Introduction to Access-Lists on Cisco IOS Router

Asi,
The first thing you have to decide is whether you are creating a standard or extended access-list. The next decision to make is whether you want to use an access-list number or an access-list name. In the examples you gave, you chose to use named access-lists for both (out_acsz_in). Also, in your example, we must be using extended access-lists (because you specified the destination of the traffic you are permitting).

Let’s look at your two examples, and reconfigure them so they are using the proper syntax.
Your first example is this:
(config)#access-list out_acz_in permit any 10.0.32.10

The correct syntax for this would be:

(config)#ip access-list extended out_acz_in
(config-nacl)#permit ip any host 10.0.32.10

Here’s the difference between what you wrote, and what I wrote:

  1. The keyword “ip” must be used before “access-list” if you are using a named access-list. If you plan to use access-list numbers instead, this is not needed.
  2. Named access-lists have to be told whether they are standard or extended, hence the keyword “extended”.
  3. Named access-lists require you to press ENTER after you give the name. The IOS then takes you to a new submenu, (config-nacl)#, where you can type all of your permit or deny lines one by one.
  4. After the word “permit” or “deny” a protocol has to be specified for an extended access-list. In this case, I chose “ip”, which means any type of traffic, since you didn’t specify a port at the end.
  5. The keyword “host” tells the access-list that the next address you type in is supposed to be that specific IP. Think of “host” as a shortcut. Instead of typing 10.0.32.10 0.0.0.0, you can just type host 10.0.32.10. Both lines are acceptable and both do the same thing.

Now, let’s compare the correct syntax for both of your examples and go over the difference:

Example 1

ip access-list extended out_acz_in
 permit ip any host 10.0.32.10

Example 2

ip access-list extended out_acsz_in
 ! "host" (or the wildcard 0.0.0.0) is required before a single destination address
 permit udp any host 10.0.32.10 eq h323

Example 2 allows only the UDP ports associated with the H.323 protocol from anywhere to reach 10.0.32.10.
Example 1 allows ALL traffic from anywhere to 10.0.32.10.

As you can see, Example 2 is much more restrictive than Example 1. As to what is the default type, there really isn’t a “default.” How you write the access-list determines its behavior.

--Andrew

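As an added illustration (not part of Andrew's answer or of Cisco IOS itself), the following Python snippet evaluates packets against the two ACLs above the way IOS processes an extended access-list: first matching entry wins, and anything that matches nothing hits the implicit deny at the end. The port-name table and the h323-to-1720 mapping are assumptions made so the "eq h323" line can be evaluated.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed port-name table; h323 -> 1720 is an assumption for this example
PORT_NAMES = {"domain": 53, "tftp": 69, "www": 80, "ntp": 123, "h323": 1720}

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any protocol), "tcp", "udp", ...
    src: tuple             # (address_int, wildcard_int)
    dst: tuple
    dport: Optional[int]   # destination port from "eq", or None

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)             # wildcard of all ones: every bit is "don't care"
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)   # same as A.B.C.D 0.0.0.0
    return (int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_acl(text):
    """Parse the entries of an 'ip access-list extended' block, skipping header and comments."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!"):
            continue
        rest = tokens[2:]
        src, dst = parse_addr(rest), parse_addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append(Ace(tokens[0], tokens[1], src, dst, dport))
    return aces

def addr_matches(spec, ip):
    net, wildcard = spec
    keep = ~wildcard & 0xFFFFFFFF          # compare only the bits the wildcard does not mask
    return (int(ipaddress.IPv4Address(ip)) & keep) == (net & keep)

def evaluate(aces, proto, src_ip, dst_ip, dst_port=None):
    """Return 'permit' or 'deny' for a packet; no match means the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not (addr_matches(ace.src, src_ip) and addr_matches(ace.dst, dst_ip)):
            continue
        if ace.dport is not None and ace.dport != dst_port:
            continue
        return ace.action
    return "deny"

# The two ACLs discussed above (Example 2 written with the "host" keyword)
EXAMPLE_1 = "ip access-list extended out_acz_in\n permit ip any host 10.0.32.10\n"
EXAMPLE_2 = "ip access-list extended out_acsz_in\n permit udp any host 10.0.32.10 eq h323\n"
```

Running evaluate() on both with the same packets shows the difference Andrew describes: Example 1 permits TCP/80 to 10.0.32.10, while Example 2 permits only UDP/1720 to that one host and denies everything else.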