.
Manucomp Systems
Hours of Operation

Monday to Friday:
9am - 6pm EST

Saturday & Sunday:
Closed

If you would like additional information please contact us toll-free at :

1-866-440-1115
info@manucomp.com

Can't find the product you are looking for?
Request a quote.
Extended IP Access Lists
Back to Cisco Tips

Extended ACLs allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. It also allows you to specify different types of traffic such as ICMP, TCP, UDP, etc. Needless to say, it is very grangular and allows you to be very specific. If you intend to create a packet filtering firewall to protect your network it is an Extended ACL that you will need to create.

Typically you would allow outgoing traffic and incoming initiated traffic. In other words, you want your users to be able to connect to web servers on the internet for browsing but you do not want anyone on the Internet to be able to connect to your machines. This will require 2 ACLs. One to only limit our users on the company network to only use a web browser (so this will block outgoing FTP, e-mail, Kazaa, napster, online gaming, etc.) The other access-list will only allow incoming traffic from the Internet that has been initiated from a machine on the inside. This is called an established connection. Let's see what our access list would look like for starters:

Assumptions:  
internal network: 63.36.9.0    

access-list 101 - Applied to traffic leaving the office (outgoing)
access-list 102 - Applied to traffic entering the office (incoming)
ACL 101 access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80
ACL 102 access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established