By Joshua Erdman
Digital Foundation, inc.
The Cisco access control list (ACL) is probably the most commonly used object in the
IOS. It is not only used for packet filtering (a type of firewall) but also for selecting types
of traffic to be analyzed, forwarded, or influenced in some way.
As you create ACLs you assign a number to each list; each type of list, however, is limited to an assigned range of numbers. This makes it very easy to determine what type of ACL you are working with.
Here is an example:
This list allows traffic from all addresses in the range 192.168.3.0 to 192.168.3.255.
You can see that the last entry looks similar to a subnet mask, but Cisco ACLs use inverse subnet masks (wildcard masks). Also be aware that, by default, an implicit deny is added to the end of every access list. If you entered the command:
show access-list 10
The output would be:
Typically you would allow outgoing traffic and incoming traffic that was initiated from the inside. In other words, you want your users to be able to connect to web servers on the Internet for browsing, but you do not want anyone on the Internet to be able to connect to your machines. This requires two ACLs:
• One that limits the users on the company network to using only a web browser (so it will block outgoing FTP, e-mail, Kazaa, Napster, online gaming, etc.)
• One that only allows incoming traffic from the Internet that was initiated by a machine on the inside. This is called an established connection.
Let's see what our access list would look like for starters:
Assumptions:
internal network: 63.36.9.0
ACL 101
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80
ACL 102
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established
ACL 101
As you can see, ACL 101 says to permit traffic originating from any address on the 63.36.9.0 network. The 'any' statement means that the traffic is allowed to have any destination address, with the limitation that it must go to port 80 (the web port for HTTP). This is still only half of the solution. If you use only this access list you have completely limited your users to nothing more on the Internet than browsing from website to website. However, you have taken no action on the incoming traffic. The Internet still has full access to all of your IPs and all of their ports. This leaves you vulnerable.
ACL 102
Since you only want your users to be able to browse the Internet, you must block all incoming traffic except for the established connections in which websites are replying to a computer on your network. Doing this is impossible unless you use the 'established' keyword.
Now that we are familiar with the 'established' keyword, ACL 102 simply states to permit established traffic from anywhere to all computers within our 63.36.9.0 network. In this situation that works just as well, but because it is not as specific, it is considered a hole or an area of vulnerability (especially if you ever get another block of IP addresses).
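To make the behaviour described above concrete, here is a small evaluator, added as an example and not part of the original article, that parses the numbered ACL lines shown on this page (standard lists with a source wildcard, extended lists with 'eq' on the destination port and 'established') and applies them to constructed packets, first match wins, with the implicit deny at the end. The packet record and the 'established' flag (TCP ACK or RST bit set) are assumptions of this example; the 'host' keyword and the lt/gt/neq operators are not evaluated.

```python
import ipaddress
from collections import namedtuple

# Constructed packet record; 'established' means the TCP ACK or RST bit is set (a reply in a session).
Packet = namedtuple("Packet", "proto src dst dport established", defaults=(0, False))

def wildcard_match(addr, network, wildcard):
    """Cisco inverse mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0

def parse_addr(t, i):
    """Consume 'any' or 'network wildcard' at t[i]; return (network, wildcard, next index)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return t[i], t[i + 1], i + 2

def parse_ace(line):
    """Parse one numbered access-list entry: standard (1-99) or extended (100-199)."""
    t = line.split()
    ace = {"action": t[2], "dport": None, "established": False}
    if int(t[1]) <= 99:                   # standard list: filters on source address only
        ace["proto"], ace["dst"], ace["dst_wc"] = "ip", "0.0.0.0", "255.255.255.255"
        ace["src"], ace["src_wc"], _ = parse_addr(t, 3)
    else:                                 # extended list
        ace["proto"] = t[3]
        ace["src"], ace["src_wc"], i = parse_addr(t, 4)
        if i < len(t) and t[i] in ("eq", "lt", "gt", "neq"):
            i += 2                        # optional source-port operator (parsed, not evaluated)
        ace["dst"], ace["dst_wc"], i = parse_addr(t, i)
        rest = t[i:]
        if "eq" in rest:                  # only 'eq' is implemented for the destination port
            ace["dport"] = int(rest[rest.index("eq") + 1])
        ace["established"] = "established" in rest
    return ace

def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt.proto)
            and wildcard_match(pkt.src, ace["src"], ace["src_wc"])
            and wildcard_match(pkt.dst, ace["dst"], ace["dst_wc"])
            and (ace["dport"] is None or pkt.dport == ace["dport"])
            and (not ace["established"] or pkt.established))

def evaluate(acl, pkt):
    """First matching entry wins; the implicit deny at the end catches everything else."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny"
```

Feeding ACL 101 an outbound FTP packet, or ACL 102 an inbound SYN without the ACK bit, falls through every entry and lands on the implicit deny, which is exactly the behaviour the two lists are meant to produce.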
IP
access-list 1-99 {permit|deny} address mask

Variable       Definition
1-99           Standard IP access lists are represented by a number ranging from 1-99, or by text names with IOS 11.2 or greater.
{permit|deny}  Specifies the nature of the access list entry: either a permit or a deny statement.
address        The IP address of the source.
mask           A wildcard mask, or inverse mask, applied to determine which bits of the source address are significant.
Extended Access List Syntax
IP
access-list 100-199 {permit|deny} {ip|tcp|udp|icmp} source source-mask [lt|gt|eq|neq] [source-port] destination dest-mask [lt|gt|eq|neq] [dest-port] [log]

Variable           Definition
100-199            Extended IP access lists are represented by a number ranging from 100-199, or by text names with IOS 11.2 or greater.
{permit|deny}      Specifies the nature of the access list entry: either a permit or a deny statement.
{ip|tcp|udp|icmp}  The IP protocol to be filtered: IP (which includes all protocols in the TCP/IP suite), TCP, UDP, ICMP, or others.
source             The IP address of the source.
source-mask        A wildcard mask, or inverse mask, applied to determine which bits of the source address are significant.
[lt|gt|eq|neq]     lt (less than), gt (greater than), eq (equal to), or neq (not equal to). Used when an extended list filters by a specific source port number or range of ports.
[source-port]      If necessary, the source port number of the protocol to be filtered.
destination        The IP address of the destination.
dest-mask          A wildcard mask, or inverse mask, applied to determine which bits of the destination address are significant.
[lt|gt|eq|neq]     lt (less than), gt (greater than), eq (equal to), or neq (not equal to). Used when an extended list filters by a specific destination port number or range of ports.
[dest-port]        If necessary, the destination port number of the protocol to be filtered.
[log]              Turns on logging of access list activity.