Extended Access Lists – CCNA Course

In the standard IP access list example, you can notice how you have to block all access from the Sales LAN to the finance department. What if you needed sales to gain access to a certain server on the finance LAN but not to other network services, for security reasons? With the standard IP access list, you can’t allow users to get to one network service and not another. Said another way, when you need to make decisions based on both source and destination addresses, a standard access list won’t allow you to do that since it only makes decisions based on source address.

But an extended access list will hook you up. That’s because extended access lists allow you to specify the source and destination address as well as the protocol and port number that identifies the upper-layer protocol or application. By using an extended access list, you can effectively allow users access to a physical LAN and stop them from accessing a specific host or even specific services on that host.

Here’s an example of an extended IP access list:

Corp(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

The first command shows the access-list numbers available. You’ll use the extended access-list range from 100 to 199. Be sure to notice that the range 2000 to 2699 is also available for extended IP access lists.

At this point, you need to decide what type of list entry you are making. For this example, you’ll choose a deny list entry.

Corp(config)#access-list 110 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment

Once you choose the access-list type, you then need to select a protocol field entry.

Corp(config)#access-list 110 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco’s EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco’s GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

Here, you’ll choose to filter an Application Layer protocol that runs over TCP by selecting tcp as the protocol. You’ll specify the specific TCP port later. Next, you will be prompted for the source IP address of the host or network (you can choose the any keyword to match any source address):

Corp(config)#access-list 110 deny tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

After the source address is selected, the destination address is chosen:

Corp(config)#access-list 110 deny tcp any ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers

In the following example, any source IP address that has a destination IP address of 172.16.30.2 has been denied.

Corp(config)#access-list 110 deny tcp any host 172.16.30.2 ?
  ack          Match on the ACK bit
  dscp         Match packets with given DSCP value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>

You can press Enter here and leave the access list as it is. But if you do that, all TCP traffic to host 172.16.30.2 will be denied, regardless of the destination port. You can be even more specific once you have the host addresses in place: just specify the type of service you are denying.

The following help screen shows you the available options. You can choose a port number or use the application or protocol name:

Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53)
  drip         Dynamic Routing Information Protocol (3949)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       Syslog (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)

At this point, let’s block Telnet (port 23) to host 172.16.30.2 only. If the users want to FTP, fine, that’s allowed. The log keyword is used to log a message every time the access list entry is hit. This can be an extremely cool way to monitor inappropriate access attempts. Here is how to do this:

Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log

You need to keep in mind that, by default, the next line is an implicit deny any. If you apply this access list to an interface as it stands, you might as well just shut the interface down, since there is an implicit deny all at the end of every access list. You’ve got to follow up the access list with the following command:

Corp(config)#access-list 110 permit ip any any

Remember, 0.0.0.0 255.255.255.255 means the same as any, so the command could also look like this:

Corp(config)#access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Once the access list is created, you need to apply it to an interface (it’s the same command as the IP standard list):

Corp(config-if)#ip access-group 110 in

Or this:

Corp(config-if)#ip access-group 110 out
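To see why the permit ip any any line matters, here is an added illustration (not Cisco IOS code and not part of the original course material): a small Python model that parses access-list lines in the syntax used above and evaluates packets the way the text describes, top-down, first match wins, with an implicit deny if nothing matches. Only the keywords used on this page are supported, and the sample packets, the source host 172.16.10.2 and the port-name table are constructed for the example.

```python
"""Added illustration (not Cisco IOS code): a model of how an extended IP
access list evaluates a packet -- top-down, first match wins, and an implicit
"deny ip any any" if no line matches.  Only the keywords used in this article
are supported (tcp/udp/ip, any, host, A.B.C.D wildcard, eq <port|name>, log).
"""
import ipaddress

# Subset of the port names from the "eq ?" help screen (constructed table).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25, "www": 80}


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is "don't care"."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & keep) == (n & keep)


def _parse_address(tokens):
    """Consume one address spec; return (network, wildcard, remaining tokens)."""
    if tokens[0] == "any":                   # any == 0.0.0.0 255.255.255.255
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":                  # host X == X 0.0.0.0
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]  # explicit network + wildcard


def parse_entry(line):
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>] [log]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    number = int(tokens[1])
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"{number} is not in an extended IP access-list range")
    action, proto = tokens[2], tokens[3]
    src, src_wc, rest = _parse_address(tokens[4:])
    dst, dst_wc, rest = _parse_address(rest)
    port, log = None, False
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            value = rest.pop(0)
            port = PORT_NAMES[value] if value in PORT_NAMES else int(value)
        elif tok == "log":
            log = True
        else:
            raise ValueError(f"unsupported keyword {tok!r}")
    return {"number": number, "action": action, "proto": proto,
            "src": (src, src_wc), "dst": (dst, dst_wc), "port": port, "log": log}


def build_acl(lines):
    """Entries keep the order they were typed in; order is what gets matched."""
    return [parse_entry(line) for line in lines]


def evaluate(acl, packet, log_hits=None):
    """Return 'permit' or 'deny' for one packet (dict: proto, src, dst, dport)."""
    for entry in acl:
        if entry["proto"] != "ip" and entry["proto"] != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], *entry["src"]):
            continue
        if not wildcard_match(packet["dst"], *entry["dst"]):
            continue
        if entry["port"] is not None and entry["port"] != packet.get("dport"):
            continue
        if entry["log"] and log_hits is not None:  # what "log" records on a hit
            log_hits.append((entry["action"], packet))
        return entry["action"]
    return "deny"  # the implicit deny at the end of every access list


# Constructed sample traffic from a sales host (172.16.10.2 is made up).
TELNET = {"proto": "tcp", "src": "172.16.10.2", "dst": "172.16.30.2", "dport": 23}
FTP = {"proto": "tcp", "src": "172.16.10.2", "dst": "172.16.30.2", "dport": 21}
OTHER_HOST = {"proto": "tcp", "src": "172.16.10.2", "dst": "172.16.30.3", "dport": 23}

DENY_ONLY = build_acl(["access-list 110 deny tcp any host 172.16.30.2 eq 23 log"])
COMPLETE = build_acl(["access-list 110 deny tcp any host 172.16.30.2 eq 23 log",
                      "access-list 110 permit ip any any"])

if __name__ == "__main__":
    hits = []
    for name, acl in (("deny line only", DENY_ONLY), ("with permit ip any any", COMPLETE)):
        print(name)
        for label, pkt in (("telnet to .2", TELNET), ("ftp to .2", FTP), ("telnet to .3", OTHER_HOST)):
            print(f"  {label:14} -> {evaluate(acl, pkt, hits)}")
    print(f"logged hits: {len(hits)}")
```

With only the deny line in place, every packet, FTP to 172.16.30.2 and Telnet to any other host included, falls through to the implicit deny; once permit ip any any is appended, only Telnet to 172.16.30.2 is dropped, and each such drop is what the log keyword would report.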

In the following section, we’ll look at an example of how to use an extended access list.

Extended Access List Example

Using the picture below, let’s use the same network and deny access to a host at 172.16.30.5 on the Finance Department LAN for both Telnet and FTP services. All other services on this and all other hosts are acceptable for the sales and marketing departments to access.

[Figure: network diagram for the extended access list examples (image not reproduced here)]

The following access list should be created:

Lab_A#config t
Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 21
Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 23
Lab_A(config)#access-list 110 permit ip any any

The access-list 110 tells the router you are creating an extended IP access list. The tcp is the protocol field in the Network layer header. If the list doesn’t say tcp here, you cannot filter by port numbers 21 and 23 as shown in the example. (These are FTP and Telnet, and they both use TCP for connection-oriented services.) The any keyword is the source, which means any IP address, and host 172.16.30.5 is the destination IP address.

After the list is created, it needs to be applied to the Ethernet 1 interface outbound. This applies the policy we created to all hosts and effectively blocks all FTP and Telnet access to 172.16.30.5 from outside the local LAN. If this list were created to block access only from the sales LAN, then we’d have put this list closer to the source, on Ethernet interface 0, and in that situation we’d apply the list to inbound traffic.

Let’s go ahead and apply the list to interface E1 and block all outside FTP and Telnet access to the host:

Lab_A(config-if)#ip access-group 110 out

Extended access list Example 2

In this example, we’ll again use the same picture, which has four LANs and a serial connection. What we need to do is stop Telnet access to the networks attached to the Ethernet 1 and Ethernet 2 interfaces. If we only used one access list, it would not be a very effective one because of the latency that will be caused on the Ethernet 1 and 2 interfaces (since every packet going out these interfaces must be looked at), but if we used two lists, the latency could be less on each interface if configured correctly. However, since we are studying the CCNA objectives, we’re going to look at this with only one access list.

The configuration on the router would look something like this, although the answer can vary.

Router(config)#access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23
Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23
Router(config)#access-list 110 permit ip any any
Router(config)#interface Ethernet 1
Router(config-if)#ip access-group 110 out
Router(config-if)#interface Ethernet 2
Router(config-if)#ip access-group 110 out

The important information that you need to understand from this list is as follows: first, you need to verify that the number range is correct for the type of access list you are creating; in this example it’s extended, so the range must be 100 to 199. Second, you need to verify that the protocol field matches the upper-layer process or application; in this example, port 23 (Telnet).

The protocol parameter must be TCP since Telnet uses TCP. If the question stated to use TFTP, for example, then the protocol parameter would have to be UDP since TFTP uses UDP. Third, verify that the destination port number matches the application you are filtering for; in this case, port 23 matches Telnet, which is correct. Finally, the statement permit ip any any is important to have at the end of the list to allow all packets other than Telnet packets destined for the LANs connected to Ethernet 1 and 2.
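The two deny lines in this example use network-plus-wildcard destinations rather than host, so it helps to work out exactly which addresses each one covers. The following is an added illustration (not Cisco code and not part of the course): a short Python helper that converts an IOS wildcard mask into the address block it matches, the equivalent subnet mask and prefix length, and checks whether a given host falls inside it. It is applied to the two networks from the access list above and to the 0.0.0.0 255.255.255.255 form of any; the host addresses it tests with are constructed.

```python
"""Added illustration (not Cisco code): what an IOS wildcard mask covers.

A wildcard is the bitwise inverse of a subnet mask: 0 bits must match,
1 bits are "don't care".  0.0.15.255 therefore leaves the low 12 bits free,
so 172.16.48.0 0.0.15.255 is the /20 block 172.16.48.0 - 172.16.63.255.
"""
import ipaddress


def wildcard_to_range(network, wildcard):
    """Return (first, last, subnet_mask, prefix_length) for 'network wildcard'.

    Rejects non-contiguous wildcards (e.g. 0.0.0.254): IOS accepts them, but
    they no longer correspond to a single subnet, which is the case this
    page deals with.
    """
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # contiguous low-order 1 bits <=> w + 1 is a power of two
        raise ValueError(f"wildcard {wildcard} is not the inverse of a subnet mask")
    free_bits = (w + 1).bit_length() - 1      # number of "don't care" bits
    prefix_length = 32 - free_bits
    mask = ~w & 0xFFFFFFFF
    first = n & mask                          # host bits of 'network' zeroed
    last = first | w
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(last)),
            str(ipaddress.IPv4Address(mask)),
            prefix_length)


def covers(network, wildcard, host):
    """True if 'host' is matched by 'network wildcard'."""
    first, last, _, _ = wildcard_to_range(network, wildcard)
    return (int(ipaddress.IPv4Address(first))
            <= int(ipaddress.IPv4Address(host))
            <= int(ipaddress.IPv4Address(last)))


# The two destinations from the Example 2 access list, plus the "any" form.
EXAMPLE_2 = [("172.16.48.0", "0.0.15.255"),
             ("172.16.192.0", "0.0.63.255"),
             ("0.0.0.0", "255.255.255.255")]

if __name__ == "__main__":
    for network, wildcard in EXAMPLE_2:
        first, last, mask, plen = wildcard_to_range(network, wildcard)
        print(f"{network} {wildcard:16} -> {first} - {last}  (mask {mask}, /{plen})")
    # Constructed hosts: one inside each block and one just outside.
    for host in ("172.16.63.255", "172.16.64.1", "172.16.200.9", "172.16.30.5"):
        hit = [n for n, w in EXAMPLE_2[:2] if covers(n, w, host)]
        print(f"Telnet to {host:14} denied by: {hit or 'nothing (falls to permit ip any any)'}")
```

The output makes the scope of each deny line explicit: 172.16.48.0 0.0.15.255 is a /20 (172.16.48.0 through 172.16.63.255) and 172.16.192.0 0.0.63.255 is a /18 (172.16.192.0 through 172.16.255.255), so Telnet to the finance host 172.16.30.5 from Example 1 is not touched by this list at all and reaches the permit ip any any line. When writing a deny for a subnet, computing the block this way is a quick check that the wildcard is not wider (or narrower) than the network you meant to cover.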