Configuring Cisco

Cisco router access lists



In this article we’re going to examine how to create and use access lists based on the scenario of connecting a small office network to the Internet with the help of a Cisco 881 router. The command syntax and configuration steps are going to be the same for routers of other models and series (1841, 2800, 3825, etc.), as well as for Layer 3 switches (3500, 4800, etc. series). The differences might come up in the interface configuration for each model.

For our sample network, we have:

  • several workstations and servers inside the office’s Local Area Network
  • Cisco 881 router
  • switch (used only to connect the LAN hosts, has no other configuration)

Our task: limit the traffic that passes through the router


Access lists by themselves do not limit any traffic or access. They simply define the traffic patterns for the router. Access lists take effect only when they are referenced by another function of a router.

A router uses the following logic: first we define what traffic is interesting for us (and should be examined), and then we define what to do with that traffic. In one scenario, an access list may define which IP address has the right to connect to the router remotely through the SSH protocol, while in another it will point to a route that will be distributed through dynamic routing protocols.

Limiting remote access to the router

This example shows how to use an access list to limit the access to the remote console, narrowing it down to only specific IP addresses. In this case, we’ll restrict access so only the IT administrator’s workstation can connect to the router for management.
First, create an access list ACL_REMOTE_ACCESS:
ip access-list standard ACL_REMOTE_ACCESS
permit host

Now, apply the access list for limiting the remote management, so that only IP address has the right to connect to the router:
line vty 0 4
access-class ACL_REMOTE_ACCESS in

Be very careful and double-check your code before applying the access list. If there is an error, the only way to correct it will be either by connecting through a console cable or resetting the router to factory defaults.

Limiting access to the Internet

If you need to limit the traffic from the Local Area Network to the Internet, you will have to create an access list and apply it to one of the router’s interfaces.
For example, imagine that you have to limit Internet access for users with the following:

  • Allow the Proxy server to access the Internet (HTTP and HTTPS protocols)
  • Allow the DNS server access to the Internet (TCP port 53 and UDP port 53)
  • Allow full Internet access for the administrator’s workstation
  • Allow all workstations ICMP protocol for the ping command

Create the following access list named ACL_INSIDE_IN and enter the access rules one by one:
ip access-list extended ACL_INSIDE_IN

Allow the DNS server to access the Internet:
permit udp host any eq 53
permit tcp host any eq 53

Allow the Proxy server to access the Internet:
permit tcp host any eq 80
permit tcp host any eq 443

Allow the administrator’s workstation full access:
permit ip host any

Allow ping for all workstations:
permit icmp  any

Deny all other connections:
deny  ip any any log

Notice how the ICMP (ping) rule is written. The subnet mask is written in inverted format on Cisco routers: instead of

The next step is to apply the created access list to the internal VLAN 1 interface and specify the direction as “in”, which means traffic coming into the router. The traffic direction is always specified from the point of view of the Cisco device. For future ease of administration, this concept is reflected in the name of the access list itself: ACL_INSIDE_IN is the access filter that limits traffic that comes into the inside interface.
interface Vlan 1
ip access-group ACL_INSIDE_IN in

After this, all access to the outside world will be controlled with the rules defined in the access list, given that NAT translation has been also configured, and configured correctly. You can read about configuring access to the Internet on a Cisco router here.

Checking the access list operation

You can check how the access list works by looking at how many hits each rule gets. After you have applied the access list ACL_INSIDE_IN to the interface VLAN 1, do a ping command from any workstation to any Internet address (for example, to From the privileged mode on the router (the # sign next to the hostname) type “show access-lists”. You will get an output with a counter next to each access list line:
R-DELTACONFIG#sh access-lists
Extended IP access list ACL_INSIDE_IN

60 permit icmp any any (4 estimate matches)
70 deny ip any any log

Important access list usage aspects:

  • An access list is made up of lines – rules that affect certain traffic
  • An access list that is applied to an interface limits only the traffic that passes through that interface
  • An access list can be applied to an interface in one of two directions: inbound or outbound
  • An access list can specify either only the source of the traffic (if the access list is standard type, the one that is used to limit access via SSH) or both the source and the destination of the traffic (in extended type, the one that is used for limiting access to the Internet)
  • You cannot apply more than one access list in a certain direction on an interface. So any interface may have a maximum of two access lists: one for inbound traffic, the other for outbound traffic. You must list all the necessary access rules for each direction in one access list.

Limiting access from the Internet to the inside network

For this example, we’ll create an access list for the outside interface and name it ACL_OUTSIDE_IN. We’ll allow the outside interface to reply to ping requests and drop all other incoming connections.
ip access-list extended ACL_OUTSIDE_IN
! allows ping
permit icmp any interface
! drops all other connections
deny   ip any any log

Apply the access list to the outside interface:
interface FastEthernet 4
ip access-group ACL_OUTSIDE_IN in

All access rules that are added later on for allowing traffic from inside or from outside should be added to the appropriate access list BEFORE the line
deny   ip any any log

If you add an access rule that allows certain traffic after the deny rule, it will have no effect whatsoever, because the router processes the access list lines successively until it gets the first match on the traffic defined.
The easiest way to change an access list is to enter the ACL configuration mode, add all the necessary rules, and then remove the last rule (deny ip any any log) and immediately add it back. This will allow for the deny rule to be always at the very end of the access list, while the other rules will appear in the order that you added them from top to bottom.
To illustrate this, let’s add HTTP access (TCP port 80) to the router:
ip access-list extended ACL_OUTSIDE_IN
permit tcp any interface eq 80
no deny   ip any any log
deny   ip any any log
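
The first-match behaviour described above can be reproduced off the router. The following Python sketch is an added example, not part of the original article: it parses a small extended access list, evaluates packets top to bottom with Cisco-style wildcard matching, keeps hit counters like "show access-lists", and reports lines that can never match because they sit after "deny ip any any". The ACL text and all addresses are constructed placeholders.

```python
import ipaddress

ANY = 0xFFFFFFFF  # wildcard with every bit set: all address bits are "don't care"

# Constructed ACL; 192.0.2.x addresses are placeholders, not the article's values.
ACL_TEXT = """\
permit udp host 192.0.2.10 any eq 53
permit tcp host 192.0.2.20 any eq 80
permit icmp 192.0.2.0 0.0.0.255 any
deny ip any any log
permit tcp host 192.0.2.30 any eq 443
"""

def addr_spec(tok):
    """Pop one address spec ('any', 'host A' or 'A WILDCARD') as (addr, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, ANY
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse_acl(text):
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = addr_spec(tok), addr_spec(tok)
        port = int(tok[1]) if tok[:1] == ["eq"] else None
        rules.append(dict(line=line, action=action, proto=proto,
                          src=src, dst=dst, port=port, hits=0))
    return rules

def wild_match(ip, spec):
    addr, wild = spec  # bits set in the wildcard are ignored in the comparison
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first matching rule and bump its hit counter."""
    for r in rules:
        if (r["proto"] in ("ip", proto) and wild_match(src, r["src"])
                and wild_match(dst, r["dst"]) and r["port"] in (None, dport)):
            r["hits"] += 1
            return r["action"]
    return "deny"  # implicit deny that ends every access list

def shadowed(rules):
    """Lines placed after an unconditional 'ip any any' entry can never match."""
    for i, r in enumerate(rules):
        if r["proto"] == "ip" and r["src"][1] == r["dst"][1] == ANY:
            return [x["line"] for x in rules[i + 1:]]
    return []
```

Running shadowed() over a saved copy of the list before pasting it into the router shows whether a newly added permit landed below the final deny.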

Permitting return traffic

After we apply the ACL_OUTSIDE_IN access list to the outside interface, you may notice that all access from the internal network to the Internet no longer works, unless it’s ping traffic. This is happening because the traffic is being filtered on both the internal (ACL_INSIDE_IN) and the external (ACL_OUTSIDE_IN) interface.
In order for return traffic (replies to requests from the local area network) to be allowed back into our network, we have to define protocols with the inspect function:
ip inspect name Internet http
ip inspect name Internet https
ip inspect name Internet dns
ip inspect name Internet icmp

The inspect rule set should be applied to the external interface:
interface FastEthernet 4
ip inspect Internet out

You can add more protocols to the inspection list later.
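
Why replies get through for some protocols and not others is easier to see in a model. This Python sketch is an added example, not part of the original article: it treats the inspect rule set as a table of tracked sessions in front of ACL_OUTSIDE_IN. It assumes a simplified port mapping for the four inspect keywords, ignores NAT, timeouts and TCP state, and uses constructed addresses.

```python
ROUTER_OUTSIDE = "203.0.113.1"   # constructed outside-interface address

# Model's assumed mapping of the article's four inspect keywords to (protocol, port).
INSPECT_INTERNET = {("tcp", 80), ("tcp", 443), ("udp", 53), ("icmp", None)}

def acl_outside_in(proto, dst):
    """ACL_OUTSIDE_IN as first written: ping to the router, then deny ip any any."""
    return "permit" if proto == "icmp" and dst == ROUTER_OUTSIDE else "deny"

class OutsideInterface:
    def __init__(self, inspected):
        self.inspected = set(inspected)
        self.sessions = set()

    def outbound(self, proto, src, sport, dst, dport):
        """Traffic leaving to the Internet (already permitted by ACL_INSIDE_IN)."""
        if {(proto, dport), (proto, None)} & self.inspected:
            self.sessions.add((proto, src, sport, dst, dport))
            return "tracked"
        return "untracked"

    def inbound(self, proto, src, sport, dst, dport):
        """Traffic arriving from the Internet: tracked replies bypass the ACL."""
        if (proto, dst, dport, src, sport) in self.sessions:
            return "permit"
        return acl_outside_in(proto, dst)

def round_trip(fw, proto, client, sport, server, dport):
    """Send a request out and feed the server's reply back in."""
    state = fw.outbound(proto, client, sport, server, dport)
    return state, fw.inbound(proto, server, dport, client, sport)
```

In this model an HTTPS round trip returns ("tracked", "permit"), while an SSH round trip from the administrator's workstation returns ("untracked", "deny") even though ACL_INSIDE_IN permits that host everything. Constructing the interface with INSPECT_INTERNET | {("tcp", None)} models adding generic tcp inspection to the rule set.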

I hope that this article has helped you to better understand how access lists work. Unfortunately, this seemingly simple subject is very hard to explain in plain language. If you still have questions or some points are left unclear, write me an email at or leave a question in the comments below.


Don’t forget to save the configuration on all devices with the “write” or “copy run start” command. Otherwise you will lose all configuration changes after the next reload.
Building configuration...


Great articles, Thank you!

