
Module 1

Access Control List

Content
Describe TCP and its function
Describe TCP synchronization and flow control
Identify port numbers
Describe the differences between standard and extended ACLs
Explain the rules for placement of ACLs
Create and apply named ACLs
Describe the function of firewalls
Use ACLs to restrict virtual terminal access

Using ACLs to Secure Networks

A TCP Conversation

ACLs enable you to control traffic into and out of your network. This control can
be as simple as permitting or denying network hosts or addresses. However,
ACLs can also be configured to control network traffic based on the TCP/UDP
ports being used.

A TCP Conversation

Registered TCP ports:
1863 MSN Messenger
8008 Alternate HTTP
8080 Alternate HTTP

Well-known TCP ports:
20, 21 FTP
23 Telnet
25 SMTP
80 HTTP
110 POP3
194 Internet Relay Chat (IRC)
443 HTTPS

Registered UDP ports:
1812 RADIUS Authentication Protocol
2000 Cisco SCCP (VoIP)
5004 RTP (Voice and Video Transport Protocol)
5060 SIP (VoIP)

Well-known UDP ports:
69 TFTP
520 RIP

Registered TCP/UDP common ports:
1433 MS SQL
2948 WAP (MMS)

Well-known TCP/UDP common ports:
53 DNS
161 SNMP
531 AOL Instant Messenger, IRC

Packet Filtering

Test based on:
Source IP address
Destination IP address
ICMP message type
TCP/UDP source port
TCP/UDP destination port

A router acts as a packet filter when it forwards or denies packets according to filtering rules.
When a packet arrives at the packet-filtering router, the router extracts certain information from the packet header and makes decisions according to the filter rules as to whether the packet can pass through or be discarded.
Packet filtering works at the network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.

Packet Filtering

For this scenario, the packet filter looks at each packet as follows:
If the packet is a TCP SYN from network A using port 80, it is allowed to pass. All other access is denied to those users.
If the packet is a TCP SYN from network B using port 80, it is blocked. However, all other access is permitted.

What are ACLs? (1)

ACLs are lists of instructions you apply to a router's interface. These lists tell the router:
what kinds of packets to accept
what kinds of packets to deny

What are ACLs? (2)

How ACLs work

An ACL is a group of statements that define whether packets are accepted or rejected coming into an interface or leaving an interface.
ACL statements operate in sequential, logical order.
If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked.
If all the ACL statements are unmatched, an implicit "deny any" statement is placed at the end of the list by default (it is not visible in the configuration).
When first learning how to create ACLs, it is a good idea to add the deny explicitly at the end of ACLs to reinforce the presence of the implicit deny.
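The three rules above (top-down evaluation, first match wins, implicit deny when nothing matches) are easiest to see by running a few source addresses through a small simulator. The following Python is an added example, not code from the course slides; the tuple representation of an entry and the sample addresses are constructed for the illustration. It uses the standard ACL 10 from the placement slides later in this module, then shows what happens when the two statements are swapped (the "permit any" shadows the deny) and when the permit is left out (everything else hits the implicit deny).

```python
from ipaddress import IPv4Address

# Constructed representation: each entry is (action, base, wildcard), the
# same three pieces an IOS "access-list N {permit|deny} base wildcard" carries.


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under the wildcard mask.

    Wildcard bit 0 = "check this bit", 1 = "ignore this bit", so only the
    bit positions where the wildcard is 0 are compared."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    check = w ^ 0xFFFFFFFF          # invert: 1 where the bit must match
    return (a & check) == (b & check)


def evaluate_standard_acl(entries, source_ip: str):
    """Walk the ACL top-down and return (action, deciding_entry).

    deciding_entry is the 1-based position of the first matching statement,
    or 0 when nothing matched and the implicit "deny any" applied."""
    for position, (action, base, wildcard) in enumerate(entries, start=1):
        if wildcard_match(source_ip, base, wildcard):
            return action, position     # first match wins; later lines are never checked
    return "deny", 0                    # implicit deny at the end of every ACL


# The standard ACL from the "Placing ACLs Standard Example" slide.
ACL_10 = [
    ("deny",   "10.0.0.0", "0.255.255.255"),    # access-list 10 deny 10.0.0.0 0.255.255.255
    ("permit", "0.0.0.0",  "255.255.255.255"),  # access-list 10 permit any
]

# Same two statements in the wrong order: "permit any" now shadows the deny,
# so the deny statement can never be reached.
ACL_10_WRONG_ORDER = [ACL_10[1], ACL_10[0]]

# Only the deny statement, with no explicit permit: every other source
# falls through to the implicit deny.
ACL_10_NO_PERMIT = [ACL_10[0]]


def demo():
    """Run two constructed source addresses through the three variants."""
    results = {}
    for name, acl in (("ACL 10", ACL_10),
                      ("ACL 10 wrong order", ACL_10_WRONG_ORDER),
                      ("ACL 10 without permit any", ACL_10_NO_PERMIT)):
        for src in ("10.1.2.3", "192.168.1.1"):
            results[(name, src)] = evaluate_standard_acl(acl, src)
    return results


if __name__ == "__main__":
    for (name, src), (action, pos) in demo().items():
        where = f"statement {pos}" if pos else "implicit deny"
        print(f"{name:28} {src:14} -> {action:6} ({where})")
```

Running the script prints the deciding statement for each address; the "wrong order" variant permits 10.1.2.3 at statement 1, which is exactly the mistake `show access-lists` match counters would later reveal as a deny line with zero hits.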

ACL Operation
Inbound ACLs

Incoming packets are processed before they are routed to the outbound interface.
An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded.
If the packet is permitted by the tests, it is then processed for routing.

ACL Operation
Outbound ACLs

Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

ACL Operation
Routing and ACL Processes in a Router


Types of Cisco ACLs


Numbering and Naming ACLs

Numbered ACL: You assign a number based on which protocol you want filtered:
(1 to 99) and (1300 to 1999): Standard IP ACL
(100 to 199) and (2000 to 2699): Extended IP ACL
Named ACL: You assign a name by providing the name of the ACL:
Names can contain alphanumeric characters.
It is suggested that the name be written in CAPITAL LETTERS.
Names cannot contain spaces or punctuation and must begin with a letter.
You can add or delete entries within the ACL.
Starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL.

Creating ACLs
Step 1: Create an ACL definition
Step 2: Apply the ACL to an interface

Creating numbered ACLs: details

Work from the global configuration mode.
Specify an ACL number.
Carefully select and logically order the ACL statements.
Permitted IP protocols must be specified; all other protocols should be denied.
Select which protocols to check; any other protocols are not checked.

Apply the ACL to an interface.

Specifying an ACL number

Assigning an ACL number
The ACL number must be within the specific range specified for the protocol.
Modification of a numbered ACL involves deleting the entire list and creating a new one.
Remove a numbered ACL:
Router(config)#no access-list list-number

ACL configuration task: Step 1

ACL configuration task: Step 2

Wildcard mask bits

A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits.
A wildcard mask bit 0 means "check the corresponding bit value".
A wildcard mask bit 1 means "do not check (ignore) that corresponding bit value".

Wildcard mask bits

Wildcard mask bits

0 = check, we want this to match
1 = don't check, this can be any value, does not need to match

Test condition:
172.30.16.0    10101100 . 00011110 . 00010000 . 00000000
0.0.15.255     00000000 . 00000000 . 00001111 . 11111111

Matching packets will look like this:
172.30.16.0    10101100 . 00011110 . 00010000 . 00000000
172.30.16.1    10101100 . 00011110 . 00010000 . 00000001
172.30.17.0    10101100 . 00011110 . 00010001 . 00000000
172.30.30.0    10101100 . 00011110 . 00011110 . 00000000
... (through)
172.30.31.254  10101100 . 00011110 . 00011111 . 11111110
172.30.31.255  10101100 . 00011110 . 00011111 . 11111111

Wildcard & Subnet mask

Wildcard masks operate differently from IP subnet masks.
Subnet mask: The zeros and ones determine the network (or subnet) and host portions of the corresponding IP address.
Wildcard mask: The zeros and ones determine whether the corresponding bits in an IP address should be checked or ignored for ACL purposes.

There is a relationship! Bitwise-not on the Subnet Mask

172.16.32.0 255.255.240.0
RouterB(config)#access-list 10 permit 172.16.32.0 0.0.15.255

  Subnet Mask:     255 . 255 . 240 .   0
+ Wildcard Mask:     0 .   0 .  15 . 255
  -------------------------------------
                   255 . 255 . 255 . 255

So, we could calculate the Wildcard Mask by:
                   255 . 255 . 255 . 255
- Subnet Mask:     255 . 255 . 240 .   0
  -------------------------------------
  Wildcard Mask:     0 .   0 .  15 . 255

Practice
RouterB(config)#access-list 10 permit ________ _________

Permit the following networks (Network/Subnet Mask -> Address/Wildcard Mask):
A. 172.16.0.0 255.255.0.0
B. 172.16.1.0 255.255.255.0
C. 192.168.1.0 255.255.255.0
D. 172.16.16.0 255.255.240.0 (hmmm . . .?)
E. 172.16.128.0 255.255.192.0 (hmmm . . .?)

Permit the following hosts (Network/Subnet Mask -> Address/Wildcard Mask):
A. 172.16.10.100
B. 192.168.1.100
C. All hosts
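The subtraction on the previous slide and the bit table before it are two views of one operation: the wildcard mask is the bitwise NOT of the subnet mask, and the 1-bits of the wildcard are the "free" bits that define the range of matching addresses. The following Python is an added example, not from the course slides; it carries the slide's 172.16.32.0 255.255.240.0 case through, derives the `host` and `any` shorthand as the two extreme wildcards, and adds a range calculation that reports the first and last address a base/wildcard pair matches (function names and the `standard_permit` helper are this example's own).

```python
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(IPv4Address(value))


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Wildcard mask = bitwise NOT of the subnet mask,
    which is the same as 255.255.255.255 minus the subnet mask."""
    return to_dotted(to_int(subnet_mask) ^ ALL_ONES)


def wildcard_to_subnet(wildcard: str) -> str:
    """Inverting all bits is its own inverse, so the same step recovers the subnet mask."""
    return subnet_to_wildcard(wildcard)


def match_range(base: str, wildcard: str):
    """Return (first, last, count) for the addresses a base/wildcard pair matches.

    Bits where the wildcard is 1 are free: the lowest matching address has them
    all cleared, the highest has them all set, and there are 2**(number of
    free bits) matches in total."""
    b, w = to_int(base), to_int(wildcard)
    lowest = b & (w ^ ALL_ONES)     # keep only the checked bits of the base
    highest = lowest | w            # set every free bit
    return to_dotted(lowest), to_dotted(highest), 1 << bin(w).count("1")


def standard_permit(acl_number: int, network: str, subnet_mask: str) -> str:
    """Build the IOS statement for a network that is given with its subnet mask."""
    return f"access-list {acl_number} permit {network} {subnet_to_wildcard(subnet_mask)}"


# The 'host' keyword is shorthand for a 0.0.0.0 wildcard (check all 32 bits),
# and 'any' is shorthand for 0.0.0.0 255.255.255.255 (check nothing).
HOST_WILDCARD = subnet_to_wildcard("255.255.255.255")   # "0.0.0.0"
ANY_WILDCARD = subnet_to_wildcard("0.0.0.0")            # "255.255.255.255"


if __name__ == "__main__":
    # The worked case from the slide: 172.16.32.0 255.255.240.0
    print(standard_permit(10, "172.16.32.0", "255.255.240.0"))
    # The bit-table case: 172.30.16.0 0.0.15.255 covers 172.30.16.0 .. 172.30.31.255
    print(match_range("172.30.16.0", "0.0.15.255"))
    print("host wildcard:", HOST_WILDCARD, " any wildcard:", ANY_WILDCARD)
```

`match_range` is the check worth running before applying a statement: if the reported last address is higher than the subnet you meant to cover, the wildcard has too many 1-bits and the entry is wider than intended.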

Wildcard mask bits

Wildcard any

Wildcard host

The any and host options

Standard ACLs

Overview
When you want to:
block all traffic from a network,
allow all traffic from a network,
permit or deny an entire protocol suite.

Standard ACLs only check the source address of packets that could be routed.
Results in either permit or deny of an entire protocol suite, based on the network, subnet, and host addresses.

Standard ACLs

Standard ACL commands

Router(config)#access-list access-list-number {deny | permit} source [source-wildcard] [log]
Router(config)#no access-list access-list-number
Router(config-if)#ip access-group access-list-number {in | out}
Access list number: (1 to 99) and (1300 to 1999)
Verify:
Router# show access-lists

Standard ACL statements

Standard ACL Examples

Requirements
Do not allow traffic from outside to access network 172.16.3.0.
Node 172.16.4.13 can only access the Internet.
Network 172.16.4.0 (except 172.16.4.13) cannot access the Internet.

Extended ACLs

Overview
Provide a greater range of control than standard ACLs.
Check for both source and destination packet addresses.
They can also check for specific protocols, port numbers, and other parameters.

Extended ACL

Extended ACL commands

Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [operator port] [established]
Router(config)#no access-list access-list-number
Router(config-if)#ip access-group access-list-number {in | out}
Access list number: (100 to 199) and (2000 to 2699)
Commands:
Router# show access-lists

Extended Access Lists

Extended ACL statements

Extended ACL: TCP/UDP protocol

Create ACL
Router(config)# access-list access-list-number {permit | deny} {tcp | udp} source source-wildcard destination destination-wildcard [operator port] [established]

Apply ACL
Router(config-if)# ip access-group access-list-number {in | out}

Reserved port numbers

Extended ACL: ICMP protocol

Router(config)# access-list access-list-number {permit | deny} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message]
Router(config-if)# ip access-group access-list-number {in | out}

Extended ACL examples

1. Prevent telnet and ftp access from the Internet to 172.16.3.100 and 172.16.4.13.
2. Prevent all hosts but 172.16.4.13 on network 172.16.4.0 from accessing cisco.netacad.net.
3. Prevent all hosts on network 172.16.4.0 from accessing the www.astalavista.com web site. All other hosts on the network can go anywhere.
4. Prevent all hosts, except 172.16.3.100, on network 172.16.3.0 from accessing 172.16.4.13 using telnet and ftp.
5. Allow all hosts on the local network as well as the Internet to access the company's web site on server 172.16.4.13. Block all other types of access to this server.

Restricting telnet access with ACL

Restricting virtual terminal access

The purpose of restricted vty access is increased network security.
Access to vty is also accomplished using the Telnet protocol to make a nonphysical connection to the router.
As a result, there is only one type of vty access list. Identical restrictions should be placed on all vty lines as it is not possible to control which line a user will connect on.

Restricting virtual terminal access

Standard and extended access lists apply to packets traveling through a router.
ACLs do not block packets that originate within the router.
An outbound Telnet extended access list does not prevent router-initiated Telnet sessions, by default.

Named ACLs

Overview
Uses a name string to identify standard and extended IP ACLs instead of the numeric (1 to 199) representation.
Named ACLs can be used to remove individual entries from a specific ACL.
Considerations:
Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
You cannot use the same name for multiple ACLs. In addition, ACLs of different types cannot have the same name.

Named ACL commands

Create ACLs
Router(config)# ip access-list {standard | extended} name
Router(config {std- | ext-}nacl)# deny {source [source-wildcard] | any}
Router(config {std- | ext-}nacl)# permit {source [source-wildcard] | any}

Apply ACLs
Router(config-if)# ip access-group name {in | out}
Router# show access-lists

Named ACL example

ADVANCED ACLs
Switch-Port ACLs
Time-based ACLs
Remarks ACLs

Switch Port ACLs

Overview
Switch port ACLs are MAC ACLs.
Switch port ACLs can only be applied to layer 2 interfaces on switches, in the inbound direction, and only as named ACLs.
Sw1#conf t
Sw1(config)#mac access-list extended yournameACL
Sw1(config-ext-macl)#{deny | permit} source destination
source/destination: any | host | H.H.H

Sw1(config)#int f0/5
Sw1(config-if)#mac access-group yournameACL in

Time-based ACLs

Overview
Time-based ACLs work like extended ACLs do, but their type of access control is totally time oriented.
The time period is based upon the router's clock.
Router#conf t
Router(config)#time-range no-chat
Router(config-time-range)#periodic weekdays start to end
Router(config-time-range)#exit
Router(config)#ip access-list extended Chat-time
Router(config-ext-nacl)#deny tcp any any eq chat time-range no-chat
Router(config-ext-nacl)#int fa0/0
Router(config-if)#ip access-group Chat-time in
Router(config-if)#exit

Remarks ACLs

Remarks
Allow including comments, or rather remarks, regarding the entries in both IP standard and extended ACLs, or named ACLs.
R2#config t
R2(config)#access-list 110 remark Permit Bob from Sales Only To Finance
R2(config)#access-list 110 permit ip host 172.16.10.1 172.16.20.0 0.0.0.255
R2(config)#access-list 110 deny ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255
R2(config)#ip access-list extended No_Telnet
R2(config-ext-nacl)#remark Deny all of Sales from Telnetting to Marketing
R2(config-ext-nacl)#deny tcp 172.16.30.0 0.0.0.255 172.16.40.0 0.0.0.255 eq 23
R2(config-ext-nacl)#permit ip any any

Placing ACLs

Placing ACLs

Source 10.0.0.0/8
Destination 172.16.0.0/16

Rules
Place extended ACLs as close to the source of the traffic denied as possible.
Place the standard ACL as close to the destination as possible.

Placing ACLs Extended Example

deny telnet
deny ftp
permit any
Source 10.0.0.0/8
Destination 172.16.0.0/16

The policy is to deny telnet or FTP from the Router A LAN to the Router D LAN.
All other traffic must be permitted.
Several approaches can accomplish this policy.
The recommended approach uses an extended ACL specifying both source and destination addresses.

Placing ACLs Extended Example

deny telnet
deny ftp
permit any
Source 10.0.0.0/8
Router A
Destination 172.16.0.0/16

interface fastethernet 0/1
 ip access-group 101 in
access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq telnet
access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq ftp
access-list 101 permit ip any any

Place this extended ACL in Router A.
Then, packets do not cross Router A's Ethernet, do not cross the serial interfaces of Routers B and C, and do not enter Router D.
Traffic with different source and destination addresses will still be permitted.

Placing ACLs Standard Example

deny 10.0.0.0
permit any
Source 10.0.0.0/8
Destination 172.16.0.0/16
Router D

interface fastethernet 0/0
 ip access-group 10 in
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any

Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.
If a standard ACL is put too close to the source, it will not only deny the intended traffic, but all other traffic to all other networks.
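The two placement slides and the extended ACL syntax can be exercised together in one small model. The following Python is an added example, not from the course slides: it models the fields an extended statement tests (protocol, source, destination, `eq` port, `established`), evaluates the slides' ACL 101 against constructed packets, and then applies the slides' standard ACL 10 at two points in the path. `at_router_a` stands for Router A's LAN interface, which every packet leaving 10.0.0.0/8 crosses; `at_router_d` stands for Router D's interface toward 172.16.0.0/16, which only traffic bound for that LAN ever reaches. Both the packet model and the two placement functions are this example's own simplification of the topology on the slides.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")        # IOS keyword 'any'
DEST_LAN = ("172.16.0.0", "0.0.255.255")    # Router D's LAN from the slides
SOURCE_LAN = ("10.0.0.0", "0.255.255.255")  # Router A's LAN from the slides


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    check = w ^ 0xFFFFFFFF
    return (a & check) == (b & check)


@dataclass
class Packet:            # constructed model: only the fields an ACL looks at
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False    # TCP ACK bit; 'established' matches replies that carry it


@dataclass
class Entry:             # one access-list statement
    action: str
    proto: str           # "ip" matches every IP protocol
    src: tuple
    dst: tuple
    eq_port: Optional[int] = None   # 'eq <port>' on the destination port
    established: bool = False


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    if e.eq_port is not None and p.dport != e.eq_port:
        return False
    if e.established and not (p.proto == "tcp" and p.ack):
        return False
    return True


def evaluate(acl, p: Packet) -> str:
    for e in acl:
        if entry_matches(e, p):
            return e.action     # first match decides
    return "deny"               # implicit deny any


# "Placing ACLs Extended Example": ACL 101, inbound on Router A's fastethernet 0/1.
ACL_101 = [
    Entry("deny",   "tcp", ANY, DEST_LAN, eq_port=23),   # eq telnet
    Entry("deny",   "tcp", ANY, DEST_LAN, eq_port=21),   # eq ftp
    Entry("permit", "ip",  ANY, ANY),
]

# "Placing ACLs Standard Example": ACL 10 in the same model. A standard ACL
# checks only the source, so the destination is 'any'.
ACL_10 = [
    Entry("deny",   "ip", SOURCE_LAN, ANY),
    Entry("permit", "ip", ANY, ANY),
]


def at_router_a(acl, p: Packet) -> str:
    """Router A's LAN interface sees every packet leaving 10.0.0.0/8, whatever its destination."""
    return evaluate(acl, p)


def at_router_d(acl, p: Packet) -> str:
    """Router D's interface toward 172.16.0.0/16 only carries packets bound for that LAN;
    anything else never reaches it, so the ACL is not consulted."""
    if not wildcard_match(p.dst, *DEST_LAN):
        return "not seen"
    return evaluate(acl, p)


def placement_demo():
    to_dest_lan = Packet("tcp", "10.1.1.1", "172.16.5.5", dport=80)
    to_elsewhere = Packet("tcp", "10.1.1.1", "192.168.7.7", dport=80)
    return {
        "ACL 10 near source": (at_router_a(ACL_10, to_dest_lan),
                               at_router_a(ACL_10, to_elsewhere)),
        "ACL 10 near destination": (at_router_d(ACL_10, to_dest_lan),
                                    at_router_d(ACL_10, to_elsewhere)),
    }


if __name__ == "__main__":
    for placement, (lan, other) in placement_demo().items():
        print(f"{placement:24} to 172.16.5.5: {lan:8} to 192.168.7.7: {other}")
```

The output makes the placement rule concrete: near the source, ACL 10 denies the 10.0.0.0/8 host's traffic to 192.168.7.7 as well, which the policy never asked for; near the destination, only the intended traffic is denied. ACL 101 does not have that problem because its destination field already confines the deny to 172.16.0.0/16.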

Verify ACLs
The show ip interface command displays IP
interface information and indicates whether any ACLs
are set.
The show access-lists command displays the
contents of all ACLs.
By entering the ACL name or number as an option for this
command, you can see a specific list.


Firewall

Firewall

A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.
In most circumstances, intruders come from the global Internet and the thousands of remote networks that it interconnects.
Typically, a network firewall consists of several different machines that work together to prevent unwanted and illegal access.

Using ACLs in firewall routers

ACLs should be used in firewall routers.
The firewall router provides a point of isolation so that the rest of the internal network structure is not affected.
You can also use ACLs on a router positioned between two parts of the network to control traffic.
To provide the security benefits of ACLs, you should, at a minimum, configure ACLs on border routers.

Firewalls Example

ISPs use ACLs to deny RFC 1918 addresses into their networks, as these are non-routable Internet addresses.
IP packets coming into your network should never have a source address that belongs to your network. (This should be applied on all network entrance routers.)
There are several other simple access lists which should be added to network entrance routers.
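The two checks named above (drop RFC 1918 sources, drop packets whose source claims to be one of your own prefixes) are the core of an entrance-router ingress filter. The following Python is an added example, not from the course slides: `ingress_decision` applies the two checks to a source address, and `render_ingress_acl` emits the equivalent numbered extended ACL, using the `hostmask` of each prefix as the wildcard. The prefix 203.0.113.0/24 is a constructed stand-in for your own public network, and the trailing `permit ip any any` is an assumption of this example; the slide notes that further entrance filters belong before it.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 private ranges: never a valid source on traffic arriving from the Internet.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ingress_decision(src_ip: str, internal_prefixes):
    """Decision for a packet arriving from the Internet at a network entrance router.

    internal_prefixes: the prefixes that belong to our own network, as strings."""
    src = ip_address(src_ip)
    if any(src in net for net in RFC1918):
        return "deny", "RFC 1918 source is not routable on the Internet"
    if any(src in ip_network(p) for p in internal_prefixes):
        return "deny", "source claims to be inside our own network"
    return "permit", ""


def render_ingress_acl(acl_number: int, internal_prefixes):
    """Produce the equivalent numbered extended ACL lines, to be applied inbound
    on the Internet-facing interface. The trailing 'permit ip any any' is an
    assumption for this example."""
    lines = [f"access-list {acl_number} remark Drop RFC 1918 and spoofed internal sources"]
    for net in RFC1918 + [ip_network(p) for p in internal_prefixes]:
        # hostmask is the inverted netmask, i.e. exactly the wildcard IOS expects
        lines.append(f"access-list {acl_number} deny ip {net.network_address} {net.hostmask} any")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    ours = ["203.0.113.0/24"]          # constructed: stands in for our own public prefix
    for src in ("10.1.1.1", "203.0.113.7", "198.51.100.9"):
        print(f"{src:14} -> {ingress_decision(src, ours)}")
    print("\n".join(render_ingress_acl(110, ours)))
```

Because a standard ACL matches only the source, the same filter could be written as a standard list, but the extended form keeps the destination explicit and leaves room for the port-based entrance rules the slide alludes to.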

Good luck with this module !
