(For IP traffic, no ports)
access-list access_list_name [line line_number] extended {deny | permit} {protocol | object-group prot_grp_id} {source_address mask | object nw_obj_id | object-group nw_grp_id} {dest_address mask | object nw_obj_id | object-group nw_grp_id} [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]
(For TCP or UDP traffic, with ports)
access-list access_list_name [line line_number] extended {deny | permit} {tcp | udp | object-group prot_grp_id} {source_address mask | object nw_obj_id | object-group nw_grp_id} [operator port | object-group svc_grp_id] {dest_address mask | object nw_obj_id | object-group nw_grp_id} [operator port | object-group svc_grp_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]
(For ICMP traffic)
access-list access_list_name [line line_number] extended {deny | permit} icmp {source_address mask | object nw_obj_id | object-group nw_grp_id} {dest_address mask | object nw_obj_id | object-group nw_grp_id} [icmp_type | object-group icmp_grp_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]
hostname(config)# access-list ACL_IN extended permit ip any any |
Adds an extended ACE. The line line_number option specifies the line number at which to insert the ACE. If you do not specify a line number, the ACE is added to the end of the access list. The line number is not saved in the configuration; it only specifies where to insert the ACE. The deny keyword denies a packet if the conditions are matched. The permit keyword permits a packet if the conditions are matched. Instead of entering the protocol, IP address, or port directly in the command, you can reference a network object with the object keyword, or a protocol, network, service (port), or ICMP-type object group with the object-group keyword. See the “Configuring Objects and Groups” section for more information about creating objects. The protocol argument specifies the IP protocol name or number. For example, UDP is 17, TCP is 6, and GRE is 47. The source_address argument specifies the IP address of the network or host from which the packet is being sent. Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask. Enter the any keyword instead of the address and mask to specify any address. For the TCP and UDP protocols only, the operator port option matches port numbers: an operator port entered after the source address matches the source port, and one entered after the destination address matches the destination port. If you omit it, any port matches. The permitted operators are as follows:
- lt —less than.
- gt —greater than.
- eq —equal to.
- neq —not equal to.
- range —an inclusive range of values. When you use this operator, specify two port numbers, for example: range 100 200.
The dest_address argument specifies the IP address of the network or host to which the packet is being sent. Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask. Enter the any keyword instead of the address and mask to specify any address. The icmp_type argument specifies the ICMP type if the protocol is ICMP; if you omit it, the ACE matches all ICMP types. The time-range keyword specifies when an access list is activated. See the “Scheduling Extended Access List Activation” section for more information. The inactive keyword disables an ACE. To reenable it, enter the entire ACE without the inactive keyword. This feature enables you to keep a record of an inactive ACE in your configuration to make reenabling easier. For the log keyword, see Chapter 20, “Configuring Logging for Access Lists” |
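As an added example (not Cisco code and not part of this reference), the following Python script parses extended ACEs written in the grammar above and flags the permissive ones. The sample ACL, the object and object-group names (INSIDE_NETS, DMZ_WEB, ADMIN_PORTS, MAINT_WINDOW), and the addresses are constructed for illustration. One assumption is labelled in the code: because “object-group X” after an address can name either a service group (a port match) or the destination network group, the parser takes the set of service-group names as a hint, standing in for the type lookup the ASA does itself.

```python
"""Parse ASA 'access-list NAME extended ...' ACEs per the documented grammar
and flag permissive ones. Added example; not Cisco code. Object names,
addresses and SAMPLE_ACL are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

PORT_OPS = {"lt", "gt", "eq", "neq", "range"}
LOG_LEVELS = {"emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"}
TAIL = {"log", "inactive", "time-range"}

# Constructed sample: the IP, TCP/UDP-with-ports and ICMP forms, plus line
# insertion, object/object-group references, log options, inactive and time-range.
SAMPLE_ACL = """\
access-list ACL_IN extended permit ip any any
access-list ACL_IN extended permit tcp object-group INSIDE_NETS any eq 443 log
access-list ACL_IN extended deny udp 10.1.1.0 255.255.255.0 gt 1023 host 192.0.2.53 eq 53 log warnings interval 600
access-list ACL_IN line 1 extended deny tcp any any range 135 139 log
access-list ACL_IN extended permit icmp any object DMZ_WEB echo-reply
access-list ACL_IN extended permit tcp host 10.2.2.2 any object-group ADMIN_PORTS inactive
access-list ACL_IN extended permit 47 any any time-range MAINT_WINDOW"""

@dataclass
class ACE:
    raw: str
    acl: str
    action: str
    protocol: tuple                     # ("proto", "tcp") | ("object-group", name)
    src: tuple                          # ("any",) | ("host", ip) | ("net", ip, mask) | ("object"/"object-group", name)
    dst: tuple
    src_port: Optional[tuple] = None    # ("eq", "443") | ("range", "135", "139") | ("object-group", name)
    dst_port: Optional[tuple] = None
    icmp_type: Optional[tuple] = None   # ("type", "echo-reply") | ("object-group", name)
    line: Optional[int] = None          # insertion position only; not saved by the ASA
    log: Optional[dict] = None
    inactive: bool = False
    time_range: Optional[str] = None

def parse_ace(text: str, service_groups=frozenset()) -> ACE:
    """service_groups: names of service (port) object-groups. The ASA resolves the
    group's type itself; this parser needs the hint (assumption, not ASA behaviour)."""
    t, pos = text.split(), 0
    def peek():
        return t[pos] if pos < len(t) else None
    def take():
        nonlocal pos
        pos += 1
        return t[pos - 1]
    def address():
        k = take()
        if k == "any":
            return ("any",)
        if k == "host":
            return ("host", take())         # single address, no mask
        if k in ("object", "object-group"):
            return (k, take())
        return ("net", k, take())           # address followed by its mask
    def port_spec():                        # TCP/UDP only; optional
        k = peek()
        if k in PORT_OPS:
            take()
            return (k, take(), take()) if k == "range" else (k, take())
        if k == "object-group" and pos + 1 < len(t) and t[pos + 1] in service_groups:
            take()
            return ("object-group", take())
        return None

    if take() != "access-list":
        raise ValueError("not an access-list command")
    acl, line = take(), None
    if peek() == "line":
        take()
        line = int(take())
    if take() != "extended":
        raise ValueError("only extended ACEs are handled")
    action = take()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    if peek() == "object-group":
        take()
        protocol = ("object-group", take())
    else:
        protocol = ("proto", take())        # name or IANA number, e.g. tcp, udp, 47
    has_ports = protocol[0] == "object-group" or protocol[1] in ("tcp", "udp")
    src = address()
    src_port = port_spec() if has_ports else None
    dst = address()
    dst_port = port_spec() if has_ports else None
    icmp_type = None
    if protocol[1] == "icmp" and peek() is not None and peek() not in TAIL:
        icmp_type = ("object-group", take()) if take() == "object-group" else ("type", t[pos - 1])
    log = None
    if peek() == "log":
        take()
        log = {"mode": "enabled", "level": None, "interval": None}
        if peek() in ("disable", "default"):
            log["mode"] = take()
        else:
            if peek() is not None and (peek() in LOG_LEVELS or peek().isdigit()):
                log["level"] = take()
            if peek() == "interval":
                take()
                log["interval"] = int(take())
    inactive, time_range = False, None
    if peek() == "inactive":
        take()
        inactive = True
    elif peek() == "time-range":
        take()
        time_range = take()
    if pos != len(t):
        raise ValueError(f"unparsed tokens: {t[pos:]}")
    return ACE(text, acl, action, protocol, src, dst, src_port, dst_port,
               icmp_type, line, log, inactive, time_range)

def parse_acl(config: str, service_groups=frozenset()):
    return [parse_ace(l, service_groups) for l in config.splitlines() if l.strip()]

def audit(aces):
    """Flag active permits that are any-to-any with no destination port, and permits without log."""
    findings = []
    for a in aces:
        if a.inactive or a.action != "permit":
            continue
        if a.src == ("any",) and a.dst == ("any",) and a.dst_port is None:
            findings.append((a.raw, f"permit {a.protocol[1]} any any with no port restriction"))
        if a.log is None:
            findings.append((a.raw, "permit without log"))
    return findings

if __name__ == "__main__":
    for raw, msg in audit(parse_acl(SAMPLE_ACL, {"ADMIN_PORTS"})):
        print(f"{msg}: {raw}")
```

Run against the sample, the auditor reports the first and last ACEs as any-to-any permits with no port restriction, and those two plus the ICMP permit as permits without log; the inactive ACE is skipped because it is not in effect.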