches any IP address. Destination IP address. The number of the network or host to which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format (for example, 0.0.0.0). operator (Optional) Operator to use with specified ports, where lt = less than, gt = greater than, eq = equal to, neq = not equal to, and range = an inclusive range. port (Optional) Port, using a number (0 65535) or a keyword; 2 port numbers are required with range. See the Usage Guidelines section for a listing of the UDP and TCP keywords. established (Optional) Matches TCP packets with the acknowledgment or reset bits set. icmp-type (Optional) Match with ICMP message type (0 255). code (Optional) Used with icmp-type to further match by ICMP code type (0 255). icmp-msg (Optional) Match combination of ICMP message type and code types, as expressed by the keywords shown in the Usage Guidelines section. Defaults An access list drops all packets unless you configure at least one permit entry. Command Modes Extended ACL configuration mode Device Modes application-accelerator central-manager Usage Guidelines To create an entry, use a deny or permit keyword and specify the type of packets that you want the WAAS device to drop or to accept for further processing. By default, an access list denies everything because the list is terminated by an implicit deny any entry. Therefore, you must include at least one permit entry to create a valid access list. To allow connections from a specific host, use the permit host source-ip option and replace source-ip with the IP address of the specific host. To allow connections from a specific network, use the permit host source-ip wildcard option. Replace source-ip with a network ID or the IP address of any host on the network that you want to specify. Replace wildcard with the dotted decimal notation for a mask that is the reverse of a subnet mask, where a 0 indicates a position that must be matched and a 1 indicates a position that does not matter. For 3-508

(config-ext-nacl) deny instance, the wildcard 0.0.0.255 causes the last eight bits in the source IP address to be ignored. Therefore, the permit 192.168.1.0 0.0.0.255 entry allows access from any host on the 192.168.1.0 network. For extended IP ACLs, the wildcard parameter is required if the host keyword is not specified. Use an extended access list to control connections based on the destination IP address or based on the protocol type. You can combine these conditions with information about the source IP address to create more restrictive condition. Table 3-105 lists the UDP keywords that you can use with extended access lists. Table 3-105 UDP Keywords for Extended Access Lists CLI UDP Keyword Description UDP Port Number bootpc Bootstrap Protocol (BOOTP) client 68 bootps Bootstrap Protocol (BOOTP) server 67 domain Domain Name System (DNS) 53 mms Microsoft Media Server 1755 netbios-dgm NetBIOS datagram service 138 netbios-ns NetBIOS name service 137 netbios-ss NetBIOS session service 139 nfs Network File System service 2049 ntp Network Time Protocol 123 snmp Simple Network Management Protocol 161 snmptrap SNMP traps 162 tacacs Terminal Access Controller Access Control 49 System tftp Trivial File Transfer Protocol 69 wccp Web Cache Communication Protocol 2048 Table 3-106 lists the TCP keywords that you can use with extended access lists. Table 3-106 TCP Keywords for Extended Access Lists CLI TCP Keyword Description TCP Port Number domain Domain Name System 53 exec Exec (rcp) 512 ftp File Transfer Protocol 21 ftp-data FTP data connections (used infrequently) 20 https Secure HTTP 443 mms Microsoft Media Server 1755 nfs Network File System service 2049 ssh Secure Shell login 22 3-509

(config-ext-nacl) deny Chapter 3 Table 3-106 TCP Keywords for Extended Access Lists (continued) CLI TCP Keyword Description TCP Port Number tacacs Terminal Access Controller Access Control 49 System telnet Telnet 23 www World Wide Web (HTTP) 80 Table 3-107 lists the keywords that you can use to match specific ICMP message types and codes. Table 3-107 Keywords for ICMP Messages administratively-prohibited alternate-address conversion-error dod-host-prohibited dod-net-prohibited echo echo-reply general-parameter-problem host-isolated host-precedence-unreachable host-redirect host-tos-redirect host-tos-unreachable host-unknown host-unreachable information-reply information-request mask-reply mask-request mobile-redirect net-redirect net-tos-redirect net-tos-unreachable net-unreachable network-unknown no-room-for-option option-missing packet-too-big parameter-problem port-unreachable precedence-unreachable protocol-unreachable reassembly-timeout redirect router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request traceroute ttl-exceeded unreachable Examples The following example shows how to create an access list on the WAAS device. You create this access list to allow the WAAS device to accept all web traffic that is redirected to it, but limits host administrative access using SSH: WAE(config)# ip access-list extended testextacl WAE(config-ext-nacl)# permit tcp any any eq www WAE(config-ext-nacl)# deny tcp host 10.1.1.5 any eq ssh WAE(config-ext-nacl)# exit The following example shows how to activate the access list for an interface: WAE(config)# interface gigabitethernet 1/0 WAE(config-if)# ip access-group extended testextacl in WAE(config-if)# exit The following example shows how this configuration appears when you enter the show running-configuration command:...! 3-510

(config-ext-nacl) deny interface GigabitEthernet 1/0 ip address 10.1.1.50 255.255.0.0 ip access-group extended testextacl in exit... ip access-list extended testextacl permit tcp any any eq www permit tcp host 10.1.1.5 any eq ssh exit... Related Commands (config-ext-nacl) delete (config-ext-nacl) list (config-ext-nacl) move (config-ext-nacl) permit 3-511

(config-ext-nacl) exit Chapter 3 (config-ext-nacl) exit To terminate extended ACL configuration mode and return to the global configuration mode, use the exit command. exit Syntax Description This command has no arguments or keywords. Defaults No default behavior or values Command Modes All modes Device Modes application-accelerator central-manager Examples The following example terminates extended ACL configuration mode and returns to global configuration mode: WAE(config-ext-nacl)# exit WAE(config)# 3-512

(config-ext-nacl) list (config-ext-nacl) list To display a list of specified entries within the extended ACL, use the list command. list [start-line-num [end-line-num]] Syntax Description start-line-num end-line-num (Optional) Line number from which the list begins. (Optional) Last line number in the list. Command Modes Extended ACL configuration mode Device Modes application-accelerator central-manager Examples The following example shows how to display a list of specified entries within the extended ACL: WAE(config)# ip access-list extended testextacl WAE(config-ext-nacl)# list 25 50 Related Commands (config-ext-nacl) delete (config-ext-nacl) move 3-513

(config-ext-nacl) move Chapter 3 (config-ext-nacl) move To move a line to a new position within the extended ACL, use the move command. move old-line-num new-line-num Syntax Description old-line-num new-line-num Line number of the entry to move. New position of the entry. The existing entry is moved to the following position in the access list. Command Modes Extended ACL configuration mode Device Modes application-accelerator central-manager Examples The following example shows how to move a line to a new position within the extended ACL: WAE(config)# ip access-list extended testextacl WAE(config-ext-nacl)# move 25 30 Related Commands (config-ext-nacl) delete (config-ext-nacl) list 3-514

(config-ext-nacl) permit (config-ext-nacl) permit To add a line to an extended access-list that specifies the type of packets that you want the WAAS device to accept for further processing, use the permit command. To add a condition to the extended ACL, note that the options depend on the chosen protocol. For IP, use the following syntax to add a condition: [insert line-num] permit {gre icmp tcp udp ip proto-num} {source-ip [wildcard] host source-ip any} {dest-ip [wildcard] host dest-ip any} no permit {gre icmp tcp udp ip proto-num} {source-ip [wildcard] host source-ip any} {dest-ip [wildcard] host dest-ip any} For TCP, use the following syntax to add a condition: [insert line-num] permit tcp {source-ip [wildcard] host source-ip any} [operator port [port]] {dest-ip [wildcard] host dest-ip any} [operator port [port]] [established] no permit tcp {source-ip [wildcard] host source-ip any} [operator port [port]] {dest-ip [wildcard] host dest-ip any} [operator port [port]] [established] For UDP, use the following syntax to add a condition: [insert line-num] permit udp {source-ip [wildcard] host source-ip any} [operator port [port]] {dest-ip [wildcard] host dest-ip any} [operator port [port]] no permit udp {source-ip [wildcard] host source-ip any} [operator port [port]] {dest-ip [wildcard] host dest-ip any} [operator port [port]] For ICMP, use the following syntax to add a condition: [insert line-num] permit icmp {source-ip [wildcard] host source-ip any} {dest-ip [wildcard] host dest-ip any} [icmp-type [code] icmp-msg] no permit icmp {source-ip [wildcard] host source-ip any} {dest-ip [wildcard] host dest-ip any} [icmp-type [code] icmp-msg] Syntax Description insert (Optional) Inserts the conditions following the specified line number into the access list. line-num Identifies the entry at a specific line number in the access list. gre Matches packets using the Generic Routing Encapsulation protocol. icmp Matches ICMP packets. tcp Matches packets using the TCP protocol. udp Matches packets using the UDP protocol. ip Matches all IP packets. proto-num (Optional) IP protocol number. source-ip Source IP address. The number of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted-decimal format (for example, 0.0.0.0). 3-515

(config-ext-nacl) permit Chapter 3 wildcard host any dest-ip (Optional) Portions of the preceding IP address to match, expressed using 4-digit, dotted-decimal notation. Bits to match are identified by a digital value of 0; bits to ignore are identified by a 1. Note For extended IP ACLs, the wildcard parameter of the ip access-list command is always optional. If the host keyword is specified for a extended IP ACL, then the wildcard parameter is not allowed. Matches the following IP address. Matches any IP address. Destination IP address. The number of the network or host to which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format (for example, 0.0.0.0). operator (Optional) Operator to use with specified ports, where lt = less than, gt = greater than, eq = equal to, neq = not equal to, and range = an inclusive range. port (Optional) Port, using a number (0 65535) or a keyword; 2 port numbers are required with range. See the Usage Guidelines section for a listing of the UDP and TCP keywords. established (Optional) Matches TCP packets with the acknowledgment or reset bits set. icmp-type (Optional) Match with ICMP message type (0 255). code (Optional) Used with icmp-type to further match by ICMP code type (0 255). icmp-msg (Optional) Match combination of ICMP message type and code types, as expressed by the keywords shown in the Usage Guidelines section. Defaults An access list drops all packets unless you configure at least one permit entry. Command Modes Extended ACL configuration mode Device Modes application-accelerator central-manager Usage Guidelines To create an entry, use a deny or permit keyword and specify the type of packets that you want the WAAS device to drop or to accept for further processing. By default, an access list denies everything because the list is terminated by an implicit deny any entry. Therefore, you must include at least one permit entry to create a valid access list. To allow connections from a specific host, use the permit host source-ip option and replace source-ip with the IP address of the specific host. To allow connections from a specific network, use the permit host source-ip wildcard option. Replace source-ip with a network ID or the IP address of any host on the network that you want to specify. Replace wildcard with the dotted decimal notation for a mask that is the reverse of a subnet mask, where a 0 indicates a position that must be matched and a 1 indicates a position that does not matter. For 3-516

(config-ext-nacl) permit instance, the wildcard 0.0.0.255 causes the last eight bits in the source IP address to be ignored. Therefore, the permit 192.168.1.0 0.0.0.255 entry allows access from any host on the 192.168.1.0 network. For extended IP ACLs, the wildcard parameter is required if the host keyword is not specified. Use an extended access list to control connections based on the destination IP address or based on the protocol type. You can combine these conditions with information about the source IP address to create more restrictive condition. Table 3-108 lists the UDP keywords that you can use with extended access lists. Table 3-108 UDP Keywords for Extended Access Lists CLI UDP Keyword Description UDP Port Number bootpc Bootstrap Protocol (BOOTP) client 68 bootps Bootstrap Protocol (BOOTP) server 67 domain Domain Name System (DNS) 53 mms Microsoft Media Server 1755 netbios-dgm NetBIOS datagram service 138 netbios-ns NetBIOS name service 137 netbios-ss NetBIOS session service 139 nfs Network File System service 2049 ntp Network Time Protocol 123 snmp Simple Network Management Protocol 161 snmptrap SNMP traps 162 tacacs Terminal Access Controller Access Control 49 System tftp Trivial File Transfer Protocol 69 wccp Web Cache Communication Protocol 2048 Table 3-109 lists the TCP keywords that you can use with extended access lists. Table 3-109 TCP Keywords for Extended Access Lists CLI TCP Keyword Description TCP Port Number domain Domain Name System 53 exec Exec (rcp) 512 ftp File Transfer Protocol 21 ftp-data FTP data connections (used infrequently) 20 https Secure HTTP 443 mms Microsoft Media Server 1755 nfs Network File System service 2049 ssh Secure Shell login 22 3-517

(config-ext-nacl) permit Chapter 3 Table 3-109 TCP Keywords for Extended Access Lists (continued) CLI TCP Keyword Description TCP Port Number tacacs Terminal Access Controller Access Control 49 System telnet Telnet 23 www World Wide Web (HTTP) 80 Table 3-110 lists the keywords that you can use to match specific ICMP message types and codes. Table 3-110 Keywords for ICMP Messages administratively-prohibited alternate-address conversion-error dod-host-prohibited dod-net-prohibited echo echo-reply general-parameter-problem host-isolated host-precedence-unreachable host-redirect host-tos-redirect host-tos-unreachable host-unknown host-unreachable information-reply information-request mask-reply mask-request mobile-redirect net-redirect net-tos-redirect net-tos-unreachable net-unreachable network-unknown no-room-for-option option-missing packet-too-big parameter-problem port-unreachable precedence-unreachable protocol-unreachable reassembly-timeout redirect router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request traceroute ttl-exceeded unreachable Examples The following example shows how to create an access list on the WAAS device. You create this access list to allow the WAAS device to accept all web traffic that is redirected to it, but limits host administrative access using SSH: WAE(config)# ip access-list extended testextacl WAE(config-ext-nacl)# permit tcp any any eq www WAE(config-ext-nacl)# permit tcp host 10.1.1.5 any eq ssh WAE(config-ext-nacl)# exit The following example shows how to activate the access list for an interface: WAE(config)# interface gigabitethernet 1/0 WAE(config-if)# ip access-group example in WAE(config-if)# exit The following example shows how this configuration appears when you enter the show running-configuration command:...! 3-518

(config-ext-nacl) permit interface GigabitEthernet 1/0 ip address 10.1.1.50 255.255.0.0 ip access-group testextacl in exit... ip access-list extended testextacl permit tcp any any eq www permit tcp host 10.1.1.5 any eq ssh exit... Related Commands (config-ext-nacl) delete (config-ext-nacl) deny (config-ext-nacl) list (config-ext-nacl) move 3-519

(config-ext-nacl) permit Chapter 3 3-520

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback