Intel 480T Switch User Manual


Chapter 17: Access Policies (page 321)
in conjunction with IP, it is technically not an IP data packet. Thus,
ICMP data traffic, such as ping traffic, is not affected.
Use this command to create the access-list:
    create access-list denyall ip destination any source any deny ports any
Figure 17.1: Access list denies all TCP and UDP traffic
Step 2 Allow TCP Traffic
The next set of access-list commands permits TCP-based traffic to
flow. Because each TCP session is bidirectional, an access list must be
defined for each direction of the traffic flow. UDP traffic is still
blocked.
Use these commands to create the access list defined for
bidirectional traffic flow:
    create access-list tcp1 tcp destination 10.10.20.100/32 ip any source 10.10.10.100/32 ip any permit qp1 ports any precedence 20
    create access-list tcp2 tcp destination 10.10.10.100/32 ip any source 10.10.20.100/32 ip any permit qp1 ports any precedence 21
Figure 17.2 illustrates the outcome of this access list.
Figure 17.2: Access list allows TCP traffic
[Figure 17.2 labels: TCP, UDP and ICMP traffic between 10.10.10.100 and 10.10.20.100]
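As an added illustration that is not part of the manual, the following Python model evaluates the three access lists from Steps 1 and 2 against sample packets, so the combined effect (TCP allowed both ways, UDP blocked, ICMP untouched) can be checked before the rules go on a switch. It assumes that rules with a precedence number are checked before the unnumbered catch-all deny, lowest number first, that an "ip" access list matches only TCP and UDP (the ICMP behaviour the text describes), and that traffic matching no rule is forwarded; the Rule class and evaluate() are hypothetical helpers, not switch commands.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    proto: str                     # "ip" (TCP and UDP), "tcp" or "udp"
    dst: ipaddress.IPv4Network
    src: ipaddress.IPv4Network
    action: str                    # "permit" or "deny"
    precedence: Optional[int]      # None = no precedence keyword given

ANY = ipaddress.ip_network("0.0.0.0/0")
H_A = ipaddress.ip_network("10.10.10.100/32")
H_B = ipaddress.ip_network("10.10.20.100/32")

# One Rule per "create access-list" command on this page.
RULES = [
    Rule("denyall", "ip", ANY, ANY, "deny", None),          # Step 1
    Rule("tcp1", "tcp", H_B, H_A, "permit", 20),            # Step 2, A -> B
    Rule("tcp2", "tcp", H_A, H_B, "permit", 21),            # Step 2, B -> A
]

def rule_matches(rule: Rule, proto: str, src, dst) -> bool:
    """True when the packet's protocol and addresses fall inside the rule."""
    if rule.proto == "ip":
        # Per the manual, an "ip" list does not see ICMP as IP data traffic.
        if proto not in ("tcp", "udp"):
            return False
    elif rule.proto != proto:
        return False
    return src in rule.src and dst in rule.dst

def evaluate(rules, proto: str, src: str, dst: str) -> str:
    """Return the action applied to a packet: 'permit' or 'deny'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Assumption: numbered rules first (lowest precedence value first),
    # then the catch-all rule that was created without a precedence.
    ordered = sorted(rules, key=lambda r: (r.precedence is None, r.precedence or 0))
    for rule in ordered:
        if rule_matches(rule, proto, src_ip, dst_ip):
            return rule.action
    return "permit"   # assumption: unmatched traffic is forwarded

if __name__ == "__main__":
    for proto in ("tcp", "udp", "icmp"):
        print(proto, evaluate(RULES, proto, "10.10.10.100", "10.10.20.100"))
```

Changing tcp2 to a deny, or deleting it, makes the reverse direction fail even though tcp1 still permits the forward packets, which is the bidirectional point the text makes.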