In the standard IP access list example, you can notice how you have to block all access from the Sales LAN to the finance department. What if you needed sales to gain access to a certain server on the finance LAN but not to other network services, for security reasons? With the standard IP access list, you can’t allow users to get to one network service and not another. Said another way, when you need to make decisions based on both source and destination addresses, a standard access list won’t allow you to do that since it only makes decisions based on source address.
But an extended access list will hook you up. That’s because extended access lists allow you to specify the source and destination address as well as the protocol and port number that identifies the upper-layer protocol or application. By using an extended access lists, you can effectively allow users access to a physical LAN and stop them from accessing a specific host or even specific services on those hosts.
Here’s an example of an extended IP access list:
Corp(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
Compiled Enable IP access-list compilation
Dynamic-extended Extend the dynamic ACL absolute timer
Rate-limit simple rate-limit specific access listThe first command shows the access-list numbers available. You’ll use the extended access-list range from 100 to 199. Be sure to notice that the range 20002699 is also available for extended IP access lists.
At this point, you need to decide what type of list entry you are making. For this example, you’ll choose a deny list entry.
Corp(config)#access-list 110 ?
Deny specify packets to reject
Dynamic specify a DYNAMIC list of PERMITs or DENYs
Permit specify packets to forward
Remark access list entry commentOnce you choose the access-list type, you then need to select a protocol field entry.
Corp(config)#access-list 110 deny ?
<0-255> An IP Protocol number
Ahp authentication header protocol
Eigrp Cisco’s EIGRP routing protocol
Esp encapsulation security payload
Gre cisco’s GRE tunnelling
Icmp internet control message protocol
Igmp interent gateway message protocol
Ip any internet protocol
Ipinip IP in IP tunnelling
Nos KA9Q NOS compatible IP over IP tunnelling
Ospf OSPF routing protocol
Pcp payload compression protocol
Pim protocol independent multicast
Tcp transmission control protocol
Udp user diagram protocolHere, you’ll choose to filter an Application Layer protocol that uses TCP by selecting TCP as the protocol. You’ll specify the specific TCP port later. next, you will be prompted for the source IP address of the host network (you can choose the any command to allow any source address):
Corp(config)#access-list 110 deny tcp ?
A.B.C.D source address
Any any source host
Host a single source hostAfter the source address is selected, the destination address is chosen:
Corp(config)#access-list 110 deny tcp any ?
A.B.C.D destination address any Any destination host
Eq match only packets on a given port number
Gt match only packets with a greater port number
Host a single destination host
Lt match only packets with a lower port number
Neq match only pacekts not on a given port number
Range match only packets in the range of port numbersIn the following example, any source IP address that has a destination IP address of 172.16.30.2 has been denied.
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 ?
Ack match on the ACK bit
Dscp match packets with given dscp value
Eq match only packets on a given port number
Established match established connections
Fin match on the FIN bit
Fragments check non-initial fragments
Gt match only packets with a greater port number
Log log matches against this entry
Log-input log matches against this entry, including input interface
Lt match only packets with a lower port number
Neq match only packets with given precedence value
Psh match on the PSH bit
Range match only packets in the range of port numbers
Rst match on the RST bit
Syn match on the SYN bit
Time-range specify a time-range
Tos match packets with given TOS value
Urg match on the URG bit
<cr>You can press enter here and leave the access list as it is. But if you do that, all TCP traffic to host 172.16.30.2 will be denied, regardless of the destination port. You can be even more specific once you have the host addresses in place, just specify the type of service you are denying.
The following help screen shows you the available options. You can choose a port number or use the application or protocol name:
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
<0-65535> port number
Bgp border gateway protocol (179)
Chargen Character Generator (19)
Cmd Remote commands (tcmd, 514)
Daytime daytime (13)
Discard Discard (9)
Domain domain name service (53)
Drip dynamic routing information protocol (3949)
Echo Echo (7)
Exec Exec (rsh, 512)
Finger finger (79)
ftp file transfer protocol (21)
ftp-data FTP data connections (20)
gopher gopher (70)
hostname NIC hostname server (101)
ident ident protocol (113)
irc internet relay chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login login (rlogin, 513)
lpd printer service (515)
nntp network news transport protocol (119)
pim-auto-rp PIM auto-RP (496)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp simple mail transport protocol (25)
sunrpc sun remote procedure call (111)
syslog syslog (514)
tacacs TAC access control system (49)
talk talk (517)
telnet telnet (23)
time Time (37)
uucp Unix-to-Unix copy program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)at this point, let’s block Telnet (port 23) to host 172.16.30.2 only. If the users want to FTP, fine that’s allowed. The log command is used to log a message every time the access list is hit. This can be an extremely cool way to monitor inappropriate access attempts. Here is how to do this:
corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 logyou need to keep in mind that the next line is an implicit deny any by default. If you apply this access list to an interface, you might as well just shut the interface down since by default there is an implicit deny all at the end of every access list. You’ve got to follow up the access list with the following command:
corp(config)#access-list 110 permit ip any anyRemember, the 0.0.0.0 255.255.255.255 is the same command as any, so the command could look like this:
Corp(config)#access-list 110 permit ip 0.0.0.0 255.255.255.255
255.255.255.255Once the access list is created, you need to apply it to an interface (it’s the same command as the IP standard list):
Corp(config-if)#ip access-group 110 inOr this:
Corp(config-if)#ip access-group 110 outIn the following section, we’ll look at an example of how to use an extended access list.
Extended Access List Example
Using the following picture below, let’s use the same network and deny access to a host at 172.16.30.5 on the Finance Department LAN for both Telnet and FTP services. All other services on this and all other hosts are acceptable for the sales and marketing departments to access.
The following access list should be created:
Lab_A#config t
Lab_A(config)#access-list 110 deny tcp any host
172.16.30.5 eq 21
Lab_A(config)#access-list 110 deny tcp any host
172.16.30.5 eq 23
Lab_A(config)#access-list 110 permit ip any any
The access-list 110 tells the router you are creating an extended IP access list. The tcp is the protocol field in the network layer header. If the list doesn’t say tcp here, you cannot filter by port numbers 21 and 23 as shown in the example. (these are FTP and Telnet, and they both use TCP for connection-oriented services). The any command is the source, which means any IP address, and the host is the destination IP address.
After the list is created, it needs to be applied to the Ethernet 1 interface outbound. This applies the policy we created to all hosts and effectively blocks all FTP and Telnet access to 172.16.30.5 from outside the local LAN. If this list were created to only block access from the sales LAN, then we’d have put this list closer to the source, or on Ethernet interface 0. So, in this situation, we’d apply the list to inbound traffic.
Let’s go ahead and apply the list to interface E1 and block all outside FTP and Telnet access to the host:
Lab_A(config-if)#ip access-group 110 out
Extended access list Example 2
In this example, we’ll again use the same picture, which has four LANs and a serial connection. What we need to do is stop Telnet access to the networks attached to the Ethernet 1 and Ethernet 2 interfaces. If we only used one access list, it would not be a very effective one because of the latency that will be caused on the Ethernet 1 and 2 interfaces (since every packet going out these interfaces must be looked at), but if we used two lists, the latency could be less on each interface if configured correctly. However, since we are studying the CCNA objectives, we’re going to look at this with only one access list.
The configuration on the router would look something like this, although the answer can vary.
Router(config)#access-list 110 deny tcp any 172.116.48.0 0.0.15.255 eq 23
Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23
Router(config)#access-list 110 permit ip any any
Router(config)#interface Ethernet 1
Router(config-if)#ip access-group 110 out
Router(config-if)#interface Ethernet 2
Router(config-if)#ip access-group 110 outThe important information that you need to understand from this list is as follows: first, you need to verify that the number range is correct for the type of access list you are creating in this example it’s extended, so the range must be 100199. Second, you need to verify that the protocol field matches the upper-layer process or application in this example, port 23 (Telnet).
The protocol parameter must be TCP since Telnet uses TCP. If the question stated to use TFTP, for example, then the protocol parameter would have to be UDP since TFTP uses UDP. Third, verify that the destination port number matches the application you are filtering for in this case, port 23 matches Telnet, which is correct. Finally, the test statement permits ip any any is important to have at the end of the list to enable all packets other than Telnet packets destined for the LANs connected to Ethernet 1 and 2.