In the standard IP access list example, notice how you had to block all access from the Sales LAN to the finance department. What if you needed sales to gain access to a certain server on the finance LAN but not to other network services, for security reasons? With the standard IP access list, you can’t allow users to get to one network service and not another. Said another way, when you need to make decisions based on both source and destination addresses, a standard access list won’t allow you to do that since it only makes decisions based on source address.
But an extended access list will hook you up. That’s because extended access lists allow you to specify the source and destination address as well as the protocol and port number that identifies the upper-layer protocol or application. By using an extended access list, you can effectively allow users access to a physical LAN and stop them from accessing a specific host or even specific services on those hosts.
Here’s an example of an extended IP access list:
Corp(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list
The first command shows the access-list numbers available. You’ll use the extended access-list range from 100 to 199. Be sure to notice that the range 2000 to 2699 is also available for extended IP access lists.
At this point, you need to decide what type of list entry you are making. For this example, you’ll choose a deny list entry.
Corp(config)#access-list 110 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment
Once you choose the access-list type, you then need to select a protocol field entry.
Corp(config)#access-list 110 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco’s EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco’s GRE tunnelling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunnelling
  nos      KA9Q NOS compatible IP over IP tunnelling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
Here, you’ll choose to filter an Application Layer protocol that uses TCP by selecting TCP as the protocol. You’ll specify the TCP port later. Next, you will be prompted for the source IP address of the host or network (you can choose the any keyword to allow any source address):
Corp(config)#access-list 110 deny tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
After the source address is selected, the destination address is chosen:
Corp(config)#access-list 110 deny tcp any ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers
In the following example, TCP traffic from any source IP address to the destination host 172.16.30.2 is denied.
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>
You can press Enter here and leave the access list as it is. But if you do that, all TCP traffic to host 172.16.30.2 will be denied, regardless of the destination port. You can be even more specific once you have the host addresses in place: just specify the type of service you are denying.
The following help screen shows you the available options. You can choose a port number or use the application or protocol name:
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53)
  drip         Dynamic Routing Information Protocol (3949)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       Syslog (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)
At this point, let’s block Telnet (port 23) to host 172.16.30.2 only. If the users want to FTP, fine, that’s allowed. The log keyword is used to log a message every time the access list entry is hit. This can be an extremely cool way to monitor inappropriate access attempts. Here is how to do this:
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
You need to keep in mind that the next line is an implicit deny any by default. If you apply this access list to an interface as it stands, you might as well just shut the interface down, since there is an implicit deny all at the end of every access list. You’ve got to follow up the access list with the following command:
Corp(config)#access-list 110 permit ip any any
Remember, 0.0.0.0 255.255.255.255 means the same thing as the any keyword, and it has to be given once for the source and once for the destination, so the command could look like this:
Corp(config)#access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Once the access list is created, you need to apply it to an interface (it’s the same command as the IP standard list):
Corp(config-if)#ip access-group 110 in
Corp(config-if)#ip access-group 110 out
In the following section, we’ll look at an example of how to use an extended access list.
Extended Access List Example
Using the network in the picture below, let’s deny access to a host at 172.16.30.5 on the Finance Department LAN for both Telnet and FTP services. All other services on this and all other hosts are acceptable for the sales and marketing departments to access.
The following access list should be created:
Lab_A#config t
Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 21
Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 23
Lab_A(config)#access-list 110 permit ip any any
The access-list 110 tells the router you are creating an extended IP access list. The tcp keyword matches the protocol field in the Network layer header. If the list doesn’t say tcp here, you cannot filter by port numbers 21 and 23 as shown in the example. (These are FTP and Telnet, and they both use TCP for connection-oriented services.) The any keyword is the source, which means any IP address, and host 172.16.30.5 is the destination IP address.
After the list is created, it needs to be applied to the Ethernet 1 interface outbound. This applies the policy we created to all hosts and effectively blocks all FTP and Telnet access to 172.16.30.5 from outside the local LAN. If this list were created to only block access from the sales LAN, then we’d have put this list closer to the source, or on Ethernet interface 0. So, in this situation, we’d apply the list to inbound traffic.
Let’s go ahead and apply the list to interface E1 and block all outside FTP and Telnet access to the host:
Lab_A(config-if)#ip access-group 110 out
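To see how the router walks this list, the following added example (not from the original text, and a simplified model rather than IOS itself) evaluates packets against the entries above from the top down, where the first match wins and the implicit deny sits at the end. The source host 172.16.10.7 and all function names are assumptions made for the illustration.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF            # same as 0.0.0.0 255.255.255.255
    if first == "host":
        return _ip(tok.pop(0)), 0       # same as A 0.0.0.0
    return _ip(first), _ip(tok.pop(0))

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [log]'."""
    tok = line.split()[2:]              # drop 'access-list' and the number
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _take_addr(tok), _take_addr(tok)
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def _addr_match(pkt_addr, rule):
    addr, wild = rule
    care = ~wild & 0xFFFFFFFF           # wildcard 1-bits are "don't care"
    return (_ip(pkt_addr) & care) == (addr & care)

def evaluate(acl, proto, src, dst, dport=None):
    """Action of the first matching entry, else the implicit deny."""
    for line in acl:
        action, aproto, asrc, adst, aport = parse_ace(line)
        if aproto != "ip" and aproto != proto:
            continue                    # 'ip' matches every protocol
        if not (_addr_match(src, asrc) and _addr_match(dst, adst)):
            continue
        if aport is not None and dport != aport:
            continue
        return action
    return "deny (implicit)"

# The list from the example above; 172.16.10.7 is a constructed Sales host.
ACL_110 = [
    "access-list 110 deny tcp any host 172.16.30.5 eq 21",
    "access-list 110 deny tcp any host 172.16.30.5 eq 23",
    "access-list 110 permit ip any any",
]

if __name__ == "__main__":
    for port in (21, 23, 80):
        print(port, evaluate(ACL_110, "tcp", "172.16.10.7", "172.16.30.5", port))
    # Same list without the final permit: everything else hits the implicit deny.
    print(80, evaluate(ACL_110[:2], "tcp", "172.16.10.7", "172.16.30.5", 80))
```

Ports 21 and 23 to 172.16.30.5 come back as deny and port 80 as permit; with the final permit line removed, port 80 falls through to the implicit deny.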
Extended Access List Example 2
In this example, we’ll again use the same picture, which has four LANs and a serial connection. What we need to do is stop Telnet access to the networks attached to the Ethernet 1 and Ethernet 2 interfaces. If we only used one access list, it would not be a very effective one because of the latency that will be caused on the Ethernet 1 and 2 interfaces (since every packet going out these interfaces must be looked at), but if we used two lists, the latency could be less on each interface if configured correctly. However, since we are studying the CCNA objectives, we’re going to look at this with only one access list.
The configuration on the router would look something like this, although the answer can vary.
Router(config)#access-list 110 deny tcp any 18.104.22.168 0.0.15.255 eq 23
Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23
Router(config)#access-list 110 permit ip any any
Router(config)#interface Ethernet 1
Router(config-if)#ip access-group 110 out
Router(config-if)#interface Ethernet 2
Router(config-if)#ip access-group 110 out
The important information that you need to understand from this list is as follows. First, you need to verify that the number range is correct for the type of access list you are creating; in this example it’s extended, so the range must be 100 to 199. Second, you need to verify that the protocol field matches the upper-layer process or application; in this example, port 23 (Telnet).
The protocol parameter must be TCP since Telnet uses TCP. If the question stated to use TFTP, for example, then the protocol parameter would have to be UDP since TFTP uses UDP. Third, verify that the destination port number matches the application you are filtering for; in this case, port 23 matches Telnet, which is correct. Finally, the test statement permit ip any any is important to have at the end of the list to enable all packets other than Telnet packets destined for the LANs connected to Ethernet 1 and 2.