
With Access Lists, you can filter traffic on your Cisco Router.

It filters only traffic coming into or going through the router; it does not filter traffic that originates from the router itself. It is a kind of "firewall" feature: you can permit or deny traffic from or to a network or host, and you can filter on specific ports. It is usable for "basic" security. For complex firewall settings, better use a "real" firewall, because too much filtering can make the device slower: every packet has to be checked, and the more rules are configured, the more the router's CPU has to work.

There are two kinds of Access Lists on Cisco Routers:

1. Standard ACLs
- Numbered from 1-99 (and some higher ranges)
- Filter ONLY on SOURCE IP
- Needed to permit or deny a single source IP or source network access to another network or host

2. Extended ACLs
- Numbered from 100-199 (and some higher ranges)
- Filter on source IP, destination IP, protocol and ports/applications
- Needed to filter only traffic from a specified host or network for specified protocols and ports

ACLs can be identified by numbers or by names.

Handling of Access-Lists

1. Configure some statements.


Example 1: Deny HTTP and Telnet access from a network to a host

    access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 80
    access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 23
    access-list 100 permit ip any any

Example 2: Deny complete IP access from a network (a standard ACL takes only a source, so the final statement is "permit any", not "permit any any")

    access-list 1 deny 143.43.43.0 0.0.0.255
    access-list 1 permit any

Example 3: Deny ping from a network to a host

    access-list 101 deny icmp 132.43.4.0 0.0.0.255 host 145.52.54.9
    access-list 101 permit ip any any

You can also write the host with an all-zero wildcard instead of the "host" keyword:

    access-list 101 deny icmp 132.43.4.0 0.0.0.255 145.52.54.9 0.0.0.0
    access-list 101 permit ip any any

2. Select the interface where the Access List will filter packets.

ALL the statements together build ONE Access List. Bind the ACL to an interface with the command "ip access-group <acl-number> <in or out>":

    interface e0
    ip access-group 101 in

Rules

1. "Last" deny statement of every ACL


At the end of EVERY access-list there is an invisible "access-list <nr> deny ip any any" statement. That is why we have to put an explicit "access-list <nr> permit ip any any" statement at the end of OUR ACL if the remaining traffic should pass.

2. From first to last


When filtering packets, the router checks the statements of the ACL from the first to the last. As soon as a statement matches, the remaining statements are not checked anymore.

Example:

    access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 80
    access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 23
    access-list 100 permit ip any any

If a host with IP 143.43.43.6/24 tries to access the web server 132.32.32.4, it is denied because of the first statement. The second and third statements are not checked in that case. If the same host tries to access the Telnet port of the web server, the first statement is checked first. Because the host does NOT want to reach port 80, the second statement is checked next. The second statement denies Telnet, so the host cannot access the web server via Telnet.
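To make rules 1 and 2 concrete, here is an added Python model of the router's matching logic (not IOS code and not part of the original page): it parses the page's extended ACL 100 lines, applies the wildcard masks, walks the list top to bottom and falls back to the invisible "deny ip any any" when nothing matches. Protocol keywords, port names and the packets fed in are constructed for the example.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is don't-care."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return _to_int(addr) & care == _to_int(base) & care

def _addr_spec(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Returns (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

# A few well-known port names IOS accepts in place of a number (constructed subset)
PORTS = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}

def parse_ace(line):
    """Parse one 'access-list <100-199> <permit|deny> <proto> <src> <dst> [eq <port>]' line."""
    t = line.split()
    if t[0] != "access-list" or not 100 <= int(t[1]) <= 199:
        raise ValueError("only numbered extended ACLs are modelled here: " + line)
    action, proto = t[2], t[3]
    src, src_wc, rest = _addr_spec(t[4:])
    dst, dst_wc, rest = _addr_spec(rest)
    dport = None                      # None = any destination port
    if rest[:1] == ["eq"]:
        dport = int(rest[1]) if rest[1].isdigit() else PORTS[rest[1]]
    return {"action": action, "proto": proto, "src": (src, src_wc), "dst": (dst, dst_wc), "dport": dport}

def evaluate(acl_lines, proto, src, dst, dport=None):
    """First matching statement wins. Returns (action, index of the matching line);
    index -1 means the invisible 'deny ip any any' at the end of every ACL decided."""
    for i, ace in enumerate(map(parse_ace, acl_lines)):
        if ace["proto"] not in ("ip", proto):          # 'ip' matches every protocol
            continue
        if not wildcard_match(src, *ace["src"]) or not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], i
    return "deny", -1

# ACL 100 exactly as written on the page
ACL_100 = [
    "access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 80",
    "access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 23",
    "access-list 100 permit ip any any",
]

if __name__ == "__main__":
    print(evaluate(ACL_100, "tcp", "143.43.43.6", "132.32.32.4", 80))      # ('deny', 0)
    print(evaluate(ACL_100, "tcp", "143.43.43.6", "132.32.32.4", 23))      # ('deny', 1)
    print(evaluate(ACL_100, "tcp", "143.43.43.6", "132.32.32.4", 443))     # ('permit', 2)
    print(evaluate(ACL_100[:2], "tcp", "143.43.43.6", "132.32.32.4", 443))  # ('deny', -1)
```

The last call drops the page's "permit ip any any" line and shows why rule 1 matters: with no explicit permit, the implicit deny blocks the HTTPS connection too.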

3. Placement of ACLs
Put standard ACLs close to the destination host or network that has to be protected. Put extended ACLs close to the source hosts or network from which the traffic originates.

4. You can put ONE ACL per Interface, per Protocol, per Direction
You cannot bind more than one ACL to an interface per protocol and per direction (incoming or outgoing).

5. Single statements of an ACL can NOT be deleted


If you have to change or delete a single statement, you have to delete the whole ACL and write a new one. Only in named access-lists is it possible to change or delete single statements of the ACL.

6. Different terms for different usage


There are different terms which can be confusing:

- access-group: used to bind an access-list to an interface
- access-class: used to deny or permit Telnet access to a router vty line

7. Syntax of an extended ACL


    access-list <number> <permit or deny> <protocol> <source> <wildcard> <destination> <wildcard> eq <portnumber or application>

Example:

    access-list 111 deny tcp 200.20.20.0 0.0.0.255 200.20.30.0 0.0.0.255 eq 23

8. Syntax of a standard ACL


    access-list <number> <permit or deny> <source> <wildcard>
