Extended Access Control Lists (ACLs)

Extended Access Control Lists (ACLs) allow you to permit or deny traffic from specific source IP addresses to a specific destination IP address and port. They also allow you to match on the type of traffic, such as ICMP, TCP, or UDP. Needless to say, this is very granular and allows you to be very specific.

If you intend to create a packet filtering firewall to protect your network, it is an Extended ACL that you will need to create.

The example that will be used includes a router that is connected to the 192.168.8.0/24 segment on an internal interface (FastEthernet 0/0) using address 192.168.8.1/24, and to the 10.0.2.0/24 segment on an external interface (FastEthernet 0/1) using address 10.0.2.1/24.

In this case, you manage the 192.168.8.0/24 network, and some unknown and untrusted group manages the rest of the network, as shown. On this network, you want to allow users to access only web servers outside the network. To support this, you need to create two ACLs, 101 and 102.

[Figure: Router1 with FastEthernet 0/0 on the 192.168.8.0/24 office network and FastEthernet 0/1 on the untrusted 10.0.2.0/24 network]

You use access-list 101 to manage the traffic leaving the office and access-list 102 to manage traffic coming from the untrusted network into the office.

Creating ACL 101

Router1>enable
Password:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 101 remark This ACL is to control the outbound router traffic.
Router1(config)#access-list 101 permit tcp 192.168.8.0 0.0.0.255 any eq 80
Router1(config)#access-list 101 permit tcp 192.168.8.0 0.0.0.255 any eq 443
Router1(config)#end

Creating ACL 102

Router1>enable
Password:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 102 remark This ACL is to control the inbound router traffic.
Router1(config)#access-list 102 permit tcp any 192.168.8.0 0.0.0.255 established
Router1(config)#end

If you examine ACL 101, the command breaks down as follows:

  • The ACL is number 101

  • It permits traffic

  • It allows TCP traffic

  • The permitted source is 192.168.8.0 with a wildcard mask of 0.0.0.255

  • The destination host is any host

  • The TCP traffic that is allowed is on port 80

  • The second line is the same, but it allows traffic on TCP port 443

If you do the same examination of the second ACL, ACL 102, you should end up with the following:

  • The ACL is number 102

  • It permits traffic

  • It allows TCP traffic

  • The permitted source is any host

  • The destination is 192.168.8.0 with a wildcard mask of 0.0.0.255

  • The TCP traffic that is allowed is any traffic on an established session

The last item on ACL 102 deserves a closer look. In the following illustration, a client computer on the 192.168.8.0/24 network has created a TCP session with a remote server. The TCP handshake established which ports would be used: a randomly chosen port on the client and port 80 on the server.

The port matched in the ACE is the destination port, and for the return traffic the destination port is the randomly chosen port on the client. Rather than opening every possible port, which would not be secure, the option is to permit any traffic that belongs to an established session. Therefore, if the client opens the connection, this ACL allows the reply traffic back in.

[Figure: a client on 192.168.8.0/24 has opened a TCP session from a randomly chosen port to port 80 on a remote server]
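To make the two breakdowns above and the "established" behaviour concrete, here is an added example, not code from the original article, that models how a router evaluates ACL 101 and ACL 102 against sample packets. It is a simplified, constructed model: it applies Cisco wildcard-mask matching (a 0 bit must match, a 1 bit is a don't-care), first-match-wins ordering, the implicit deny at the end of every ACL, and the established keyword, which matches TCP segments that have the ACK or RST flag set. The example assumes ACL 101 is checked against traffic leaving the office and ACL 102 against traffic entering it, as the text describes; on a real router that binding is made with ip access-group on the interface, which the article does not show. All addresses and packets in the sample are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    """One access control entry, in the field order of the IOS command."""
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip" (any)
    src: str                    # source network address
    src_wild: str               # source wildcard mask
    dst: str                    # destination network address
    dst_wild: str               # destination wildcard mask
    dst_port: Optional[int] = None   # "eq <port>" on the destination
    established: bool = False        # TCP segment with ACK or RST set


@dataclass
class Packet:
    """Constructed packet summary: just the fields an extended ACL inspects."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False
    rst: bool = False


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard masks: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Every field of the ACE must match for the entry to apply."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wild):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    if ace.dst_port is not None and pkt.dport != ace.dst_port:
        return False
    # "established" only looks at TCP flags; the router keeps no session table.
    if ace.established and not (pkt.ack or pkt.rst):
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")       # the "any" keyword
OFFICE = ("192.168.8.0", "0.0.0.255")      # 192.168.8.0/24 from the article

# access-list 101: outbound office traffic, web only (from the article)
ACL_101 = [
    Ace("permit", "tcp", *OFFICE, *ANY, dst_port=80),
    Ace("permit", "tcp", *OFFICE, *ANY, dst_port=443),
]

# access-list 102: inbound traffic, only replies to sessions the office opened
ACL_102 = [
    Ace("permit", "tcp", *ANY, *OFFICE, established=True),
]


def router_decision(pkt: Packet) -> str:
    """Assumption of this example: packets sourced inside the office are
    leaving (ACL 101); everything else is entering (ACL 102)."""
    leaving = wildcard_match(pkt.src, *OFFICE)
    return evaluate(ACL_101 if leaving else ACL_102, pkt)


# Constructed sample traffic; 10.0.2.50 stands in for an outside web server.
SAMPLES = {
    "office client opens HTTP to outside":   Packet("tcp", "192.168.8.10", 51000, "10.0.2.50", 80),
    "office client opens HTTPS to outside":  Packet("tcp", "192.168.8.10", 51001, "10.0.2.50", 443),
    "office client opens SSH to outside":    Packet("tcp", "192.168.8.10", 51002, "10.0.2.50", 22),
    "office client pings outside":           Packet("icmp", "192.168.8.10", 0, "10.0.2.50", 0),
    "HTTP reply back to the client":         Packet("tcp", "10.0.2.50", 80, "192.168.8.10", 51000, ack=True),
    "outside host opens HTTP into office":   Packet("tcp", "10.0.2.50", 45000, "192.168.8.10", 80),
    "inbound ACK-flagged segment, no session": Packet("tcp", "10.0.2.50", 45001, "192.168.8.10", 3389, ack=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:42} {router_decision(pkt)}")
```

The last sample shows the limit of the established keyword: it tests only the TCP flags, so a segment that arrives with ACK set is permitted whether or not an office client ever opened that session. This is why the article's design is a packet filter rather than a stateful firewall, and why the outbound list is kept narrow.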