Cisco Catalyst 6500 Series Configuration Manual page 195
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
Chapter 10
Controlling Network Access with Access Control Lists
Use an operator to match port numbers used by the source or destination. The permitted operators are as follows:
lt—less than
gt—greater than
eq—equal to
neq—not equal to
range—an inclusive range of values. When you use this operator, specify two port numbers, for example:
range 100 200
For a list of permitted keywords and well-known port assignments, see the "TCP and UDP Ports" section on page D-6. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.
For information about logging options that you can add to the end of the ACE, see the "Logging Extended Access Control List Activity" section on page 10-26.
See the following example:
The following ACL restricts all hosts (on the interface to which you apply the ACL) from accessing a website at address 209.165.201.29. All other traffic is allowed.
FWSM/contexta(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
FWSM/contexta(config)# access-list ACL_IN extended permit ip any any
Add an ACE for ICMP by entering the following command:
FWSM/contexta(config)# access-list acl_name [extended] {deny | permit} icmp source_address mask dest_address mask [icmp_type]
Enter host before the IP address to specify a single address. In this case, do not enter a mask. Enter any instead of the address and mask to specify any address.
Because ICMP is a connectionless protocol, you either need ACLs to allow ICMP in both directions (by applying ACLs to the source and destination interfaces), or you need to enable the ICMP inspection engine (see the "ICMP Inspection Engine" section on page 13-10). The ICMP inspection engine treats ICMP sessions as stateful connections.
To control ping, specify echo-reply (0) (FWSM to host) or echo (8) (host to FWSM). See the "ICMP Types" section on page D-9 for a list of ICMP types.
For information about logging options that you can add to the end of the ACE, see the "Logging Extended Access Control List Activity" section on page 10-26.
Step 2
To apply an extended ACL to the inbound or outbound direction of an interface, enter the following command:
FWSM/contexta(config)# access-group acl_name {in | out} interface interface_name
You can apply one ACL of each type (extended and EtherType) to both directions of the interface. See the "Inbound and Outbound Access Control Lists" section on page 10-10 for more information about ACL directions.
For connectionless protocols, you need to apply the ACL to the source and destination interfaces if you want traffic to pass in both directions. For example, you can allow BGP in an ACL in transparent mode, and you need to apply the ACL to both interfaces.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
10-15
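The following configuration fragment is an added example, not part of the guide, that ties the port operators, the ICMP ACE and the access-group step together: an inside network is allowed web and a TCP port range to one server and may ping it, and because ICMP is connectionless and the ICMP inspection engine is not enabled here, the echo replies get their own ACE on the other interface. The interface names inside and outside, the 192.168.1.0/24 network and the port range are assumed for illustration.

```cisco
! Added example; interface names, addresses and port range are assumptions.
! Policy for traffic entering on the inside interface.
FWSM/contexta(config)# access-list ACL_IN extended permit tcp 192.168.1.0 255.255.255.0 host 209.165.201.29 eq www
FWSM/contexta(config)# access-list ACL_IN extended permit tcp 192.168.1.0 255.255.255.0 host 209.165.201.29 range 8000 8010
! echo (8) is host to FWSM: the ping request from the inside network.
FWSM/contexta(config)# access-list ACL_IN extended permit icmp 192.168.1.0 255.255.255.0 host 209.165.201.29 echo
FWSM/contexta(config)# access-group ACL_IN in interface inside
! ICMP is connectionless: without the ICMP inspection engine the reply is a
! separate flow arriving on the outside interface, so it needs its own ACE.
! echo-reply (0) is FWSM to host. Only the reply is permitted, not echo requests
! originating outside.
FWSM/contexta(config)# access-list ACL_OUT extended permit icmp host 209.165.201.29 192.168.1.0 255.255.255.0 echo-reply
FWSM/contexta(config)# access-group ACL_OUT in interface outside
```

If the ICMP inspection engine is enabled instead, the FWSM tracks the echo and its reply as one session and the ACL_OUT echo-reply ACE is not needed.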