Always apply an extended access-list as close to the source as possible, so you don't waste bandwidth carrying traffic that will be dropped anyway.
Block traffic from network 192.168.2.0 /24 to network 192.168.1.0 /25, inbound on interface serial 0/0:
Router> en
Router# conf t
Router(config)# access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.127
(action, then protocol, then source with wildcard mask, then destination with wildcard mask)
Router(config)# access-list 100 permit ip any any
(same as "permit all" on a standard ACL; without it the implicit deny at the end drops everything else)
Router(config)# interface serial 0/0
Router(config-if)# ip access-group 100 in
Block 192.168.2.150 from reaching 192.168.1.100 on HTTP (80) and HTTPS (443), inbound on interface serial 0/0.
So we can change the access-list (number 100) above. IOS numbered the two existing entries 10 and 20, so the new host entries are given sequence numbers 11 and 12 to land between the deny and the permit:
Router(config)# ip access-list extended 100
Router(config-ext-nacl)# 11 deny tcp 192.168.2.150 0.0.0.0 192.168.1.100 0.0.0.0 eq 80
Router(config-ext-nacl)# 12 deny tcp 192.168.2.150 0.0.0.0 192.168.1.100 0.0.0.0 eq 443
Note that entry 10 already covers this host pair (192.168.2.150 is inside 192.168.2.0/24 and 192.168.1.100 is inside 192.168.1.0/25, i.e. .0 to .127), so entries 11 and 12 are only reached if entry 10 is removed; the match counters in show ip access-lists will confirm which entry is actually hit.
See if you have matches in the access-list with the command (privileged EXEC mode; from config mode prefix it with "do"):
Router# sh ip access-list
Use a named access-list to permit 192.168.2.0 /24 to access 172.16.0.100 only on SSH (22) and Telnet (23):
Router> en
Router# conf t
Router(config)# ip access-list extended LAN_SSH_TELNET
Router(config-ext-nacl)# permit tcp 192.168.2.0 0.0.0.255 host 172.16.0.100 range 22 23
Router(config-ext-nacl)# deny ip 192.168.2.0 0.0.0.255 host 172.16.0.100
Router(config-ext-nacl)# permit ip any any
As with the numbered list, it does nothing until it is applied to an interface with ip access-group LAN_SSH_TELNET in (or out, depending on where the traffic enters).
To allow only POP3 (110), IMAP (143) and SMTP (25) inbound to host 172.16.0.100, use:
Router(config-ext-nacl)# permit tcp any host 172.16.0.100 eq smtp
Router(config-ext-nacl)# permit tcp any host 172.16.0.100 eq pop3
Router(config-ext-nacl)# permit tcp any host 172.16.0.100 eq 143
(smtp and pop3 are IOS port keywords; IMAP has none, so 143 is given numerically)
Router(config-ext-nacl)# deny ip any host 172.16.0.100
(deny all other traffic to that host)
Router(config-ext-nacl)# permit ip any any
(to allow the other incoming traffic)
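As an added illustration, not part of the original notes and not IOS code, the Python model below evaluates the ACL 100 and LAN_SSH_TELNET entries above with Cisco wildcard-mask semantics, first match in sequence order and the implicit deny at the end, and includes a small audit that reports host entries an earlier entry already decides (entries 11 and 12 of ACL 100 are shadowed by entry 10). The Ace structure, the "host"/"any"/wildcard string forms and the sample packets are assumptions made for this example.

```python
from collections import namedtuple
from ipaddress import IPv4Address

# src/dst: "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z" (wildcard mask, 0 bit = must match)
# dports: None = all ports, eq N -> range(N, N+1), range A B -> range(A, B+1)
Ace = namedtuple("Ace", "seq action proto src dst dports", defaults=(None,))

def parse(spec):
    """(network, wildcard) as ints; 'any' = every bit don't-care, 'host X' = X 0.0.0.0."""
    if spec == "any":
        return 0, 0xFFFFFFFF
    net, wc = (spec[5:], "0.0.0.0") if spec.startswith("host ") else spec.split()
    return int(IPv4Address(net)), int(IPv4Address(wc))

def matches(spec, ip):
    """Cisco wildcard semantics: bits that are 0 in the mask must match exactly."""
    net, wc = parse(spec)
    return (net ^ int(IPv4Address(ip))) & (0xFFFFFFFF ^ wc) == 0

def evaluate(acl, proto, src, dst, dport):
    """First match in sequence order wins; no match at all is the implicit deny (seq None)."""
    for e in sorted(acl, key=lambda e: e.seq):
        if e.proto in ("ip", proto) and matches(e.src, src) and matches(e.dst, dst) \
                and (e.dports is None or dport in e.dports):
            return e.action, e.seq
    return "deny", None

def shadowed(acl):
    """Seqs of host-to-host, single-port entries that an earlier entry already decides."""
    out = []
    for e in acl:
        (s, sw), (d, dw) = parse(e.src), parse(e.dst)
        if sw == 0 and dw == 0 and e.dports is not None and len(e.dports) == 1:
            earlier = [x for x in acl if x.seq < e.seq]
            if evaluate(earlier, e.proto, str(IPv4Address(s)), str(IPv4Address(d)), e.dports[0])[1] is not None:
                out.append(e.seq)
    return out

# ACL 100 as built on this page (seq 11 and 12 were inserted between the original two entries).
ACL_100 = [
    Ace(10, "deny", "ip", "192.168.2.0 0.0.0.255", "192.168.1.0 0.0.0.127"),
    Ace(11, "deny", "tcp", "192.168.2.150 0.0.0.0", "192.168.1.100 0.0.0.0", range(80, 81)),
    Ace(12, "deny", "tcp", "192.168.2.150 0.0.0.0", "192.168.1.100 0.0.0.0", range(443, 444)),
    Ace(20, "permit", "ip", "any", "any"),
]
LAN_SSH_TELNET = [  # the named ACL from this page
    Ace(10, "permit", "tcp", "192.168.2.0 0.0.0.255", "host 172.16.0.100", range(22, 24)),
    Ace(20, "deny", "ip", "192.168.2.0 0.0.0.255", "host 172.16.0.100"),
    Ace(30, "permit", "ip", "any", "any"),
]
```

Calling shadowed(ACL_100) returns [11, 12], and evaluate(ACL_100, "tcp", "192.168.2.150", "192.168.1.100", 80) reports the hit on entry 10, which is what the match counters on the router would also show.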