Cisco Wide Area Application Services Command Reference
OL-11817-01
Chapter 3 CLI Commands
(config-ext-nacl) deny
Defaults An access list drops all packets unless you configure at least one permit entry.
Command Modes Extended ACL configuration mode
Device Modes application-accelerator
central-manager
Usage Guidelines To create an entry, use a deny or permit keyword and specify the type of packets that you want the
WAAS device to drop or to accept for further processing. By default, an access list denies everything
because the list is terminated by an implicit deny any entry. Therefore, you must include at least one
permit entry to create a valid access list.
To allow connections from a specific host, use the permit host source-ip option and replace source-ip
with the IP address of the specific host.
wildcard     (Optional) Portions of the preceding IP address to match, expressed using
             4-digit, dotted-decimal notation. Bits to match are identified by a digital
             value of 0; bits to ignore are identified by a 1.
             Note: For extended IP ACLs, the wildcard parameter of the ip access-list
             command is always optional. If the host keyword is specified for an
             extended IP ACL, then the wildcard parameter is not allowed.
host         Matches the following IP address.
any          Matches any IP address.
dest-ip      Destination IP address. The number of the network or host to which the
             packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal
             format (for example, 0.0.0.0).
operator     (Optional) Operator to use with specified ports, where lt = less than, gt =
             greater than, eq = equal to, neq = not equal to, and range = an inclusive
             range.
port         (Optional) Port, using a number (0–65535) or a keyword; 2 port numbers
             are required with range. See the Usage Guidelines section for a listing of
             the UDP and TCP keywords.
established  (Optional) Matches TCP packets with the acknowledgment or reset bits set.
icmp-type    (Optional) Match with ICMP message type (0–255).
code         (Optional) Used with icmp-type to further match by ICMP code type
             (0–255).
icmp-msg     (Optional) Match combination of ICMP message type and code types, as
             expressed by the keywords shown in the Usage Guidelines section.
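
The wildcard rule from the parameter descriptions and the implicit deny any from the Usage Guidelines, worked through as an added Python example that is not part of the Cisco reference. It models only source and destination addresses; the tuple layout, function names and sample addresses are constructed for illustration, and entries are assumed to be evaluated top-down with the first match deciding.

```python
import ipaddress

ALL = 0xFFFFFFFF

def spec(text):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' into (base, wildcard)."""
    parts = text.split()
    if parts == ["any"]:
        return 0, ALL
    if parts[0] == "host":
        (ip,) = parts[1:]  # ValueError if a wildcard follows host (not allowed)
        return int(ipaddress.IPv4Address(ip)), 0
    base, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    return base, wild

def matches(addr, s):
    """Wildcard bits of 0 must match the base address; bits of 1 are ignored."""
    base, wild = s
    care = ~wild & ALL
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def covers(outer, inner):
    """True when every address matched by inner is also matched by outer."""
    (ob, ow), (ib, iw) = outer, inner
    care = ~ow & ALL
    return (iw & care) == 0 and (ob & care) == (ib & care)

def evaluate(acl, src, dst):
    """Return (action, entry number); entry None is the implicit deny any."""
    for n, (action, s, d) in enumerate(acl, 1):
        if matches(src, spec(s)) and matches(dst, spec(d)):
            return action, n
    return "deny", None

def audit(acl):
    """Flag a list with no permit entry and entries shadowed by an earlier one."""
    findings = []
    if not any(action == "permit" for action, _, _ in acl):
        findings.append("no permit entry: list drops all packets")
    for j, (_, s2, d2) in enumerate(acl):
        for i, (_, s1, d1) in enumerate(acl[:j]):
            if covers(spec(s1), spec(s2)) and covers(spec(d1), spec(d2)):
                findings.append(f"entry {j + 1} shadowed by entry {i + 1}")
                break
    return findings

# Constructed sample lists: (action, source, destination); ports not modelled.
DENY_ONLY = [("deny", "host 192.0.2.5", "any")]
MIXED = [("permit", "192.0.2.0 0.0.0.255", "any"),
         ("deny", "host 192.0.2.5", "any")]  # too late: entry 1 matches first
```

Running `audit` over a list before applying it catches both failure modes shown here: a deny-only list that blocks every packet, and a specific deny placed after a broader permit that already matches the same host.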