Notable Replies

  1. Hi Edmundo,

    Adding the log keyword will show all denied packets in your console. This is useful for troubleshooting, debugging or labbing.

  2. Hi Srini,

    Let’s take a look at the different IP options:

    R1(config-ext-nacl)#permit ip any any ?
      dscp        Match packets with given dscp value
      fragments   Check non-initial fragments
      log         Log matches against this entry
      log-input   Log matches against this entry, including input interface
      option      Match packets with given IP Options value
      precedence  Match packets with given precedence value
      reflect     Create reflexive access list entry
      time-range  Specify a time-range
      tos         Match packets with given TOS value
      ttl         Match packets with given TTL value
    

    DSCP refers to the DSCP value in the TOS byte:

    Fragments refers to fragmented IP packets.

    Log will show matched packets on the console (like I did in this example). Log-input does the same but also allows you to select an interface.

    Option refers to the option field in the header…there are a lot of options here.

    Precedence refers to the precedence value in the TOS byte:

    Reflect is for reflexive access-lists:

    Time-range for time-based access-lists:

    TOS is for some of the non-DSCP or non-precedence values that you can use in the TOS byte.

    TTL is to match on a certain time-to-live value in the IP packet header.

    There’s also a big list for TCP options:

    R1(config-ext-nacl)#permit tcp any any ?
      ack          Match on the ACK bit
      dscp         Match packets with given dscp value
      eq           Match only packets on a given port number
      established  Match established connections
      fin          Match on the FIN bit
      fragments    Check non-initial fragments
      gt           Match only packets with a greater port number
      log          Log matches against this entry
      log-input    Log matches against this entry, including input interface
      lt           Match only packets with a lower port number
      match-all    Match if all specified flags are present
      match-any    Match if any specified flag is present
      neq          Match only packets not on a given port number
      option       Match packets with given IP Options value
      precedence   Match packets with given precedence value
      psh          Match on the PSH bit
      range        Match only packets in the range of port numbers
      reflect      Create reflexive access list entry
      rst          Match on the RST bit
      syn          Match on the SYN bit
      time-range   Specify a time-range
      tos          Match packets with given TOS value
      ttl          Match packets with given TTL value
      urg          Match on the URG bit
    

    Some of these options refer to the IP packet (dscp, option, precedence, tos, ttl). The established is an interesting one…

    Established checks TCP headers to see if the ACK bit is enabled; after the three-way handshake every TCP header has the ACK bit enabled. You can create an ACL statement that only allows “established” sessions with this. We don’t use it anymore…it has been replaced by:



    Let me know if you want to know some specific options.

    Rene

  3. When the access-list is applied inbound on Robocop, you’ll need to permit the ICMP return traffic from ED209. Something like this:

    permit icmp host 192.168.12.1 host 192.168.12.2

    Or you could make it more “specific” by adding echo-reply at the end of that statement.

  4. Hi Rene,

    Thanks for your very nice article …
    I want to know about the command "ip prefix-list". It is used to classify/select traffic. I want to know more about this. Thx

    I didn’t understand Andrew’s statement …

    ip access-list extended ACL_TELNET-CLIENT-2-SERVER
    **permit tcp host <CLIENT> host <SERVER> eq 23** [Can’t understand the syntax ]

    br//zaman

  5. Hello Rene/Laz,
    I apologize because my question may not be completely relevant to the topic. However, I would really like to get some help if possible.

    Would you please provide me a template for Border inbound ACL at the internet WAN router on the WAN interface? So far this is what I have found. Please let me know if I am missing anything.

    ip access-list extended INBOUND
    permit icmp any any echo
    permit icmp any any echo-reply
    permit icmp any any unreachable
    deny icmp any any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip host 0.0.0.0 any
    permit ip any any
    

    Thank you in advance.
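    A small evaluator for the kind of extended ACL entries discussed in this thread, added here as an illustration (constructed Python, not IOS and not code from any of the posters): it walks the border template above top-down with first-match semantics and the implicit deny, shows how the wildcard mask 0.15.255.255 covers 172.16.0.0 through 172.31.255.255 and nothing past it, and models the `established` keyword from reply 2 as a header-only check, so a bare ACK with no preceding handshake still matches, which is the limitation that led to reflexive ACLs. The parser also accepts the `host` / `echo-reply` form from reply 3. The `Packet` and `Entry` types, the `parse_acl` / `evaluate` functions and the packet addresses (documentation ranges) are the example's own assumptions.

```python
"""Constructed first-match evaluator for Cisco IOS style extended ACL entries (a
teaching model, not IOS code).  It covers what this thread discusses: any / host /
wildcard addresses, ICMP type names, tcp eq <port>, established, implicit deny."""
import ipaddress
from collections import namedtuple
from typing import List, Tuple

ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3}
# A packet: proto is "icmp", "tcp" or "udp"; tcp_flags is a frozenset of flag names.
Packet = namedtuple("Packet", "proto src dst icmp_type dport tcp_flags",
                    defaults=(None, None, frozenset()))
# One ACL entry; src/dst are (network, wildcard) pairs, text is the original line.
Entry = namedtuple("Entry", "action proto src dst icmp_type dport established text")


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume one address spec (any | host A | A WILDCARD) from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(tok), _ip(tokens.pop(0)))


def _addr_match(addr: Tuple[int, int], ip: str) -> bool:
    network, wildcard = addr
    care = ~wildcard & 0xFFFFFFFF   # IOS wildcard: a 1 bit means "don't care"
    return (_ip(ip) & care) == (network & care)


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, dst = _parse_addr(rest), _parse_addr(rest)
        icmp_type, dport, established = None, None, False
        while rest:                 # trailing qualifiers, in any order
            tok = rest.pop(0)
            if tok in ICMP_TYPES:
                icmp_type = ICMP_TYPES[tok]
            elif tok == "eq":
                dport = int(rest.pop(0))
            elif tok == "established":
                established = True
            else:                   # fail loudly instead of silently ignoring a keyword
                raise ValueError(f"unsupported keyword {tok!r}: {line.strip()!r}")
        entries.append(Entry(action, proto, src, dst, icmp_type, dport, established, line.strip()))
    return entries


def _matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_match(e.src, p.src) and _addr_match(e.dst, p.dst)):
        return False
    if e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    # 'established' reads only the TCP header (IOS matches when ACK or RST is set);
    # it keeps no handshake state, which is why reflexive ACLs replaced it.
    return not e.established or bool(p.tcp_flags & {"ACK", "RST"})


def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for e in entries:
        if _matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny ip any any"


# The border template posted in the thread (172.16 line with the typo corrected).
INBOUND = """
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
deny icmp any any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 0.0.0.0 any
permit ip any any
"""
ESTABLISHED_ONLY = "permit tcp any any established"


def demo() -> dict:
    """Classify constructed packets (documentation addresses) and return each action."""
    inbound, est = parse_acl(INBOUND), parse_acl(ESTABLISHED_ONLY)
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    cases = {
        "echo_request_in": (inbound, Packet("icmp", "203.0.113.5", "198.51.100.1", icmp_type=8)),
        "icmp_redirect_in": (inbound, Packet("icmp", "203.0.113.5", "198.51.100.1", icmp_type=5)),
        "spoofed_172_31_src": (inbound, Packet("tcp", "172.31.9.9", "198.51.100.1", dport=443, tcp_flags=syn)),
        "172_32_outside_slash_12": (inbound, Packet("tcp", "172.32.0.1", "198.51.100.1", dport=443, tcp_flags=syn)),
        "syn_vs_established": (est, Packet("tcp", "203.0.113.5", "198.51.100.1", dport=23, tcp_flags=syn)),
        "bare_ack_vs_established": (est, Packet("tcp", "203.0.113.5", "198.51.100.1", dport=23, tcp_flags=ack)),
    }
    return {name: evaluate(acl, pkt)[0] for name, (acl, pkt) in cases.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:26} {action}")
```

    Running it prints the action each constructed packet receives. Two things worth noticing in the output: the spoofed 172.31.9.9 source is dropped by the 172.16.0.0 0.15.255.255 line while 172.32.0.1 falls through to `permit ip any any`, and the `established`-only ACL rejects a SYN but accepts a packet whose only flag is ACK, because the keyword never sees whether a handshake happened.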
