Corporate Headquarters


Creating Extended Access Lists Using Access List Numbers



To create an extended access list that denies and permits certain types of traffic, complete the following 
steps starting in global configuration mode:
Step 1
  Command: hq-sanjose(config)# access-list 102 deny tcp any any
  Purpose: Define access list 102 and configure the access list to deny
           all TCP traffic.


Cisco IOS VPN Configuration Guide
OL-8336-01
Chapter 3 Site-to-Site and Extranet VPN Business Scenarios
Step 5—Configuring Cisco IOS Firewall Features
Verifying Extended Access Lists
To verify the configuration:
Enter the show access-lists 102 EXEC command to display the contents of the access list.
hq-sanjose# show access-list 102
Extended IP access list 102
    deny tcp any any
    deny udp any any
    permit ip any any
Applying Access Lists to Interfaces
After you create an access list, you can apply it to one or more interfaces. Access lists can be applied on
either outbound or inbound interfaces.
To apply an access list inbound and outbound on an interface, complete the following steps starting in 
global configuration mode:
For inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of
the packet against the access list. If the access list permits the address, the software continues to process
the packet. If the access list rejects the address, the software discards the packet and returns an
“ICMP Host Unreachable” message.
For outbound access lists, after receiving and routing a packet to a controlled interface, the software 
checks the destination address of the packet against the access list. If the access list permits the address, 
the software transmits the packet. If the access list rejects the address, the software discards the packet 
and returns an “ICMP Host Unreachable” message.
When you apply an access list that has not yet been defined to an interface, the software acts as if the 
access list has not been applied to the interface and will accept all packets. Be aware of this behavior if 
you use undefined access lists as a means of security in your network.
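
The following Python audit is an added example, not part of the Cisco guide: it scans a saved configuration for ip access-group lines that name an access list with no definition, the case described above in which the interface accepts all packets. The sample configuration, interface names and access list 103 are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the guide): access list 102 is
# defined, access list 103 is applied to an interface but never defined.
SAMPLE_CONFIG = """\
access-list 102 deny tcp any any
access-list 102 deny udp any any
access-list 102 permit ip any any
!
interface Serial1/0
 ip access-group 102 in
 ip access-group 103 out
!
interface FastEthernet0/0
 ip access-group 102 out
"""

NUMBERED_DEF = re.compile(r"^access-list\s+(\d+)\s+(?:permit|deny)\b")
NAMED_DEF = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)")
INTERFACE = re.compile(r"^interface\s+(\S+)")
ACL_REF = re.compile(r"^\s+ip access-group\s+(\S+)\s+(in|out)\b")


def undefined_acl_refs(config):
    """Return (interface, acl, direction) for each ip access-group line that
    names an access list with no definition anywhere in the configuration."""
    defined, refs, current = set(), [], None
    for line in config.splitlines():
        definition = NUMBERED_DEF.match(line) or NAMED_DEF.match(line)
        iface = INTERFACE.match(line)
        ref = ACL_REF.match(line)
        if definition:
            defined.add(definition.group(1))
            current = None
        elif iface:
            current = iface.group(1)
        elif ref and current:
            refs.append((current, ref.group(1), ref.group(2)))
        elif line and not line[0].isspace():
            current = None  # any other top-level line ends the interface block
    # Filter at the end so definitions that appear after the interface count.
    return [r for r in refs if r[1] not in defined]


if __name__ == "__main__":
    for iface, acl, direction in undefined_acl_refs(SAMPLE_CONFIG):
        print(f"{iface}: access list {acl} ({direction}) is not defined")
```

Run it against the output of show running-config saved to a file; any line it reports is an interface whose filter is currently passing all traffic.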
