In a previous lesson I covered the standard access-list; now it’s time to take a look at the extended access-list. This is the topology we’ll use:
Using the extended access-list we can create far more specific statements, because we can match on protocol, source, destination and port numbers instead of only the source address. Let’s say we have the following requirements:
- Hosts in network 1.1.1.0 /24 are allowed to connect to the HTTP server on R2, but only to IP address 2.2.2.2.
- All other traffic has to be denied.
Now we need to translate this into an extended access-list statement. The basic structure of a statement is:
permit/deny [protocol] [source] + [source port] to [destination] + [destination port]
Let’s walk through the configuration together:
R2(config)#access-list 100 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
remark Access list entry comment
First of all we need to select permit or deny. You can also use remark, which adds a comment to your access-list so you can document what each statement is for. I’ll select permit…
R2(config)#access-list 100 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
Now we have a lot more options: this is where we select the protocol. HTTP runs on top of TCP, so we select tcp. Let’s continue:
R2(config)#access-list 100 permit tcp ?
A.B.C.D Source address
any Any source host
host A single source host
Now we have to select a source. I can either type a network address followed by a wildcard mask, or I can use the any or host keyword. A wildcard mask works the other way around from a subnet mask: a 0 bit means that bit of the address must match, a 1 bit means “don’t care”. The two keywords are “shortcuts” for common wildcard masks, let me explain:
- If you type “0.0.0.0 255.255.255.255” every bit is “don’t care”, so you match all addresses. Instead of typing this we can use the any keyword.
- If you type something like “2.2.2.2 0.0.0.0” every bit must match, so we are matching a single IP address. Instead of typing the “0.0.0.0” wildcard we can use the host keyword.
I want to select network 1.1.1.0 /24 as the source so this is what we will do:
R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
Besides selecting the source we can also select the source port number. Keep in mind that when I connect from R1 to R2’s HTTP server, my source port number will be a random (ephemeral) port chosen by the client, so I’m not going to specify a source port number here. Next we select the destination:
R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 ?
ack Match on the ACK bit
dscp Match packets with given dscp value
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
fragments Check non-initial fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
urg Match on the URG bit
<cr>
We select the destination, which is IP address 2.2.2.2. I could have typed “2.2.2.2 0.0.0.0” but it’s easier to use the host keyword. Besides the destination IP address we can select a destination port number with the eq keyword; for HTTP that is port 80:
R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80
This will be the end result. Keep in mind that every IOS access-list ends with an implicit deny for anything that didn’t match an earlier statement, so the second requirement (deny all other traffic) is already met by this single line. Before we apply it to the interface I will add one useful extra statement:
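To make the wildcard-mask rules and the any/host shortcuts described earlier concrete, and to show how the statement we just built is evaluated, here is an added example that is not part of the original lesson and is not IOS code: a small Python model of extended access-list evaluation. It reproduces the semantics the lesson relies on (wildcard bits, top-down first match, the implicit deny at the end of the list) for the statement `access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80`. It only models the eq port operator, and the packets it checks are constructed sample traffic (source port 40000 stands in for a random ephemeral port), not captures from R1 or R2.

```python
"""Model of how Cisco IOS evaluates an extended access-list.

This is an added example for this lesson, not IOS code and not part of the
original page. It reproduces the rules the lesson describes: the wildcard
mask (a 0 bit must match, a 1 bit is "don't care"), the `any` and `host`
shortcuts, top-down first-match evaluation, and the implicit deny at the end
of every list. Only the `eq` port operator is modelled, and the packets are
constructed sample traffic, not captures from R1 or R2.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network under IOS wildcard-mask semantics.

    Bits set to 1 in the wildcard are ignored; every other bit of addr
    must equal the corresponding bit of network.
    """
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0      # 0 = no port (e.g. ICMP)
    dport: int = 0


@dataclass
class Entry:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches any IP protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # destination port given with "eq"


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]' line.

    <src> and <dst> are 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
    """
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended access-list statement: {line!r}")
    action, proto = tok[2], tok[3]
    pos = 4

    def take_address():
        nonlocal pos
        if tok[pos] == "any":                     # shortcut for 0.0.0.0 255.255.255.255
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":                    # shortcut for A.B.C.D 0.0.0.0
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    src, src_wc = take_address()
    dst, dst_wc = take_address()
    dport = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return Entry(action, proto, src, src_wc, dst, dst_wc, dport)


def matches(entry: Entry, pkt: Packet) -> bool:
    """Does this single statement match the packet?"""
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, entry.src, entry.src_wc):
        return False
    if not wildcard_match(pkt.dst, entry.dst, entry.dst_wc):
        return False
    return entry.dport is None or pkt.dport == entry.dport


def evaluate(acl: list[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"   # implicit "deny ip any any" at the end of every IOS access-list


# The single statement built in the lesson.
ACL_100 = [parse_entry("access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80")]

# Constructed sample packets (ephemeral source port 40000 stands in for a random one).
SAMPLE_PACKETS = {
    "http from 1.1.1.1 to 2.2.2.2": Packet("tcp", "1.1.1.1", "2.2.2.2", 40000, 80),
    "http from 1.1.1.1 to 2.2.2.1": Packet("tcp", "1.1.1.1", "2.2.2.1", 40000, 80),
    "ssh  from 1.1.1.1 to 2.2.2.2": Packet("tcp", "1.1.1.1", "2.2.2.2", 40000, 22),
    "icmp from 1.1.1.1 to 2.2.2.2": Packet("icmp", "1.1.1.1", "2.2.2.2"),
    "http from 1.1.2.1 to 2.2.2.2": Packet("tcp", "1.1.2.1", "2.2.2.2", 40000, 80),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name}: {evaluate(ACL_100, pkt)}")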
Hi Rene,
Very Good document on access-list , easy to understand . There are lot of options like
established, precedence etc. Any of your post explain about these options in detail.?
Thanks,
Srini
Hi Srini,
Let’s take a look at the different IP options:
... Continue reading in our forumThe safest approach is to set QoS in both directions. At my company, we are concerned with prioritizing VOIP, print jobs, and SSH. VOIP is a bit easier since the VOIP server and phones automatically mark their traffic as DSCP EF, so we just trust those markings, but with the others, we do, in fact, mark them similar to the example I provided earlier where the classifier for return trip looks to the source port, not the destination.
If you knew that your remote sites, for example, had more of a problem with downloads saturating the bandwidth than uploads, you
... Continue reading in our forumHello Rene/Laz,
I apologize because my question may not be completely relevant to the topic. However, I would really like to get some help if possible.
Would you please provide me a template for Border inbound ACL at the internet WAN router on the WAN interface? So far this is what I have found. Please let me know if I am missing anything.
... Continue reading in our forumHello AZM
It’s a good start and you cover most of the issues that can affect the edge. You will also need to examine your network and see what additional traffic you can deny, that is, traffic that you know is invalid for your network. For example, if you will never have an FTP session initiated from the Internet to an internal host, you can block that particular port as well.
Take a look at this Cisco documentation that describes best practices for ACLs at the edge, as they are the first line of defense of your network:
https://www.cisco.com/c/en/us/support/
... Continue reading in our forum