Access List.

Archived from groups: comp.security.firewalls (More info?)

In article <1127441738.956071.3210@g44g2000cwa.googlegroups.com>,
<kennylee88@gmail.com> wrote:
: Are the Access List on my 2701 router its same as PIX 501(6.3 ver)??

Cisco doesn't have a 27xx model line. If you are referring to a 2701
model from a different manufacturer, we need to know which
manufacturer.

Cisco used to offer 1601 and 2501 routers (but not 2601 or 3601.) Cisco still
offers a 1701 ADSL router; those aren't all that common. There is also
the relatively new Cisco 2801 router.

Access lists on the Cisco 1601, 2501, and 2801 router are NOT the
same as access lists on the PIX 501 -- but they are fairly
similar.

Access lists on the PIX use netmask style masks. Access lists
on Cisco's routers use "wildcard masks", which are 2's complement
of the netmask style.

access-list 110 permit ip 10.20.30.0 255.255.255.0 any
access-list 120 permit ip 10.20.30.0 0.0.0.255 any

110 is PIX style, 120 is IOS style.


Access lists on the PIX can be named or numbered, and there is
no special significance to the name or number (a number is just
an unusual name.)

Standard and extended ccess lists on Cisco's IOS are numbered,
and the number has significance. Standard access lists under IOS
do not look similar to PIX's access-lists. Extended access lists
under IOS have a fair bit in common with PIX access lists.
Cisco also offers named access lists that use a different syntax.

access-lists on PIX can use object-groups. I don't know if
object-groups have made it into any IOS version yet.

access-lists on IOS can reference various TCP flags.
access-lists on PIX through 6.x cannot reference any TCP flags.

Logging options are different between the two.

There are probably other differences as well.
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers