
Cisco Access Control Lists (ACL)

By Joshua Erdman
Digital Foundation
The Cisco access control list (ACL) is probably the most commonly used object in the IOS. It is
not only used for packet filtering (a type of firewall) but also for selecting types of traffic to be
analyzed, forwarded, or influenced in some way.
Access Control List Types
Cisco ACLs are divided into types: Standard IP, Extended IP, IPX, AppleTalk, etc. Here we will
just go over the standard and extended access lists for TCP/IP.
As you create ACLs you assign a number to each list; however, each type of list is limited to an
assigned range of numbers. This makes it very easy to determine what type of ACL you are
working with.
TCP/IP Access Lists
You can have up to 99 Standard IP Access Lists, numbered from 1 to 99; the Extended IP
Access List number range is 100 to 199. The most common use of the Extended IP access list
is to create a packet filtering firewall. This is where you specify the allowed destinations of
each packet from an allowed source.
Standard IP Access Lists
A Standard Access List only allows you to permit or deny traffic from specific IP addresses.
The destination of the packet and the ports involved do not matter.
Here is an example:
access-list 10 permit 192.168.3.0 0.0.0.255
This list allows traffic from all addresses in the range 192.168.3.0 to 192.168.3.255.
The last field looks similar to a subnet mask, but Cisco ACLs use inverse subnet masks. Also
realize that by default, an implicit deny is added to the end of every access list. If you
entered the command:
show access-list 10
The output would be:
access-list 10 permit 192.168.3.0 0.0.0.255
access-list 10 deny any
Extended IP Access Lists
Extended ACLs allow you to permit or deny traffic from specific IP addresses to a specific
destination IP address and port. They also allow you to specify different types of traffic such
as ICMP, TCP, UDP, etc. Needless to say, this is very granular and allows you to be very
specific. If you intend to create a packet filtering firewall to protect your network, it is an
Extended ACL that you will need to create.
Typically you would allow outgoing traffic and incoming traffic that was initiated from the
inside. In other words, you want your users to be able to connect to web servers on the
Internet for browsing, but you do not want anyone on the Internet to be able to connect to
your machines. This requires two ACLs. One limits the users on the company network to using
only a web browser (so it will block outgoing FTP, e-mail, Kazaa, Napster, online gaming,
etc.). The other access list only allows incoming traffic from the Internet that was initiated
from a machine on the inside. This is called an established connection. Let's see what our
access lists would look like for starters:
Assumptions:
internal network: 63.36.9.0

access-list 101 - Applied to traffic leaving the office (outgoing)

access-list 102 - Applied to traffic entering the office (incoming)

ACL 101
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 102
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established
ACL 101
As you can see, ACL 101 says to permit traffic originating from any address on the 63.36.9.0
network. The 'any' statement means that the traffic is allowed to have any destination address,
with the limitation of going to port 80 (the web port for HTTP). This is still only half of the
solution. If you only use this access list, you have limited your users to doing nothing more on
the Internet than browsing from website to website. However, you have taken no action on the
incoming traffic. The Internet still has full access to all the IPs and all the ports. This leaves
you vulnerable.
ACL 102
Since you only want your users to be able to browse the Internet, you must block all incoming
traffic except for the established connections in which the websites are replying to a computer
on your network. Doing this is impossible unless you use the 'established' command.
Now that we are familiar with the 'established' command, ACL 102 simply states to permit
established traffic from anywhere to all computers within our 63.36.9.0 network.
You may ask why access-list 102 does not read:
access-list 102 permit tcp any any established
In this situation this works just as well, but because it is not as specific, it is considered a hole
or an area of vulnerability (especially if you ever get another block of IP addresses).
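The behaviour described in the last two sections (source matching with inverse masks, the implicit deny at the end of every list, first match wins, and the 'established' keyword) is easy to check with a small simulator. What follows is an added example written for this page, not code from the article or from Cisco: it parses access-list lines in the syntax used here, decides permit or deny for a constructed packet, and treats 'established' the way IOS does, as requiring the TCP ACK or RST bit to be set. It also accepts the gt, lt and range port operators that the later article on advanced ACLs introduces. The Packet and Entry types, the function names, the test packets and the 198.51.100.10 web server address are all assumptions made for the example.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")      # 'any' = base 0.0.0.0, every bit a don't-care
_PORT_OPS = {"eq": lambda p, a, b: p == a, "gt": lambda p, a, b: p > a,
             "lt": lambda p, a, b: p < a, "range": lambda p, a, b: a <= p <= b}

# One parsed access-list line. src/dst are (base, inverse mask); sport/dport are
# (op, port, last_port) or None; proto is "ip" for standard lists, which ignore it.
Entry = namedtuple("Entry", "action proto src sport dst dport established")

@dataclass
class Packet:
    proto: str             # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False      # TCP ACK or RST bit set, which is what 'established' tests

def wildcard_match(addr, base, wildcard):
    """Inverse mask: a 1 bit is 'don't care', a 0 bit must equal the base."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _parse_addr(tokens, i):
    """Consume 'any', 'host A', 'A W' or a bare 'A' (mask 0.0.0.0) at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ANY, i + 1
    if t == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    try:
        ipaddress.IPv4Address(tokens[i + 1])
        return (t, tokens[i + 1]), i + 2
    except (IndexError, ValueError):
        return (t, "0.0.0.0"), i + 1

def _parse_port(tokens, i):
    """Consume an optional eq/gt/lt/range operator at tokens[i]."""
    op = tokens[i] if i < len(tokens) else None
    if op in ("eq", "gt", "lt"):
        return (op, int(tokens[i + 1]), None), i + 2
    if op == "range":
        return (op, int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return None, i

def parse_entry(line):
    """Parse 'access-list N permit|deny ...': 1-99 is standard, 100-199 extended."""
    tokens = line.split()
    number, action = int(tokens[1]), tokens[2]
    if 1 <= number <= 99:                       # standard: source address only
        return Entry(action, "ip", _parse_addr(tokens, 3)[0], None, ANY, None, False)
    src, i = _parse_addr(tokens, 4)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return Entry(action, tokens[3], src, sport, dst, dport, "established" in tokens[i:])

def entry_matches(e, p):
    if e.proto not in ("ip", p.proto):
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    for spec, port in ((e.sport, p.sport), (e.dport, p.dport)):
        if spec and not _PORT_OPS[spec[0]](port, spec[1], spec[2]):
            return False
    return not e.established or (p.proto == "tcp" and p.ack)

def evaluate(acl_lines, packet):
    """First matching entry decides; no match means the implicit 'deny any'."""
    for line in acl_lines:
        line = line.strip()
        if line and not line.startswith("!"):   # '!' lines are comments
            e = parse_entry(line)
            if entry_matches(e, packet):
                return e.action
    return "deny"

ACL_101 = ["access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80",
           "access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 443"]
ACL_102 = ["access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established"]
ACL_102_LOOSE = ["access-list 102 permit tcp any any established"]

def demo():
    """Constructed packets (198.51.100.10 is a test address) run through the lists above."""
    web = "198.51.100.10"
    browse = Packet("tcp", "63.36.9.7", web, sport=40000, dport=80)
    ftp = Packet("tcp", "63.36.9.7", web, sport=40001, dport=21)
    reply = Packet("tcp", web, "63.36.9.7", sport=80, dport=40000, ack=True)
    probe = Packet("tcp", web, "63.36.9.7", sport=5555, dport=22)        # new SYN, no ACK
    other = Packet("tcp", web, "63.36.10.7", sport=80, dport=40000, ack=True)
    return {
        "browse": evaluate(ACL_101, browse),                # permit
        "ftp": evaluate(ACL_101, ftp),                      # deny: implicit deny any
        "reply": evaluate(ACL_102, reply),                  # permit: established
        "probe": evaluate(ACL_102, probe),                  # deny: not established
        "other_block_specific": evaluate(ACL_102, other),   # deny: outside 63.36.9.0
        "other_block_any": evaluate(ACL_102_LOOSE, other),  # permit: the 'hole'
    }
```

Running demo() shows the point made about 'permit tcp any any established': with the specific list 102, a packet that looks established but is addressed to 63.36.10.7, outside our block, is denied, while the any/any form lets it through.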
Activating an Access Control List
Now that you have created these ACLs they are useless until you declare them to be used in
some way. As of right now they are an inactive list doing nothing. Our next article will cover
applying ACLs on interfaces and how to specify if the ACL is for incoming or outgoing traffic on
that interface.
Applying Cisco Access Control Lists (ACLs)
By Joshua Erdman
Digital Foundation
Recall in the previous article how ACLs are made and when to use a standard ACL vs. an
extended one.
Reusing our example:
Assumptions:
internal network: 63.36.9.0

access-list 101 - Applied to traffic leaving the office (outgoing)

access-list 102 - Applied to traffic entering the office (incoming)

ACL 101
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 102
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established
We will apply our ACLs to the serial (T1) interface to protect our network and to limit our users'
Internet access to just web browsing.
Before we do that, we need to add one more entry to access-list 101 to allow HTTPS for web
browsing. If you have a clue about TCP/IP you know that web browsing (HTTP) is done on port
80 and that web browsing securely (HTTPS) is done on port 443. So we also need to open port
443 if any user is to be able to let's say place an online order or check their bank account.
Typically, the web page where you enter your personal information should be secure and thus
requires the use of HTTPS.
The line we add is very similar to the line that is already in access list 101. You probably
already have it figured out by now:
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 443
Now that our ACLs are complete, here is how we apply them to an interface.
In or Out
We first must decide whether the traffic that we are filtering is going in or out. Our users trying
to access websites on the Internet is a good example of traffic going OUT from our business.
Receiving e-mail from the Internet is a good example of traffic coming IN to our business. But
the interface you apply the ACLs to determines the direction of the traffic.
Take for example a router with 2 interfaces. It has a serial port, ser0/0 (AKA the T-1
connection), and an Ethernet port, eth0/0. The Internet traffic coming IN to our office is going
IN the ser0/0 interface, but is also going OUT the eth0/0 interface to reach the office network.
See how that works?
Now you have all kinds of options as to where you put your restrictions on your serial ports or
your ethernet ports and this is just with a simple example!
For now we will activate the access lists on the serial port so the points of view are the same.
Traffic coming IN to the office is also going IN the serial port and traffic going OUT of the
office is going OUT that same serial port.
Applying Access Lists
Finally the instructions you all have been waiting for! Make sure you are in enabled mode.
Then use the commands below (the interface command is ip access-group; a bare
access-group is not accepted in interface configuration mode):
conf t
int ser0/0
ip access-group 101 out
ip access-group 102 in
See how you must be in configuration mode of the interface to apply an access-list?
Remember that you can only apply ONE ACL in each direction of an interface.
Our next article is on methods for Editing ACLs. This is very handy when you are dealing with
several ACLs at once.
References:
Read up on editing ACLs for more information on adding new lines, more advanced entries for
extended ACLs and removing ACLs from router memory.
Editing Cisco Access Control Lists (ACLs)
By Joshua Erdman
Digital Foundation
Before you try to read up on this article, be sure you are familiar with the terms and ideas.
Recall the ACL basics. It covers how ACLs are made and when to use a standard ACL vs. an
extended one.
Reusing our example:
Assumptions:
internal network: 63.36.9.0

access-list 101 - Applied to traffic leaving the office (outgoing)

access-list 102 - Applied to traffic entering the office (incoming)

ACL 101
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 102
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established
We will apply our ACLs to the serial (T1) interface to protect our network and to limit our users'
Internet access to just web browsing.
Editing and adding ACLs
If you need to add more permissions, you must add to the ACL you have already created. Any
lines you add are appended at the bottom of the list.
How I keep track of all the ACLs I use is by keeping each one in a separate text file. I then
make changes to the text file, delete the whole access-list from the router's memory
(running-config), and then copy and paste the new list each time I make updates.
Clue: There is no way to remove a single line from an ACL. Instead it is better to copy the
whole ACL into a text editor and remove the offending line. Then remove the whole ACL from
the router's memory (see below) and then add the modified ACL.
Removing ACLs
To remove an ACL from the router, be sure you are in enabled mode. Then use the command:
no access-list <list number>
That is all there is to it.
Clue: When you delete an access-list that is currently being applied to an interface, all traffic
that is to be filtered through the specified access list will be allowed until the access list is
reinstated or a new access-list is specified in the access-group command.
Our next article is on Advanced ACLs including Port Ranges and methods for grouping IP
addresses together.
Advanced Cisco Access Control Lists (ACLs)
By Joshua Erdman
Digital Foundation
Before you try to read up on this article, be sure you are familiar with the terms and ideas.
Recall the ACL basics. It covers how ACLs are made and when to use a standard ACL vs. an
extended one.
Reusing our example:
Assumptions:
internal network: 63.36.9.0

access-list 101 - Applied to traffic leaving the office (outgoing)

access-list 102 - Applied to traffic entering the office (incoming)

ACL 101
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 102
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established
We will create an ACL that allows the users in our office to access the internet using a range of
common ports. As you can see in the example above, we have been just specifying individual
ports.
Port Ranges
In the example you see the letters 'eq' before the port is declared. This is short for 'equal to'.
Other ones include:
gt - greater than, followed by the port number
lt - less than, followed by the port number
range - an inclusive port range: after the keyword range, put the first port in the range,
followed by a space, and then the last port in the range
Commenting
As your access lists grow and become more complex it is a great idea to add comments.
Adding a comment is as simple as beginning the comment line with an exclamation point.
Filter Masks
First be sure that you brush up on your binary and read our article on TCP/IP Addressing and
Calculating Subnet Masks. You must first have a good grasp of the use of binary to calculate
subnet masks.
Using filter masks allows you to group IP addresses together instead of having to specify each
IP address individually. So for example, if you had five servers and all their addresses were
10.10.10.1 - 10.10.10.5, it is easy to grant or deny access to all 5 with only one line in the
access list. If the addresses are scattered you either have to make 5 separate entries or
change the IPs of the servers.
The way you specify a group of IP addresses is very similar to how a subnet mask is used,
except that the 1s and 0s are inverted. For example, all the web servers on our sample
network fall in the subnet of 10.10.10.1 - 10.10.10.15 (if this was a subnet mask it would be
255.255.255.240). We would never assign the servers this subnet mask because we want the
workstations (using addresses 10.10.10.65 - 10.10.10.254) to talk directly to the servers. This
prevents our router from being taxed. But now that we know the equivalent subnet mask for
this IP block of servers, we can easily create the access-list filter mask, which is 0.0.0.15. As I
mentioned earlier, the filter mask is the opposite of the subnet mask. Here is how it looks in
binary:
     128  64  32  16 |  8   4   2   1
SM     1   1   1   1 |  0   0   0   0  = 240
FM     0   0   0   0 |  1   1   1   1  = 15
Clue: If you put the servers and workstations on 2 different network blocks the router will have
an insane amount of traffic to route. Definitely not a good idea.
With filter masks you can easily guess the correct value as long as the numbers in the filter
mask are a power of 2 minus 1. For example, I know that my web servers are grouped in the
first 15 IP addresses. The smallest power of two that 15 fits into is 16. Subtract 1 and my
filter mask is 0.0.0.15.
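The filter-mask arithmetic above (invert the subnet mask, or take the next power of two minus one) is easy to get wrong by an address or two, so here is an added Python example, written for this page rather than taken from the article, that derives the mask both ways and, more usefully, reports exactly which addresses a base/mask pair covers and whether a set of addresses can be expressed as a single entry at all. The 10.10.10.x ranges are the article's; the function names and the list of scattered server addresses are constructed for the example.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(subnet_mask):
    """The filter mask is the bitwise inverse of the subnet mask: 255.255.255.240 -> 0.0.0.15."""
    return _to_str(_to_int(subnet_mask) ^ 0xFFFFFFFF)


def wildcard_for_block(count):
    """Smallest power of two that holds 'count' addresses, minus one: 15 -> 16 - 1 -> 0.0.0.15."""
    size = 1
    while size < count:
        size <<= 1
    return _to_str(size - 1)


def covered_range(base, wildcard):
    """Return (first, last, aligned): the addresses a base/mask pair really matches.

    Base bits that fall under 1 bits of the mask are ignored, so an unaligned base such
    as 10.10.10.5 0.0.0.15 still matches 10.10.10.0 - 10.10.10.15, not .5 - .20.
    """
    b, w = _to_int(base), _to_int(wildcard)
    first = b & (w ^ 0xFFFFFFFF)
    return _to_str(first), _to_str(first | w), (b & w) == 0


def single_entry_for(addresses):
    """Tightest base/mask covering all the addresses, and whether it covers nothing else.

    The base is the AND of the addresses; the mask ORs every bit on which they differ.
    Such an entry matches 2**popcount(mask) addresses, so it is exact only when that
    equals the number of addresses given, i.e. a contiguous, power-of-two aligned block.
    Anything else needs several entries, as the article says for scattered addresses.
    """
    values = {_to_int(a) for a in addresses}
    base = 0xFFFFFFFF
    for v in values:
        base &= v
    mask = 0
    for v in values:
        mask |= v ^ base
    exact = len(values) == 1 << bin(mask).count("1")
    return _to_str(base), _to_str(mask), exact


def demo():
    """The article's web-server block plus a constructed set of scattered servers."""
    block_0_15 = [f"10.10.10.{i}" for i in range(16)]
    scattered = ["10.10.10.1", "10.10.10.9", "10.10.10.40", "10.10.10.77", "10.10.10.200"]
    return {
        "from_subnet_mask": wildcard_from_subnet_mask("255.255.255.240"),  # 0.0.0.15
        "from_block_size": wildcard_for_block(15),                         # 0.0.0.15
        "covered": covered_range("10.10.10.0", "0.0.0.15"),     # (.0, .15, True)
        "unaligned": covered_range("10.10.10.5", "0.0.0.15"),   # (.0, .15, False)
        "block_0_15": single_entry_for(block_0_15),              # ('10.10.10.0', '0.0.0.15', True)
        "scattered": single_entry_for(scattered),                # ('10.10.10.0', '0.0.0.237', False)
    }
```

The covered_range check is the one worth running before pasting a line into a router: it shows that 0.0.0.15 on 10.10.10.0 covers 10.10.10.0 through 10.10.10.15 inclusive, and that a base address with bits set under the mask does not shift the range the way one might expect.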
Filter Masks in Access Lists
So if I wanted to permit all incoming web traffic requests to my web servers (to prevent any
Internet access to rogue web servers on employees' workstations), I would enter these lines in
the access list:
!Permit HTTP port 80 traffic
access-list 102 permit tcp any 10.10.10.0 0.0.0.15 eq 80

!Permit HTTPS port 443 traffic
access-list 102 permit tcp any 10.10.10.0 0.0.0.15 eq 443
Many, Many ACLs
When I last worked for an ISP we had several connections terminating into one router. To
make things as secure as possible I made 2 access lists for each interface: one for incoming
traffic and one for outgoing. Keeping track of all this quickly became a nightmare. What I did to
help was to have a Notepad text file for each access list. At the top of each file was the
function of the access list, a description of the latest modifications, the modification date and
who made the modification.
