
Cisco Access Control Lists (ACL)

By Joshua Erdman
Digital Foundation, inc.

The Cisco access control list (ACL) is probably the most commonly used object in the
IOS. It is not only used for packet filtering (a type of firewall) but also for selecting types
of traffic to be analyzed, forwarded, or influenced in some way.

Access Control List Types


Cisco ACLs are divided into types: Standard IP, Extended IP, IPX, AppleTalk, and so on.
Here we will just go over the standard and extended access lists for TCP/IP.

As you create ACLs you assign a number to each list; however, each type of list is
limited to an assigned range of numbers. This makes it very easy to determine what type
of ACL you are working with.

TCP/IP Access Lists


You can have up to 99 Standard IP Access Lists, numbered from 1 to 99; Extended IP
Access Lists are numbered from 100 to 199. The most common use of the Extended IP
access list is creating a packet filtering firewall, where you specify the allowed
destinations of each packet from an allowed source.

Standard IP Access Lists


A Standard Access List only allows you to permit or deny traffic from specific IP
addresses. The destination of the packet and the ports involved do not matter.

Here is an example:

access-list 10 permit 192.168.3.0 0.0.0.255

This list allows traffic from all addresses in the range 192.168.3.0 to 192.168.3.255.

You can see how the last entry looks similar to a subnet mask, but Cisco ACLs use
inverse subnet masks (wildcard masks). Also realize that by default, there is an implicit
deny added to the end of every access list. If you entered the command:

show access-list 10

The output would be:

access-list 10 permit 192.168.3.0 0.0.0.255
access-list 10 deny any

Extended IP Access Lists

Extended ACLs allow you to permit or deny traffic from specific IP addresses to a
specific destination IP address and port. They also allow you to specify different types of
traffic such as ICMP, TCP, UDP, etc. Needless to say, they are very granular and allow you
to be very specific. If you intend to create a packet filtering firewall to protect your
network, it is an Extended ACL that you will need to create.

Typically you would allow outgoing traffic and only the incoming traffic that belongs to
connections initiated from inside. In other words, you want your users to be able to
connect to web servers on the Internet for browsing, but you do not want anyone on the
Internet to be able to connect to your machines. This will require 2 ACLs:

• One to limit our users on the company network to only using a web browser
(so this will block outgoing FTP, e-mail, Kazaa, Napster, online gaming, etc.)

• The other access-list will only allow incoming traffic from the Internet that has
been initiated from a machine on the inside. This is called an established
connection.

Let's see what our access list would look like for starters:

Assumptions:
internal network: 63.36.9.0

access-list 101 - Applied to traffic leaving the office (outgoing)

access-list 102 - Applied to traffic entering the office (incoming)

ACL 101
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 102
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established

ACL 101

As you can see, ACL 101 permits TCP traffic originating from any address on the
63.36.9.0 network. The 'any' keyword means that the traffic is allowed to have any
destination address, with the limitation that it must be going to port 80 (the well-known
port for HTTP). This is still only half of the solution. If you use only this access list, you
have limited your users to nothing more on the Internet than browsing from website to
website. However, you have taken no action on the incoming traffic: the Internet still has
full access to all of your IPs and all of their ports. This leaves you vulnerable.

ACL 102

Since you only want your users to be able to browse the Internet, you must block all
incoming traffic except for the established connections in which the websites are replying
to a computer on your network. Doing this is impossible unless you use the 'established'
keyword.

Now that we are familiar with the 'established' keyword, ACL 102 simply states to
permit established TCP traffic from anywhere to all computers within our 63.36.9.0 network.

You may ask why access-list 102 does not read:

access-list 102 permit tcp any any established

In this situation this works just as well, but because it is not as specific, it is considered a
hole or an area of vulnerability (especially if you ever get another block of IP addresses).
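
As an added example that is not part of the original article, the following Python models
how IOS evaluates the lists discussed above: entries are checked in order and the first
match wins, a packet that matches nothing falls through to the implicit deny, the wildcard
mask is applied bit by bit, and 'established' only tests whether the TCP ACK (or RST) bit
is set. The packet fields, the outside web server address 198.51.100.10, the host 63.36.10.5
(an address outside the assumed 63.36.9.0 block), and the helper names are constructed
for this example.

```python
# Added example (not from the original article): a minimal model of how IOS
# evaluates the standard and extended IP ACLs discussed above.  The packet
# fields, the sample addresses and the helper names are assumptions of this
# example, not part of the page.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard (inverse) mask: a 0 bit must match, a 1 bit is don't-care.
    So 0.0.0.255 fixes the first three octets and ignores the last one."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Packet:
    """Constructed packet header; only the fields an ACL entry can test."""
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    ack: bool = False  # TCP ACK (or RST) bit set: a reply, not a new connection


@dataclass
class Entry:
    """One access-list line. The defaults give 'ip any any' semantics."""
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # "ip" matches every IP protocol
    src: str = "0.0.0.0"              # 'any' == 0.0.0.0 255.255.255.255
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None       # 'eq <port>' on the destination
    established: bool = False         # 'established' keyword

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # 'established' is stateless: it only checks the ACK/RST bit, so a
        # SYN (new inbound connection) fails while any reply segment passes.
        if self.established and not p.ack:
            return False
        return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins. A packet that matches no entry hits the
    implicit 'deny any' that IOS appends to every list."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


# The lists from the article, expressed as entries.
ACL_10 = [Entry("permit", "ip", "192.168.3.0", "0.0.0.255")]
ACL_101 = [Entry("permit", "tcp", "63.36.9.0", "0.0.0.255", dport=80)]
ACL_102 = [Entry("permit", "tcp", dst="63.36.9.0", dst_wc="0.0.0.255",
                 established=True)]
# The looser variant the article warns about: 'permit tcp any any established'.
ACL_102_LOOSE = [Entry("permit", "tcp", established=True)]


def outbound(src: str, dport: int) -> str:
    """Decision of ACL 101 for a new connection from an inside host."""
    return evaluate(ACL_101, Packet(src, "198.51.100.10", "tcp", 40000, dport))


def inbound(acl: List[Entry], dst: str, ack: bool) -> str:
    """Decision of an inbound list for the outside web server talking to dst."""
    return evaluate(acl, Packet("198.51.100.10", dst, "tcp", 80, 40000, ack))


if __name__ == "__main__":
    print("ACL 10, 192.168.3.77 source      ->", evaluate(ACL_10, Packet("192.168.3.77", "10.0.0.1")))
    print("ACL 10, 192.168.4.1 source       ->", evaluate(ACL_10, Packet("192.168.4.1", "10.0.0.1")))
    print("ACL 101, inside host to port 80  ->", outbound("63.36.9.20", 80))
    print("ACL 101, inside host to port 21  ->", outbound("63.36.9.20", 21))
    print("ACL 102, reply to inside host    ->", inbound(ACL_102, "63.36.9.20", True))
    print("ACL 102, new SYN to inside host  ->", inbound(ACL_102, "63.36.9.20", False))
    print("ACL 102, reply to 63.36.10.5     ->", inbound(ACL_102, "63.36.10.5", True))
    print("loose 102, reply to 63.36.10.5   ->", inbound(ACL_102_LOOSE, "63.36.10.5", True))
```

Run it directly to print each decision. The last two lines show why the article prefers the
specific destination in ACL 102: a reply aimed at an address you do not own is denied by
102 but passed by the 'any any' variant. The model also makes the limitation of
'established' visible: it is not a stateful check, it matches any segment with ACK or RST
set whether or not a connection actually exists, so only new inbound connections (SYN) are
stopped.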

Activating an Access Control List


Now that you have created these ACLs, they are useless until you apply them somewhere.
As of right now they are inactive lists doing nothing. Our next article will cover
applying ACLs to interfaces and how to specify whether the ACL is for incoming or
outgoing traffic on that interface.

Access List Commands

Command                            Description
show access-lists                  Displays all access lists and their parameters
                                   configured on the router. This command doesn't show
                                   which interface the list is configured on.
show access-list [list #]          Shows only the parameters for the access list
                                   specified. This command does not show you the
                                   interface the list is configured on.
show ip access-list                Shows only the IP access lists configured on the router.
show ipx access-list               Shows only the IPX access lists configured on the router.
show ip interface                  Shows which interfaces have IP access lists on them.
show ipx interface                 Shows which interfaces have IPX access lists on them.
show running-config                Shows the access lists and which interfaces have access
                                   lists set.
any                                Keyword used to represent all hosts or networks;
                                   replaces 0.0.0.0 255.255.255.255 in an access list.
host                               Keyword that specifies that an address should have a
                                   wildcard mask of 0.0.0.0 (i.e. will match only 1 host).
clear access-list counter [list#]  Clears the extended access list counter of the number of
                                   matches per line of the access list.
-1                                 Applies to any IPX network or any protocol when used
                                   in extended IPX access lists.
0                                  Used for all sockets in extended IPX access lists.
ip access-group                    Applies an IP access list to an interface.
ipx access-group                   Applies an IPX access list to an interface.
ipx input-sap-filter               Applies an inbound IPX SAP filter to an interface.
ipx output-sap-filter              Applies an outbound IPX SAP filter to an interface.

Access List Ranges

Access List Type                   Number
Standard IP Access Lists           1-99
Extended IP Access Lists           100-199
Standard IPX Access Lists          800-899
Extended IPX Access Lists          900-999
IPX SAP Filters                    1000-1099

Standard Access List Syntax

IP
access-list 1-99 {permit|deny} address mask

Variable            Definition
1-99                Standard IP access lists are represented by a number ranging
                    from 1-99, or by text names with IOS 11.2 or greater.
{permit|deny}       Used to specify the nature of the access list, either a permit or
                    deny statement.
address             The IP address of the source.
mask                A wildcard mask, or inverse mask, applied to determine which
                    bits of the source address are significant.

Extended Access List Syntax

IP
access-list 100-199 {permit|deny} {ip|tcp|udp|icmp} source source-mask [lt|gt|eq|neq] [source-port] destination dest-mask [lt|gt|eq|neq] [dest-port] [log]

Variable            Definition
100-199             Extended IP access lists are represented by a number
                    ranging from 100-199, or by text names with IOS 11.2 or
                    greater.
{permit|deny}       Used to specify the nature of the access list, either a permit
                    or deny statement.
{ip|tcp|udp|icmp}   The IP protocol to be filtered: IP (includes all
                    protocols in the TCP/IP suite), TCP, UDP, ICMP, or others.
source              The IP address of the source.
source-mask         A wildcard mask, or inverse mask, applied to determine
                    which bits of the source address are significant.
[lt|gt|eq|neq]      Can contain lt (less than), gt (greater than), eq (equal to),
                    or neq (not equal to). It is used if an extended list filters
                    by a specific source port number or range of ports.
[source-port]       If necessary, the source port number of the protocol to be
                    filtered.
destination         The IP address of the destination.
dest-mask           A wildcard mask, or inverse mask, applied to determine
                    which bits of the destination address are significant.
[lt|gt|eq|neq]      Can contain lt (less than), gt (greater than), eq (equal to),
                    or neq (not equal to). It is used if an extended list filters
                    by a specific destination port number or range of ports.
[dest-port]         If necessary, the destination port number of the protocol
                    to be filtered.
[log]               Turns on logging of access list activity.
