Using Access List


Nitin Gupte
03-22-1999, 09:31 AM
Hi,

I have a Cisco 2522 access router in my network which is used for remote access.
The Ethernet port is connected to my local area network, which also has some Micom multiplexers
on it. The Micom multiplexer has a WAN port module and an inbuilt router.
At present everyone who dials in to the access router can access the entire network, including
the WAN through the Micom. I need to put an access list on my access router in such a way that the
people who dial in to the access router can only access the local network and not the WAN network.

Can any one of you guide me in doing this?

Thanks & Regards
Nitin

LanAlyzer
03-29-1999, 10:08 AM
To restrict incoming and outgoing connections between a particular virtual terminal line (into a Cisco device) and the addresses in an access list, use the access-class line configuration command. To remove access restrictions, use the no form of this command.

    access-class access-list-number {in | out}
    no access-class access-list-number {in | out}

access-list-number  Number of an access list. This is a decimal number from 1 to 99.
in  Restricts incoming connections between a particular Cisco device and the addresses in the access list.
out  Restricts outgoing connections between a particular Cisco device and the addresses in the access list.

To define an extended IP access list, use the extended version of the access-list global configuration command. To remove the access lists, use the no form of this command.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
protocol source source-wildcard destination destination-wildcard [precedence precedence]
[tos tos] [log]
no access-list access-list-number

For ICMP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] |
icmp-message] [precedence precedence] [tos tos] [log]

For IGMP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
igmp source source-wildcard destination destination-wildcard [igmp-type]
[precedence precedence] [tos tos] [log]

For TCP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
tcp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [established] [precedence precedence] [tos tos] [log]

For UDP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
udp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [precedence precedence] [tos tos] [log]

access-list-number  Number of an access list. This is a decimal number from 100 to 199.
dynamic dynamic-name  (Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Managing the System" chapter in the Configuration Fundamentals Configuration Guide.
timeout minutes  (Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Managing the System" chapter in the Configuration Fundamentals Configuration Guide.
deny  Denies access if the conditions are matched.
permit  Permits access if the conditions are matched.
protocol  Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip. Some protocols allow further qualifiers described below.
source  Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
  - Use a 32-bit quantity in four-part dotted-decimal format.
  - Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
  - Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
source-wildcard  Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:
  - Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.
  - Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
  - Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
destination  Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
  - Use a 32-bit quantity in four-part dotted-decimal format.
  - Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
  - Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
destination-wildcard  Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
  - Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.
  - Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
  - Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
precedence precedence  (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name.
tos tos  (Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."
icmp-type  (Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code  (Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message  (Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name.
igmp-type  (Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15.
operator  (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
  If the operator is positioned after the source and source-wildcard, it must match the source port.
  If the operator is positioned after the destination and destination-wildcard, it must match the destination port.
  The range operator requires two port numbers. All other operators require one port number.
port  (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.
established  (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.
log  (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.


access-list (standard)
To define a standard IP access list, use the standard version of the access-list global configuration command. To remove a standard access list, use the no form of this command.

    access-list access-list-number {deny | permit} source [source-wildcard]
    no access-list access-list-number

access-list-number  Number of an access list. This is a decimal number from 1 to 99.
deny  Denies access if the conditions are matched.
permit  Permits access if the conditions are matched.
source  Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:
  - Use a 32-bit quantity in four-part dotted-decimal format.
  - Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
source-wildcard  (Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:
  - Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.
  - Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

------------
Nitin Gupte at 3/22/99 4:31:17 AM
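The syntax LanAlyzer quoted leaves the two things that actually decide whether Nitin's dial-in users can reach the WAN implicit: wildcard masks (a 1 bit means "ignore this bit") and first-match evaluation with an implicit deny at the end of every list. The following is an added example, not code from the thread or from Cisco: a small Python evaluator for the numbered standard and extended access-list lines shown above, run over a constructed access list. The addresses are placeholders (10.1.0.0/16 for the local Ethernet segment, 172.16.0.0/16 for the networks behind the Micom WAN module, 192.168.77.0/24 for the dial-in pool); the real values would come from Nitin's network.

```python
"""Added example, not from the forum thread or Cisco documentation: evaluate
numbered IP access lists (standard 1-99, extended 100-199) with Cisco wildcard
and first-match semantics. All addresses are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard is ignored, so the
    address matches when every bit where the wildcard is 0 agrees with base."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass
class Entry:
    number: int
    action: str      # "permit" or "deny"
    protocol: str    # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    log: bool = False


def _addr_pair(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def parse_acl(config: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue  # comments and unrelated config lines are skipped
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99:
            # standard list: access-list N {permit|deny} source [source-wildcard]
            src, src_wild, _ = _addr_pair(t, 3) if t[3] in ("any", "host") else (
                t[3], t[4] if len(t) > 4 and t[4][0].isdigit() else "0.0.0.0", 0)
            entries.append(Entry(number, action, "ip", src, src_wild,
                                 "0.0.0.0", "255.255.255.255", "log" in t))
        else:
            # extended list: access-list N {permit|deny} proto src src-wild dst dst-wild [log]
            protocol = t[3]
            src, src_wild, i = _addr_pair(t, 4)
            dst, dst_wild, i = _addr_pair(t, i)
            entries.append(Entry(number, action, protocol, src, src_wild,
                                 dst, dst_wild, "log" in t[i:]))
    return entries


def evaluate(entries: List[Entry], src: str, dst: str, protocol: str = "ip") -> str:
    """First matching entry wins; a list that matches nothing denies the packet."""
    for e in entries:
        if (e.protocol in ("ip", protocol)
                and wildcard_match(src, e.src, e.src_wild)
                and wildcard_match(dst, e.dst, e.dst_wild)):
            return e.action
    return "deny"


# Constructed example for the question in the thread: applied inbound on the
# dial-in interface, remote users may reach the LAN but nothing routed to the
# WAN behind the Micom. The explicit deny entries exist only to get log messages.
DIALIN_ACL = """
access-list 101 permit ip any 10.1.0.0 0.0.255.255
access-list 101 deny   ip any 172.16.0.0 0.0.255.255 log
access-list 101 deny   ip any any log
"""

# Constructed example of a standard list suitable for access-class on the vty
# lines: only hosts on the LAN may open a terminal session to the router.
VTY_ACL = """
access-list 10 permit 10.1.0.0 0.0.255.255
"""

if __name__ == "__main__":
    acl = parse_acl(DIALIN_ACL)
    for dst in ("10.1.20.9", "172.16.4.4", "8.8.8.8"):
        print(f"dial-in 192.168.77.5 -> {dst}: {evaluate(acl, '192.168.77.5', dst)}")
    vty = parse_acl(VTY_ACL)
    for src in ("10.1.3.4", "172.16.9.9"):
        print(f"vty login from {src}: {evaluate(vty, src, '10.1.0.1')}")
```

Two points the run makes visible: the list filters on the destination network, not on the Micom's LAN-side address, because the Micom itself sits on the permitted LAN and every WAN-bound packet still carries a WAN destination; and the trailing `deny ip any any log` only adds visibility, since the implicit deny would drop the same packets silently. The standard list belongs with access-class on the vty lines, which restricts who may log in to the router and does nothing for transit traffic.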

04-18-1999, 03:00 PM
------------
Nitin Gupte at 3/22/99 4:31:17 AM