Configure Extended IPv4 ACLs

5.4.1

Extended ACLs

In the previous topics, you learned about how to configure and modify standard ACLs, and how to secure VTY ports with a standard IPv4 ACL. Standard ACLs only filter on source address. When more precise traffic-filtering control is required, extended IPv4 ACLs can be created.

Extended ACLs are used more often than standard ACLs because they provide a greater degree of control. They can filter on source address, destination address, protocol (i.e., IP, TCP, UDP, ICMP), and port number. This provides a greater range of criteria on which to base the ACL. For example, one extended ACL can allow email traffic from a network to a specific destination while denying file transfers and web browsing.

Like standard ACLs, extended ACLs can be created as:

  • Numbered Extended ACL – Created using the access-list access-list-number global configuration command.
  • Named Extended ACL – Created using the ip access-list extended access-list-name global configuration command.
5.4.2

Numbered Extended IPv4 ACL Syntax

The procedural steps for configuring extended ACLs are the same as for standard ACLs. The extended ACL is first configured, and then it is activated on an interface. However, the command syntax and parameters are more complex to support the additional features provided by extended ACLs.

To create a numbered extended ACL, use the following global configuration command:

Router(config)# access-list access-list-number {deny | permit | remark text} protocol source source-wildcard [operator {port}] destination destination-wildcard [operator {port}] [established] [log]

Use the no access-list access-list-number global configuration command to remove an extended ACL.

Although there are many keywords and parameters for extended ACLs, it is not necessary to use all of them when configuring an extended ACL. The table provides a detailed explanation of the syntax for an extended ACL.

Parameter Description
access-list-number
  • This is the decimal number of the ACL.
  • Extended ACL number range is 100 to 199 and 2000 to 2699.
deny
This denies access if the condition is matched.
permit
This permits access if the condition is matched.
remark text
  • (Optional) Adds a text entry for documentation purposes.
  • Each remark is limited to 100 characters.
protocol
  • Name or number of an internet protocol.
  • Common keywords include ip, tcp, udp, and icmp.
  • The ip keyword matches all IP protocols.
source
  • This identifies the source network or host address to filter.
  • Use the any keyword to specify all networks.
  • Use the host ip-address keyword or simply enter an ip-address (without the host keyword) to identify a specific IP address.
source-wildcard
(Optional) A 32-bit wildcard mask that is applied to the source.
destination
  • This identifies the destination network or host address to filter.
  • Use the any keyword to specify all networks.
  • Use the host ip-address keyword or ip-address.
destination-wildcard
(Optional) This is a 32-bit wildcard mask that is applied to the destination.
operator
  • (Optional) This compares source or destination ports.
  • Operators include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
port
(Optional) The decimal number or name of a TCP or UDP port.
established
  • (Optional) For the TCP protocol only.
  • This is a 1st generation firewall feature.
log
  • (Optional) This keyword generates and sends an informational message whenever the ACE is matched.
  • This message includes ACL number, matched condition (i.e., permitted or denied), source address, and number of packets.
  • This message is generated for the first matched packet.
  • This keyword should only be implemented for troubleshooting or security reasons.

The command to apply an extended IPv4 ACL to an interface is the same as the command used for standard IPv4 ACLs.

Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}

To remove an ACL from an interface, first enter the no ip access-group interface configuration command. To remove the ACL from the router, use the no access-list global configuration command.

Note: The internal logic applied to the ordering of standard ACL statements does not apply to extended ACLs. The order in which the statements are entered during configuration is the order they are displayed and processed.

5.4.3

Protocols and Ports

Protocol Options

Of the protocols listed in the help output below, four are used far more often than the rest: ip, tcp, udp, and icmp.

Note: Use the ? to get help when entering a complex ACE.

Note: If an internet protocol is not listed, the IP protocol number can be specified instead. For instance, ICMP is protocol number 1, TCP is 6, and UDP is 17.

R1(config)# access-list 100 permit ? 
  <0-255>       An IP protocol number
  ahp           Authentication Header Protocol
  dvmrp         dvmrp
  eigrp         Cisco's EIGRP routing protocol
  esp           Encapsulation Security Payload
  gre           Cisco's GRE tunneling
  icmp          Internet Control Message Protocol
  igmp          Internet Gateway Message Protocol
  ip            Any Internet Protocol
  ipinip        IP in IP tunneling
  nos           KA9Q NOS compatible IP over IP tunneling
  object-group  Service object group
  ospf          OSPF routing protocol
  pcp           Payload Compression Protocol
  pim           Protocol Independent Multicast
  tcp           Transmission Control Protocol
  udp           User Datagram Protocol
R1(config)# access-list 100 permit

Port Keyword Options

Selecting a protocol influences port options. For instance, selecting the:

  • tcp protocol would provide TCP-related port options
  • udp protocol would provide UDP-specific port options
  • icmp protocol would provide ICMP-related port (i.e., message type) options

Again, notice how many TCP port options are available. The most commonly used entries in this list are domain, ftp, ftp-data, pop3, smtp, telnet, and www.

Port names or numbers can be specified. However, port names make the purpose of an ACE easier to understand. Notice that some common port names (e.g., SSH and HTTPS) are not listed; for these protocols the port number must be specified.

R1(config)# access-list 100 permit tcp any any eq ? 
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53) 
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21) 
  ftp-data     FTP data connections (20) 
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  msrpc        MS Remote Procedure Call (135)
  nntp         Network News Transport Protocol (119)
  onep-plain   Onep Cleartext (15001)
  onep-tls     Onep TLS (15002)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110) 
  smtp         Simple Mail Transport Protocol (25) 
  sunrpc       Sun Remote Procedure Call (111)
  syslog       Syslog (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23) 
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80) 
5.4.4

Protocols and Port Numbers Configuration Examples

Extended ACLs can filter on different port number and port name options. This example configures an extended ACL 100 to filter HTTP traffic. The first ACE uses the www port name. The second ACE uses the port number 80. Both ACEs achieve exactly the same result.

R1(config)# access-list 100 permit tcp any any eq www
R1(config)#  !or...
R1(config)# access-list 100 permit tcp any any eq 80

Configuring the port number is required when there is no port name listed, such as for SSH (port number 22) or HTTPS (port number 443), as shown in the next example.

R1(config)# access-list 100 permit tcp any any eq 22

R1(config)# access-list 100 permit tcp any any eq 443
R1(config)#
5.4.5

Apply a Numbered Extended IPv4 ACL

The topology in the figure will be used to demonstrate configuring and applying numbered and named extended IPv4 ACLs to an interface. This first example shows a numbered extended IPv4 ACL implementation.



In this example, the ACL permits both HTTP and HTTPS traffic from the 192.168.10.0 network to go to any destination.

Extended ACLs can be applied in various locations. However, they are commonly applied close to the source. Therefore, ACL 110 was applied inbound on the R1 G0/0/0 interface.

R1(config)# access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq www
R1(config)# access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config)# interface g0/0/0
R1(config-if)# ip access-group 110 in
R1(config-if)# exit
R1(config)#
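To make the numbered extended ACL syntax and parameter table (5.4.2), the www/80 equivalence (5.4.4) and the ACL 110 example above concrete, here is an added Python model. It is not part of the course and not Cisco IOS code: it parses access-list lines in the page's own syntax, applies wildcard masks bit by bit, resolves a subset of the port names from the eq ? output, and evaluates packets top-down with first-match semantics and the implicit deny at the end of every ACL. The Packet inputs, the 203.0.113.5 web server address, and the PORT_NAMES subset are constructed for this example.

```python
"""Parse and evaluate numbered extended IPv4 ACEs (added example, not IOS code).
Models: access-list N {permit|deny} protocol source [wildcard] [op port]
destination [wildcard] [op port] [options], first match wins, implicit deny.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

# Subset of the port names listed by `eq ?`, mapped to their numbers.
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25,
              "pop3": 110, "telnet": 23, "domain": 53}
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}   # numbers from the page's note
OPERATORS = ("lt", "gt", "eq", "neq", "range")


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # ip, tcp, udp, icmp or a protocol number
    src: Tuple[str, str]         # (address, wildcard mask)
    sport: Optional[tuple]       # ("eq", 80), ("range", (20, 21)) or None
    dst: Tuple[str, str]
    dport: Optional[tuple]
    options: frozenset           # trailing keywords (established, log); not evaluated here


@dataclass
class Packet:                    # constructed input: one IPv4 packet
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _is_quad(tok: str) -> bool:
    return tok.count(".") == 3 and all(p.isdigit() for p in tok.split("."))

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_addr(t, i):
    """any | host A | A W | bare A (a bare address means one host)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and _is_quad(t[i + 1]):
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1

def _parse_port(t, i):
    """Optional [operator port] or [range low high] after an address."""
    if i < len(t) and t[i] in OPERATORS:
        if t[i] == "range":
            return ("range", (_port(t[i + 1]), _port(t[i + 2]))), i + 3
        return (t[i], _port(t[i + 1])), i + 2
    return None, i

def parse_ace(line: str) -> Optional[Ace]:
    """Parse one 'access-list N ...' line; a remark yields None."""
    t = line.split()
    if t[2] == "remark":
        return None
    action, proto, i = t[2], t[3], 4
    src, i = _parse_addr(t, i)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Ace(action, proto, src, sport, dst, dport, frozenset(t[i:]))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard mask means 'ignore this bit'; 0 means 'must match'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w == 0

def _port_ok(spec, port: int) -> bool:
    if spec is None:
        return True
    op, val = spec
    if op == "range":
        return val[0] <= port <= val[1]
    return {"eq": port == val, "neq": port != val,
            "lt": port < val, "gt": port > val}[op]

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    proto_ok = ace.proto in ("ip", pkt.proto, str(PROTO_NUMBERS.get(pkt.proto)))
    return (proto_ok
            and wildcard_match(pkt.src, *ace.src) and _port_ok(ace.sport, pkt.sport)
            and wildcard_match(pkt.dst, *ace.dst) and _port_ok(ace.dport, pkt.dport))

def evaluate(lines, pkt: Packet):
    """First matching ACE wins, in the order entered; no match is the implicit deny."""
    aces = [a for a in map(parse_ace, lines) if a is not None]
    for index, ace in enumerate(aces):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None

# ACL 110 exactly as configured on the page (applied inbound on R1 G0/0/0).
ACL_110 = [
    "access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq www",
    "access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq 443",
]
```

Running evaluate(ACL_110, ...) on constructed packets from 192.168.10.10 shows HTTP and HTTPS matched by ACE 0 and 1 respectively, while SSH from the same host, HTTP from 192.168.11.10, and any UDP packet fall through to the implicit deny. That implicit deny is the point to check before applying the ACL inbound on G0/0/0: every protocol from that LAN other than HTTP and HTTPS (DNS included) is dropped, and show access-lists on the router confirms which ACE is accumulating matches.
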
5.4.6

TCP Established Extended ACL

An extended ACL can also provide basic stateful firewall behaviour for TCP using the established keyword. The keyword allows traffic initiated on the inside private network to exit, and permits only the returning reply traffic to enter the inside private network, as shown in the figure.

The diagram shows router R1 with two network interfaces: G0/0/0 connecting to the inside private network and G0/0/1 connecting to the outside public network. TCP traffic from the inside to the outside is permitted and its return traffic is also permitted, but TCP traffic initiated from the outside is denied.
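The behaviour in the figure, as an added Python model that is not part of the course and not Cisco IOS code. It assumes the inside network 192.168.10.0/24 behind G0/0/0, an ACL applied inbound on G0/0/1 consisting of permit tcp any 192.168.10.0 0.0.0.255 established followed by the implicit deny, a permit for all TCP from the inside network inbound on G0/0/0, and constructed addresses for the inside client (192.168.10.10), an outside web server (203.0.113.5) and an unrelated outside host (198.51.100.7).

```python
"""Model of the TCP established keyword on R1 (added example, not IOS code).
Inside network 192.168.10.0/24 is behind G0/0/0; G0/0/1 faces the outside.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.10.0/24")   # assumed inside private network


@dataclass
class TcpSegment:                        # constructed input: one TCP segment
    src: str
    dst: str
    syn: bool = False
    ack: bool = False
    rst: bool = False


def established_matches(seg: TcpSegment) -> bool:
    """IOS treats a segment as 'established' when its ACK or RST bit is set.
    The router keeps no connection table; it only inspects the flag bits."""
    return seg.ack or seg.rst


def outside_inbound(seg: TcpSegment) -> str:
    """ACL inbound on G0/0/1 (assumed):
    permit tcp any 192.168.10.0 0.0.0.255 established, then implicit deny.
    Reply traffic to the inside passes; a fresh SYN from outside is dropped."""
    if ip_address(seg.dst) in INSIDE and established_matches(seg):
        return "permit"
    return "deny"


def inside_inbound(seg: TcpSegment) -> str:
    """ACL inbound on G0/0/0 (assumed): permit tcp 192.168.10.0 0.0.0.255 any."""
    return "permit" if ip_address(seg.src) in INSIDE else "deny"


def trace_handshake() -> dict:
    """Three-way handshake from an inside host to an outside web server, an
    unsolicited SYN from outside, and a server RST; returns the verdict per segment."""
    client, server, stranger = "192.168.10.10", "203.0.113.5", "198.51.100.7"
    return {
        "syn_out": inside_inbound(TcpSegment(client, server, syn=True)),
        "syn_ack_in": outside_inbound(TcpSegment(server, client, syn=True, ack=True)),
        "ack_out": inside_inbound(TcpSegment(client, server, ack=True)),
        "syn_in_unsolicited": outside_inbound(TcpSegment(stranger, client, syn=True)),
        "rst_in": outside_inbound(TcpSegment(server, client, rst=True)),
    }
```

The verdicts follow the figure: the client's SYN and ACK leave through G0/0/0, the server's SYN-ACK (and any later RST) re-enters through G0/0/1 because the ACK or RST bit is set, and the unsolicited SYN from 198.51.100.7 hits the implicit deny. Because the keyword tests flag bits rather than a session table, it cannot verify that an inside host actually opened the connection, which is why the parameter table above calls it a first-generation firewall feature and why stateful inspection exists as the stronger control.
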
