
Set ‘ip access-list extended’ to Forbid Private Source Addresses from External Networks – ‘Deny 0.0.0.0’

Details

This command places the router in access-list configuration mode, where you must define the denied or permitted access conditions by using the deny and permit commands.

Solution

Configure an extended ACL that denies packets whose source address is a private, loopback, link-local, documentation, multicast or broadcast address (or one of your own internal networks), permits only the traffic you expect, ends with an explicit logged deny, and apply it inbound on the external interface.
hostname(config)#ip access-list extended {name | number}
hostname(config-nacl)#deny ip {internal_networks} any log
hostname(config-nacl)#deny ip 127.0.0.0 0.255.255.255 any log
hostname(config-nacl)#deny ip 10.0.0.0 0.255.255.255 any log
hostname(config-nacl)#deny ip 0.0.0.0 0.255.255.255 any log
hostname(config-nacl)#deny ip 172.16.0.0 0.15.255.255 any log
hostname(config-nacl)#deny ip 192.168.0.0 0.0.255.255 any log
hostname(config-nacl)#deny ip 192.0.2.0 0.0.0.255 any log
hostname(config-nacl)#deny ip 169.254.0.0 0.0.255.255 any log
hostname(config-nacl)#deny ip 224.0.0.0 31.255.255.255 any log
hostname(config-nacl)#deny ip host 255.255.255.255 any log
hostname(config-nacl)#permit {protocol} {source_ip} {source_mask} {destination} {destination_mask} log
hostname(config-nacl)#deny ip any any log
hostname(config)#interface {external_interface}
hostname(config-if)#ip access-group {name | number} in
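The following Python audit script is an added example, not part of the CIS benchmark or of Cisco's tooling. It reads the text of a `show running-config` (here two small constructed excerpts), converts each IOS address/wildcard pair into a network, and checks that the ACL applied inbound on the named external interface contains every required deny from the list above with `log`, that no earlier `permit` shadows a deny, and that the list ends with `deny ip any any log`. The interface name, ACL name and the 203.0.113.0/24 "internal" range in the samples are constructed placeholders.

```python
"""Audit a Cisco IOS running-config for the CIS 'deny private source addresses' ACL."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Source ranges the benchmark requires to be denied inbound, as (address, IOS wildcard).
REQUIRED_DENIES: List[Tuple[str, str]] = [
    ("127.0.0.0", "0.255.255.255"), ("10.0.0.0", "0.255.255.255"),
    ("0.0.0.0", "0.255.255.255"), ("172.16.0.0", "0.15.255.255"),
    ("192.168.0.0", "0.0.255.255"), ("192.0.2.0", "0.0.0.255"),
    ("169.254.0.0", "0.0.255.255"), ("224.0.0.0", "31.255.255.255"),
    ("255.255.255.255", "0.0.0.0"),  # equivalent to 'host 255.255.255.255'
]

ACL_HEADER = re.compile(r"^ip access-list extended (\S+)\s*$")
ENTRY = re.compile(r"^\s+(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*)$")  # optional sequence number
IFACE = re.compile(r"^interface (\S+)\s*$")
GROUP = re.compile(r"^\s+ip access-group (\S+) (in|out)\s*$")


@dataclass
class Entry:
    action: str
    protocol: str
    source: Optional[ipaddress.IPv4Network]  # None means 'any'
    logged: bool


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """An IOS wildcard mask is the bitwise inverse of a subnet mask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_source(tokens: List[str]) -> Tuple[Optional[ipaddress.IPv4Network], List[str]]:
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Map each extended ACL name to its ordered entries (remarks are skipped)."""
    acls: Dict[str, List[Entry]] = {}
    current = None
    for line in config.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if not line.startswith(" "):  # '!' or another top-level command ends the block
            current = None
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            action, proto, rest = m.groups()
            source, remaining = parse_source(rest.split())
            acls[current].append(Entry(action, proto, source, "log" in remaining))
    return acls


def parse_access_groups(config: str) -> Dict[Tuple[str, str], str]:
    """Map (interface, direction) to the ACL name applied there."""
    groups: Dict[Tuple[str, str], str] = {}
    current = None
    for line in config.splitlines():
        m = IFACE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None
            continue
        m = GROUP.match(line)
        if m and current is not None:
            groups[(current, m.group(2))] = m.group(1)
    return groups


def audit(config: str, external_interface: str) -> List[str]:
    """Return findings for the inbound ACL on the interface; an empty list means compliant."""
    acl_name = parse_access_groups(config).get((external_interface, "in"))
    if acl_name is None:
        return [f"{external_interface}: no inbound ip access-group applied"]
    entries = parse_acls(config).get(acl_name)
    if entries is None:
        return [f"{external_interface}: inbound ACL '{acl_name}' is not defined"]
    findings: List[str] = []
    for addr, wildcard in REQUIRED_DENIES:
        wanted = wildcard_to_network(addr, wildcard)
        covered = False
        for e in entries:  # ACLs match top-down, so order matters
            if e.action == "permit" and (e.source is None or e.source.overlaps(wanted)):
                break  # an earlier permit would match these sources first
            if (e.action == "deny" and e.protocol == "ip" and e.source is not None
                    and wanted.subnet_of(e.source)):
                if not e.logged:
                    findings.append(f"{acl_name}: deny for {wanted} is not logged")
                covered = True
                break
        if not covered:
            findings.append(f"{acl_name}: 'deny ip {addr} {wildcard} any log' missing or shadowed by a permit")
    last = entries[-1] if entries else None
    if last is None or not (last.action == "deny" and last.protocol == "ip"
                            and last.source is None and last.logged):
        findings.append(f"{acl_name}: does not end with 'deny ip any any log'")
    return findings


# Constructed sample configs (not from a real device).
COMPLIANT = """\
ip access-list extended EXTERNAL-IN
 deny ip 203.0.113.0 0.0.0.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 0.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 224.0.0.0 31.255.255.255 any log
 deny ip host 255.255.255.255 any log
 permit tcp any host 203.0.113.10 eq 443 log
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group EXTERNAL-IN in
!
"""

NONCOMPLIANT = """\
ip access-list extended EXTERNAL-IN
 10 deny ip 127.0.0.0 0.255.255.255 any log
 20 permit tcp any host 203.0.113.10 eq 443
 30 deny ip 10.0.0.0 0.255.255.255 any log
 40 deny ip any any
!
interface GigabitEthernet0/0
 ip access-group EXTERNAL-IN in
!
"""

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, audit(cfg, "GigabitEthernet0/0") or ["OK"])
```

The ordering check matters in practice: a `permit tcp any ...` placed above the deny lines lets TCP from private sources through even though every required `deny` is present, so the script reports those ranges as shadowed rather than merely counting deny statements.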

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Cisco.

Updated on July 16, 2022