Access List

arivukalanjiyam (Programmer), Oct 4, 2002:

Hi there,
In an extended access list, why is it that we cannot restrict systems using port numbers with IP?

Eg:

(config)#access-list 2 deny IP 10.11.12.0 0.0.0.255 10.11.14.0 0.0.0.255

Now why is it that we cannot use a port number here for IP, like in the case of telnet (23), ftp (21), etc.?

 
You can use port numbers in extended access lists! For example ..


collossus(config)#access-list 120 deny tcp any eq 80 host 192.168.3.2
collossus(config)#access-list 120 deny tcp any eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (used infrequently, 20)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pim-auto-rp PIM Auto-RP (496)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)


Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
As per Chris' note you can use source and destination port numbers or ranges of ports.

It is worth pointing out that in your example you have used access list 2.

This is a basic IP access list (Access List no 1-99) which filters only on source IP address.

Extended IP access lists (access list no 100-199) allow filtering on source/dest ip, protocol, port etc.

syntax : access-list 100-199 permit|deny ip|tcp|udp|icmp source source-mask dest dest-mask [lt|gt|eq|neq dest-port]

For an alternative view on access lists try:-


Hope this helps [worm]
 
Hi,
The answers above basically answer you, but watch the syntax: you cannot use an extended ACL with the "ip" keyword and specify ports; you will need to use the tcp or udp keywords for that.

BR,

-Stephen
 
Hi Nohair,

You say: "you cannot use an extended ACL with the "ip" keyword and specify ports, you will need to use the tcp or udp keywords for that."

You are right on target. That's what I am asking: why?

Is it because only transport layer protocols can use ports?!?

 
Spot on. By specifying IP it only looks at the layer 3 info.
When TCP/UDP is specified the layer 4 info is checked, i.e. port numbers.
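Added example (not from the thread and not Cisco code): a small Python model of the ACL evaluation the replies above describe, so the layer 3 / layer 4 distinction can be seen running. It parses numbered IOS access-list lines (a standard list, 1-99, takes a source address only; an extended list, 100-199, takes protocol, source, an optional source-port operator, destination and an optional destination-port operator), matches packets against wildcard masks, applies first-match order with the implicit deny at the end, and refuses a port operator on an "ip" entry the way the IOS parser does. The Packet and Ace types, the PORT_NAMES subset (only a few of the keywords from Chris's listing) and the sample list EXTENDED_ACL are constructed for this demo; keywords such as established or log are not handled.

```python
import ipaddress
from collections import namedtuple

# Constructed subset of the IOS port-name keywords from the "eq ?" listing above.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255

# sport/dport are None for protocols without layer-4 ports (e.g. icmp).
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))
# src/dst are (address, wildcard) integers; sport/dport are ("eq", 80), ("range", 20, 21) or None.
Ace = namedtuple("Ace", "action proto src dst sport dport", defaults=(None, None))

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_addr(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return ((addr, wildcard), next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2

def _parse_port(t, i):
    """Consume an optional eq/neq/lt/gt/range operator at t[i]; return (spec or None, next index)."""
    if i < len(t) and t[i] in ("eq", "neq", "lt", "gt"):
        return (t[i], _port(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return ("range", _port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i

def parse_ace(line):
    """Parse one numbered access-list line: standard (1-99) or extended (100-199)."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:
        # Standard list: source address only. A protocol keyword such as "ip" is not an
        # address, so IPv4Address() raises ValueError here, just as IOS rejects the line.
        src, i = _parse_addr(t, 3)
        if i != len(t):
            raise ValueError(f"standard list takes only a source address: {line!r}")
        return Ace(action, "ip", src, ANY)
    proto = t[3]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    if i != len(t):
        raise ValueError(f"unsupported trailing tokens {t[i:]}")  # e.g. 'established', 'log'
    if proto not in ("tcp", "udp") and (sport or dport):
        raise ValueError(f"'{proto}' has no layer-4 ports; use tcp or udp: {line!r}")
    return Ace(action, proto, src, dst, sport, dport)

def _addr_match(spec, ip):
    addr, wc = spec
    return (int(ipaddress.IPv4Address(ip)) & ~wc) == (addr & ~wc)  # wildcard 1-bits are "don't care"

def _port_match(spec, port):
    if spec is None:
        return True  # no operator on this entry: any port matches
    if port is None:
        return False
    op, lo = spec[0], spec[1]
    if op == "range":
        return lo <= port <= spec[2]
    return {"eq": port == lo, "neq": port != lo, "lt": port < lo, "gt": port > lo}[op]

def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.proto == "ip":
        return True  # layer 3 only: ports are never consulted
    return _port_match(ace.sport, pkt.sport) and _port_match(ace.dport, pkt.dport)

def evaluate(acl_lines, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for n, ace in enumerate(map(parse_ace, acl_lines), 1):
        if ace_matches(ace, pkt):
            return ace.action, n
    return "deny", None

def rejects(line):  # True where the IOS parser would print "% Invalid input"
    try:
        parse_ace(line)
    except ValueError:
        return True
    return False

# Constructed ACL: block telnet and ftp from 10.11.12.0/24 to 10.11.14.0/24, permit the rest.
EXTENDED_ACL = [
    "access-list 120 deny tcp 10.11.12.0 0.0.0.255 10.11.14.0 0.0.0.255 eq telnet",
    "access-list 120 deny tcp 10.11.12.0 0.0.0.255 10.11.14.0 0.0.0.255 eq ftp",
    "access-list 120 permit ip 10.11.12.0 0.0.0.255 10.11.14.0 0.0.0.255",
]

if __name__ == "__main__":
    print(evaluate(EXTENDED_ACL, Packet("tcp", "10.11.12.5", "10.11.14.7", 40001, 23)))
    print(rejects("access-list 120 deny ip 10.11.12.0 0.0.0.255 10.11.14.0 0.0.0.255 eq telnet"))
```

Two things the model makes visible that the thread only states: the original "access-list 2 deny ip ..." line fails because a standard list has no protocol field at all, not merely because ports are missing; and in Chris's line "deny tcp any eq 80 host 192.168.3.2" the "eq 80" sits before the destination, so it matches the source port, i.e. traffic coming from a web server's port 80, not clients connecting to port 80 on 192.168.3.2.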
 