Cisco Implementation of IP Packet Filters
 Cisco access lists filter on the source and/or destination address of a packet as 
well as on its protocol and service/port. Source and destination can each be given 
as a single IP address (keyword "host"), as a subnet (network plus wildcard mask), 
or as "any". The protocol keyword selects which IP protocol the line applies to:
	icmp = ICMP, e.g. ping
	udp  = UDP services, e.g. DNS and SNMP
	tcp  = TCP services, e.g. SMTP, FTP, telnet and HTTP
	ip   = any IP protocol (matches everything)

NOTE: Cisco access lists are evaluated top to bottom and the first matching line 
decides. Every list ends with what is called an "implicit deny", an invisible 
"deny ip any any": if an access is not explicitly permitted somewhere in the list, 
it is denied. The basic template for an extended access list (numbered 100-199) 
looks like this:
	access-list {access-list-number} {deny | permit} {ip | tcp | udp | icmp} 
	{source} {destination} [operator port [port]]
Here {source} and {destination} are each "any", "host <address>", or 
"<network> <wildcard-mask>"; a 1 bit in the wildcard mask means "don't care", so 
207.90.136.0 0.0.0.255 matches the whole class C. The optional operator (eq, gt, 
lt, range) tests the destination port (an operator placed right after the source 
tests the source port). The keyword "established" matches only TCP packets with 
the ACK or RST bit set, i.e. replies to connections opened from the inside, never 
a new connection attempt.
 
NOTE:  "!" starts a comment that continues to the end of the line. Here's a sample 
of what a customer might use (replace the *_IP_HERE placeholders with your own 
addresses):

! allow any responses from remote traffic initiated from inside LAN
access-list 101 permit tcp any any established

! allow pings to all machines
access-list 101 permit icmp any any

! allow smtp mail to local host
access-list 101 permit tcp any host SMTP_SERVER_IP_HERE eq 25

! allow ftp, telnet, and http to local host 
access-list 101 permit tcp any host FTP_SERVER_IP_HERE eq 21
access-list 101 permit tcp any host TELNET_SERVER_IP_HERE eq 23
access-list 101 permit tcp any host WEB_SERVER_IP_HERE eq 80

! allow active-mode ftp data connections (the remote server connects back to a
! random client port above 1023) and udp replies such as DNS answers
! CAUTION: these two lines also admit NEW connections to any tcp/udp port above
! 1023 on every inside host (e.g. NFS 2049, X11 6000); narrow them if you can
access-list 101 permit tcp any any gt 1023
access-list 101 permit udp any any gt 1023

! allow GeoNet (the ISP) to access the router; note these lines permit ALL ip
! traffic from these sources to any destination, not just to the router itself
access-list 101 permit ip host CUSTOMER_SERIAL_INTERCONNECT_IP any
access-list 101 permit ip host 166.90.2.14 any
access-list 101 permit ip 207.90.136.0 0.0.0.255 any

Once an access-list has been created, it must be applied to an interface. An 
access-list by itself does nothing until you have:
- applied it to an interface, and
- said whether it filters in-coming or out-going traffic on that interface.
For example, the above access list would be made functional via:
	interface serial0
	ip access-group 101 in
This applies the filter to the Serial0 interface (usually the T1 connection) in 
the inbound direction: the source is anything coming in over the T1 and the 
destination is anything on the other side of the router (usually the LAN on the 
Ethernet). Note that lines added to a numbered access-list are appended at the 
end, and "no access-list 101" removes the whole list, so a list is normally 
changed by removing it and re-entering it in full.

Although we can provide a basic filter list for customers, we do not take 
responsibility for the security of your network. If your security parameters 
need to change frequently, it is advisable that the filter lists be controlled 
by you. In order to make these changes, customers will need to know the telnet 
and enable passwords of their router.
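The following is an added example, not part of the original note and not Cisco's 
code: a small Python model of how the router walks the list above for a packet 
arriving inbound on serial0 (first match wins, implicit deny at the end, wildcard 
masks, port operators, "established"). It runs the sample list and a tightened 
variant against a few constructed packets. The inside addresses (192.0.2.x), the 
interconnect address (203.0.113.1) and the upstream resolver (203.0.113.53) are 
constructed stand-ins for the placeholders; the tightened list is an illustration 
of narrowing the "gt 1023" lines, not a recommendation taken from the note.

```python
"""Toy evaluator for Cisco-style numbered extended access lists (an added example,
not Cisco's code).  Models only what the sample above uses: first-match order, the
implicit deny, any/host/wildcard addresses, eq/gt/lt port tests and 'established'."""
import ipaddress
from collections import namedtuple

# Packet fields: proto ("tcp"/"udp"/"icmp"), src, dst, sport, dport and ack,
# the TCP ACK (or RST) bit, which is what the 'established' keyword tests.
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_endpoint(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD', then an optional 'eq|gt|lt PORT'."""
    if tok[i] == "any":
        net, wild, i = 0, 0xFFFFFFFF, i + 1
    elif tok[i] == "host":
        net, wild, i = _ip(tok[i + 1]), 0, i + 2
    else:                       # wildcard mask: a 1 bit means "don't care"
        net, wild, i = _ip(tok[i]), _ip(tok[i + 1]), i + 2
    op = port = None
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        op, port, i = tok[i], int(tok[i + 1]), i + 2
    return (net, wild, op, port), i

def parse_acl(text):
    """Parse the 'access-list N ...' lines of one list; '!' lines are comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError("not an access-list line: %r" % line)
        rule = {"action": tok[2], "proto": tok[3]}
        rule["src"], i = _parse_endpoint(tok, 4)
        rule["dst"], i = _parse_endpoint(tok, i)
        if tok[i:] not in ([], ["established"]):
            raise ValueError("unsupported keyword(s) %r in %r" % (tok[i:], line))
        rule["established"] = bool(tok[i:])
        rules.append(rule)
    return rules

def _endpoint_match(spec, addr, port):
    net, wild, op, want = spec
    if (_ip(addr) | wild) != (net | wild):
        return False
    return (op is None or (op == "eq" and port == want)
            or (op == "gt" and port > want) or (op == "lt" and port < want))

def _rule_match(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if rule["established"] and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return (_endpoint_match(rule["src"], pkt.src, pkt.sport)
            and _endpoint_match(rule["dst"], pkt.dst, pkt.dport))

def evaluate(rules, pkt):
    """Return (action, 1-based line number); no match is the implicit deny."""
    for n, rule in enumerate(rules, 1):
        if _rule_match(rule, pkt):
            return rule["action"], n
    return "deny", None

# The sample list from above, with constructed inside hosts (192.0.2.x) and a
# constructed interconnect address (203.0.113.1) in place of the placeholders.
SAMPLE_ACL = """
access-list 101 permit tcp any any established
access-list 101 permit icmp any any
access-list 101 permit tcp any host 192.0.2.10 eq 25
access-list 101 permit tcp any host 192.0.2.11 eq 21
access-list 101 permit tcp any host 192.0.2.12 eq 23
access-list 101 permit tcp any host 192.0.2.13 eq 80
access-list 101 permit tcp any any gt 1023
access-list 101 permit udp any any gt 1023
access-list 101 permit ip host 203.0.113.1 any
access-list 101 permit ip host 166.90.2.14 any
access-list 101 permit ip 207.90.136.0 0.0.0.255 any
"""
# Tightened variant: the two 'gt 1023' lines replaced by one line that admits
# only DNS replies coming from a constructed upstream resolver (203.0.113.53).
TIGHT_ACL = SAMPLE_ACL.replace(
    "access-list 101 permit tcp any any gt 1023\naccess-list 101 permit udp any any gt 1023\n",
    "access-list 101 permit udp host 203.0.113.53 eq 53 any gt 1023\n")

def compare(pkt):
    """(sample-list decision, tightened-list decision) for one inbound packet."""
    return evaluate(parse_acl(SAMPLE_ACL), pkt), evaluate(parse_acl(TIGHT_ACL), pkt)

if __name__ == "__main__":      # constructed packets arriving inbound on serial0
    for label, pkt in [
        ("SYN to port 2049 on the web server", Packet("tcp", "198.51.100.7", "192.0.2.13", 40000, 2049)),
        ("reply to a web fetch started inside", Packet("tcp", "198.51.100.7", "192.0.2.13", 80, 40002, True)),
        ("'DNS reply' from an arbitrary host", Packet("udp", "198.51.100.7", "192.0.2.13", 53, 40001)),
        ("SYN to port 22 from the GeoNet block", Packet("tcp", "207.90.136.200", "192.0.2.13", 40000, 22)),
    ]:
        print("%-38s sample=%s tightened=%s" % ((label,) + compare(pkt)))
```

Run as a script, it shows the point of the CAUTION comment: the sample list lets 
a fresh connection to port 2049 on the web server in on line 7 and a forged "DNS 
reply" from any host in on line 8, while the tightened list drops both into the 
implicit deny; the established reply still passes on line 1, and the GeoNet host 
is still let in by the wildcard line. The trade-off of the tightened list is that 
active-mode FTP from inside clients stops working (passive mode is unaffected, 
since the client opens the data connection itself and the replies match 
"established"), and that UDP replies from anything other than the one resolver 
are now dropped.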
Suggestions... Send to: charly@skunk.net