Extended Access Control Lists

Extended ACLs Can Filter on One or Many Data Fields

Extended ACLs Creating an Extended Access List

As with standard lists, the access-list command is used to create each condition of the list using one condition per line. The syntax for each line in the list is:
access-list access-list-number {permit | deny} {protocol | protocol keyword} {source | any} [source-wildcard] [source port] {destination | any} [destination-wildcard] [destination port] [options]

Example:
Lab-X#config t Lab-X(config)#Access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq www Lab-X(config)#Access-list 101 deny tcp any any eq ftp Lab-X(config)#Access-list 101 permit ip any any Lab-X(config)#interface Fastethernet 0/0 Lab-X(config-if)#ip access-group 101 out

The access list-number range for IP extended access lists is 100 to 199.

The protocol entry defines the protocol to be filtered, such as IP, TCP, UDP, or ICMP for example. Because IP headers transport TCP, UDP, and ICMP, it is important to specify the protocol or you could end up inadvertently filtering more than you want to.

Extended ACLs TCP Relational Operators

The access list TCP protocol option supports both source and destination ports. You can access each by using either the port number or a mnemonic or acronym. Keyword relational operators such as those shown in the following code output precede these:
Lab-X(config)#access-list 101 deny tcp any ? A.B.C.D Destination address. any Any destination host. eq Match only packets on a given port number. gt Match only packets with a greater port number. host A single destination host. lt Match only packets with a lower port number. neq Match only packets not on a given port number. range Match only packets in the range of port numbers.

Extended ACLs Protocol Identifiers

After choosing a relational operator, specify a mnemonic (or acronym) or port number, such as the following code output for the TCP port names:
Lab-X(config)#access-list 101 deny tcp any eq ? <0-65535> Port number bgp Border Gateway Protocol (179) chargen Character generator (19) cmd Remote commands (rcmd, 514) daytime Daytime (13) discard Discard (9) domain Domain Name Service (53) echo Echo (7) exec Exec (rsh, 512) finger Finger (79) ftp File Transfer Protocol (21) --Some output omitted uucp Unix-to-Unix Copy Program (540) whois Nicname (43) www World Wide Web (HTTP, 80)

UDP and TCP Port Numbers

Extended ACLs TCP Example

The first statement could have used the mnemonic telnet in place of 23 with exactly the same result. The one advantage to using the mnemonic is that it is more intuitive to anyone having to support the device.
Lab-X#config t Lab-X(config)#access-list 101 deny tcp 192.168.5.0 0.0.0.255 any eq 23 Lab-X(config)#access-list 101 permit ip any any Lab-X(config)#interface fastethernet 0/1 Lab-X(config-if)#ip access-group 101 in

If you want to block network 192.168.5.0 from being able to surf the Web while still allowing other services such as FTP, use this code:
Lab-X#config t Lab-X(config)#access-list 106 deny tcp 195.168.5.0 0.0.0.255 any eq www Lab-X(config)#access-list 106 permit ip any any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 106 in

Extended ACLs Blocking RIP Routing Updates

One example of using ACLs with UDP packets would be to block RIP routing updates from passing out a particular interface using an ACL such as the following:
Lab-X#config t Lab-X(config)#access-list 150 deny udp any any eq rip Lab-X(config)#access-list 150 permit ip any any Lab-X(config)#int e0 Lab-X(config-if)#ip access-group 150 out

Important Concept for Extended ACLs

Both ACLs below implicitly deny all other IP traffic, not just all other TCP traffic. A common mistake many people make is assuming that because they specified only TCP in the main statement(s), they need only to refer to TCP in the final permit any statement (102 below). The unplanned result would be that all ICMP and UDP traffic matching the address/protocol criteria would be blocked (102 below). ACL 101s permit IP any any statement will allow all other traffic.
Lab-X#config t Lab-X(config)#Access-list 101 deny tcp any 192.168.1.25 eq ftp Lab-X(config)#Access-list 101 permit IP any any Lab-X(config)#Access-list 102 deny tcp 10.0.0.0 0.255.255.255 192.168.1.1 eq ftp Lab-X(config)#Access-list 102 permit TCP any any Lab-X(config)#interface Fastethernet 0/0 Lab-X(config-if)#ip access-group 101 out Lab-X(config-if)#ip access-group 102 in

Extended Access List Processing

Named ACLs Basics

The Cisco IOS release supports using named access lists rather than the traditional number designations. This ability to name a list makes them easier to recognize and can make them easier to debug. Another advantage is that it is possible to delete individual entries from a specific ACL instead of erasing the entire list. A couple things to consider when implementing named ACLs: 1. Names, like numbers, must be unique on each router. 2. Named ACLs do not work with IOS releases prior to 11.2. The first step is to create the ACL using the following syntax:
Router(config)#ip access-list {standard | extended} name

Example:
Lab-X(config)#ip access-list extended BlockInternet

Named ACLs Example

Lab-X#conf t Lab-X(config)#ip access-list ? (to see the options) extended Extended Access List log-update Control access list log updates logging Control access list logging standard Standard Access List Lab-X(config)#ip access-list standard ProtectLAN Lab-X(config-std-nacl)#deny 192.168.20.0 0.0.0.255 Lab-X(config-std-nacl)#deny 192.168.30.0 0.0.0.255 Lab-X(config-std-nacl)#permit any Lab-X(config-std-nacl)#exit Lab-X(config)#ip access-list extended FilterOutside Lab-X(config-ext-nacl)#permit tcp any 192.168.5.0 0.0.0.255 established Lab-X(config-ext-nacl)#deny icmp any 192.168.5.0 0.0.0.255 Lab-X(config-ext-nacl)#permit ip any any Lab-X(config-ext-nacl)#^Z Lab-X#

Named ACLs are applied to interfaces the same as other ACLs.

ACL Placement

Standard ACLs must be placed close to the destination. Extended ACLs should be placed close to the source.

ACLs and Firewall Routers

Border routers are charged with providing network security from potential attacks from outside the network. The figure shows the simplest situation where the border router becomes the clear demarcation between the network and the rest of the world. Typically intruders come from the global Internet and the thousands of networks connected to it.

ACLs and Firewall Routers

Another type of firewall implementation uses two or more routers to provide the security. The border router, A, is ultimately responsible for securing the LAN(s). The firewall router, F, is responsible for protecting both the shared servers and the internal networks from attack from outside. In an optimal solution, this would be a specialty device like Ciscos PIX box, which combines hardware and software to secure the connection. Whether a specialty device or a router with the firewall feature set, ACLs will be a part of the solution.

Verifying ACLs
Lab-X#show ip interface Ethernet0 is up, line protocol is up Internet address is 192.168.5.1/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Multicast reserved groups joined: 224.0.0.9 Outgoing access list is 50 Inbound access list is 70 Proxy ARP is enabled

The show ip interface command will tell whether an inbound or outbound access list has been applied to an interface. Rows 9 and 10 above contain the information. The rest of the lines do not pertain to ACLs, so they have been omitted.

The show access-lists Command

Lab-X#show access-lists Standard IP access list 50 deny 192.168.1.10 log permit any Standard IP access list 75 deny 192.168.17.123 deny 192.168.1.10 permit any Lab-X#

The show access-lists command will display all access lists on the router but does not show whether or where they are applied. Another command, show ip access-lists, would include only IP access lists. Both commands enable you to specify an ACL number or name after the command to display just that ACL.

The show run Command

Lab-X#show run hostname Lab-X ! ! (output abbreviated) ! access-list 50 deny 192.168.1.10 log access-list 50 permit any access-list 75 deny 192.168.17.123 access-list 75 deny 192.168.1.10 access-list 75 permit any !

One way to see your access lists and how they are applied is to use the show run command to see the active configuration. The above lines show the output of a show run command with some of the unrelated lines removed.

Verifying Named ACLs

Lab-X#show run ! (output edited and omitted) ip access-list standard ProtectLAN deny 192.168.20.0 0.0.0.255 deny 192.168.30.0 0.0.0.255 permit any ! ip access-list extended FilterOutside permit tcp any 192.168.5.0 0.0.0.255 established deny icmp any 192.168.5.0 0.0.0.255 permit ip any any ! Lab-X#show access-list Standard IP access list ProtectLAN deny 192.168.20.0, wildcard bits 0.0.0.255 deny 192.168.30.0, wildcard bits 0.0.0.255 permit any Extended IP access list FilterOutside permit tcp any 192.168.5.0 0.0.0.255 established deny icmp any 192.168.5.0 0.0.0.255 permit ip any any Lab-X#