Specifications

Chapter 2 Configuring Security Features
Configuring Firewalls
2-6
Cisco 1700 Series Router Software Configuration Guide
78-5407-03
Access Lists
Access lists are configured as standard or extended. A standard access list
permits or denies packets on the basis of their source address only. An extended
access list matches on both the source and the destination address, and it also
lets individual protocols be permitted or denied. An access list is a series of
commands bound together by a common tag; the tag is either a number or a name.
Standard numbered access list commands take the following form:
access-list {1-99} {permit | deny} source-addr [source-mask]
Extended numbered access list commands take the following form:
access-list {100-199} {permit | deny} protocol source-addr [source-mask] destination-addr [destination-mask]
In both forms the mask is a wildcard mask, not a subnet mask: a 0 bit must match
the corresponding address bit exactly, and a 1 bit is ignored. A mask of 0.0.0.255
therefore matches a whole /24, and omitting the mask in a standard list matches the
single host (0.0.0.0).
Named access list commands take the form:
ip access-list {standard | extended} name
A standard named access list command must be followed by subcommands in this
form:
{permit | deny} {source-addr [source-wildcard] | any}
An extended named access list command must be followed by subcommands in this
form:
{permit | deny} protocol {source-addr [source-mask] | any} {destination-addr [destination-mask] | any}
A sequence of access list commands bound together with a common name or
number is referred to as an access group. An access group is enabled for an
interface during interface configuration with the command
ip access-group {number | name} [in | out]
where in | out refers to the direction of travel of the packets being filtered
relative to the interface; if the direction is omitted, IOS applies the list to
outbound packets.
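The forms above, exercised as an added example that is not code from the Cisco guide: the Python below parses a constructed IOS configuration fragment (a standard numbered list, an extended numbered list, an extended named list, and ip access-group bindings) and evaluates packets against it with IOS first-match semantics. The interface names, list numbers and names, addresses and packets are all made up for illustration. Two IOS behaviours this page does not state are modelled and labelled in the code: a packet that matches no entry falls onto the implicit deny at the end of every list, and a list that is applied to an interface but never defined passes all traffic.

```python
"""Evaluator for the IOS access-list forms on this page. Added example, not
code from the Cisco 1700 guide: it parses a constructed config fragment and
applies IOS first-match semantics. It also models two IOS behaviours the page
does not state: the implicit deny ending every list, and the fact that an
ip access-group naming an undefined list passes all traffic."""
import ipaddress
from typing import NamedTuple, Tuple

# Constructed sample configuration. Masks are IOS wildcard masks:
# a 0 bit must match exactly, a 1 bit is "don't care".
SAMPLE_CONFIG = """
! standard numbered list: block one host, then permit its subnet
access-list 10 deny 10.1.1.99
access-list 10 permit 10.1.1.0 0.0.0.255
! extended numbered list: LAN may reach the web server over TCP only
access-list 101 permit tcp 192.168.1.0 0.0.0.255 203.0.113.10 0.0.0.0
access-list 101 deny ip any any
ip access-list extended LAN-IN
 permit tcp 192.168.1.0 0.0.0.255 any
 deny ip any any
interface FastEthernet0
 ip access-group LAN-IN in
interface Ethernet0
 ip access-group TYPO-NAME in
"""
ANY = ("0.0.0.0", "255.255.255.255")   # what the 'any' keyword expands to

class Entry(NamedTuple):
    action: str                # 'permit' | 'deny'
    proto: str                 # 'ip' matches every protocol
    src: Tuple[str, str]       # (address, wildcard mask)
    dst: Tuple[str, str]

def wildcard_match(addr, base, wildcard):
    """True if addr equals base in every bit position where the wildcard is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (0xFFFFFFFF ^ w) == 0

def _take_addr(tok, mask_required):
    """Consume 'any' or 'addr [wildcard]'; standard entries default a missing
    wildcard to 0.0.0.0 (that one host), extended entries must spell it out."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if len(tok) > 1 and tok[1][:1].isdigit():          # next token is a mask
        return (tok[0], tok[1]), tok[2:]
    if mask_required:
        raise ValueError(f"wildcard mask required after {tok[0]}")
    return (tok[0], "0.0.0.0"), tok[1:]

def _parse_entry(tok, extended):
    if tok[0] not in ("permit", "deny"):
        raise ValueError(f"expected permit|deny, got {tok[0]!r}")
    if extended:                 # {permit|deny} protocol src mask dst mask
        src, rest = _take_addr(tok[2:], True)
        dst, rest = _take_addr(rest, True)
        proto = tok[1]
    else:                        # {permit|deny} src [mask]; standard = all IP
        src, rest = _take_addr(tok[1:], False)
        proto, dst = "ip", ANY
    if rest:
        raise ValueError(f"unsupported trailing tokens {rest}")
    return Entry(tok[0], proto, src, dst)

def parse_config(text):
    """Return (lists, bindings): tag -> [Entry], (interface, direction) -> tag."""
    lists, bindings, current, iface = {}, {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] == "access-list":                       # numbered form
            if not 1 <= int(tok[1]) <= 199:
                raise ValueError(f"list number {tok[1]} outside 1-99 / 100-199")
            lists.setdefault(tok[1], []).append(_parse_entry(tok[2:], int(tok[1]) >= 100))
            current = iface = None
        elif tok[:2] == ["ip", "access-list"]:            # named form header
            current, iface = (tok[3], tok[2] == "extended"), None
            lists.setdefault(tok[3], [])
        elif tok[0] == "interface":
            current, iface = None, tok[1]
        elif tok[:2] == ["ip", "access-group"] and iface:
            direction = tok[3] if len(tok) > 3 else "out"  # IOS default if omitted
            bindings[(iface, direction)] = tok[2]
        elif current and tok[0] in ("permit", "deny"):   # named-list subcommand
            lists[current[0]].append(_parse_entry(tok, current[1]))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return lists, bindings

def evaluate(entries, proto, src, dst):
    """First matching entry decides and processing stops: returns (action, index),
    or ('deny', None) when the packet falls off the end onto the implicit deny."""
    for i, e in enumerate(entries):
        if e.proto in ("ip", proto) and wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
            return e.action, i
    return "deny", None

def filter_on_interface(lists, bindings, iface, direction, proto, src, dst):
    """Verdict for a packet crossing an interface. No binding, or a binding to a
    list that was never defined (TYPO-NAME above), lets everything through."""
    tag = bindings.get((iface, direction))
    if tag is None or tag not in lists:
        return "permit"
    return evaluate(lists[tag], proto, src, dst)[0]

def order_matters(lists):
    """Reversed, list 10 tests the subnet permit first, so the host deny is dead."""
    pkt = ("tcp", "10.1.1.99", "203.0.113.10")
    return evaluate(lists["10"], *pkt)[0], evaluate(lists["10"][::-1], *pkt)[0]
```

`order_matters` reproduces the classic mistake of placing a broad permit above a narrower deny: the host deny becomes unreachable and nothing in the configuration warns about it. The TYPO-NAME binding shows why an access-group name should always be checked against the defined lists before trusting the interface to filter anything.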
When a sequence of access list commands is used, three things must be kept in
mind:
The order of commands in the sequence is important. A packet is tested
against the first command; the first command that matches it, whether a
permit or a deny, decides its fate and no later command is consulted. If the
first command does not match (that is, neither a permit nor a deny occurs),
the next command operates on the packet, and so on.