"J. Johnson" wrote:

> I have another question.  Can I use the same access list group number for
> another IP address?  For example, I want to all the users to access
> 192.3.11.100 and only allow ftp for 192.3.10.10.
>
> access-list 110 permit ip any host 192.3.11.100
> access-list 110 permit tcp any host 192.3.10.10 eq ftp
>
>

Yes.  You may add as many lines as you like to access-list 110. Packets are
compared to each line in the access list until a match is made or the end
of the list is reached (which contains the implicit "deny any"). After you
apply the access-list to the interface you must have a line that will match
the incoming (or outgoing) packet or it will be dropped. Also keep in mind
that the longer the access list, the more CPU time it takes to forward the
packet. In long lists it is best to put the most frequently matched lines at
the top.

You still need to add another line for the ftp-data packets
to get through (as I pointed out in my previous, lengthy post):

access-list 110 permit tcp any host 192.3.10.10 eq ftp-data established
---

Adding the "gt 1023" to the source address is more specific
and slightly more secure.

access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq ftp
access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq ftp-data established

Also, you don't mention the interface on which you will apply the access
list. The above lists would work by adding "ip access-group 110 in" to
the incoming WAN interface or "ip access-group 110 out" to a single
ethernet LAN interface.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=25088&t=24525
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html