10.4 Configuring Extended Access Lists
10.4.4 Extended access list examples
The next sections show two extended access list examples: one that lets Internet mail reach a mail host on the internal network, and a second that additionally permits Domain Name System (DNS) traffic and ping (ICMP echo requests and ICMP echo replies).
Lab Activity
  In this lab, you will learn the usage of standard access control lists.

Providing Internet Mail

In the figure, Ethernet interface 1 is part of a Class B network with the address 128.88.0.0, and the mail host address is 128.88.1.2. The keyword established is valid only for the TCP protocol and indicates an already established connection. A line with established matches if the TCP segment has the ACK or RST bit set, which indicates that the packet belongs to an existing connection. If ACK is not set and SYN is set, someone on the Internet is initiating a session; such a packet does not match the established line, and unless a later line permits it (as the line for SMTP to the mail host does), it falls through to the implicit deny at the end of the list and is dropped.

Providing DNS and Ping

The access list in the figure also permits name/domain server packets and ICMP echo and echo-reply packets.

The two middle lines permit UDP and TCP Domain Name System traffic (port 53). The last two lines in the access list allow ICMP echo and echo-reply messages, which are the messages exchanged by the ping command.

DNS normally uses UDP as its transport, but it switches to TCP when large responses must be returned. For this reason the filter explicitly permits DNS over both UDP and TCP; permitting only UDP port 53 would break those larger lookups.
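The figure that holds the actual access list is not reproduced on this page, so the following added example (not the original figure's text and not Cisco's code) reconstructs the list described in the two sections above in IOS access-list syntax and runs a small evaluator over constructed packets. It is meant to show why a bare SYN from the Internet is dropped, why return traffic with ACK set passes, and why DNS needs both the UDP and the TCP line. The list number 102, the `any` source, the order of the lines, and all addresses and ports in the sample packets are assumptions; only the addresses 128.88.0.0 and 128.88.1.2 come from the text.

```python
"""Evaluator for the extended access list described in this section.

Added example, not code from the original page: the ACL text is reconstructed
from the prose (list number 102 and source 'any' are assumptions), and every
packet below is a constructed test input.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional, Tuple

# Reconstructed from the text; number 102 and 'any' as source are assumed.
ACL_TEXT = """
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp any host 128.88.1.2 eq 25
access-list 102 permit udp any 128.88.0.0 0.0.255.255 eq 53
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 53
access-list 102 permit icmp any 128.88.0.0 0.0.255.255 echo
access-list 102 permit icmp any 128.88.0.0 0.0.255.255 echo-reply
"""

AddrSpec = Tuple[int, int]  # (address, wildcard mask) as 32-bit integers


@dataclass
class Packet:
    proto: str                            # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    dport: Optional[int] = None           # destination port for tcp/udp
    flags: FrozenSet[str] = frozenset()   # TCP flag names, e.g. {'SYN'}
    icmp_type: Optional[str] = None       # 'echo', 'echo-reply', ...


@dataclass
class Rule:
    action: str
    proto: str
    src: AddrSpec
    dst: AddrSpec
    port: Optional[int] = None
    established: bool = False
    icmp_type: Optional[str] = None


def ip_int(text: str) -> int:
    return int(IPv4Address(text))


def parse_addr(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip_int(tok[i + 1]), 0), i + 2
    return (ip_int(tok[i]), ip_int(tok[i + 1])), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Parse the subset of IOS 'access-list' syntax used above, keeping order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        src, i = parse_addr(tok, 4)
        dst, i = parse_addr(tok, i)
        rule = Rule(action=tok[2], proto=tok[3], src=src, dst=dst)
        while i < len(tok):
            if tok[i] == "eq":                  # port after dst = destination port
                rule.port, i = int(tok[i + 1]), i + 2
            elif tok[i] == "established":
                rule.established, i = True, i + 1
            elif tok[i] in ("echo", "echo-reply"):
                rule.icmp_type, i = tok[i], i + 1
            else:
                raise ValueError(f"unsupported option {tok[i]!r}")
        rules.append(rule)
    return rules


def addr_match(spec: AddrSpec, ip: str) -> bool:
    """Wildcard-mask match: 1 bits in the mask are 'don't care' bits."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return ip_int(ip) & care == addr & care


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if not (addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)):
        return False
    if rule.port is not None and pkt.dport != rule.port:
        return False
    # 'established' matches only segments with ACK or RST set; a bare SYN
    # (a new connection opened from outside) fails this test.
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    return True


RULES = parse_acl(ACL_TEXT)


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """First matching line wins; every IOS access list ends in an implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    outside, inside = "203.0.113.7", "128.88.5.5"   # constructed sample hosts
    for name, pkt in [
        ("SYN to mail host port 25", Packet("tcp", outside, "128.88.1.2", 25, frozenset({"SYN"}))),
        ("SYN to inside host port 80", Packet("tcp", inside and outside, inside, 80, frozenset({"SYN"}))),
        ("ACK reply to inside client", Packet("tcp", outside, inside, 40000, frozenset({"ACK"}))),
        ("UDP DNS", Packet("udp", outside, inside, 53)),
        ("ICMP echo", Packet("icmp", outside, inside, icmp_type="echo")),
    ]:
        print(f"{name:30} -> {evaluate(pkt)}")
```

Run the block directly to see the verdict for each sample packet. One caveat the evaluator makes visible: `established` inspects only the ACK and RST flag bits, not any connection state on the router, so a crafted packet with ACK set and no SYN (for example, an ACK to port 23 on an inside host that never opened a session) is permitted by the first line. Stateful filtering, which later IOS releases provide with reflexive access lists, is what closes that gap; the plain established keyword does not.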