Cisco Wide Area Application Services Command Reference
OL-16451-01
Chapter 3 CLI Commands
(config-ext-nacl) deny
Defaults An access list drops all packets unless you configure at least one permit entry.

Command Modes extended ACL configuration mode

Device Modes application-accelerator, central-manager

Usage Guidelines To create an entry, use a deny or permit keyword and specify the type of packets that you want the WAAS device to drop or to accept for further processing. By default, an access list denies everything because the list is terminated by an implicit deny any entry. You must include at least one permit entry to create a valid access list.

To allow connections from a specific host, use the permit host source-ip option and replace source-ip with the IP address of the specific host.

To allow connections from a specific network, use the permit host source-ip wildcard option. Replace source-ip with a network ID or the IP address of any host on the network that you want to specify. Replace wildcard with the dotted decimal notation for a mask that is the reverse of a subnet mask, where

wildcard
    (Optional) Wildcard. The notation is in 4-digit, dotted-decimal format. The bits to match are identified by a digital value of 0; the bits to ignore are identified by a 1.
    For extended IP ACLs, the wildcard parameter of the ip access-list command is always optional. If the host keyword is specified for an extended IP ACL, then the wildcard parameter is not allowed.

host source-ip
    Specifies to match the following IP address.

any
    Specifies to match any IP address.

dest-ip
    Specifies destination IP address. The number of the network or host to which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format (for example, 0.0.0.0).

operator port
    (Optional) Operator to use with specified ports, where lt = less than, gt = greater than, eq = equal to, neq = not equal to, and range = an inclusive range.
    The port value is a number (0–65535) or a keyword; two port numbers are required with the range keyword. See the “Usage Guidelines” section for a listing of the UDP and TCP keywords.

established
    (Optional) Specifies to match TCP packets with the acknowledgment or reset bits set.

icmp-type
    (Optional) Match with ICMP message type (0–255).

code
    (Optional) Code type is 0–255.

icmp-msg
    (Optional) Match a combination of ICMP message type and code types, as expressed by the keywords shown in the “Usage Guidelines” section.
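
The wildcard, port-operator and implicit-deny rules described above can be checked with a small model before an entry is committed to a device. This is an added example, not Cisco code and not a parser for WAAS syntax: the Entry class, the function names and the sample addresses are hypothetical, only the source address and destination port are modelled, and entries are assumed to be checked in order with the first match deciding.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_from_netmask(netmask: str) -> str:
    # A wildcard is the bitwise inverse of a subnet mask.
    return str(ipaddress.IPv4Address(ip_int(netmask) ^ 0xFFFFFFFF))

def addr_matches(packet_ip: str, acl_ip: str, wildcard: str = "0.0.0.0") -> bool:
    # Wildcard bit 0 = must match, bit 1 = ignore; "host" behaves like 0.0.0.0.
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(packet_ip) & care) == (ip_int(acl_ip) & care)

def port_matches(port: int, op: Optional[str], args: Tuple[int, ...]) -> bool:
    if op is None:          # no operator: any port matches
        return True
    if op == "range":       # inclusive range, two port numbers
        return args[0] <= port <= args[1]
    return {"lt": port < args[0], "gt": port > args[0],
            "eq": port == args[0], "neq": port != args[0]}[op]

@dataclass
class Entry:                # simplified model of one ACL entry (hypothetical)
    action: str             # "permit" or "deny"
    src: str                # "any" or an IPv4 address
    wildcard: str = "0.0.0.0"
    op: Optional[str] = None
    ports: Tuple[int, ...] = ()

def evaluate(acl, src_ip: str, dst_port: int) -> str:
    for e in acl:           # first matching entry decides
        src_ok = e.src == "any" or addr_matches(src_ip, e.src, e.wildcard)
        if src_ok and port_matches(dst_port, e.op, e.ports):
            return e.action
    return "deny"           # implicit "deny any" that terminates every list

# Constructed sample list: addresses and ports are illustrative only.
SAMPLE_ACL = [
    Entry("deny", "10.1.1.77"),
    Entry("permit", "10.1.1.0", "0.0.0.255", "eq", (22,)),
    Entry("permit", "192.168.0.0", wildcard_from_netmask("255.255.0.0"), "range", (8000, 8100)),
]

if __name__ == "__main__":
    for ip, port in [("10.1.1.77", 22), ("10.1.1.5", 22), ("10.1.1.5", 443)]:
        print(ip, port, evaluate(SAMPLE_ACL, ip, port))
```

A list that contains only deny entries returns deny for every packet in this model, which is why at least one permit entry is required.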