Extended Access Control Lists

7/30/2019 Extended Access Control Lists


Extended ACLs Can Filter on One or Many Data Fields


Extended ACLs: Creating an Extended Access List

As with standard lists, the access-list command is used to create each condition of the list, one condition per line. The syntax for each line in the list is:

access-list access-list-number {permit | deny} {protocol | protocol-keyword} {source | any} [source-wildcard] [source-port] {destination | any} [destination-wildcard] [destination-port] [options]

Example:

Lab-X#config t
Lab-X(config)#access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq www
Lab-X(config)#access-list 101 deny tcp any any eq ftp
Lab-X(config)#access-list 101 permit ip any any
Lab-X(config)#interface FastEthernet 0/0
Lab-X(config-if)#ip access-group 101 out

The access-list-number range for IP extended access lists is 100 to 199 (later IOS releases also accept the expanded range 2000 to 2699). The protocol entry defines the protocol to be filtered, such as ip, tcp, udp or icmp. Because IP carries TCP, UDP and ICMP, it is important to specify the protocol: an entry written for ip matches all three, and you could end up inadvertently filtering more than you intended.


Extended ACLs: TCP Relational Operators

The access list TCP protocol option supports both source and destination ports. You can specify each by port number or by mnemonic. A keyword relational operator, such as those shown in the following output, precedes the port:

Lab-X(config)#access-list 101 deny tcp any ?
  A.B.C.D  Destination address.
  any      Any destination host.
  eq       Match only packets on a given port number.
  gt       Match only packets with a greater port number.
  host     A single destination host.
  lt       Match only packets with a lower port number.
  neq      Match only packets not on a given port number.
  range    Match only packets in the range of port numbers.

The operator qualifies the address it follows: an operator placed after the source address filters on the source port, and one placed after the destination address filters on the destination port. Putting it in the wrong position matches the wrong end of the connection.


Extended ACLs: Protocol Identifiers

After choosing a relational operator, specify a mnemonic or a port number, as in the following output for the TCP port names:

Lab-X(config)#access-list 101 deny tcp any eq ?
  <0-65535>  Port number
  bgp        Border Gateway Protocol (179)
  chargen    Character generator (19)
  cmd        Remote commands (rcmd, 514)
  daytime    Daytime (13)
  discard    Discard (9)
  domain     Domain Name Service (53)
  echo       Echo (7)
  exec       Exec (rsh, 512)
  finger     Finger (79)
  ftp        File Transfer Protocol (21)
  --Some output omitted--
  uucp       Unix-to-Unix Copy Program (540)
  whois      Nicname (43)
  www        World Wide Web (HTTP, 80)


UDP and TCP Port Numbers


Extended ACLs: TCP Example

The first statement could have used the mnemonic telnet in place of 23 with exactly the same result. The advantage of the mnemonic is that it is more intuitive to anyone who has to support the device.

Lab-X#config t
Lab-X(config)#access-list 101 deny tcp 192.168.5.0 0.0.0.255 any eq 23
Lab-X(config)#access-list 101 permit ip any any
Lab-X(config)#interface fastethernet 0/1
Lab-X(config-if)#ip access-group 101 in

If you want to block network 192.168.5.0 from surfing the Web while still allowing other services such as FTP, use this code:

Lab-X#config t
Lab-X(config)#access-list 106 deny tcp 192.168.5.0 0.0.0.255 any eq www
Lab-X(config)#access-list 106 permit ip any any
Lab-X(config)#interface ethernet 0
Lab-X(config-if)#ip access-group 106 in

Note that eq www matches only TCP port 80; HTTPS on 443 and HTTP served on a non-standard port still pass this list.


Extended ACLs: Blocking RIP Routing Updates

One example of using ACLs with UDP packets is to block RIP routing updates from passing out a particular interface, using an ACL such as the following (rip is the mnemonic for UDP port 520):

Lab-X#config t
Lab-X(config)#access-list 150 deny udp any any eq rip
Lab-X(config)#access-list 150 permit ip any any
Lab-X(config)#int e0
Lab-X(config-if)#ip access-group 150 out

Keep in mind that an outbound ACL in IOS does not filter packets the router itself generates. This list stops RIP updates transiting the router, but not the router's own advertisements; to suppress those, use passive-interface under router rip or a distribute-list.


Important Concept for Extended ACLs

Every ACL ends with an implicit deny of all other IP traffic, not just all other TCP traffic. A common mistake is to assume that because only TCP was specified in the main statement(s), the final permit statement needs to refer only to TCP (ACL 102 below). The unplanned result is that every ICMP and UDP packet, whatever its addresses, falls through ACL 102 to the implicit deny and is blocked. ACL 101's permit ip any any statement allows all other traffic.

Lab-X#config t
Lab-X(config)#access-list 101 deny tcp any host 192.168.1.25 eq ftp
Lab-X(config)#access-list 101 permit ip any any
Lab-X(config)#access-list 102 deny tcp 10.0.0.0 0.255.255.255 host 192.168.1.1 eq ftp
Lab-X(config)#access-list 102 permit tcp any any
Lab-X(config)#interface FastEthernet 0/0
Lab-X(config-if)#ip access-group 101 out
Lab-X(config-if)#ip access-group 102 in


Extended Access List Processing


Named ACLs: Basics

Cisco IOS supports named access lists in place of the traditional number designations. Naming a list makes it easier to recognize and can make it easier to debug. Another advantage is that individual entries can be deleted from a specific ACL instead of erasing the entire list.

A couple of things to consider when implementing named ACLs:

1. Names, like numbers, must be unique on each router.
2. Named ACLs do not work with IOS releases prior to 11.2.

The first step is to create the ACL using the following syntax:

Router(config)#ip access-list {standard | extended} name

Example:

Lab-X(config)#ip access-list extended BlockInternet


Named ACLs: Example

Lab-X#conf t
Lab-X(config)#ip access-list ?     (to see the options)
  extended    Extended Access List
  log-update  Control access list log updates
  logging     Control access list logging
  standard    Standard Access List

Lab-X(config)#ip access-list standard ProtectLAN
Lab-X(config-std-nacl)#deny 192.168.20.0 0.0.0.255
Lab-X(config-std-nacl)#deny 192.168.30.0 0.0.0.255
Lab-X(config-std-nacl)#permit any
Lab-X(config-std-nacl)#exit
Lab-X(config)#ip access-list extended FilterOutside
Lab-X(config-ext-nacl)#permit tcp any 192.168.5.0 0.0.0.255 established
Lab-X(config-ext-nacl)#deny icmp any 192.168.5.0 0.0.0.255
Lab-X(config-ext-nacl)#permit ip any any
Lab-X(config-ext-nacl)#^Z
Lab-X#

Named ACLs are applied to interfaces the same as other ACLs. The established keyword in FilterOutside matches only TCP segments with the ACK or RST bit set; it is a header check, not connection tracking, so a crafted inbound packet with ACK set matches it just as a reply to an internal client would.


ACL Placement

Standard ACLs should be placed close to the destination, because they filter on source address only; placed near the source, they would cut that source off from every destination beyond the filtering point.

Extended ACLs should be placed close to the source, so unwanted traffic is dropped before it consumes bandwidth along the path.


ACLs and Firewall Routers

Border routers are charged with providing network security against potential attacks from outside the network. The figure shows the simplest situation, where the border router becomes the clear demarcation between the network and the rest of the world.

Typically intruders come from the global Internet and the thousands of networks connected to it.


ACLs and Firewall Routers

Another type of firewall implementation uses two or more routers to provide the security. The border router, A, is ultimately responsible for securing the LAN(s).

The firewall router, F, is responsible for protecting both the shared servers and the internal networks from attack from outside. In an optimal solution, this would be a specialty device like Cisco's PIX box, which combines hardware and software to secure the connection. Whether a specialty device or a router with the firewall feature set, ACLs will be a part of the solution.


Verifying ACLs

Lab-X#show ip interface
Ethernet0 is up, line protocol is up
  Internet address is 192.168.5.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is 50
  Inbound access list is 70
  Proxy ARP is enabled

The show ip interface command will tell whether an inbound or outbound access list has been applied to an interface. Rows 9 and 10 above ("Outgoing access list is 50" and "Inbound access list is 70") contain the information. The rest of the lines do not pertain to ACLs, so they have been omitted.

The command reports whatever number or name was given to ip access-group, whether or not a list with that identifier has been defined. An interface that references an undefined list permits all traffic, so always cross-check the identifiers shown here against show access-lists.


The show access-lists Command

Lab-X#show access-lists
Standard IP access list 50
    deny   192.168.1.10 log
    permit any
Standard IP access list 75
    deny   192.168.17.123
    deny   192.168.1.10
    permit any
Lab-X#

The show access-lists command displays all access lists on the router but does not show whether or where they are applied. Another command, show ip access-lists, includes only IP access lists. Both commands let you specify an ACL number or name after the command to display just that ACL.


The show run Command

Lab-X#show run
hostname Lab-X
!
! (output abbreviated)
!
access-list 50 deny 192.168.1.10 log
access-list 50 permit any
access-list 75 deny 192.168.17.123
access-list 75 deny 192.168.1.10
access-list 75 permit any
!

One way to see your access lists and how they are applied is to use the show run command to see the active configuration. The lines above show the output of a show run command with some of the unrelated lines removed.


Verifying Named ACLs

Lab-X#show run
! (output edited and omitted)
ip access-list standard ProtectLAN
 deny 192.168.20.0 0.0.0.255
 deny 192.168.30.0 0.0.0.255
 permit any
!
ip access-list extended FilterOutside
 permit tcp any 192.168.5.0 0.0.0.255 established
 deny icmp any 192.168.5.0 0.0.0.255
 permit ip any any
!
Lab-X#show access-list
Standard IP access list ProtectLAN
    deny 192.168.20.0, wildcard bits 0.0.0.255
    deny 192.168.30.0, wildcard bits 0.0.0.255
    permit any
Extended IP access list FilterOutside
    permit tcp any 192.168.5.0 0.0.0.255 established
    deny icmp any 192.168.5.0 0.0.0.255
    permit ip any any
Lab-X#
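As an added example (not from the slides or from Cisco), the following Python script does the cross-check that show access-lists alone cannot: it parses show run text for numbered and named lists and for the ip access-group lines under each interface, then reports which list is bound where, which lists are defined but bound to nothing, and which are bound but never defined. SAMPLE_CONFIG is constructed for this example by combining the numbered and named lists from the last slides; the binding of list 70 on Ethernet0 mirrors the show ip interface output above, and the function names parse_config and audit are assumptions. The parser relies on the single-space indentation IOS uses for lines inside a section.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of `show run` output, modelled on the slides (not captured from a
# real device). List 70 is bound to Ethernet0 but never defined; 75 and ProtectLAN are
# defined but never bound to an interface.
SAMPLE_CONFIG = """\
hostname Lab-X
!
access-list 50 deny 192.168.1.10 log
access-list 50 permit any
access-list 75 deny 192.168.17.123
access-list 75 deny 192.168.1.10
access-list 75 permit any
!
ip access-list standard ProtectLAN
 deny 192.168.20.0 0.0.0.255
 deny 192.168.30.0 0.0.0.255
 permit any
ip access-list extended FilterOutside
 permit tcp any 192.168.5.0 0.0.0.255 established
 deny icmp any 192.168.5.0 0.0.0.255
 permit ip any any
!
interface Ethernet0
 ip address 192.168.5.1 255.255.255.0
 ip access-group 50 out
 ip access-group 70 in
!
interface FastEthernet0/1
 ip access-group FilterOutside in
!
"""


def parse_config(text: str):
    """Return (acls, bindings): acls maps an ACL number or name to its entries,
    bindings maps an interface to {direction: acl} taken from its ip access-group lines."""
    acls: Dict[str, List[str]] = defaultdict(list)
    bindings: Dict[str, Dict[str, str]] = defaultdict(dict)
    context = None   # ("acl", name) inside a named ACL, ("if", name) inside an interface
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        indented = raw[0] == " "         # IOS indents the lines that belong to a section
        line = raw.strip()
        if not indented:
            context = None
            if m := re.match(r"access-list (\S+) (.+)$", line):        # numbered ACL entry
                acls[m.group(1)].append(m.group(2))
            elif m := re.match(r"ip access-list (?:standard|extended) (\S+)$", line):
                context = ("acl", m.group(1))
                acls[context[1]]                                       # register even if empty
            elif m := re.match(r"interface (\S+)$", line):
                context = ("if", m.group(1))
                bindings[context[1]]
            continue
        if context and context[0] == "acl":
            acls[context[1]].append(line)
        elif context and context[0] == "if":
            if m := re.match(r"ip access-group (\S+) (in|out)$", line):
                bindings[context[1]][m.group(2)] = m.group(1)
    return dict(acls), dict(bindings)


def audit(text: str) -> dict:
    """Cross-check definitions against bindings, the step show access-lists alone cannot do."""
    acls, bindings = parse_config(text)
    applied = {acl for dirs in bindings.values() for acl in dirs.values()}
    return {
        "bindings": {ifc: d for ifc, d in bindings.items() if d},
        "unapplied": sorted(set(acls) - applied),    # defined but filtering nothing
        "undefined": sorted(applied - set(acls)),    # bound but missing: IOS permits all traffic
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the sample configuration, audit reports unapplied lists 75 and ProtectLAN and the undefined list 70; the latter is the finding to act on first, since the inbound filter on Ethernet0 is currently permitting everything.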