
Cisco Access Control Lists (ACL)
By Joshua Erdman, Digital Foundation, inc.

The Cisco access control list (ACL) is probably the most commonly used object in the IOS. It is not only used for packet filtering (a type of firewall) but also for selecting types of traffic to be analyzed, forwarded, or influenced in some way.

Access Control List Types
Cisco ACLs are divided into types: Standard IP, Extended IP, IPX, AppleTalk, etc. Here we will just go over the standard and extended access lists for TCP/IP. As you create ACLs you assign a number to each list; however, each type of list is limited to an assigned range of numbers. This makes it very easy to determine what type of ACL you are working with.

TCP/IP Access Lists
You can have up to 99 Standard IP Access Lists, numbered from 1 to 99. The Extended IP Access Lists are assigned the number range 100 to 199. The most common use of the Extended IP access list is for creating a packet filtering firewall. This is where you specify the allowed destinations of each packet from an allowed source.

Standard IP Access Lists
A Standard Access List only allows you to permit or deny traffic from specific IP addresses. The destination of the packet and the ports involved do not matter. Here is an example:

    access-list 10 permit 192.168.3.0 0.0.0.255

This list allows traffic from all addresses in the range 192.168.3.0 to 192.168.3.255. You can see how the last entry looks similar to a subnet mask, but Cisco ACLs use inverse subnet masks (wildcard masks): a 0 bit in the mask must match and a 1 bit is ignored. Also realize that by default, there is an implicit deny added to every access list. If you entered the command:

    show access-list 10

The output would be:

    access-list 10 permit 192.168.3.0 0.0.0.255
    access-list 10 deny any

Extended IP Access Lists
Extended ACLs allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. They also allow you to specify different types of traffic such as ICMP, TCP, UDP, etc. Needless to say, this is very granular and allows you to be very specific. If you intend to create a packet filtering firewall to protect your network, it is an Extended ACL that you will need to create.

Typically you would allow outgoing traffic and incoming initiated traffic. This is called an established connection. In other words, you want your users to be able to connect to web servers on the Internet for browsing, but you do not want anyone on the Internet to be able to connect to your machines. This will require 2 ACLs:

• One to limit the users on the company network to only using a web browser (so this will block outgoing FTP, e-mail, online gaming, Napster, Kazaa, etc.)
• The other access list will only allow incoming traffic from the Internet that has been initiated from a machine on the inside.

Let's see what our access lists would look like for starters.

Assumptions:
    internal network: 63.36.9.0
    access-list 101 - applied to traffic leaving the office (outgoing)
    access-list 102 - applied to traffic entering the office (incoming)

ACL 101
    access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 102
    access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established

ACL 101
As you can see, ACL 101 says to permit traffic originating from any address on the 63.36.9.0 network. The 'any' statement means that the traffic is allowed to have any destination address, with the limitation of going to port 80 (which is the web port for HTTP). If you only use this access list you have completely accomplished limiting your users to nothing more on the Internet than browsing from website to website. However, this is still only half of the solution: you have taken no action on the incoming traffic. The Internet still has full access to all the IPs and all the ports. This leaves you vulnerable.

ACL 102
Since you only want your users to be able to browse the Internet, you must block all incoming traffic except for the established connections in which the websites are replying to a computer on your network. Doing this is impossible unless you use the 'established' keyword. ACL 102 simply states to permit established traffic from anywhere to all computers within our 63.36.9.0 network. Now that we are familiar with the 'established' keyword, you may ask why access-list 102 does not read:

    access-list 102 permit tcp any any established

In this situation this works just as well, but because it is not as specific, it is considered a hole or an area of vulnerability (especially if you ever got another block of IP addresses).

Activating an Access Control List
Now that you have created these ACLs, they are useless until you declare them to be used in some way. As of right now they are inactive lists doing nothing. Our next article will cover applying ACLs on interfaces and how to specify if the ACL is for incoming or outgoing traffic on that interface.
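The following Python model is an added worked example and is not part of the original article or of Cisco IOS. It covers both the standard list above (wildcard masks and the implicit deny) and the extended lists ACL 101 and ACL 102: each entry is evaluated top down, the first match decides, and a packet that matches nothing is dropped. The 'established' keyword is modelled as "TCP segment with the ACK (or RST) bit set", which is how IOS evaluates it, so it never matches the first packet of a connection coming in from the Internet; the interface binding (inbound/outbound) is left out because the article defers it to the next part. The Entry and Packet types, the sample addresses 198.51.100.5 and 63.36.10.5, and the list named ACL_102_LOOSE are constructed for this example.

```python
# Added example (not from the original article): a minimal simulator of how an
# IOS standard or extended IP access list evaluates a packet, used to work
# through ACL 10, ACL 101 and ACL 102 from the text.
from dataclasses import dataclass
from typing import List, Optional


def ip_to_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """Cisco wildcard (inverse) mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(packet_ip) & care) == (ip_to_int(acl_ip) & care)


def subnet_to_wildcard(mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255, the inverse mask the article describes."""
    inv = ~ip_to_int(mask) & 0xFFFFFFFF
    return ".".join(str((inv >> shift) & 0xFF) for shift in (24, 16, 8, 0))


@dataclass
class Entry:
    """One access-list line. 'any' is 0.0.0.0 255.255.255.255 (hypothetical type)."""
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    proto: str = "ip"                # standard lists match on source only, so proto stays 'ip'
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None   # 'eq <port>' on the destination
    established: bool = False        # TCP with ACK or RST set, i.e. a reply in an existing session


@dataclass
class Packet:
    """Just the header fields the lists above look at (hypothetical type)."""
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: Optional[int] = None
    ack: bool = False                # True on segments belonging to an existing TCP session


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wc):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    if e.dst_port is not None and p.dst_port != e.dst_port:
        return False
    if e.established and not (p.proto == "tcp" and p.ack):
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; if nothing matches, the implicit 'deny any' applies."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"


# The three lists from the article, as data.
ACL_10 = [Entry("permit", src="192.168.3.0", src_wc="0.0.0.255")]
ACL_101 = [Entry("permit", proto="tcp", src="63.36.9.0", src_wc="0.0.0.255", dst_port=80)]
ACL_102 = [Entry("permit", proto="tcp", dst="63.36.9.0", dst_wc="0.0.0.255", established=True)]
# The less specific variant the article warns about: 'permit tcp any any established'.
ACL_102_LOOSE = [Entry("permit", proto="tcp", established=True)]

if __name__ == "__main__":
    print(subnet_to_wildcard("255.255.255.0"))                                   # 0.0.0.255
    print(evaluate(ACL_10, Packet("192.168.3.77", "10.0.0.1")))                 # permit
    print(evaluate(ACL_10, Packet("192.168.4.1", "10.0.0.1")))                  # deny (implicit)
    print(evaluate(ACL_101, Packet("63.36.9.20", "198.51.100.5", dst_port=80))) # permit (web)
    print(evaluate(ACL_101, Packet("63.36.9.20", "198.51.100.5", dst_port=21))) # deny (FTP)
    # Reply from the web server carries ACK, so 'established' matches.
    print(evaluate(ACL_102, Packet("198.51.100.5", "63.36.9.20", dst_port=40000, ack=True)))  # permit
    # A new connection attempt from the Internet has no ACK and is blocked.
    print(evaluate(ACL_102, Packet("198.51.100.5", "63.36.9.20", dst_port=80)))               # deny
```

Run it as a script to print the decisions above. The last two lists show the article's point about specificity: a constructed reply addressed to 63.36.10.5, outside the company block, is denied by ACL_102 but permitted by ACL_102_LOOSE, because `any any established` never checks which destination is being reached.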

Access List Commands

show access-lists - Displays all access lists and their parameters configured on the router. This command doesn't show which interface the list is configured on.
show access-list [list #] - Shows only the parameters for the access list specified. This command does not show you the interface the list is configured on.
show ip access-list - Shows only the IP access lists configured on the router.
show ipx access-list - Shows only the IPX access lists configured on the router.
show ip interface - Shows which interfaces have IP access lists on them.
show ipx interface - Shows which interfaces have IPX access lists on them.
show running-config - Shows the access lists and which interfaces have access lists set.
any - Keyword used to represent all hosts or networks; replaces 0.0.0.0 255.255.255.255 in an access list.
host - Keyword that specifies that an address should have a wildcard mask of 0.0.0.0 (i.e. it will match only 1 host).
clear access-list counter [list#] - Clears the extended access list counter of the number of matches per line of the access list.
-1 - Applies to any IPX network or any protocol when used in extended IPX access lists.
0 - Used for all sockets in extended IPX access lists.
ip access-group - Applies an IP access list to an interface.
ipx access-group - Applies an IPX access list to an interface.
ipx input-sap-filter - Applies an inbound IPX SAP filter to an interface.
ipx output-sap-filter - Applies an outbound IPX SAP filter to an interface.

Access List Ranges

Access List Type            Number
Standard IP Access Lists    1-99
Extended IP Access Lists    100-199
Standard IPX Access Lists   800-899
Extended IPX Access Lists   900-999
IPX SAP Filters             1000-1099

Standard Access List Syntax

IP access list:
    access-list 1-99 {permit|deny} address mask

Variable - Definition
1-99 - Standard IP access lists are represented by a number ranging from 1-99, or by text names with IOS 11.2 or greater.
{permit|deny} - Used to specify the nature of the access list, either a permit or deny statement.
address - The IP address of the source.
mask - A wildcard mask, or inverse mask, applied to determine which bits of the source address are significant.

Extended Access List Syntax

IP access list:
    access-list 100-199 {permit|deny} {ip|tcp|udp|icmp} source source-mask [lt|gt|eq|neq] [source-port] destination dest-mask [lt|gt|eq|neq] [dest-port] [log]

Variable - Definition
100-199 - Extended IP access lists are represented by a number ranging from 100-199, or by text names with IOS 11.2 or greater.
{permit|deny} - Used to specify the nature of the access list, either a permit or deny statement.
{ip|tcp|udp|icmp} - The IP protocol to be filtered. Can be IP (includes all protocols in the TCP/IP suite), TCP, UDP, ICMP, or others.
source - The IP address of the source.
source-mask - A wildcard mask, or inverse mask, applied to determine which bits of the source address are significant.
[lt|gt|eq|neq] - Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number or range of ports.
[source-port] - If necessary, the source port number of the protocol to be filtered.
destination - The IP address of the destination.
dest-mask - A wildcard mask, or inverse mask, applied to determine which bits of the destination address are significant.
[lt|gt|eq|neq] - Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used if an extended list filters by a specific port number or range of ports.
[dest-port] - If necessary, the destination port number of the protocol to be filtered.
[log] - Turns on logging of access list activity.
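As an added example (not from the article and not Cisco code), the parser below reads numbered access-list lines according to the two syntax tables above. It uses the Access List Ranges table to decide whether a line is a standard or an extended IP list and then applies the matching grammar, accepting the `any` and `host` keywords from the command table. It is a strict reader of what this article documents: named lists, IPX lists, port names such as `www`, and keywords beyond `established` and `log` are rejected rather than guessed at. The function names, the sample line with number 110, and the `access-list 200` line used to show the range check are constructed for this example.

```python
# Added example (not from the original article): a parser for the numbered IOS
# access-list syntax documented in the tables above. The list number is
# classified with the Access List Ranges table; only the two IP grammars are read.
import re
from typing import Any, Dict, List

RANGES = {
    "Standard IP": (1, 99),
    "Extended IP": (100, 199),
    "Standard IPX": (800, 899),
    "Extended IPX": (900, 999),
    "IPX SAP Filter": (1000, 1099),
}
OPERATORS = {"lt", "gt", "eq", "neq"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def list_type(number: int) -> str:
    """Map a list number onto its type using the documented ranges."""
    for name, (lo, hi) in RANGES.items():
        if lo <= number <= hi:
            return name
    raise ValueError(f"access list number {number} is outside every documented range")


def _address(tokens: List[str]) -> Dict[str, str]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return address and wildcard."""
    if not tokens:
        raise ValueError("missing address")
    tok = tokens.pop(0)
    if tok == "any":                       # shorthand for 0.0.0.0 255.255.255.255
        return {"address": "0.0.0.0", "wildcard": "255.255.255.255"}
    if tok == "host":                      # shorthand for a wildcard of 0.0.0.0
        if not tokens:
            raise ValueError("'host' needs an address")
        return {"address": tokens.pop(0), "wildcard": "0.0.0.0"}
    if not IPV4.match(tok):
        raise ValueError(f"expected an address, got {tok!r}")
    if not tokens:
        raise ValueError(f"address {tok} needs a wildcard mask")
    return {"address": tok, "wildcard": tokens.pop(0)}


def _port(tokens: List[str]) -> Dict[str, Any]:
    """Optional '[lt|gt|eq|neq] port' clause; numeric ports only in this example."""
    if tokens and tokens[0] in OPERATORS:
        op = tokens.pop(0)
        if not tokens:
            raise ValueError(f"operator {op!r} needs a port number")
        return {"op": op, "port": int(tokens.pop(0))}
    return {}


def parse_acl(line: str) -> Dict[str, Any]:
    """Parse one 'access-list <number> {permit|deny} ...' line into a dict."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "access-list":
        raise ValueError("line must start with 'access-list <number> {permit|deny}'")
    number, action = int(tokens[1]), tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, got {action!r}")
    kind = list_type(number)
    entry: Dict[str, Any] = {"number": number, "type": kind, "action": action}
    rest = tokens[3:]
    if kind == "Standard IP":
        src = _address(rest)                       # standard lists: source only
        entry.update(source=src["address"], source_mask=src["wildcard"])
        if rest:
            raise ValueError(f"unrecognised trailing tokens: {rest}")
    elif kind == "Extended IP":
        if not rest or rest[0] not in PROTOCOLS:
            raise ValueError("extended list needs a protocol of ip, tcp, udp or icmp")
        entry["protocol"] = rest.pop(0)
        src = _address(rest)
        entry.update(source=src["address"], source_mask=src["wildcard"])
        entry["source_port"] = _port(rest)
        dst = _address(rest)
        entry.update(destination=dst["address"], dest_mask=dst["wildcard"])
        entry["dest_port"] = _port(rest)
        entry["established"] = "established" in rest
        entry["log"] = "log" in rest
        leftover = [t for t in rest if t not in ("established", "log")]
        if leftover:
            raise ValueError(f"unrecognised trailing tokens: {leftover}")
    else:
        raise ValueError(f"{kind} lists are not parsed by this example")
    return entry


if __name__ == "__main__":
    for sample in (
        "access-list 10 permit 192.168.3.0 0.0.0.255",
        "access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80",
        "access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established",
    ):
        print(parse_acl(sample))
```

Each returned dict names the fields exactly as the syntax tables do, so a reviewer can diff a running configuration against an intended policy without reading raw IOS lines; a line whose number falls outside the documented ranges is refused instead of being silently treated as some other type.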