Extended Access-List example on Cisco Router

Rohitendu,
You are right that telnet traffic, by default, is port 23. However, telnet will run on any port you tell it to. In the lesson, Rene told telnet to use port 80 with the following command

telnet 2.2.2.2 80 /source-interface loopback 0

Using telnet in this way to probe whether a port is open is a very useful trick that network admins use all the time in troubleshooting/verification.

19 posts were merged into an existing topic: Extended Access-List example on Cisco Router

Hi Rene,

The lesson is really great. Thank you very much for it.

I configured the network discussed. But changed loopback of R2 with another network behind R2. The access list was configured in the “out” interface of R2 to prevent all traffic except the http traffic from loopback of R1 to reach the network which replaced the loopback of R2. As expected it filters the traffic from R1 and allows http traffic from loopback of R1. To my surprise the traffic generated in R2 irrespective of it being http or ping is not filtered by the access list eventhough it is configured in the “out” interface of R2. Wonder how this can be explained.

Thank you in advance.

Regards,
Abey

Hi @abcjacob,

There is a good answer for this. Traffic generated by the local router is never matched against access-list on one of your interfaces :slight_smile:

Rene

Hi Rene,

Thanks for your very nice article …
I want to know what about the command "ip prefix-list " . It is used to classify/select traffic. Want to know more about this . Thx

I didn’t understand the Andrew statement …

ip access-list extended ACL_TELNET-CLIENT-2-SERVER
**permit tcp host <CLIENT> host <SERVER> eq 23** [Can’t understand the syntax ]

br//zaman

Here’s an example for the prefix-list:

In the extended access-list example from Andrew, is replaced with the source IP address and with the destination IP address. The last part, eq 23 is the destination port number.

For example:

SW1(config-ext-nacl)#permit tcp host 192.16.1.1 host 192.168.2.2 eq 23

Hi Rene,

Have you tackled “lock-and-key” or dynamic ACLs anywhere ? I’ve looked around and haven’t found anything but I might have missed something.

If not will you address this at some point ?

Thanks in advance for you reply !

Hi Thery,

I see I don’t have it…I did create an example a few years ago on gns3vault.com:

I’ll add it to my list and add it later.

Rene

Here’s a rather confusing one…
I was able to figure this out in the end. However, I just need confirmation that my logic is correct. I have a router with 3 interfaces. One to the default gateway (172.16.0.1), another pointing inwards (to-LAN - 10.10.10.0/24) and another pointing to another LAN (192.168.40.0/24).

When applying an extended access list to the interface and I put OUT (ip access-group 110 OUT) as the direction the access list does not apply.

However using IN on the interface (ip access-group 110 IN) this works perfectly.

I think it’s because the default route is pointing to 172.16.0.1, which is OUT and the others are seen as IN by the router.

I’ve attached the diagram below to suit. I hope this makes sense.

Regards,
Floyd
53

Hi Floyd,

You need to think about how traffic flows through your router. INBOUND and OUTBOUND only applies to the interfaces, it doesn’t have anything to do with routing.

Looking at your topology, traffic from 192.168.40.2 to 10.10.10.8 enters the Gi0/2 interface and exits the Gi0/0 interface. It never crosses the Gi0/0/0 interface.

This is why the access-list works INBOUND on your Gi0/2 interface. You can also apply it OUTBOUND on your Gi0/0 interface and it will work :slight_smile:

Does this make sense?

Hi again,
Im practicing extended access list. I have two doubts

Im blocking access to the network 172.16.108.0/24 from the network 172.16.104./24

I dont want that the PCs from network 172.16.104.0 reach the network 172.16.108.0 but I want that PCs from network 172.16.108.0 can reach any PC of the network 172.16.104.0

Can I do that?

Because when I write the following statement

Access-list 100 deny ip 172.16.104.0 0.0.0.255 ip 172.16.108.0 0.0.0.255

I block access from both networks

Hello Helen

When you create an access list, and you do not apply it anywhere, it actually does nothing. In order for it to function, you must apply it to an interface and a direction. The interface you choose and the direction you choose will directly affect the results. Let’s say you have the following topology:

**SW1**--------(Fe0/1) R (Fe0/2)----------SW2

And you have the 172.16.104.0/24 subnet connected to SW1 and the 172.16.108/24 subnet connected to SW2. Let’s call these Network A and Network B respectively.

Now, the access list you have created is correct. It will not allow access FROM Network A TO Network B. Now you have to be sure on which interface of the Router to apply it to and in which direction.

The rule of thumb for extended access lists is to place them as close as possible to the source of the traffic. In this case, this is the 172.16.104.0/24 subnet. So, the interface of the router that is closest to the source is Fe0/1.

Now, which direction? Well the flow of data you want to block is FROM Network A TO Network B, or from SW1 to SW2. From the point of view of the Fe0/1 interface, this is INCOMING traffic.

So, you should put the command ip access-group 100 in on the Fe0/1 interface of the Router.

This should allow all traffic to go from 172.16.108.0/24 to 172.16.104.0/24 but not the other way around.

Now the problem that you are facing is the fact that you cannot ping from Network A to Network B which is what you want. But when you try to ping from Network B to Network A you also cannot ping. Why? Because the ping reaches its destination, but when it comes back as a reply, it is blocked by the access list. What you need is a reflexive access list so that any session initiated by A to B will be allowed to return.

You can learn more about reflexive access lists at this lesson.

I hope this has been helpful!

Laz

Hi Rene,
I have questions regarding ACL. I have VLAN 2 192.168.1.0/24 on L3 core switch. I would like to use ACL to block only single IP 192.168.1.2 in the range to access internet. But, I want this IP to be able to access all other VLANs we have on our core (we have more than 10 vlans). Core switch has default route point to the firewall by using VLAN 3 172.16.1.1.

L3 core switch —using VLAN 3-----Firewall----Internet

ip access-list block-internet
10 deny ip host 192.168.1.2 host 172.16.1.1 (Firewall Interface)
20 Permit ip any any
Int vlan 10
ip access-group block-internet in

It did not work. what is the proper way to do it? Any ideas? Thanks in advance.

Hello Bruce,

Think of the destination IP address when that host sends traffic to something on the Internet. It’s not the IP address of the default gateway, but the IP address of whatever device on the Internet tries to reach.

If you want to make sure that 192.168.1.2 can only reach destinations in your VLANs but not go out to the Internet, you first need to permit traffic to those VLANs. For example:

permit ip host 192.168.1.2 172.16.10.0 0.0.0.255
permit ip host 192.168.1.2 172.16.11.0 0.0.0.255
permit ip host 192.168.1.2 172.16.12.0 0.0.0.255

Then deny all other traffic:

deny ip host 192.168.1.2 any

Then permit everything else if this doesn’t apply to other devices in the 192.168.1.0/24 subnet:

permit ip any any

If you can’t summary the subnet addresses of your VLANs and the number of VLANs might change sometimes then it’s not a bad idea to use an object-group in your ACL:

This example is for the ASA but it’s pretty much the same for Cisco IOS.

Hope this helps!

Rene

Hi Rene,

Thank you so much for your reply. That is exactly what I need. But, I am just curious. If I only block the traffic tcp port 80 and 443 , is it gonna work? Thank you.

  deny tcp host 192.168.1.2 any eq www
  deny tcp host 192.168.1.2 any eq 443
    permit ip any any

Hello Bruce

The access list entries that you have provided will block traffic with the following characteristics:

  1. A source IP address of 192.168.1.2
  2. Any source port
  3. Any destination IP address
  4. Specific destination ports 80 and 443.

So the access list will block any attempts of the host 192.168.1.2 to access an http or https server.

I hope this has been helpful!

Laz

Hello Rene/Laz,
I apologize because my question may not be completely relevant to the topic. However, I would really like to get some help if possible.

Would you please provide me a template for Border inbound ACL at the internet WAN router on the WAN interface? So far this is what I have found. Please let me know if I am missing anything.

ip access-list extended INBOUND
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
deny icmp any any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16..0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 0.0.0.0 any
permit ip any any

Thank you in advance.

Hello AZM

It’s a good start and you cover most of the issues that can affect the edge. You will also need to examine your network and see what additional traffic you can deny, that is, traffic that you know is invalid for your network. For example, if you will never have an FTP session initiated from the Internet to an internal host, you can block that particular port as well.

Take a look at this Cisco documentation that describes best practices for ACLs at the edge, as they are the first line of defense of your network:

I hope this has been helpful!

Laz

Question…
how would the ACL configuration be if I had three hosts (192.168.10.1, .2, .3) on vlan 10 which currently resides on Fa0/1 that need http access to a host (172.16.52.50) on vlan 30 on Fa2/1?

Hello Liam

First you would create the ACL that matches the traffic that you need. I’m making the following assumptions:

  • you want the three hosts on VLAN 10 to have web access to the host on VLAN 30
  • you want to deny access from the three hosts on VLAN 10 to any other service on the host on VLAN 30
  • you want to deny access from the three hosts on VLAN 10 to any other host on VLAN 30
  • you want to deny access from any other host on VLAN 10 to any other host on VLAN 30

I’m making these assumptions because, if you don’t have any access lists at all, the default behaviour of the network is to allow these hosts to have access to the web host. So essentially, you want to allow the connectivity you describe, but deny everything else.

Having said that, the ACL will look something like this:

ip access-list extended my_list
 10 permit tcp host 192.168.10.1 host 172.16.52.50 eq 80
 20 permit tcp host 192.168.10.2 host 172.16.52.50 eq 80
 30 permit tcp host 192.168.10.3 host 172.16.52.50 eq 80

You would need to specify each individual host in order to achieve what you want. You don’t require any additional configurations since any packets that don’t match the access list will be denied.

Next, you must apply this to an interface. When applying extended access lists, it is best practice to place them as close as possible to the source. So the best place to employ this access list is at the Fa0/1 interface.

I hope this has been helpful!

Laz