Lab Activity 9.3.4: Configuring standard and extended IP access lists

Sample Network: You may wish to configure the network below. You will first need to configure the network for dynamic or static routing. (Notice that the IP addresses may have changed from the previous example.)

Example: Permitting only a specific host from the 205.7.5.0 network onto the 192.5.5.0 network

LabA (config)# access-list 10 permit host 205.7.5.11

LabA (config)# inter e 0
LabA (config-if)# ip access-group 10 out

Example: Denying a specific host from the 205.7.5.0 network onto the 192.5.5.0 network

LabA (config)# access-list 10 deny 205.7.5.11
LabA (config)# access-list 10 permit 0.0.0.0 255.255.255.255
{Or LabA (config)# access-list 10 permit any}

LabA (config)# inter e 0
LabA (config-if)# ip access-group 10 out

Example: Permitting only hosts from the 210.93.105.0 network onto the 192.5.5.0 network

LabA (config)# access-list 10 permit 210.93.105.0 0.0.0.255
{The wildcard mask is required here: a standard access list entry with no mask defaults to 0.0.0.0 and would match only the single address 210.93.105.0}

LabA (config)# inter e 0
LabA (config-if)# ip access-group 10 out


Example: An access list that permits telnets from the 192.5.5.0 network destined for the host 223.8.151.10, but prohibits all other telnets from the 192.5.5.0 network into the 223.8.151.0 network. All other traffic is allowed to enter the 223.8.151.0 network.

LabA (config)# access-list 101 permit tcp 192.5.5.0 0.0.0.255 223.8.151.10 0.0.0.0 eq 23
LabA (config)# access-list 101 deny tcp 192.5.5.0 0.0.0.255 223.8.151.0 0.0.0.255 eq 23
LabA (config)# access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

LabA (config)# interface e 0
LabA (config-if)# ip access-group 101 in

Using the host keyword is the same as using the wildcard mask 0.0.0.0:

LabA (config)# access-list 101 permit tcp 192.5.5.0 0.0.0.255 223.8.151.10 0.0.0.0 eq 23
replaced by
LabA (config)# access-list 101 permit tcp 192.5.5.0 0.0.0.255 host 223.8.151.10 eq 23

Using the any keyword is the same as using 0.0.0.0 255.255.255.255:

LabA (config)# access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
replaced by
LabA (config)# access-list 101 permit ip any any

Note: Remember there is an implicit deny any (everything) at the end of an access list.
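Added example (not part of the original lab): a small Python model of how a router reads these lists, covering first-match order, wildcard masks, the host and any keywords, and the implicit deny. The parser is a simplification that handles only the entry forms used above, and the host addresses used to test it (such as 192.5.5.20) are constructed.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)  # same as 0.0.0.0 255.255.255.255

def ip(s):
    return int(ipaddress.IPv4Address(s))

def addr_spec(tok):
    """Consume 'any', 'host A', 'A WILDCARD' or bare 'A' -> (address, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return ip(tok.pop(0)), 0
    # A bare address gets wildcard 0.0.0.0, so it matches that one address only.
    wild = ip(tok.pop(0)) if tok and tok[0].count(".") == 3 else 0
    return ip(first), wild

def parse(line):
    """Simplified parser: numbers below 100 are standard ACLs, others extended."""
    tok = line.split()[1:]
    number, action = int(tok.pop(0)), tok.pop(0)
    if number < 100:  # standard ACL: source address only
        return action, "ip", addr_spec(tok), ANY, None
    proto = tok.pop(0)
    src, dst = addr_spec(tok), addr_spec(tok)
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def hit(spec, address):
    addr, wild = spec  # wildcard bits set to 1 are ignored in the comparison
    return ((ip(address) ^ addr) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl, src, dst="0.0.0.0", proto="ip", dport=None):
    """Return the action of the first entry that matches, reading top down."""
    for line in acl:
        action, e_proto, e_src, e_dst, e_port = parse(line)
        if e_proto not in ("ip", proto) or (e_port is not None and e_port != dport):
            continue
        if hit(e_src, src) and hit(e_dst, dst):
            return action
    return "deny"  # implicit deny any at the end of every list

ACL_101 = [  # the extended list from this lab
    "access-list 101 permit tcp 192.5.5.0 0.0.0.255 223.8.151.10 0.0.0.0 eq 23",
    "access-list 101 deny tcp 192.5.5.0 0.0.0.255 223.8.151.0 0.0.0.255 eq 23",
    "access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]
```

Calling evaluate(ACL_101, "192.5.5.20", "223.8.151.20", "tcp", 23) returns "deny" from the second entry, while the same packet to port 80 falls through to the final permit.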