Filtering by Application

Problem

You want to filter access to certain applications.

Solution

Extended IP access-lists can also filter based on application information, such as protocol and port numbers:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 151 permit tcp any any eq www
Router1(config)#access-list 151 deny tcp any any gt 1023
Router1(config)#access-list 151 permit icmp any any
Router1(config)#access-list 151 permit udp any any eq ntp
Router1(config)#access-list 151 deny ip any any
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 151 in 
Router1(config-if)#exit
Router1(config)#end
Router1#

Discussion

This example shows how to construct an Extended IP ACL that filters traffic by application. In Recipe 19.1, we showed how to use Extended IP ACLs to match on any combination of source and destination IP addresses, but an Extended IP ACL can also match on most of the other fields in the IP header and on transport-layer details such as TCP and UDP port numbers. Entries are evaluated in order and the first match decides, so ordering matters. Here the list is applied inbound on Serial0/1: it admits TCP to port 80, rejects TCP to any destination port above 1023, admits all ICMP and UDP to port 123 (NTP), and rejects everything else with a final explicit deny (an unmatched packet would be dropped by the implicit deny at the end of the list in any case). Note that the gt 1023 entry also discards the replies to TCP sessions that hosts behind this interface open toward the outside, because those replies arrive addressed to ephemeral ports above 1023; if that is not what you intend, a permit tcp any any established entry placed ahead of it lets those replies through.

The first argument after the permit or deny keyword represents the IP protocol number:

Router1(config)#access-list 151 permit tcp any any eq www

In this case, we want to match a TCP-based application, so we have used the keyword tcp in this position. The keyword stands for the IP protocol number, an 8-bit field in the IP header: TCP is protocol number 6, UDP is 17, and ICMP is 1. You can also enter the number itself in place of the keyword. The IANA has registered 134 different protocol numbers. You can find the complete list of registered ...
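To see how the list above behaves on traffic, here is an added example (my code, not from the Cisco IOS Cookbook) that parses the recipe's five lines and runs constructed packets through them with IOS first-match semantics. It supports only the syntax the recipe needs (source and destination any, a destination-port operator, a numeric or keyword protocol, and the established keyword); the packet dicts, the port values, and the variant list with a leading established entry are constructed for the illustration. It shows that the deny tcp any any gt 1023 entry, as placed, also discards replies to TCP sessions that inside hosts open to the outside, that SSH is stopped by the final deny rather than by that entry, and how a leading established entry changes the first result.

```python
"""First-match evaluator for the extended IP ACL subset used in this recipe.

Added example, not code from the Cisco IOS Cookbook. It models IOS semantics
that are well established: entries are tested top to bottom, the first match
decides, and an implicit 'deny ip any any' closes every list. Supported syntax
(source and destination must both be 'any'):
    access-list N permit|deny tcp|udp|icmp|ip any any [eq|neq|gt|lt PORT] [established]
Only the port keywords the recipe uses (www, ntp) are resolved by name, and the
sample packets below are constructed for the example, not captured traffic.
"""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "ntp": 123}                 # keywords used in the recipe
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}  # IP protocol numbers from the text
PORT_OPS = {
    "eq": lambda dport, p: dport == p,
    "neq": lambda dport, p: dport != p,
    "gt": lambda dport, p: dport > p,
    "lt": lambda dport, p: dport < p,
}

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp", or "ip" (matches any protocol)
    op: Optional[str] = None     # destination-port operator, if the entry has one
    port: Optional[int] = None   # port the operator compares the destination port with
    established: bool = False    # TCP only: match segments with the ACK or RST bit set
    text: str = ""               # original line, reported back on match

def parse_acl(lines):
    """Parse 'access-list N ...' lines, in order, into Entry objects."""
    by_number = {v: k for k, v in PROTOCOL_NUMBERS.items()}
    entries = []
    for line in lines:
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list" or toks[4:6] != ["any", "any"]:
            raise ValueError("unsupported syntax: " + line)
        action, proto, rest = toks[2], toks[3], toks[6:]
        if proto.isdigit():                          # numeric protocol, e.g. 6 for tcp
            proto = by_number.get(int(proto), proto)
        if action not in ("permit", "deny") or proto not in ("tcp", "udp", "icmp", "ip"):
            raise ValueError("unsupported syntax: " + line)
        op = port = None
        if rest and rest[0] in PORT_OPS:
            if proto not in ("tcp", "udp") or len(rest) < 2:
                raise ValueError("port operator needs tcp or udp and a port: " + line)
            op = rest[0]
            port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
            rest = rest[2:]
        established = rest == ["established"] and proto == "tcp"
        if rest and not established:
            raise ValueError("unsupported trailing tokens: " + line)
        entries.append(Entry(action, proto, op, port, established, line))
    return entries

def evaluate(entries, pkt):
    """Return (action, matched_entry_text) for one packet; the first match wins.

    pkt is a dict with 'proto' ('tcp', 'udp' or 'icmp'), an optional 'dport'
    (destination port) and an optional 'tcp_flags' set such as {"SYN", "ACK"}.
    """
    for e in entries:
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if e.op is not None:
            dport = pkt.get("dport")
            if dport is None or not PORT_OPS[e.op](dport, e.port):
                continue
        if e.established and not (pkt.get("tcp_flags", set()) & {"ACK", "RST"}):
            continue
        return e.action, e.text
    return "deny", "implicit deny at end of list"

def decide_all(entries, packets):
    """Map each named sample packet to the action the list takes on it."""
    return {name: evaluate(entries, pkt)[0] for name, pkt in packets.items()}

RECIPE_LINES = [                       # the recipe's list, as entered on Router1
    "access-list 151 permit tcp any any eq www",
    "access-list 151 deny tcp any any gt 1023",
    "access-list 151 permit icmp any any",
    "access-list 151 permit udp any any eq ntp",
    "access-list 151 deny ip any any",
]
RECIPE_ACL = parse_acl(RECIPE_LINES)
# Same list with a leading 'established' entry (constructed variant), so replies to
# TCP sessions opened from inside are permitted before the 'gt 1023' deny is reached.
ESTABLISHED_FIRST_ACL = parse_acl(["access-list 151 permit tcp any any established"] + RECIPE_LINES)

SAMPLE_PACKETS = {                     # constructed packets arriving inbound on Serial0/1
    "http_request_to_inside_server": {"proto": "tcp", "dport": 80, "tcp_flags": {"SYN"}},
    "reply_to_inside_web_client": {"proto": "tcp", "dport": 51234, "tcp_flags": {"SYN", "ACK"}},
    "ssh_to_inside_host": {"proto": "tcp", "dport": 22, "tcp_flags": {"SYN"}},
    "ntp_exchange": {"proto": "udp", "dport": 123},
    "dns_reply_to_inside_client": {"proto": "udp", "dport": 41000},
    "ping": {"proto": "icmp"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        action, why = evaluate(RECIPE_ACL, pkt)
        print(f"{name:32s} {action:6s} ({why})")
```

Running the block prints one line per sample packet with the entry that decided it; decide_all(ESTABLISHED_FIRST_ACL, SAMPLE_PACKETS) shows the only change the extra entry makes is that the SYN/ACK reply to the inside client is now permitted, while the inbound SSH attempt still falls through to the final deny.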
