
Standard ACL

Diagram: Internet -- f0/0 -- NAT router -- f0/1 -- DS1 -- 10.0.0.0/8, 20.0.0.0/8

Classification (the ACL selects traffic for NAT):
    ip nat inside source list 1 interface f0/0 overload
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 1 permit 20.0.0.0 0.255.255.255

Filtering (the ACL is applied to an interface):
    access-list 2 permit 10.0.0.0 0.255.255.255
    access-list 2 deny 20.0.0.0 0.255.255.255
    interface f0/1
    ip access-group 2 out

Standard ACL: Wildcard Mask

Diagram: Internet -- f0/0 (172.16.1.1) -- NAT router -- DS1 -- 10.0.0.0/8, 20.0.0.0/8 with host 20.0.0.1/8; labels Permit / Access Server

Hosts to deny, last octet in binary:
    20.0.0.1 = 20.0.0.0000 0001
    20.0.0.2 = 20.0.0.0000 0010
    20.0.0.3 = 20.0.0.0000 0011
    wildcard   0.0.0.0000 0011 = 0.0.0.3

One entry per host:
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 1 deny 20.0.0.1 0.0.0.0
    access-list 1 deny 20.0.0.2 0.0.0.0
    access-list 1 deny 20.0.0.3 0.0.0.0
    access-list 1 permit 20.0.0.0 0.255.255.255

The same hosts with one wildcard entry:
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 1 deny 20.0.0.1 0.0.0.3
    access-list 1 permit 20.0.0.0 0.255.255.255

Applied on the interface:
    ip access-group 1 out

Standard ACL: Wildcard Mask (20.0.0.1 to 20.0.0.7)

Diagram: Internet -- f0/0 -- NAT router -- DS1 -- 10.0.0.0/8, 20.0.0.0/8

Hosts to deny, last octet in binary:
    20.0.0.1 = 20.0.0.0000 0001
    20.0.0.2 = 20.0.0.0000 0010
    20.0.0.3 = 20.0.0.0000 0011
    20.0.0.4 = 20.0.0.0000 0100
    20.0.0.5 = 20.0.0.0000 0101
    20.0.0.6 = 20.0.0.0000 0110
    20.0.0.7 = 20.0.0.0000 0111
    wildcard   0.0.0.0000 0111 = 0.0.0.7

One entry per host:
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 1 deny 20.0.0.1 0.0.0.0
    access-list 1 deny 20.0.0.2 0.0.0.0
    access-list 1 deny 20.0.0.3 0.0.0.0
    access-list 1 deny 20.0.0.4 0.0.0.0
    access-list 1 deny 20.0.0.5 0.0.0.0
    access-list 1 deny 20.0.0.6 0.0.0.0
    access-list 1 deny 20.0.0.7 0.0.0.0
    access-list 1 permit 20.0.0.0 0.255.255.255

The same hosts with one wildcard entry:
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 1 deny 20.0.0.1 0.0.0.7
    access-list 1 permit 20.0.0.0 0.255.255.255
Standard ACL: Wildcard Mask (20.0.0.1 to 20.0.0.4)

Diagram: Internet -- f0/0 -- NAT router -- DS1 -- 10.0.0.0, 20.0.0.0

Hosts to deny, last octet in binary:
    20.0.0.1 = 20.0.0.0000 0001
    20.0.0.2 = 20.0.0.0000 0010
    20.0.0.3 = 20.0.0.0000 0011
    20.0.0.4 = 20.0.0.0000 0100
    wildcard   0.0.0.0000 0011 = 0.0.0.3 covers .1 to .3; 20.0.0.4 differs in a higher bit and keeps its own entry

One entry per host:
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 1 deny 20.0.0.1 0.0.0.0
    access-list 1 deny 20.0.0.2 0.0.0.0
    access-list 1 deny 20.0.0.3 0.0.0.0
    access-list 1 deny 20.0.0.4 0.0.0.0
    access-list 1 permit 20.0.0.0 0.255.255.255

The same hosts with a wildcard entry plus one host entry:
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 1 deny 20.0.0.1 0.0.0.3
    access-list 1 deny 20.0.0.4 0.0.0.0
    access-list 1 permit 20.0.0.0 0.255.255.255
Standard ACL: Wildcard Mask (20.0.0.64 to 20.0.0.67)

Diagram: Internet -- f0/0 -- NAT router -- DS1 -- 10.0.0.0, 20.0.0.0

Hosts to deny, last octet in binary:
    20.0.0.64 = 20.0.0.0100 0000
    20.0.0.65 = 20.0.0.0100 0001
    20.0.0.66 = 20.0.0.0100 0010
    20.0.0.67 = 20.0.0.0100 0011
    wildcard    0.0.0.0000 0011 = 0.0.0.3

One entry per host:
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 1 deny 20.0.0.64 0.0.0.0
    access-list 1 deny 20.0.0.65 0.0.0.0
    access-list 1 deny 20.0.0.66 0.0.0.0
    access-list 1 deny 20.0.0.67 0.0.0.0
    access-list 1 permit 20.0.0.0 0.255.255.255

The same hosts with one wildcard entry:
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 1 deny 20.0.0.64 0.0.0.3
    access-list 1 permit 20.0.0.0 0.255.255.255
Standard ACL: in / out

Diagram: Internet -- f0/0 (in / out) -- NAT router -- DS1 -- 10.0.0.0/8, 20.0.0.0/8 with host 20.0.0.1/8; goal labelled Access Internet

    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 1 permit 20.0.0.1 0.0.0.0
    access-list 1 deny 0.0.0.0 255.255.255.255

The same ACL written with the host and any keywords:
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 1 permit host 20.0.0.1
    access-list 1 deny any
Standard ACL: vty lines (access-class)

Diagram: Internet -- f0/0 (Permit / Deny Internet) -- NAT router -- DS1 -- 10.0.0.0; host 20.0.0.1 labelled Deny telnet

    access-list 1 deny 20.0.0.1 0.0.0.0
    access-list 1 permit any
    line vty 0 4
    access-class 1 in

On the vty lines the ACL is applied with access-class; ip access-group is the interface command.
Standard vs Extended ACL

Standard ACL: numbers 1-99 and 1300-1999; matches on the source IP only
    access-list 1 deny 20.0.0.1 0.0.0.0
                       S.IP

Extended ACL: numbers 100-199 and 2000-2699; matches on protocol, source IP, destination IP and destination port
    access-list 100 deny tcp 20.0.0.1 0.0.0.0 any eq 80
                         Protocol  S.IP   D.IP  D.Port

Protocol keywords: tcp, udp, icmp, ip (covers tcp, udp and icmp), eigrp, ospf

R(config)# access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1000-1099>       IPX SAP access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1200-1299>       IPX summary address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <300-399>         DECnet access list
  <600-699>         Appletalk access list
  <700-799>         48-bit MAC address access list
  <800-899>         IPX standard access list
  <900-999>         IPX extended access list
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list
R(config)#

Extended ACL

Diagram: Internet -- NAT router -- DS1 -- 10.0.0.0/8, 20.0.0.0/8; server 172.16.1.1 runs DNS (53), TFTP (69), HTTP (80), HTTPS (443)

    access-list 100 deny icmp 10.0.0.0 0.255.255.255 host 172.16.1.1
    access-list 100 deny tcp 10.0.0.0 0.255.255.255 host 172.16.1.1 eq 53
    access-list 100 deny udp 10.0.0.0 0.255.255.255 host 172.16.1.1 eq 69
    access-list 100 deny tcp 10.0.0.0 0.255.255.255 host 172.16.1.1 eq 80
    access-list 100 deny tcp 10.0.0.0 0.255.255.255 host 172.16.1.1 eq 443
    access-list 100 permit ip 10.0.0.0 0.255.255.255 any

Extended ACL

Diagram: Internet -- NAT router -- DS1 -- 10.0.0.0/8, 20.0.0.0/8; server 172.16.1.1 runs DNS (53), TFTP (69), HTTP (80), HTTPS (443)

    access-list 100 permit icmp 20.0.0.0 0.255.255.255 any
    access-list 100 permit tcp 20.0.0.0 0.255.255.255 any eq 80
    access-list 100 permit tcp 20.0.0.0 0.255.255.255 any eq 443
    access-list 100 permit udp 20.0.0.0 0.255.255.255 any eq 53
    access-list 100 permit tcp 20.0.0.0 0.255.255.255 host 172.16.1.1 range 53
    access-list 100 deny ip any any

(The upper port of the range entry is cut off on the slide.)

Extended ACL

Diagram: Internet -- NAT router -- DS1 -- 10.0.0.0/8, 20.0.0.0/8; server 172.16.1.1 runs DNS, TFTP, HTTP, HTTPS

    access-list 100 deny ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    access-list 100 permit ip 10.0.0.0 0.255.255.255 host 172.16.1.1
    access-list 100 permit ip 10.0.0.0 0.255.255.255 any

Extended ACL

Diagram: Internet -- NAT router -- DS1 -- 10.0.0.0/8, 20.0.0.0/8; server 172.16.1.1 runs DNS, TFTP, HTTP, HTTPS

    access-list 100 deny ip 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
    access-list 100 permit ip 20.0.0.0 0.255.255.255 host 172.16.1.1
    access-list 100 permit ip 20.0.0.0 0.255.255.255 any

Extended ACL: telnet (port 23)

Diagram: Internet -- NAT router (192.168.1.1) -- DS1 -- 10.0.0.0/8, 20.0.0.0/8 with host 20.0.0.1/8; servers 172.16.1.1 (DNS, TFTP, HTTP, HTTPS) and 172.16.1.2

Standard ACL on the vty lines (protects the router only):
    access-list 1 permit 20.0.0.1 0.0.0.0
    line vty 0 4
    access-class 1 in

Extended ACL (router 192.168.1.1 and server 172.16.1.2):
    access-list 100 permit tcp 20.0.0.1 0.0.0.0 host 172.16.1.2 eq 23
    access-list 100 permit tcp 20.0.0.1 0.0.0.0 host 192.168.1.1 eq 23
    access-list 100 deny tcp any host 172.16.1.2 eq 23
    access-list 100 deny tcp any host 192.168.1.1 eq 23
    access-list 100 permit ip any any
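The extended ACL slides match on protocol, source, destination and destination port, and the telnet slide depends on the two permit entries for 20.0.0.1 standing before the deny entries. As an added example, not slide content and not IOS code, the following Python model parses the slide's access-list 100 lines as written, evaluates a connection against them with first-match semantics and the implicit deny, and treats the ip keyword as matching every protocol, as the slides state. ExtendedACL, parse_entry and the other names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added educational model of a Cisco-style extended ACL (not IOS code).  It parses
# access-list lines in the form the slides use and applies them first match wins.

MASK32 = 0xFFFFFFFF


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care; every 0 bit must equal the base address's bit."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & MASK32
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip", "tcp", "udp", "icmp", ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    ports: Optional[Tuple[int, int]]  # destination port range; None = any port


def _read_address(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_entry(line: str) -> Entry:
    """Parse e.g. 'access-list 100 permit tcp 20.0.0.1 0.0.0.0 host 172.16.1.2 eq 23'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, protocol = t[2], t[3]
    src, src_wc, i = _read_address(t, 4)
    dst, dst_wc, i = _read_address(t, i)
    ports = None
    if i < len(t) and t[i] == "eq":
        ports = (int(t[i + 1]), int(t[i + 1]))
    elif i < len(t) and t[i] == "range":
        ports = (int(t[i + 1]), int(t[i + 2]))
    return Entry(action, protocol, src, src_wc, dst, dst_wc, ports)


class ExtendedACL:
    def __init__(self, lines: List[str]):
        self.entries = [parse_entry(line) for line in lines]

    def evaluate(self, protocol: str, src: str, dst: str, dport: Optional[int] = None) -> str:
        """The first matching entry decides; the 'ip' keyword covers every protocol."""
        for e in self.entries:
            if e.protocol != "ip" and e.protocol != protocol:
                continue
            if not wildcard_match(src, e.src, e.src_wc) or not wildcard_match(dst, e.dst, e.dst_wc):
                continue
            if e.ports is not None and (dport is None or not e.ports[0] <= dport <= e.ports[1]):
                continue
            return e.action
        return "deny"  # implicit deny at the end of every ACL


# The telnet slide's access list 100, in the order it is configured there.
SLIDE_TELNET_ACL = [
    "access-list 100 permit tcp 20.0.0.1 0.0.0.0 host 172.16.1.2 eq 23",
    "access-list 100 permit tcp 20.0.0.1 0.0.0.0 host 192.168.1.1 eq 23",
    "access-list 100 deny tcp any host 172.16.1.2 eq 23",
    "access-list 100 deny tcp any host 192.168.1.1 eq 23",
    "access-list 100 permit ip any any",
]

if __name__ == "__main__":
    acl = ExtendedACL(SLIDE_TELNET_ACL)
    for flow in [("tcp", "20.0.0.1", "172.16.1.2", 23),
                 ("tcp", "20.0.0.5", "172.16.1.2", 23),
                 ("tcp", "20.0.0.5", "172.16.1.2", 80)]:
        print(flow, "->", acl.evaluate(*flow))
```

Feeding the same five lines in with the two deny entries moved to the top changes the verdict for 20.0.0.1 from permit to deny, which is why an extended ACL has to be reviewed for the order of its entries and not only for their content.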

Named-ACL

Numbered:
    R(config)# access-list 1 permit 20.0.0.0 0.255.255.255

Named standard:
    R(config)# ip access-list standard ABC
    R(config-std-nacl)# permit 20.0.0.0 0.255.255.255

Named extended:
    R(config)# ip access-list extended ABC
    R(config-ext-nacl)# permit tcp 20.0.0.0 0.255.255.255 host 172.16.1.1 eq 23
Named-ACL: removing one entry

Numbered:
    R(config)# access-list 1 permit 10.0.1.0 0.0.0.255
    R(config)# access-list 1 permit 10.0.2.0 0.0.0.255
    R(config)# access-list 1 permit 10.0.3.0 0.0.0.255
    R(config)# no access-list 1 permit 10.0.3.0 0.0.0.255

Named:
    R(config)# ip access-list standard abc
    R(config-std-nacl)# permit 10.0.1.0 0.0.0.255
    R(config-std-nacl)# permit 10.0.2.0 0.0.0.255
    R(config-std-nacl)# permit 10.0.3.0 0.0.0.255
    R(config)# ip access-list standard abc
    R(config-std-nacl)# no 30

For a numbered ACL, no access-list 1 ... discards the whole list, not just the entry named; in named mode, no 30 removes only the entry with sequence number 30.
Named-ACL: sequence numbers

    R(config-if)# ip access-group abc in/out

    R(config)# ip access-list standard abc
    R(config-std-nacl)# 10 permit 10.0.1.0 0.0.0.255
    R(config-std-nacl)# 20 permit 10.0.2.0 0.0.0.255
    R(config-std-nacl)# 30 permit 10.0.3.0 0.0.0.255
    R(config-std-nacl)# 15 permit 10.0.4.0 0.0.0.255
    R(config-std-nacl)# 35 permit 10.0.5.0 0.0.0.255
    R(config-std-nacl)# permit 10.0.6.0 0.0.0.255

    R# show ip access-lists
    Standard IP access list abc
        10 permit 10.0.1.0, wildcard bits 0.0.0.255
        15 permit 10.0.4.0, wildcard bits 0.0.0.255
        20 permit 10.0.2.0, wildcard bits 0.0.0.255
        30 permit 10.0.3.0, wildcard bits 0.0.0.255
        35 permit 10.0.5.0, wildcard bits 0.0.0.255
        45 permit 10.0.6.0, wildcard bits 0.0.0.255
Named-ACL: editing a numbered ACL in named mode

    R(config)# access-list 1 permit 10.0.1.0 0.0.0.255
    R(config)# access-list 1 permit 10.0.2.0 0.0.0.255
    R(config)# access-list 1 permit 10.0.3.0 0.0.0.255

    R(config)# ip access-list standard 1
    R(config-std-nacl)# no 30
    R(config-std-nacl)# no 20
    R(config-std-nacl)# no 10