Extended Access-List example on Cisco Router

I’ll give those a try.

1 Like

Hello!!
My extended ACL does not work when used on the outbound interface.
Could you help me?

R1#sh ip access-lists drop-icmp
Extended IP access list drop-icmp
    8 deny ip host 1.1.1.1 host 2.2.2.2 log
    10 deny icmp host 192.168.12.1 2.2.2.0 0.0.0.255
    20 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255
    30 permit ip any any log

R1# sh run interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 ip access-group drop-icmp out

R1#ping 2.2.2.2 source f0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms
R1#
*Mar  1 01:39:20.759: IP: tableid=0, s=192.168.12.1 (local), d=2.2.2.2 (FastEthernet0/0), routed via FIB
*Mar  1 01:39:20.759: IP: s=192.168.12.1 (local), d=2.2.2.2 (FastEthernet0/0), len 100, sending
*Mar  1 01:39:20.779: IP: tableid=0, s=2.2.2.2 (FastEthernet0/0), d=192.168.12.1 (FastEthernet0/0), routed via RIB
*Mar  1 01:39:20.779: IP: s=2.2.2.2 (FastEthernet0/0), d=192.168.12.1 (FastEthernet0/0), len 100, rcvd 3

Why does that ACL not work?

Thanks!

Hello Raphael

You have configured the ACL correctly, and your pings are performed correctly too. However, the reason why the pings are not being blocked is that ACLs will not filter locally generated traffic, that is, traffic generated by the router itself. Take a look at this NetworkLessons Note on ACLs and locally generated traffic.

I hope this has been helpful!

Laz

1 Like

Do outbound ACLs prevent traffic that is originated by the local router?

Hello David

No, an outbound ACL does not filter locally generated traffic. To do that you must use Control Plane Policing (CoPP). More info can be found at this NetworkLessons note about ACLs filtering locally generated traffic.

For more information about CoPP take a look at this lesson:

I hope this has been helpful!

Laz

Thanks for this lesson. Is the ACL editor also available for standard ACLs, or is that a specific feature of extended ACLs?

Hello David

The ACL editor is available for both extended and standard ACLs. You can enter the ACL editor for standard ACLs like so:

R1(config)#ip access-list standard 50
R1(config-std-nacl)#?
Standard Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment

R1(config-std-nacl)#

Just make sure that the ACL number used is a valid standard ACL number, otherwise you will get an error message like so:

R1(config)#ip access-list standard 150
% 
% Invalid access list name.
R1(config)#

I hope this has been helpful!

Laz

I think there is something in extended ACLs like range, eq, gt, lt, neq that is used with ports. I hope you add something about them :slightly_smiling_face:

Good site for creating access-lists via easy inputs:
https://www.dragonelf.net/cidr-acl/acl+iptables-form.php?formtype=IOS

Hello Barakat

I have created a NetworkLessons note on the topic of ACL operators that you can take a look at. Hopefully, that will be beneficial for you.

In the meantime, if you have any suggestions for particular lessons or topics, or if you think that certain content should be added, please feel free to use the Member Ideas page below:

There you may find that others have made similar suggestions, and you can add your voice to theirs.

I hope this has been helpful!

Laz

1 Like

Hi Rene,
What command should I use to open an ACL from source to destination for multiple ports:
permit tcp host <src IP> <dst IP> **eq** 135, 445, 17778, 177790 ?

Thank you
Sincerely,
Andrey P

Hello Andrey

The syntax for the access list command doesn’t allow you to add multiple port numbers on the same line. You would have to enter a different ACL entry for each port number that you want to involve. For example, if you want to permit TCP traffic on ports 80, 443, and 8080, then you would have to do something like this:

R1(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80 
R1(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 443
R1(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 8080

The resulting config in the running-config file would be:

access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www
access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 443
access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 8080

In a similar way, you can’t apply multiple operators such as eq, lt, gt and so on. Does that make sense?

I hope this has been helpful!

Laz

1 Like
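As an added example that is not part of this thread (not NetworkLessons' or Cisco's code), here is a small Python evaluator for extended ACL entries written in the notation used in the posts above. It ties together the three points the thread turns on: wildcard-mask matching, first-match ordering by sequence number with the implicit deny at the end, and the eq, neq, lt, gt and range port operators that Barakat and Andrey asked about, with one port per eq entry as in the answer above. Raphael's drop-icmp ACL is reused as input: a transit ICMP packet from 192.168.12.1 to 2.2.2.2 is stopped at sequence 10, which is the check a locally generated ping from the router never goes through. The WEB_ONLY ACL, the 1.1.1.0/24 and 2.2.2.2 addresses in it and the sample packets are constructed for the example.

```python
# Added example, not code from the thread: a toy evaluator for Cisco-style extended ACL
# entries showing wildcard masks, first-match order by sequence number, the implicit deny
# and the eq/neq/lt/gt/range port operators. ACLs and packets below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}


@dataclass
class Packet:
    proto: str                   # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: Optional[int] = None  # only meaningful for tcp/udp
    dport: Optional[int] = None


@dataclass
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Tuple[str, str]         # (address, wildcard mask)
    sport_op: Tuple[Optional[str], Tuple[int, ...]]
    dst: Tuple[str, str]
    dport_op: Tuple[Optional[str], Tuple[int, ...]]
    log: bool = False


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a set bit means 'don't care', so only the zero bits are compared."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any', 'host A' or 'A WILDCARD' at tok[i]; return ((address, wildcard), next index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def _parse_port_op(tok: List[str], i: int) -> Tuple[Tuple[Optional[str], Tuple[int, ...]], int]:
    """Consume an optional port operator at tok[i]: one port, or two for 'range'."""
    if i < len(tok) and tok[i] in PORT_OPERATORS:
        if tok[i] == "range":
            return ("range", (int(tok[i + 1]), int(tok[i + 2]))), i + 3
        return (tok[i], (int(tok[i + 1]),)), i + 2
    return (None, ()), i


def parse_acl(text: str) -> List[Entry]:
    """Parse '[seq] permit|deny PROTO SRC [op] DST [op] [log]' lines and order them by sequence."""
    entries, next_seq = [], 10
    for line in text.strip().splitlines():
        tok = line.split()
        seq, i = next_seq, 0
        if tok[0].isdigit():          # explicit sequence number, as in the ACL editor
            seq, i = int(tok[0]), 1
        action, proto = tok[i], tok[i + 1]
        src, i = _parse_addr(tok, i + 2)
        sport_op, i = _parse_port_op(tok, i)
        dst, i = _parse_addr(tok, i)
        dport_op, i = _parse_port_op(tok, i)
        entries.append(Entry(seq, action, proto, src, sport_op, dst, dport_op, "log" in tok[i:]))
        next_seq = seq + 10
    return sorted(entries, key=lambda e: e.seq)


def _port_match(op: Optional[str], ports: Tuple[int, ...], value: Optional[int]) -> bool:
    if op is None:
        return True                   # no operator: any port
    if value is None:
        return False                  # operator present but the protocol carries no ports
    if op == "eq":
        return value == ports[0]
    if op == "neq":
        return value != ports[0]
    if op == "lt":
        return value < ports[0]
    if op == "gt":
        return value > ports[0]
    return ports[0] <= value <= ports[1]   # range


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match falls through to the implicit deny (seq None)."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
            continue
        if not (_port_match(*e.sport_op, pkt.sport) and _port_match(*e.dport_op, pkt.dport)):
            continue
        return e.action, e.seq
    return "deny", None


# The drop-icmp ACL from the thread, evaluated as it would be for transit traffic.
DROP_ICMP = parse_acl("""
8 deny ip host 1.1.1.1 host 2.2.2.2 log
10 deny icmp host 192.168.12.1 2.2.2.0 0.0.0.255
20 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255
30 permit ip any any log
""")

# Constructed port-operator ACL (hypothetical addresses), one port per 'eq' entry.
WEB_ONLY = parse_acl("""
permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80
permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 443
permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 range 8080 8089
deny tcp any any gt 1023 log
""")

if __name__ == "__main__":
    print(evaluate(DROP_ICMP, Packet("icmp", "192.168.12.1", "2.2.2.2")))      # ('deny', 10)
    print(evaluate(WEB_ONLY, Packet("tcp", "1.1.1.7", "2.2.2.2", 51000, 8085)))  # ('permit', 30)
    print(evaluate(WEB_ONLY, Packet("tcp", "1.1.1.7", "2.2.2.2", 51000, 22)))    # ('deny', None)
```

The evaluator only models what the router does to packets it forwards; as the answer earlier in the thread says, the router's own ping from 192.168.12.1 is not run through the outbound ACL at all, which is why the same addresses that match sequence 10 here were not dropped on R1. The implicit deny is returned with a sequence of None so that a hit on it is distinguishable from a hit on an explicit deny entry, which is the same distinction the `log` keyword gives you on a real ACL.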