User's Manual
403
second line allows any new TCP connection to the SMTP port of host 130.2.1.2.
ip access-list extended aaa
permit tcp any 130.2.0.0 255.255.0.0 gt 1023
permit tcp any 130.2.1.2 255.255.255.255 eq 25
interface vlan 10
ip access-group aaa in
Another example of applying an extended access list follows. Suppose a network is connected to the Internet. You
want any host on the Ethernet to be able to open a TCP connection to a host on the Internet, but you do not want
a host on the Internet to be able to open a TCP connection to a host on the Ethernet, except to the SMTP port of
the mail host.
SMTP uses TCP port 25 at one end of the connection and an arbitrary port number at the other end, and the same
two port numbers are used for the life of the connection. A mail packet arriving from the Internet therefore has
destination port 25, and the outgoing packet carries port 25 as its source port. In practice, the system behind
the routing switch always receives mail on port 25. This is exactly why the incoming and outgoing services can be
controlled separately: the access list can be applied to either the outgoing or the incoming direction.
In the following example, the Ethernet is a Class B network with the address 130.20.0.0, and the address of the
mail host is 130.20.1.2. The keyword established is used only with the TCP protocol and means that a connection
has already been set up: a match occurs if the TCP segment has the ACK or RST bit set, which indicates that the
packet belongs to an existing connection.
ip access-list extended aaa
permit tcp any 130.20.0.0 255.255.0.0 established
permit tcp any 130.20.1.2 255.255.255.255 eq 25
interface vlan 10
ip access-group aaa in
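To make the matching rules of both examples above concrete (the port-based list on 130.2.0.0 and the established-based list on 130.20.0.0), the following Python is an added illustration of how a switch evaluates such a list; it is not the vendor's code. It assumes the semantics the manual describes: an address is followed by a subnet-style mask, a port operator (eq/gt/lt) applies to the destination port, "established" matches only segments with ACK or RST set, the first matching entry wins, and a packet that matches no entry is denied. The Internet host 198.51.100.7 and the inside host 130.20.5.5 are constructed sample addresses.

```python
import ipaddress

# Both access lists copied from the manual page. The evaluator below is an
# added illustration of how such a list is applied, not the switch's own code.
ACL_PORTS = """
permit tcp any 130.2.0.0 255.255.0.0 gt 1023
permit tcp any 130.2.1.2 255.255.255.255 eq 25
"""

ACL_ESTABLISHED = """
permit tcp any 130.20.0.0 255.255.0.0 established
permit tcp any 130.20.1.2 255.255.255.255 eq 25
"""


def _take_addr(tokens):
    """Consume 'any' or '<ip> <mask>' from tokens and return a match function."""
    if tokens[0] == "any":
        del tokens[0]
        return lambda ip: True
    net = int(ipaddress.IPv4Address(tokens[0]))
    mask = int(ipaddress.IPv4Address(tokens[1]))   # subnet-style mask, as on the page
    del tokens[:2]
    return lambda ip: (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)


def parse_acl(text):
    """Parse permit/deny lines into (action, proto, src, dst, port_op, established)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        port_op, established = None, False
        while rest:
            tok = rest.pop(0)
            if tok in ("eq", "gt", "lt"):          # operator on the destination port
                port_op = (tok, int(rest.pop(0)))
            elif tok == "established":
                established = True
            else:
                raise ValueError(f"unsupported keyword: {tok}")
        rules.append((action, proto, src, dst, port_op, established))
    return rules


def _port_matches(port_op, port):
    if port_op is None:
        return True
    op, value = port_op
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def evaluate(rules, pkt):
    """First matching entry decides; a packet matching no entry is denied."""
    for action, proto, src, dst, port_op, established in rules:
        if proto != pkt["proto"]:
            continue
        if not (src(pkt["src"]) and dst(pkt["dst"])):
            continue
        if not _port_matches(port_op, pkt["dport"]):
            continue
        # "established": only the ACK/RST flag bits are examined, no connection table.
        if established and not (pkt["ack"] or pkt["rst"]):
            continue
        return action
    return "deny"


def tcp(src, dst, sport, dport, ack=False, rst=False):
    """Constructed packet header holding only the fields the access list inspects."""
    return {"proto": "tcp", "src": src, "dst": dst,
            "sport": sport, "dport": dport, "ack": ack, "rst": rst}


if __name__ == "__main__":
    rules = parse_acl(ACL_ESTABLISHED)
    # Constructed traffic arriving from the Internet host 198.51.100.7 on vlan 10.
    samples = [
        ("new connection to inside web host", tcp("198.51.100.7", "130.20.5.5", 40000, 80)),
        ("reply to a connection the inside host opened", tcp("198.51.100.7", "130.20.5.5", 80, 40000, ack=True)),
        ("new connection to mail host port 25", tcp("198.51.100.7", "130.20.1.2", 40001, 25)),
        ("new connection to mail host port 80", tcp("198.51.100.7", "130.20.1.2", 40002, 80)),
    ]
    for label, pkt in samples:
        print(f"{evaluate(rules, pkt):6}  {label}")
```

Running the script shows the inbound SYN to the inside web host denied, the ACK reply to a connection the inside host opened permitted, and the mail host reachable on port 25 only. Note that the established check inspects nothing but the ACK and RST bits, so the list is stateless: it does not know whether a matching connection really exists. Where that guarantee matters, pair the access list with stateful inspection.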