Difference between revisions of "Cisco - IOS Samples"

 
Line 4: Line 4:
* http://filtering.illinois.net/ACLsamples.html
* http://filtering.illinois.net/ACLsamples.html


= Sample Port Mnemonics =
<pre>
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq 22
access-list 100 permit tcp any any eq 22
access-list 100 permit udp any any eq ntp
access-list 100 deny tcp any any eq 139 log
access-list 100 permit tcp any any eq 123
access-list 100 permit tcp any any eq nntp
access-list 100 permit tcp any any eq finger
access-list 100 permit udp any any eq 119
access-list 100 permit tcp any any eq talk
access-list 100 permit tcp any any eq pop3
access-list 100 permit udp any any eq 110
access-list 100 permit udp any any eq talk
access-list 100 permit tcp any any eq 8080
access-list 100 permit udp any any eq 8080
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any gt 1023
access-list 100 permit udp any any gt 1023
*** access-list 100 deny tcp any any eq smtp
access-list 100 permit tcp any any eq irc
access-list 100 permit tcp any any eq login
access-list 100 permit tcp any any eq ident
access-list 100 permit tcp any any eq 114
access-list 100 permit tcp any any eq 518
access-list 100 permit udp any any eq 518
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit udp any any eq syslog
access-list 100 permit icmp any any
</pre>


= Sample ACL Setup =
= Sample ACL Setup =
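Review bot: The added line `*** access-list 100 deny tcp any any eq smtp` in the new Sample Port Mnemonics block is not IOS syntax; the leading asterisks look like emphasis by the page author and the line will be rejected if the block is pasted into a router, so the emphasis belongs in a `!` comment line above the entry instead. Several entries also pair a port with the transport the service does not normally use (`udp eq 22`, `tcp eq 123`, `udp eq 119`, `udp eq 110`), which is harmless in a keyword table but misleading if a reader copies it as a policy, and the two `gt 1023` lines permit every ephemeral port. I would open the block with a comment such as `! Keyword/port mnemonic table only - every entry is "any any"; not a deployable ACL` so the nature of the sample is clear before the listing.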

Latest revision as of 18:30, 2 January 2008

Some Links to Examples

Sample Port Mnemonics

! Sample Port Mnemonics: shows the service keywords IOS accepts in place of
! port numbers (telnet, domain, ntp, nntp, finger, talk, pop3, www, smtp,
! irc, login, ident, ftp, ftp-data, syslog) next to their numeric forms.
! It is a keyword table, not a deployable policy: every entry matches
! "any any", so it says nothing about direction or trust boundary, and the
! "gt 1023" lines permit every ephemeral port on both transports.
! Some entries pair a port with the transport the service does not normally
! use (udp 22, tcp 123, udp 119, udp 110) - harmless in a table, misleading
! as a filter.
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq 22
access-list 100 permit tcp any any eq 22
access-list 100 permit udp any any eq ntp
! "log" turns each match into a syslog message; the only logged entry here.
access-list 100 deny tcp any any eq 139 log
access-list 100 permit tcp any any eq 123
access-list 100 permit tcp any any eq nntp
access-list 100 permit tcp any any eq finger
access-list 100 permit udp any any eq 119
access-list 100 permit tcp any any eq talk
access-list 100 permit tcp any any eq pop3
access-list 100 permit udp any any eq 110
access-list 100 permit udp any any eq talk
access-list 100 permit tcp any any eq 8080
access-list 100 permit udp any any eq 8080
access-list 100 permit tcp any any eq www
! Both "gt 1023" entries open the whole ephemeral range.
access-list 100 permit tcp any any gt 1023
access-list 100 permit udp any any gt 1023
! "***" is not IOS syntax and would be rejected on paste; it looks like
! emphasis added by the page author - remove it before using the line.
*** access-list 100 deny tcp any any eq smtp
access-list 100 permit tcp any any eq irc
access-list 100 permit tcp any any eq login
access-list 100 permit tcp any any eq ident
access-list 100 permit tcp any any eq 114
access-list 100 permit tcp any any eq 518
access-list 100 permit udp any any eq 518
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit udp any any eq syslog
! Permits every ICMP type; the named-ACL example further down this page
! restricts ICMP to specific types instead. Every IOS ACL ends with an
! implicit "deny ip any any".
access-list 100 permit icmp any any 

Sample ACL Setup

! Reflexive-ACL pair (addresses anonymised as abc.xyz): internet-outbound
! records outbound sessions from abc.xyz.250.0/24 in the reflect list
! "internet-iptraffic"; internet-inbound statically permits the services
! below, admits return traffic via "evaluate internet-iptraffic", and logs
! everything else with a final deny.
ip access-list extended internet-inbound
! Checks only the ACK/RST bits; the reflexive "evaluate" near the end is the
! stateful check.
 permit tcp any any established
 permit ospf host abc.xyz.90.49 any
! Protocol 41 = IPv6-in-IPv4 tunnels (6to4/6in4).
 permit 41 any any
 permit pim any any
! Anti-spoofing: loopback, RFC 1918 and the site's own abc.xyz.250.0/24 are
! never legitimate sources from the outside; each hit is logged.
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip abc.xyz.250.0 0.0.0.255 any log
! Multicast (224.0.0.0/4).
 permit ip any 224.0.0.0 15.255.255.255
! NOTE(review): three hosts are permitted for any IP protocol to any
! destination - presumably management or monitoring hosts; confirm they
! still need unrestricted access.
 permit ip host abc.xyz.60.21 any
 permit ip host abc.xyz.82.25 any
 permit ip host abc.xyz.82.30 any
! Public services on the .250.5/.250.6 server pair (NNTP, port 120, web,
! DNS, SMTP, POP3), then ident, SSH and FTP across the server subnet.
 permit tcp any host abc.xyz.250.5 eq nntp
 permit tcp any host abc.xyz.250.5 eq 120
 permit tcp any host abc.xyz.250.6 eq nntp
 permit tcp any host abc.xyz.250.6 eq 120
 permit tcp any host abc.xyz.250.5 eq www
 permit tcp any host abc.xyz.250.6 eq www
 permit udp any host abc.xyz.250.5 eq domain
 permit udp any host abc.xyz.250.6 eq domain
 permit tcp any host abc.xyz.250.5 eq smtp
 permit tcp any host abc.xyz.250.6 eq smtp
 permit tcp any host abc.xyz.250.5 eq pop3
 permit tcp any host abc.xyz.250.6 eq pop3
 permit tcp any abc.xyz.250.0 0.0.0.255 eq ident
 permit udp any abc.xyz.250.0 0.0.0.255 eq 113
 permit tcp any host abc.xyz.253.51 eq 22
 permit tcp any abc.xyz.250.0 0.0.0.255 eq 22
 permit udp any abc.xyz.250.0 0.0.0.255 eq 22
 permit tcp any host abc.xyz.250.5 eq ftp
 permit tcp any host abc.xyz.250.5 eq ftp-data
 permit tcp any host abc.xyz.250.6 eq ftp
 permit tcp any host abc.xyz.250.6 eq ftp-data
! NOTE(review): the next block matches sources inside abc.xyz (60.0/23,
! 156.0/24) on an inbound list - X11 (6000), BOOTP, RPC/NetBIOS/SMB
! (135-139, 445). Either those ranges arrive on this interface or the
! entries are no-ops; confirm which.
 permit tcp abc.xyz.60.0 0.0.1.255 any eq 6000
 permit tcp abc.xyz.156.0 0.0.0.255 any eq 6000
 permit udp abc.xyz.0.0 0.0.255.255 any eq bootps
 permit tcp abc.xyz.60.0 0.0.1.255 any range 135 139
 permit udp abc.xyz.60.0 0.0.1.255 any range 135 netbios-ss
 permit tcp abc.xyz.60.0 0.0.1.255 any eq 445
 permit udp abc.xyz.60.0 0.0.1.255 any eq 445
 permit tcp abc.xyz.156.0 0.0.0.255 any range 135 139
 permit udp abc.xyz.156.0 0.0.0.255 any range 135 netbios-ss
 permit tcp abc.xyz.156.0 0.0.0.255 any eq 445
 permit udp abc.xyz.156.0 0.0.0.255 any eq 445
 permit udp any abc.xyz.250.0 0.0.0.255 eq 4755
! NTP and TFTP from any source to any destination; TFTP is unauthenticated,
! so confirm it must be reachable from outside at all.
 permit udp any any eq ntp
 permit udp any any eq tftp
! ICMP limited to the types needed for PMTUD, ping and traceroute - the
! restrictive alternative to "permit icmp any any".
 permit icmp any abc.xyz.250.0 0.0.0.255 administratively-prohibited
 permit icmp any abc.xyz.250.0 0.0.0.255 echo
 permit icmp any abc.xyz.250.0 0.0.0.255 echo-reply
 permit icmp any abc.xyz.250.0 0.0.0.255 packet-too-big
 permit icmp any abc.xyz.250.0 0.0.0.255 time-exceeded
 permit icmp any abc.xyz.250.0 0.0.0.255 traceroute
 permit icmp any abc.xyz.250.0 0.0.0.255 unreachable
! Infrastructure/management host pairs permitted for any IP protocol.
 permit ip host abc.xyz.90.49 host abc.xyz.90.50
 permit ip host abc.xyz.90.49 host abc.xyz.250.1
 permit ip host abc.xyz.90.49 host abc.xyz.253.51
 permit ip abc.xyz.60.0 0.0.1.255 host abc.xyz.253.51
 permit ip abc.xyz.60.0 0.0.1.255 host abc.xyz.250.1
 permit ip abc.xyz.60.0 0.0.1.255 host abc.xyz.90.50
 permit ip abc.xyz.156.0 0.0.1.255 host abc.xyz.253.51
 permit ip abc.xyz.156.0 0.0.1.255 host abc.xyz.250.1
 permit ip abc.xyz.156.0 0.0.1.255 host abc.xyz.90.50
 permit ip abc.xyz.250.0 0.0.0.255 host abc.xyz.253.51
 permit ip abc.xyz.250.0 0.0.0.255 host abc.xyz.250.1
 permit ip abc.xyz.250.0 0.0.0.255 host abc.xyz.90.50
! Admit replies to sessions recorded by internet-outbound's "reflect".
 evaluate internet-iptraffic 
! Explicit logged deny: anything not matched above is dropped and logged
! (the implicit deny would drop silently).
 deny   ip any any log


! Outbound: every IP session from abc.xyz.250.0/24 is permitted and recorded
! in the reflexive list that internet-inbound evaluates.
ip access-list extended internet-outbound
 permit ip abc.xyz.250.0 0.0.0.255 any reflect internet-iptraffic

PacNOG Workshop Router

! PacNOG workshop gateway "gw", IOS 12.3, as captured by "show running-config".
! Secrets are redacted as xxxx in this listing.
Current configuration : 9415 bytes
!
! Last configuration change at 13:13:25 Fiji Sat Jun 25 2005 by philip
! NVRAM config last updated at 13:13:26 Fiji Sat Jun 25 2005 by philip
!
version 12.3
service nagle
! X.25 PAD service off.
no service pad
! Keepalives in both directions reap dead TCP sessions (e.g. abandoned
! vty logins).
service tcp-keepalives-in
service tcp-keepalives-out
! Millisecond, zone-qualified timestamps with the year keep log lines
! correlatable with other systems during incident review.
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
! Applies only reversible type-7 encoding to plaintext passwords in the
! config (e.g. the BGP neighbor password below); it is obfuscation, not a
! hash. The "secret" lines below are hashed independently of this setting.
service password-encryption
! Exposes Cisco-internal/undocumented commands; normally left off outside a
! lab - confirm it is intended here.
service internal
!
hostname gw
!
boot-start-marker
boot-end-marker
!
! 8 KiB in-memory log at debug level, console logging off. Note that no
! "logging host" appears anywhere in this configuration, so the buffer is
! the only log record.
logging buffered 8192 debugging
no logging console
! Type 5 = salted MD5 hash of the enable password (value redacted).
enable secret 5 xxxx
!
! Local account used by "aaa authentication login default local"; type 5 hash.
username philip secret 5 xxxx
clock timezone Fiji 12
no network-clock-participate slot 1 
no network-clock-participate wic 0 
aaa new-model
!
!
! Logins: local user database first, enable secret as the fallback method.
aaa authentication login default local enable
aaa authentication enable default enable
aaa session-id common
ip subnet-zero
! Drops packets carrying IP source-route options - standard hardening.
no ip source-route
! At most one ICMP unreachable (and one DF unreachable) per 2000 ms.
ip icmp rate-limit unreachable 2000
ip icmp rate-limit unreachable DF 2000
!
!
ip tcp path-mtu-discovery
!
!
ip cef
no ip bootp server
ip domain name pacnog.school.fj
ip name-server 202.62.124.238
ip name-server 202.62.120.4
ip ips po max-events 100
! SCP server for config/image transfer over SSH; the FTP server is left
! read-only below, and HTTP/HTTPS management is disabled further down.
ip scp server enable
ipv6 unicast-routing
! 6to4 prefix derived from Serial0/0's IPv4 address; referenced as "pacnog"
! by the Tunnel2002 and FastEthernet0/0 ipv6 addresses.
ipv6 general-prefix pacnog 6to4 Serial0/0
ipv6 cef
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
!
!
!
! 6to4 tunnel sourced from the upstream serial; IPv6 filtering is applied
! here via the ipv6-in/ipv6-out access lists defined later in the config.
interface Tunnel2002
 no ip address
 no ip redirects
 ipv6 address pacnog ::1/64
 ipv6 traffic-filter ipv6-in in
 ipv6 traffic-filter ipv6-out out
 tunnel source Serial0/0
 tunnel mode ipv6ip 6to4
!
! Core LAN. 192.168.1.0/24 (secondary) is the NAT inside range matched by
! access-list 10; 202.62.122.0/27 is the routed range that access-list 1
! allows onto the vty lines.
interface FastEthernet0/0
 description PacNOG core LAN
 ip address 192.168.1.254 255.255.255.0 secondary
 ip address 202.62.122.30 255.255.255.224
! Redirects, proxy-ARP and CDP off on the LAN side - sensible defaults for
! a user-facing segment.
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
! NetFlow accounting on the inside interface.
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
 ipv6 address pacnog ::1:0:0:0:1/64
 no cdp enable
!
! Upstream link: ACL 100 filters inbound and ACL 101 outbound (both defined
! further down); this is also the NAT outside interface and the 6to4 source.
interface Serial0/0
 description ADSL link to Connect.com.fj
 ip address 202.62.125.62 255.255.255.252
 ip access-group 100 in
 ip access-group 101 out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
! NOTE(review): "loopback" puts the serial interface into loopback test
! mode, which looks like a leftover on a live upstream link - confirm.
 loopback
 fair-queue
!
! Workshop trunk: one dot1Q subinterface per student router (VLANs 11-24),
! each a /30 out of 192.168.250.0/23 used as an eBGP peering link below.
! No ACLs are applied on these subinterfaces and, unlike FastEthernet0/0,
! they keep the default redirects/proxy-ARP behaviour - presumably
! acceptable for a lab segment; confirm.
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
!
interface FastEthernet0/1.11
 encapsulation dot1Q 11
 ip address 192.168.250.1 255.255.255.252
!
interface FastEthernet0/1.12
 encapsulation dot1Q 12
 ip address 192.168.251.1 255.255.255.252
!
interface FastEthernet0/1.13
 encapsulation dot1Q 13
 ip address 192.168.250.5 255.255.255.252
!
interface FastEthernet0/1.14
 encapsulation dot1Q 14
 ip address 192.168.251.5 255.255.255.252
!
interface FastEthernet0/1.15
 encapsulation dot1Q 15
 ip address 192.168.250.9 255.255.255.252
!
interface FastEthernet0/1.16
 encapsulation dot1Q 16
 ip address 192.168.251.9 255.255.255.252
!
interface FastEthernet0/1.17
 encapsulation dot1Q 17
 ip address 192.168.250.13 255.255.255.252
!
interface FastEthernet0/1.18
 encapsulation dot1Q 18
 ip address 192.168.251.13 255.255.255.252
!
interface FastEthernet0/1.19
 encapsulation dot1Q 19
 ip address 192.168.250.17 255.255.255.252
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.251.17 255.255.255.252
!
interface FastEthernet0/1.21
 encapsulation dot1Q 21
 ip address 192.168.250.21 255.255.255.252
!
interface FastEthernet0/1.22
 encapsulation dot1Q 22
 ip address 192.168.251.21 255.255.255.252
!
interface FastEthernet0/1.23
 encapsulation dot1Q 23
 ip address 192.168.250.25 255.255.255.252
!
interface FastEthernet0/1.24
 encapsulation dot1Q 24
 ip address 192.168.251.25 255.255.255.252
!
! Unused serial, administratively down.
interface Serial0/1
 no ip address
 shutdown
!
! eBGP to the fourteen workshop routers (AS 1-14) through one peer-group,
! each peer on its own /30 from the FastEthernet0/1 subinterfaces.
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 bgp deterministic-med
! The "network" statements need a matching route in the table; the
! "ip route ... Null0 254" floating statics further down supply it.
 network 192.168.250.0 mask 255.255.254.0
 network 202.62.122.0 mask 255.255.255.224
 neighbor ebgp-peers peer-group
 neighbor ebgp-peers description eBGP peers
! TCP MD5 session password stored with type-7 encoding, which is reversible
! rather than hashed - a published config discloses the key. Treat it as
! disclosed and rotate it if it was ever used outside the lab.
 neighbor ebgp-peers password 7 02050D480809
! Every peer receives a default route originated by this router.
 neighbor ebgp-peers default-originate 
 neighbor 192.168.250.2 remote-as 1
 neighbor 192.168.250.2 peer-group ebgp-peers
 neighbor 192.168.250.6 remote-as 3
 neighbor 192.168.250.6 peer-group ebgp-peers
 neighbor 192.168.250.10 remote-as 5
 neighbor 192.168.250.10 peer-group ebgp-peers
 neighbor 192.168.250.14 remote-as 7
 neighbor 192.168.250.14 peer-group ebgp-peers
 neighbor 192.168.250.18 remote-as 9
 neighbor 192.168.250.18 peer-group ebgp-peers
 neighbor 192.168.250.22 remote-as 11
 neighbor 192.168.250.22 peer-group ebgp-peers
 neighbor 192.168.250.26 remote-as 13
 neighbor 192.168.250.26 peer-group ebgp-peers
 neighbor 192.168.251.2 remote-as 2
 neighbor 192.168.251.2 peer-group ebgp-peers
 neighbor 192.168.251.6 remote-as 4
 neighbor 192.168.251.6 peer-group ebgp-peers
 neighbor 192.168.251.10 remote-as 6
 neighbor 192.168.251.10 peer-group ebgp-peers
 neighbor 192.168.251.14 remote-as 8
 neighbor 192.168.251.14 peer-group ebgp-peers
 neighbor 192.168.251.18 remote-as 10
 neighbor 192.168.251.18 peer-group ebgp-peers
 neighbor 192.168.251.22 remote-as 12
 neighbor 192.168.251.22 peer-group ebgp-peers
 neighbor 192.168.251.26 remote-as 14
 neighbor 192.168.251.26 peer-group ebgp-peers
! Administrative distance 200 for external/internal/local BGP routes makes
! anything learned via BGP less preferred than the statics in this config.
 distance bgp 200 200 200
 no auto-summary
!
ip classless
! Default via the upstream serial; "permanent" keeps the route installed
! even while the interface is down.
ip route 0.0.0.0 0.0.0.0 Serial0/0 permanent
! Blackhole routes for private, loopback, link-local and TEST-NET space so
! packets toward them never follow the default route out of the upstream link.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
! Floating (AD 254) aggregates that anchor the BGP "network" statements.
ip route 192.168.250.0 255.255.254.0 Null0 254
ip route 202.62.122.0 255.255.255.224 Null0 254
!
!
! No web management on the router, plain or TLS.
no ip http server
no ip http secure-server
! PAT: 192.168.1.0/24 (access-list 10) is translated to Serial0/0's address.
ip nat inside source list 10 interface Serial0/0 overload
!
! Trap level is set, but no "logging host" appears in this configuration,
! so nothing is shipped to a syslog collector; the buffered log is the only
! record and is lost on reload.
logging trap debugging
! Access-list 1: IPv4 sources allowed onto the vty lines (core LAN only).
access-list 1 permit 202.62.122.0 0.0.0.31
access-list 1 deny   any
! Access-list 10: NAT inside source range.
access-list 10 permit 192.168.1.0 0.0.0.255
! Access-list 100, applied inbound on Serial0/0.
! Anti-spoofing: private, loopback, link-local and the router's own LAN
! prefix are never valid source addresses arriving from upstream.
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip 169.254.0.0 0.0.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 202.62.122.0 0.0.0.31 any
! Looks like a 2005-era worm/backdoor port blocklist (RPC/NetBIOS/SMB,
! MS-SQL resolution, proxy and backdoor ports); none of these are logged.
access-list 100 deny   tcp any any eq 81
access-list 100 deny   udp any any eq netbios-ns
access-list 100 deny   tcp any any eq 135
access-list 100 deny   tcp any any eq 139
access-list 100 deny   tcp any any eq 445
access-list 100 deny   tcp any any eq 1025
access-list 100 deny   tcp any any eq 1337
access-list 100 deny   udp any any eq 1434
access-list 100 deny   tcp any any eq 2745
access-list 100 deny   tcp any any eq 3001
access-list 100 deny   tcp any any eq 3127
access-list 100 deny   tcp any any eq 3128
access-list 100 deny   tcp any any eq 4662
access-list 100 deny   tcp any any eq 5000
access-list 100 deny   tcp any any eq 6129
! All ICMP types are allowed in; the named-ACL example earlier on this page
! shows the more restrictive per-type alternative.
access-list 100 permit icmp any any
! NFS must be denied before the "gt 1023" permit below, since 2049 falls
! inside that range - ordering matters here.
access-list 100 deny   udp any any eq 2049
! "established" only checks the ACK/RST bits; it is not stateful.
access-list 100 permit tcp any any established
! Opens every UDP port above 1023 on every inside host (needed for DNS/NTP
! replies without stateful inspection, but it is a broad hole).
access-list 100 permit udp any any gt 1023
! Tunnel and VPN protocols: IP-in-IP, 6to4 (protocol 41), GRE, ESP, IKE.
access-list 100 permit ipinip any any
access-list 100 permit 41 any any
access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit udp any eq isakmp any eq isakmp
! Inbound services: SSH, ident, NTP and DNS to any inside host.
access-list 100 permit tcp any any eq 22
access-list 100 permit tcp any any eq ident
access-list 100 permit udp any any eq ntp
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
! NOTE(review): these two match on the source port only (active-mode FTP
! data and control). A source-port-only permit is satisfied by any sender,
! so it also admits traffic to the ports denied above. Prefer stateful
! inspection or a reflexive ACL for FTP, as in the example earlier on this
! page.
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any eq ftp any
! Logged catch-all deny (the implicit deny would drop silently).
access-list 100 deny   ip any any log
! Access-list 101, applied outbound on Serial0/0: the same port blocklist,
! then egress anti-spoofing - only the link /30 and the core LAN may be
! sources (NATed 192.168.1.0/24 leaves as Serial0/0's address, inside .60/30).
access-list 101 deny   tcp any any eq 135
access-list 101 deny   udp any any eq netbios-ns
access-list 101 deny   tcp any any eq 139
access-list 101 deny   tcp any any eq 445
access-list 101 deny   tcp any any eq 1025
access-list 101 deny   tcp any any eq 1337
access-list 101 deny   udp any any eq 1434
access-list 101 deny   tcp any any eq 2745
access-list 101 deny   tcp any any eq 3001
access-list 101 deny   tcp any any eq 3127
access-list 101 deny   tcp any any eq 3128
access-list 101 deny   tcp any any eq 4662
access-list 101 deny   tcp any any eq 5000
access-list 101 deny   tcp any any eq 6129
access-list 101 permit ip 202.62.125.60 0.0.0.3 any
access-list 101 permit ip 202.62.122.0 0.0.0.31 any
access-list 101 deny   ip any any log
! IPv6: 6to4 space via the tunnel, everything else via a 6to4 relay address.
ipv6 route 2002::/16 Tunnel2002
ipv6 route ::/0 2002:806B:F0FE::1
!
!
!
! Inbound IPv6 filter for Tunnel2002.
ipv6 access-list ipv6-in
 deny tcp any any eq 135
 deny tcp any any eq 445
! All ICMPv6 in; this also covers neighbor discovery, which matters because
! of the explicit final deny (see below).
 permit icmp any any
 permit tcp any any established
 permit tcp any any eq 22
 permit tcp any any eq www
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq 143
 permit tcp any any eq 5901
 permit tcp any any eq domain
 permit udp any any eq domain
 permit udp any any eq ntp
! NOTE(review): UDP port 5 is an unusual service to open; possibly a typo -
! confirm what it is for.
 permit udp any any eq 5
 permit udp any eq isakmp any eq isakmp
! As in ACL 100, NFS is denied before the broad "gt 1023" permit.
 deny udp any any eq 2049
 permit udp any any gt 1023
! NOTE(review): an explicit trailing deny replaces the implicit tail IOS adds
! to IPv6 ACLs (including its neighbor-discovery permits), so ND here relies
! on the "permit icmp any any" above - confirm on the platform in use.
 deny ipv6 any any log
!
! Outbound IPv6 filter: only NetBIOS name/datagram service is blocked.
ipv6 access-list ipv6-out
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-dgm
 permit ipv6 any any
!
! IPv6 vty access: 2002:CA3E:7D3E::/48 is the 6to4 prefix of Serial0/0's
! address 202.62.125.62, so subnet 1 is the core LAN's own /64
! (FastEthernet0/0's "pacnog ::1:0:0:0:1/64").
ipv6 access-list vty
 permit ipv6 2002:CA3E:7D3E:1::/64 any
 deny ipv6 any any log
!
control-plane
!
!
!
!
!
!
!
!
! Pre-authentication banner shown on console and vty logins.
banner login ^C
PacNOG Workshop Router - Unauthorised access prohibited!^C
!
! Console: no outbound protocol is assumed; only SSH may be started from it.
line con 0
 transport preferred none
 transport output ssh
! NOTE(review): the aux port keeps IOS defaults (exec enabled); if nothing is
! attached, "no exec" and "transport input none" would close it off.
line aux 0
! Remote access: IPv4 sources limited by access-list 1, IPv6 by the "vty"
! list, inbound SSH only (no telnet in). Outbound telnet from the router is
! still allowed. No exec-timeout is set, so the IOS default idle timeout
! applies.
line vty 0 4
 access-class 1 in
 ipv6 access-class vty in
 transport preferred none
 transport input ssh
 transport output telnet ssh
!
! "ntp clock-period" is written by IOS itself - do not hand-edit.
ntp clock-period 17208515
! Single, unauthenticated NTP source (no "ntp authenticate"/"ntp trusted-key").
ntp server 202.62.124.238
!
end

gw#