An ACL is created in two steps: first the list is built, entry by entry, and then it is applied to an interface as an inbound or outbound filter. Entries are evaluated in order and the first match decides; every list ends with an implicit deny of all traffic, so a list that contains only deny entries blocks everything.
Standard ACL Configuration
Router(config)# access-list [1-99] [permit | deny] [source address] [wildcard mask]
Where:
1-99: the list number. Standard IP ACLs use 1-99 (or 1300-1999 in the expanded range) and filter on the source address only.
permit | deny: whether this entry allows or blocks traffic from the specified source.
Source address: the source IP address, or the network address to which the wildcard mask is applied.
Wildcard mask: which bits of the address are checked. A 0 bit means the corresponding address bit must match; a 1 bit means it is ignored. It is not a subnet mask: the network 192.168.1.0/24 is written 192.168.1.0 0.0.0.255.
If the mask is omitted it defaults to 0.0.0.0 (every bit must match, i.e. a single host). The keyword host is equivalent to a 0.0.0.0 mask, and any is shorthand for 0.0.0.0 255.255.255.255.
Association of the list to an interface
Router(config-if)# ip access-group [access list number] [in | out]
Where:
Access list number: the number of the list to apply to that interface. An interface accepts one IP ACL per direction; applying a second one replaces the first.
in | out: whether the list filters traffic entering (in) or leaving (out) the interface, seen from the router.
Example of a standard ACL that denies a network:
Router# configure terminal
Router(config)# access-list 10 deny 192.168.1.0 0.0.0.255
Router(config)# access-list 10 permit any
Router(config)# interface serial 0
Router(config-if)# ip access-group 10 in
The first entry denies every source in 192.168.1.0/24 (the wildcard 0.0.0.255 ignores the last octet); a wildcard of 0.0.0.0 here would deny only the single address 192.168.1.0. The second entry permits every other source; without it the implicit deny at the end of the list would block all inbound traffic on the interface. The ACL is then applied inbound on Serial 0. Because a standard ACL looks only at the source, it is normally placed as close to the destination as possible; otherwise it also cuts the denied sources off from destinations they should still reach.
Extended ACL Configuration
The command for an extended IP ACL entry is:
Router(config)# access-list [100-199] [permit | deny] [protocol] [source address] [source wildcard] [destination address] [destination wildcard] [operator port] [established] [log]
100-199: the list number. Extended IP ACLs use 100-199 (or 2000-2699 in the expanded range).
permit | deny: whether the entry permits or blocks the traffic it describes.
Protocol: ip, tcp, udp, icmp or a protocol number; ip matches any IP protocol.
Source and destination address: the source and destination IP addresses, each followed by its wildcard mask. The keywords host and any can be used as in a standard ACL.
Wildcard masks: 0 bits are positions that must match, 1 bits are positions that "do not matter".
Port (optional, TCP and UDP only): an operator lt (less than), gt (greater than), eq (equal), neq (not equal) or range, followed by a port number or name for that protocol. An operator written after the source address matches the source port; written after the destination address it matches the destination port, which is the usual case.
established (optional, TCP only): the entry matches only segments that belong to an already established connection, i.e. those with the ACK or RST bit set. It is normally applied inbound to let the return traffic of sessions opened from inside pass while new connections from outside hit the deny. It is a check on flags, not on connection state, so a crafted packet with the ACK bit set also matches.
log (optional): sends a log message for matching packets to the console or to the configured syslog server. IOS logs the first match and then summarises further matches at intervals, so the match counters shown by show access-lists, not the log, give the exact count.
Some of the most well-known port numbers:
20 FTP data
21 FTP control
23 Telnet
25 SMTP
53 DNS
69 TFTP
Association of the list to an interface
An extended list is applied with the same command as a standard one:
Router(config-if)# ip access-group [access list number] [in | out]
Because an extended ACL can match on source, destination, protocol and port, it is normally applied as close to the source of the traffic as possible, so unwanted traffic is dropped before it crosses the network.
Example of an extended ACL denying a host access to port 80 of any network:
Router(config)# access-list 120 deny tcp host 204.204.10.1 any eq 80
Router(config)# access-list 120 permit ip any any
Router(config)# interface serial 1
Router(config-if)# ip access-group 120 in
The first entry denies TCP from host 204.204.10.1 (the host keyword stands for a 0.0.0.0 wildcard) to port 80 of any destination (the any keyword). The port operator is written after the destination address because it is the destination port that is filtered; writing eq 80 before any would match source port 80 instead and leave HTTP requests unblocked. The second entry permits all other IP traffic; note the order, permit ip any any, with the protocol before the addresses. The ACL is then applied inbound on Serial 1.
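To check how the standard list 10 and the extended list 120 above actually behave, here is an added example in Python (not IOS code and not from the original page) that implements the first-match evaluation described in this section: a small parser for access-list lines in the syntax used here, and a matcher that applies wildcard masks, port operators, established and the implicit deny to constructed packets. The packet addresses and list 130 are constructed for the demonstration; lists 10 and 120 are the page's own examples in corrected syntax, and the variant with a 0.0.0.0 wildcard shows why that mask blocks a single address rather than the network.

```python
"""Toy first-match evaluator for Cisco-style numbered IP ACLs (added example, not IOS code).
It parses 'access-list N ...' lines in the syntax shown above and applies them to
constructed packets: wildcard masks, port operators, established and the implicit deny."""
import ipaddress

PORT_OPS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
            "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}
ANY = ("0.0.0.0", "255.255.255.255")  # what the keyword 'any' expands to

def _is_ipv4(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0: the address bit must match; bit 1: the address bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)

def _addr_spec(tokens):
    """Consume 'any' | 'host A' | 'A W' | 'A' (IOS defaults the mask to 0.0.0.0)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and _is_ipv4(tokens[1]):
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]

def _port_spec(tokens):
    """Consume an optional 'eq|neq|lt|gt N' or 'range A B' operator."""
    if tokens and tokens[0] in PORT_OPS:
        return (tokens[0], int(tokens[1])), tokens[2:]
    if tokens and tokens[0] == "range":
        return ("range", (int(tokens[1]), int(tokens[2]))), tokens[3:]
    return None, tokens

def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' line; 1-99 standard, 100-199 extended."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    number = int(t[1])
    e = {"number": number, "action": t[2], "proto": "ip", "src": ANY, "dst": ANY,
         "sport": None, "dport": None, "established": False, "log": False}
    rest = t[3:]
    if number <= 99:                          # standard: source address only
        e["src"], rest = _addr_spec(rest)
    else:                                     # extended
        e["proto"] = rest[0]
        e["src"], rest = _addr_spec(rest[1:])
        e["sport"], rest = _port_spec(rest)   # operator after the source = source port
        e["dst"], rest = _addr_spec(rest)
        e["dport"], rest = _port_spec(rest)   # operator after the destination = destination port
        e["established"] = "established" in rest
        e["log"] = "log" in rest
    return e

def _port_ok(spec, port):
    if spec is None:
        return True
    op, n = spec
    return n[0] <= port <= n[1] if op == "range" else PORT_OPS[op](port, n)

def entry_matches(e, pkt):
    """pkt: dict with src, dst, proto ('tcp'/'udp'/'icmp'); optional sport, dport, ack."""
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])):
        return False
    if not (_port_ok(e["sport"], pkt.get("sport", 0)) and _port_ok(e["dport"], pkt.get("dport", 0))):
        return False
    if e["established"] and not pkt.get("ack", False):  # IOS: ACK or RST set counts as established
        return False
    return True

def evaluate(acl_lines, pkt):
    """First matching entry wins; with no match the implicit 'deny any' applies."""
    for e in (parse_entry(line) for line in acl_lines):
        if entry_matches(e, pkt):
            return e["action"]
    return "deny"

# The page's two lists in corrected syntax, plus its original standard line with wildcard
# 0.0.0.0 (blocks the single address 192.168.1.0, not the /24) and a constructed list 130.
ACL_10 = ["access-list 10 deny 192.168.1.0 0.0.0.255", "access-list 10 permit any"]
ACL_10_ONE_HOST = ["access-list 10 deny 192.168.1.0 0.0.0.0", "access-list 10 permit any"]
ACL_120 = ["access-list 120 deny tcp host 204.204.10.1 any eq 80", "access-list 120 permit ip any any"]
ACL_130 = ["access-list 130 permit tcp any any established"]  # return traffic only; new SYNs hit the implicit deny

if __name__ == "__main__":
    lan = {"src": "192.168.1.7", "dst": "10.1.1.1", "proto": "icmp"}
    web = {"src": "204.204.10.1", "dst": "10.1.1.1", "proto": "tcp", "sport": 40000, "dport": 80}
    print(evaluate(ACL_10, lan), evaluate(ACL_10_ONE_HOST, lan))            # deny permit
    print(evaluate(ACL_120, web), evaluate(ACL_120, dict(web, dport=443)))  # deny permit
    print(evaluate(ACL_130, dict(web, ack=True)), evaluate(ACL_130, web))   # permit deny
```

The evaluator deliberately mirrors the router's rules rather than a stateful firewall: `established` is a flag check, so a packet carrying the ACK bit is permitted whether or not a real session exists, and a list with no matching entry falls through to deny.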
Applying an ACL to the VTY (Telnet) lines
To keep unwanted hosts from opening Telnet (or SSH) sessions to the router, create a standard access list that permits only the management hosts and apply it to the VTY lines. The list is built like any other standard ACL, denying or permitting source addresses; the difference is that it is applied to the line with access-class rather than to an interface with ip access-group, so it covers sessions arriving on every interface:
Router(config)# line vty 0 4
Router(config-line)# access-class [access list number] [in | out]
in restricts the sessions that may be opened to the router; out restricts the sessions a user logged in on the line may open from the router. The implicit deny applies here too: a list that only permits the management hosts locks out everyone else, including the administrator if the address in use is not in it, so keep the current session open and test from a second one before relying on it.
How to remove access lists
First remove the list from the interface where it was applied:
Router(config-if)# no ip access-group [access list number] [in | out]
Then delete the ACL from global configuration mode:
Router(config)# no access-list [access list number]
Do it in this order. no access-list removes the whole numbered list at once; a single entry cannot be removed from a numbered ACL, so to change an entry the list has to be deleted and re-entered in full (named ACLs created with ip access-list standard | extended allow entries to be edited individually). An interface that still references a deleted ACL passes all traffic as if no list were applied, so while the list is being rebuilt the filter is effectively off.