

Cisco IP Access Lists

A common implementation of firewall rules in both stateless and stateful models is the use of Access Control Lists (ACLs) on Cisco routers. In this article some examples of the Cisco implementation of stateless and stateful firewall rules are examined.

Overview of Access List Configuration

Although each protocol has its own set of specific tasks and rules required to implement traffic filtering, in general most protocols require at least two basic steps to be accomplished. The first step is to create an access list definition, and the second step is to apply the access list to an interface.

Cisco routers group access lists by protocol, allowing certain ranges to operate on certain protocols. In the case of a pure IP network, access lists in the ranges 1 to 99 and 100 to 199 are relevant.

Creating and editing ACLs

In the Cisco implementation, each additional criteria statement added to the configuration is appended to the end of the access list. Also note that it is not possible to delete individual statements after they have been created; instead the entire ACL must be deleted.

The order of access list statements is important. When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order the statements were created. After a match is found, no more criteria statements are checked. For example, if a statement in the ACL explicitly permits all traffic, no statements added after it will ever be checked.

Because the order of access list criteria statements is important, and because you cannot reorder or delete criteria statements once they have been entered on the router, it is recommended that all access list statements are created on a TFTP server and then downloaded as a complete list to the router. It is also possible to create the list in a simple text editor and cut and paste to the router via a telnet or console session.

To make changes to an access list, they should be made to the ACL text file on the TFTP server, and the file then copied to the router once all changes have been made. The first command of an edited access list file should delete the previous access list by including a "no access-list <number>" command at the beginning of the file. If the previous version of the access list is not deleted, the changes will simply be appended to the existing list.

Up to two Cisco ACLs can be applied to each interface on a router: one inbound access list and one outbound access list.

If the access list is inbound, then when the router receives a packet, the Cisco IOS software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.

If the access list is outbound, then after receiving and routing a packet to the outbound interface, the software checks the access list's criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

Standard IP Access Lists

Cisco routers implement both standard and extended IP access lists. A standard access control list only allows a statement to permit or deny traffic from specific IP addresses. The destination of the packet and the ports involved do not affect processing.

The example below permits traffic from the class C network, and implicitly denies traffic from any other IP address.

! the network address is omitted in the original article; a class C network uses the wildcard mask 0.0.0.255
access-list 10 permit <class-C-network-address> 0.0.0.255

Extended IP Access Lists

Cisco Extended ACLs allow traffic to be permitted or denied from specific IP addresses and/or ports to specific destination IP addresses and/or ports. They also allow the specification of different types of traffic such as ICMP, TCP, UDP, etc. Whereas standard ACLs can be used for simple blocking of address ranges, for more advanced applications extended ACLs are required.

In the example below, users on a corporate network should be able to connect to web servers on the Internet, but users on the public Internet should not be able to connect to machines on the corporate network. This requires two ACLs: one to limit outbound traffic to HTTP (port 80), so blocking email and other applications, and one on inbound traffic to allow only traffic from the Internet that has been initiated from a machine on the inside. This is called an established connection, and is based upon holding TCP state for this connection in the firewall.

! <corporate-network> <wildcard> is a placeholder for the corporate address range, which the article does not give
access-list 101 permit tcp <corporate-network> <wildcard> any eq 80

access-list 102 permit tcp any <corporate-network> <wildcard> established

Activating ACLs on Router Interfaces

ACLs are applied to the interfaces of a router. In the example just shown, it would be appropriate to apply ACL 101 and ACL 102 to the serial interfaces of the customer premises routers, as shown in the previous diagram.

! <serial-interface> is a placeholder; the article does not name the interface
interface <serial-interface>
 ip access-group 101 out
 ip access-group 102 in
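The following Python model is an added example, not code from the article or from Cisco: it parses the numbered statement forms shown above (standard 1 to 99 and extended 100 to 199, with "eq" and "established") and evaluates packets with the first-match, implicit-deny semantics described in the editing section. The corporate network 192.0.2.0/24 and the sample packets are constructed values.

```python
import ipaddress

def _addr(tok, i):  # consume 'any' or 'network wildcard' at tok[i] -> (network, wildcard, next index)
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    return int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1])), i + 2

def _match(addr, net, wild):  # Cisco wildcard mask: a 1 bit means "do not care" about that address bit
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def parse_ace(line):
    """Parse one numbered-ACL statement: standard (1-99, source only) or extended (100-199)."""
    tok = line.split()
    number, action = int(tok[1]), tok[2]
    if number <= 99:
        snet, swild, _ = _addr(tok, 3)
        return dict(action=action, proto="ip", src=(snet, swild), dst=(0, 0xFFFFFFFF), port=None, established=False)
    proto = tok[3]
    snet, swild, i = _addr(tok, 4)
    dnet, dwild, i = _addr(tok, i)
    port, established = None, False
    while i < len(tok):
        if tok[i] == "eq":
            port, i = int(tok[i + 1]), i + 2
        elif tok[i] == "established":  # tcp only: matches segments with ACK or RST set
            established, i = True, i + 1
        else:
            raise ValueError("unsupported keyword: " + tok[i])
    return dict(action=action, proto=proto, src=(snet, swild), dst=(dnet, dwild), port=port, established=established)

def evaluate(acl_lines, pkt):
    """First-match evaluation in statement order; falling off the end is the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_match(pkt["src"], *ace["src"]) and _match(pkt["dst"], *ace["dst"])):
            continue
        if ace["port"] is not None and pkt.get("dport") != ace["port"]:
            continue
        # 'established' keeps no connection table: it only inspects this segment's ACK/RST flags
        if ace["established"] and not (pkt.get("ack") or pkt.get("rst")):
            continue
        return ace["action"]
    return "deny"

# Constructed sample: 192.0.2.0/24 (a documentation range) stands in for the corporate network
ACL_101 = ["access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq 80"]         # apply outbound
ACL_102 = ["access-list 102 permit tcp any 192.0.2.0 0.0.0.255 established"]   # apply inbound
```

Because the model mirrors the router's first-match rule, placing a "permit ip any any" statement first makes every later statement unreachable, which is the ordering trap the editing section warns about.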
