Extended Access-List example on Cisco Router

In a previous lesson I covered the standard access-list; now it’s time to take a look at the extended access-list. This is the topology we’ll use:

[Topology diagram: standard access list example]

Using the extended access-list we can create far more complex statements. Let’s say we have the following requirement:

  • Traffic from network 1.1.1.0 /24 is allowed to connect to the HTTP server on R2, but only to IP address 2.2.2.2.
  • All other traffic has to be denied.

Now we need to translate this to an extended access-list statement. Basically they look like this:

[source] + [source port] to [destination] + [destination port]

Let’s walk through the configuration together:

R2(config)#access-list 100 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment

First of all we need to select permit or deny. By the way, you can also use remark, which adds a comment to your access-list statements. I’ll select permit…

R2(config)#access-list 100 permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

Now we have a lot more options. Since I want something that permits HTTP traffic we’ll have to select TCP. Let’s continue:

R2(config)#access-list 100 permit tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

Now we have to select a source. I can either type in a network address with a wildcard mask or I can use the any or host keyword. These two keywords are “shortcuts”; let me explain:

  • If you type “0.0.0.0 255.255.255.255” you match every address. Instead of typing this we can use the any keyword.
  • If you type something like “2.2.2.2 0.0.0.0” we are matching a single IP address. Instead of typing the “0.0.0.0” wildcard we can use the host keyword.

I want to select network 1.1.1.0 /24 as the source so this is what we will do:

R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers

Besides selecting the source we can also select the source port number. Keep in mind that when I connect from R1 to R2’s HTTP server, my source port number will be random, so I’m not going to specify a source port number here.

R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>

We will select the destination which is IP address 2.2.2.2. I could have typed “2.2.2.2 0.0.0.0” but it’s easier to use the host keyword. Besides the destination IP address we can select a destination port number with the eq keyword:

R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80

This will be the end result. Before we apply it to the interface I will add one useful extra statement:
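To make the wildcard-mask and any/host shortcuts from the bullets above concrete, and to check how the finished access-list 100 treats traffic, here is a small Python model of how IOS evaluates an extended access-list. It is an added example, not code from the lesson or from Cisco; it covers only the syntax subset the lesson uses (protocol, source and destination as any/host/wildcard, an optional destination eq port) and applies the implicit deny at the end of every list.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask compare: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b = (int(ipaddress.IPv4Address(x)) for x in (addr, base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip" (ip matches all)
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None  # "eq <port>" on the destination; None = any port

def _take_addr(tok):
    """Consume one address term: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]

def parse_ace(line: str) -> Ace:
    """Parse the subset of extended ACL syntax used in the lesson."""
    tok = line.split()
    if tok[0] == "access-list":   # numbered form: drop 'access-list <number>'
        tok = tok[2:]
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, src_wc, tok = _take_addr(tok)
    dst, dst_wc, tok = _take_addr(tok)
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    return Ace(action, proto, src, src_wc, dst, dst_wc, port)

def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int]) -> str:
    """Top-down, first match wins; no match hits the implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc)):
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action
    return "deny"  # the implicit deny at the end of every access-list

# The statement built in the lesson, as the only explicit entry of access-list 100.
ACL_100 = [parse_ace("access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80")]
```

Running evaluate() over constructed packets shows that only TCP from 1.1.1.0 /24 to 2.2.2.2 port 80 is permitted; the same host on port 443, another R2 address, or a UDP packet all fall through to the implicit deny.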


Forum Replies

  1. Hi Edmundo,

    Adding the log keyword will show all denied packets in your console. This is useful for troubleshooting, debugging or labbing.

  2. Hi Srini,

    Let’s take a look at the different IP options:

    R1(config-ext-nacl)#permit ip any any ?
      dscp        Match packets with given dscp value
      fragments   Check non-initial fragments
      log         Log matches against this entry
      log-input   Log matches against this entry, including input interface
      option      Match packets with given IP Options value
      precedence  Match packets with given precedence value
      reflect     Create reflexive access list entry
      time-range  Specify a time-range
      tos         Match packets with given TOS value
      ttl         Ma
    ... Continue reading in our forum

  3. When the access-list is applied inbound on Robocop, you’ll need to permit the ICMP return traffic from ED209. Something like this:

    permit icmp host 192.168.12.1 host 192.168.12.2

    Or you could make it more “specific” by adding echo-reply at the end of that statement.

  4. The safest approach is to set QoS in both directions. At my company, we are concerned with prioritizing VOIP, print jobs, and SSH. VOIP is a bit easier since the VOIP server and phones automatically mark their traffic as DSCP EF, so we just trust those markings, but with the others, we do, in fact, mark them similar to the example I provided earlier where the classifier for return trip looks to the source port, not the destination.

    If you knew that your remote sites, for example, had more of a problem with downloads saturating the bandwidth than uploads, you

    ... Continue reading in our forum

  5. Hello Rene/Laz,
    I apologize because my question may not be completely relevant to the topic. However, I would really like to get some help if possible.

    Would you please provide me a template for Border inbound ACL at the internet WAN router on the WAN interface? So far this is what I have found. Please let me know if I am missing anything.

    ip access-list extended INBOUND
    permit icmp any any echo
    permit icmp any any echo-reply
    permit icmp any any unreachable
    deny icmp any any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168
    ... Continue reading in our forum
