access list

hi
i am using packet tracer and want to implement some access list

i want to deny any traffic from network address 10.0.0.128/25 to network .... using extended access list .
these ar the commands that i use
ip access-li extended cisco
deny tcp 10.0.0.128 [subnet mask] [dest ip] [dest mask]
deny udp 10.0.0.128 [subnet mask] [dest ip] [dest mask]
deny icmp 10.0.0.128 [subnet mask] [dest ip] [dest mask]
deny ip 10.0.0.128 [subnet mask] [dest ip] [dest mask]
and these are loads of command to achive one point where i could achive it by using standard access list by typing
deny [ipadd] [mask] any any

is there any easier way to the my requirment insted of typing 4 line of command using extended access list
??

tnx

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

meadIT

I believe this line is the only one you would need for an extended ACL:

deny ip 10.0.0.128 [subnet mask] [dest ip] [dest mask]

You'll also have to follow it up with a permit ip any any or all packets from any host will be discarded. (If the packet does not match any part of the access list, it is denied by default)

Edit: Actually, you wouldn't need to include the subnet mask or anything like that, you would just need this:

deny ip host 10.0.0.128 any
permit ip any any

This will block any packets from the IP address addressed to any address, and then permit any other source to pass through.

linux44

meadIT wrote: »
I believe this line is the only one you would need for an extended ACL:

deny ip 10.0.0.128 [subnet mask] [dest ip] [dest mask]

You'll also have to follow it up with a permit ip any any or all packets from any host will be discarded. (If the packet does not match any part of the access list, it is denied by default)

Edit: Actually, you wouldn't need to include the subnet mask or anything like that, you would just need this:
deny ip host 10.0.0.128 any
permit ip any any
This will block any packets from the IP address addressed to any address, and then permit any other source to pass through.

i want to deny all the traffic and that mean udp,tcp,

are u trying to say that tcp is part of ip ?

networker050184

linux44 wrote: »

i want to deny all the traffic and that mean udp,tcp,

are u trying to say that tcp is part of ip ?

Deny ip is going to block any ip traffic including udp and tcp.

meadIT

linux44 wrote: »

i want to deny all the traffic and that mean udp,tcp,

are u trying to say that tcp is part of ip ?

I'm sure someone will correct me if I'm wrong, but yes. If you look at the syntax examples on this page you will notice that for IP you do not specify a port number, but you have to on TCP and UDP:Configuring IP Access Lists - Cisco Systems

Think of IP as blocking all TCP/IP traffic and TCP and UDP blocking certain ports. You also have to specify the type of ICMP traffic you are blocking/permitting (example: echo for pings).