Earlier we saw how to permit or deny hosts, networks, and subnets using ACLs. Now we will look at how to permit or deny traffic by source address, destination address, and protocol using extended ACLs. Two things to keep in mind throughout: each block below is a complete ACL on its own (typing several of them into one router would append every line into a single list 101, and the first matching line wins), and an ACL filters nothing until it is applied to an interface with ip access-group 101 in or ip access-group 101 out.

Permit Source Network:

access-list 101 permit ip 200.100.50.0 0.0.0.255 0.0.0.0 255.255.255.255
or
access-list 101 permit ip 200.100.50.0 0.0.0.255 any
Implicit deny ip any any

Deny Source Network:

access-list 101 deny ip 200.100.50.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
or
access-list 101 deny ip 200.100.50.0 0.0.0.255 any
access-list 101 permit ip any any
Implicit deny ip any any is present but irrelevant.

Permit Destination Network:

access-list 101 permit ip 0.0.0.0 255.255.255.255 200.100.50.0 0.0.0.255
or
access-list 101 permit ip any 200.100.50.0 0.0.0.255
Implicit deny ip any any

Deny Destination Network:

access-list 101 deny ip 0.0.0.0 255.255.255.255 200.100.50.0 0.0.0.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
or
access-list 101 deny ip any 200.100.50.0 0.0.0.255
access-list 101 permit ip any any
Implicit deny ip any any is present but irrelevant.

Permit one Source Network to another Destination Network:

Assume the only traffic you want is traffic from network 200.100.50.0 to network 150.75.0.0

access-list 101 permit ip 200.100.50.0 0.0.0.255 150.75.0.0 0.0.255.255
Implicit deny ip any any

To allow 2-way traffic between the networks, add this statement:

access-list 101 permit ip 150.75.0.0 0.0.255.255 200.100.50.0 0.0.0.255

Deny one Source Network to another Destination Network:

Assume you want to allow all traffic EXCEPT network 200.100.50.0 to network 150.75.0.0:

access-list 101 deny ip 200.100.50.0 0.0.0.255 150.75.0.0 0.0.255.255
access-list 101 permit ip any any

To deny 2-way traffic between the networks, add this statement:

access-list 101 deny ip 150.75.0.0 0.0.255.255 200.100.50.0 0.0.0.255

Deny FTP:

Assume you do not want anyone FTPing through the router. TCP port 21 is the FTP control channel, so denying it stops sessions from being set up at all; note that "eq 21" matches the destination port only:

access-list 101 deny tcp any any eq 21
access-list 101 permit ip any any
or
access-list 101 deny tcp any any eq ftp
access-list 101 permit ip any any

Deny Telnet:

Assume you do not want anyone telnetting through the router. This filters Telnet passing through the interface the ACL is applied to; to restrict Telnet to the router's own vty lines, use a standard ACL with access-class under line vty instead:

access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
or
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
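To see how the lines above are actually evaluated, here is an added example written for this page (not Cisco code and not part of the original post). It implements the matching rules the examples rely on: wildcard-mask comparison, first-match-wins ordering, the protocol and destination-port checks, and the implicit deny at the end of every list. The only assumptions are the IOS port keywords used on this page (ftp = 21, telnet = 23, www = 80) and a few constructed packets, which are run against the page's own ACLs, including one deliberately mis-ordered copy of the FTP list to show a permit shadowing a deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords that appear on this page (standard TCP port numbers).
PORT_KEYWORDS = {"ftp": 21, "telnet": 23, "www": 80}


def matches_wildcard(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    """One access-list entry, in the order the IOS syntax lists its fields."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches everything; "tcp"/"udp" only that protocol
    src_net: str
    src_wc: str
    dst_net: str
    dst_wc: str
    dst_port: Optional[int] = None   # set when the line ends in "eq <port>"


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (net, wildcard, next)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src_net, src_wc, i = _parse_addr(t, 4)
    dst_net, dst_wc, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_KEYWORDS.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src_net, src_wc, dst_net, dst_wc, port)


def evaluate(acl: list[str], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> str:
    """Walk the list top-down; the first matching line decides, else implicit deny."""
    for ace in map(parse_ace, acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not matches_wildcard(src, ace.src_net, ace.src_wc):
            continue
        if not matches_wildcard(dst, ace.dst_net, ace.dst_wc):
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action
    return "deny"   # the implicit "deny ip any any" at the end of every ACL


# The ACLs from this page, as constructed test input.
ACL_DENY_SRC = [
    "access-list 101 deny ip 200.100.50.0 0.0.0.255 any",
    "access-list 101 permit ip any any",
]
ACL_ONE_WAY = [
    "access-list 101 permit ip 200.100.50.0 0.0.0.255 150.75.0.0 0.0.255.255",
]
ACL_DENY_FTP = [
    "access-list 101 deny tcp any any eq ftp",
    "access-list 101 permit ip any any",
]
# Same two lines as ACL_DENY_FTP in the wrong order: the permit shadows the deny.
ACL_WRONG_ORDER = list(reversed(ACL_DENY_FTP))

if __name__ == "__main__":
    print(evaluate(ACL_DENY_SRC, "200.100.50.7", "150.75.1.1", "udp", 53))   # deny
    print(evaluate(ACL_DENY_SRC, "200.100.51.7", "150.75.1.1", "udp", 53))   # permit
    print(evaluate(ACL_ONE_WAY, "200.100.50.7", "150.75.1.1", "tcp", 443))   # permit
    print(evaluate(ACL_ONE_WAY, "150.75.1.1", "200.100.50.7", "tcp", 443))   # deny (implicit)
    print(evaluate(ACL_DENY_FTP, "10.0.0.1", "10.0.0.2", "tcp", 21))         # deny
    print(evaluate(ACL_DENY_FTP, "10.0.0.1", "10.0.0.2", "tcp", 22))         # permit
    print(evaluate(ACL_WRONG_ORDER, "10.0.0.1", "10.0.0.2", "tcp", 21))      # permit
```

The last case is the one that bites in practice: with permit ip any any on top, the deny line below it is never reached, and the FTP traffic gets through. The one-way ACL also shows why the return-direction permit line earlier on the page is needed: traffic from 150.75.0.0 back to 200.100.50.0 falls through to the implicit deny.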

Deny Website:

An ACL cannot match a hostname, so a line such as "deny tcp any any eq www.tiktok.com" is rejected by IOS. Resolve the site's address(es) first and deny traffic to those addresses on the web ports. Using 203.0.113.10 as a placeholder for one resolved address (www is the IOS keyword for TCP port 80; the number 80 works as well, and HTTPS needs 443 too):

access-list 101 deny tcp any host 203.0.113.10 eq www
access-list 101 deny tcp any host 203.0.113.10 eq 443
access-list 101 permit ip any any

Large sites have many addresses that change over time, so an address-based deny like this is a rough block, not a reliable one.

Youngster Company

Youngster Company is an Indian technology training and cybersecurity services firm based in Ahmedabad, Gujarat. Established in 2023, the company provides hands-on education and professional services across Linux, networking (CCNA / routing & switching), DevOps, cloud, ISO 27001 audits, penetration testing, digital forensics, and OSINT investigations. All tutorials and guides published here are written or reviewed by practitioners.