

Basic: How to Cisco Access Lists (ACL's)
Friday, 03 February 2006

Cisco ACLs (Access Control Lists) are divided into types:

•    Standard IP
•    Extended IP
•    IPX
•    Appletalk

and so on. Here we will cover only the standard and extended access lists for TCP/IP.

As you create ACLs you assign a number to each list; however, each type of list is limited to an assigned range of numbers. This makes it very easy to tell what type of ACL you are working with.

TCP/IP Access Lists
You can have up to 99 Standard IP Access Lists, numbered from 1 to 99; Extended IP Access Lists are numbered from 100 to 199. The most common use of an Extended IP access list is to create a packet-filtering firewall, where you specify the allowed destinations of each packet from an allowed source.

Standard IP Access Lists
A Standard Access List only lets you permit or deny traffic from specific source IP addresses. The destination of the packet and the ports involved do not matter.

Here is an example:

access-list 10 permit 192.168.3.0 0.0.0.255

This list allows traffic from all addresses in the range 192.168.3.0 to 192.168.3.255.

You can see how the last entry looks similar to a subnet mask, but Cisco ACLs use inverse subnet masks (wildcard masks). Also realize that by default an implicit deny is added to the end of every access list. If you entered the command:

show access-list 10

The output would be:

access-list 10 permit 192.168.3.0 0.0.0.255
access-list 10 deny any


Extended IP Access Lists

Extended ACLs allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. They also allow you to specify different types of traffic such as ICMP, TCP, UDP, etc. Needless to say, this is very granular and allows you to be very specific. If you intend to create a packet-filtering firewall to protect your network, an Extended ACL is what you will need to create.

Typically you would allow outgoing traffic and incoming traffic that was initiated from the inside. In other words, you want your users to be able to connect to web servers on the Internet for browsing, but you do not want anyone on the Internet to be able to connect to your machines. This requires 2 ACLs. One ACL limits users on the company network to web browsing only (so it blocks outgoing FTP, e-mail, Kazaa, Napster, online gaming, etc.). The other access-list only allows incoming traffic from the Internet that was initiated by a machine on the inside; this is called an established connection. Let's see what our access lists would look like for starters:

Assumptions: internal network: 63.36.9.0

access-list 101 - Applied to traffic leaving the office (outgoing)

access-list 102 - Applied to traffic entering the office (incoming)

ACL 101
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 102
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established

ACL 101

As you can see, ACL 101 permits traffic originating from any address on the 63.36.9.0 network. The 'any' statement means the traffic may have any destination address, with the limitation that it must go to port 80 (the HTTP web port). This is still only half of the solution. If you only use this access list, you have limited your users to nothing more on the Internet than browsing from website to website. However, you have taken no action on the incoming traffic: the Internet still has full access to all your IPs and all your ports. This leaves you vulnerable.

ACL 102

Since you only want your users to be able to browse the Internet, you must block all incoming traffic except for the established connections in which websites are replying to a computer on your network. Doing this is impossible unless you use the 'established' keyword.

Now that we are familiar with the 'established' keyword, ACL 102 simply states to permit established traffic from anywhere to all computers within our 63.36.9.0 network.

You may ask why access-list 102 does not read:

access-list 102 permit tcp any any established

In this situation it works just as well, but because it is not as specific it is considered a hole, or an area of vulnerability (especially if you ever get another block of IP addresses).
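As an added example (not code from the original article), here is a small Python model of how a router walks these lists: top to bottom, first match wins, and anything that matches no line hits the implicit deny. It parses the page's own access-list lines, including 'established' and, going beyond this section, the eq/gt/lt/range port operators described later, so you can see exactly why the strict ACL 102 and the 'any any established' version behave differently. The addresses and ports used in the checks are constructed sample values.

```python
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")   # what the 'any' keyword expands to
PORT_OPS = {"eq": lambda p, a: p == a, "gt": lambda p, a: p > a,
            "lt": lambda p, a: p < a, "range": lambda p, a, b: a <= p <= b}
def wildcard_match(ip, network, wildcard):
    # Cisco wildcard (inverse) mask: a 0 bit must equal the network bit, a 1 bit is ignored
    ip, net, wild = (int(ipaddress.IPv4Address(x)) for x in (ip, network, wildcard))
    return (ip ^ net) & ~wild & 0xFFFFFFFF == 0
def _addr(tok, i):   # ((network, wildcard), next index) for 'any' or 'A.B.C.D W.X.Y.Z'
    return (ANY, i + 1) if tok[i] == "any" else ((tok[i], tok[i + 1]), i + 2)
def parse_acl(text):
    # numbered lists only: 1-99 standard (source only), 100-199 extended; '!' lines are comments
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        number, action = int(tok[1]), tok[2]
        if number <= 99:
            src, i = _addr(tok, 3)
            proto, dst, port, est = "ip", ANY, None, False
        else:                                   # proto src dst [eq|gt|lt|range port(s)] [established]
            proto, port = tok[3], None
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            if i < len(tok) and tok[i] in PORT_OPS:
                op, n = tok[i], 2 if tok[i] == "range" else 1
                args = [int(a) for a in tok[i + 1:i + 1 + n]]
                port = lambda p, op=op, args=args: PORT_OPS[op](p, *args)
                i += 1 + n
            est = i < len(tok) and tok[i] == "established"
        entries.append(dict(action=action, proto=proto, src=src, dst=dst, port=port, est=est))
    return entries

def evaluate(acl, proto, src, dst, dport=0, ack=False):
    # first matching entry decides; anything left over hits the implicit 'deny any'
    for e in acl:
        if (e["proto"] in ("ip", proto)
                and wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"])
                and (e["port"] is None or e["port"](dport))
                and (not e["est"] or ack)):     # 'established' = TCP segment with ACK (or RST) set
            return e["action"]
    return "deny"

# the page's lists: ACL 101 with its 443 line added, and the strict vs. loose ACL 102
ACL_101 = parse_acl("access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80\n"
                    "access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 443")
ACL_102 = parse_acl("access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established")
ACL_102_LOOSE = parse_acl("access-list 102 permit tcp any any established")
```

A reply with ACK set to a host in a second address block (say 63.36.10.0) is denied by ACL_102 but permitted by ACL_102_LOOSE, which is the hole the text describes.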

Applying Access Control Lists


We will apply our ACLs to the serial (T1) interface to protect our network and to limit our users' Internet access to just web browsing.

Before we do that, we need to add one more entry to access-list 101 to allow HTTPS for web browsing. If you know a bit about TCP/IP, you know that web browsing (HTTP) uses port 80 and secure web browsing (HTTPS) uses port 443. So we also need to open port 443 if any user is to be able to, say, place an online order or check their bank account. Typically, the web page where you enter your personal information should be secure and thus requires HTTPS.

The line we add is very similar to the line that is already in access list 101. You probably already have it figured out by now:

access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 443


Now that our ACLs are complete, here is how we apply them to an interface.

In or Out

We first must decide whether the traffic we are filtering is going in or out. Our users trying to access websites on the Internet is a good example of traffic going OUT from our business. Receiving e-mail from the Internet is a good example of traffic coming IN to our business. But the interface you apply the ACL to determines the direction of the traffic.

Take for example a router with 2 interfaces: a serial port, ser0/0 (the T-1 connection), and an Ethernet port, eth0/0. Internet traffic coming IN to our office is going IN the ser0/0 interface, but it is also going OUT the eth0/0 interface to reach the office network. See how that works?

Now you have all kinds of options as to where you put your restrictions, on your serial ports or your Ethernet ports, and this is just a simple example!

For now we will activate the access lists on the serial port so that the points of view are the same: traffic coming IN to the office is also going IN the serial port, and traffic going OUT of the office is going OUT that same serial port.

Applying Access Lists

Finally, the instructions you have all been waiting for! Make sure you are in enable mode. Then use the commands below:

conf t
int ser0/0
ip access-group 101 out
ip access-group 102 in


See how you must be in the interface's configuration mode to apply an access-list? Remember that you can only apply ONE ACL in each direction on an interface.

Editing Access Control Lists


Editing and adding ACLs

If you need to add more permissions, you must add to the ACL you have already created. Any lines you add are appended at the bottom of the list.

How I keep track of all the ACLs I use is by keeping each one in a separate text file. I make changes to the text file, then I delete the whole access-list from the router's memory (running-config) and copy and paste the new list each time I make updates.

Tip - There is no way to remove a single line from an ACL. Instead, copy the whole ACL into a text editor and remove the offending line. Then remove the whole ACL from the router's memory (see below) and add the modified ACL back.

Removing ACLs

To remove an ACL from the router, be sure you are in enable mode. Then use the command:

no access-list <list number>

Advanced Access Control Lists


We will create an ACL that allows the users in our office to access the Internet using a range of common ports. As you can see in the examples above, so far we have only been specifying individual ports.

Port Ranges

In the example you see the letters 'eq' before the port is declared. This is short for 'equal to'. Other operators include:

• gt - Greater than, followed by the port number

• lt - Less than, followed by the port number

• range - Specifies an inclusive port range

After the keyword range, put the first port in the range, a space, and then the last port in the range.

Commenting
As your access lists grow and become more complex, it is a great idea to add comments. Adding a comment is as simple as beginning the comment line with an exclamation point.

Filter Masks

Using filter masks allows you to group IP addresses together instead of having to specify each IP address individually. For example, if you have five servers with addresses 10.10.10.1 - 10.10.10.5, it is easy to grant or deny access to all 5 with only one line in the access list. If the addresses are scattered, you either have to make 5 separate entries or change the IPs of the servers.

The way you specify a group of IP addresses is very similar to how a subnet mask is used, except that the 1s and 0s are inverted. For example, all the web servers on our sample network fall in the block 10.10.10.1 - 10.10.10.15 (as a subnet mask this would be 255.255.255.240). We would never actually assign the servers this subnet mask, because we want the workstations (using addresses 10.10.10.65 - 10.10.10.254) to talk directly to the servers; this keeps our router from being taxed. But now that we know the equivalent subnet mask for this block of servers, we can easily create the access-list filter mask, which is 0.0.0.15. As mentioned earlier, the filter mask is the opposite of the subnet mask. Here is how it looks in binary:

      128  64  32  16 |  8   4   2   1
SM      1   1   1   1 |  0   0   0   0  = 240
FM      0   0   0   0 |  1   1   1   1  = 15

With filter masks you can almost always guess the correct value, as long as the numbers in the filter mask are a power of 2 minus 1. For example, I know that my web servers are grouped in the first 15 IP addresses. The smallest power of two that 15 fits into is 16; subtract 1 and my filter mask is 0.0.0.15.
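As an added example (not from the original article), this Python snippet does the filter-mask arithmetic described above: it complements a subnet mask into a wildcard mask, finds the smallest aligned power-of-two block that covers an address range (the "power of 2 minus 1" rule), and lists the extra addresses that block matches beyond the range, which is the over-match to check for when a group such as the five servers at 10.10.10.1 - 10.10.10.5 is not aligned to a power-of-two boundary. The function names are my own.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_from_subnet_mask(mask):
    # The filter (wildcard) mask is the bitwise complement of the subnet mask: 255.255.255.240 -> 0.0.0.15
    return to_str(~to_int(mask) & 0xFFFFFFFF)

def covering_block(first, last):
    # Smallest aligned power-of-two block, as (network, wildcard), containing every address in first..last.
    # The wildcard is always 2**n - 1, the "power of 2 minus 1" rule from the text.
    lo, hi = to_int(first), to_int(last)
    size = 1
    while (lo & ~(size - 1)) + size - 1 < hi:   # grow until the block that holds 'lo' also holds 'hi'
        size *= 2
    network = lo & ~(size - 1)
    return to_str(network), to_str(size - 1)

def extra_addresses(first, last):
    # Addresses the covering block matches that lie outside first..last: what one ACL line would
    # over-permit (or over-deny) when the group is not aligned to a power-of-two boundary.
    net, wild = covering_block(first, last)
    start, end = to_int(net), to_int(net) + to_int(wild)
    return [to_str(a) for a in range(start, end + 1) if not to_int(first) <= a <= to_int(last)]

# The page's sample groups (taken from the text): the web servers and the five-server example
WEB_SERVERS = covering_block("10.10.10.1", "10.10.10.15")      # ('10.10.10.0', '0.0.0.15')
FIVE_SERVERS = extra_addresses("10.10.10.1", "10.10.10.5")     # .0, .6 and .7 also match
```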

Filter Masks in Access Lists

So if I wanted to permit all incoming web traffic requests to my web servers (and prevent any Internet access to rogue web servers on employees' workstations), I would enter these lines in the access list:

!Permit HTTP port 80 traffic
access-list 102 permit tcp any 10.10.10.0 0.0.0.15 eq 80

!Permit HTTPS port 443 traffic
access-list 102 permit tcp any 10.10.10.0 0.0.0.15 eq 443

Credit: User submission 

 