www.brianhouk.com

Setting up Access Control Lists (ACLs) on Cisco Routers

Brian Houk: brian at brian houk dot com

Warning: The data in this document may be correct or may be incorrect. I do my best to provide you with accurate information, but I shouldn't be the source you're checking; Cisco.com should be the source you're checking. This paper works much better as a reference. . if that

About ACLs
Creating Lists
Applying Lists
Example ACLs
Performance
Links

About ACLs:

On most Cisco routers basic traffic filtering can be done for all routed protocols. Access lists need to be configured to define who can access what. Controlling resources . . who'd have thought, with an access list. You're going to implement these lists on your router to control access to resources on your network. This way you can prevent certain traffic from entering or leaving the network. Access lists work by either forwarding or blocking packets at the defined interface: the router decides whether to drop or forward a packet based on the access lists, which are defined and controlled by you. A router starts out with a default-allow stance. Once a list is in place, a packet comes in and travels its way down the entries of the list; if it doesn't find one which specifically denies or permits it, then it is denied. Why? As soon as you add an access list to your router, the last line in that list is always a default denial of all unmatched packets. This is of course for safety's sake. By
Why would you want ACLs? Network security, of course. Now, these ACLs aren't going to provide you with the protection which a more feature-rich firewall like the Cisco PIX would provide; this is basic filtering, and for someone determined and skilled it shouldn't be hard to evade. It's still a good idea to configure ACLs to provide an extra level of security for your network. You control which networks access which resources on your network, from HTTP to SSH, even which networks can send ICMP requests to your network.
I'd recommend configuring good ACLs on all of your routers if they're routing packets to and from the Internet. It never hurts to be a little safe once in a while. Even knowing how to configure ACLs correctly can help you in the event that you get DDoSed by some kid that one of your users may have aggravated.
Types of ACLs:
As of right now I'm not planning on going into Dynamic Extended or Reflexive ACLs.

Creating Access Control Lists

To create access lists you're going to use the command access-list. When you use this command you need to be in configuration mode: either on the interface you're going to apply it to, or in global configuration mode if you're planning on applying that ACL to every interface on the router. To create a valid access-list statement you're going to need some other information: whether this rule is going to deny or permit traffic, what IP address / network this rule is going to apply to, and what access-list number you're going to use with it. For a single ACL you can define multiple criteria for a packet to match.

Access-list number ranges by protocol:

Protocol                                   Range
IP                                         1 to 99
Extended IP                                100 to 199
Ethernet type code                         200 to 299
Ethernet address                           700 to 799
Transparent bridging (vendor code)         700 to 799
AppleTalk                                  600 to 699
Source-route bridging (protocol type)      700 to 799
IPX                                        800 to 899
Extended IPX                               900 to 999
IPX SAP                                    1000 to 1099
Transparent bridging (protocol type)       200 to 299
Extended transparent bridging              1100 to 1199
DECnet and extended DECnet                 300 to 399
XNS                                        400 to 499
Extended XNS                               500 to 599
Standard VINES                             1 to 100
Extended VINES                             101 to 200
Simple VINES                               201 to 300
Source-route bridging (vendor code)        700 to 799

Standard IP access control lists are by far the easiest which you're going to be using. Not that extended IP access lists are much harder, just that there's less room for error in using standard IP access control lists. For standard lists you're going to use list numbers 1 to 99 in defining your list(s). Standard access lists are created in the following manner:

access-list access-list-number {deny | permit} source source-wildcard
access-list access-list-number remark remark

For example, access-list 90 deny 10.3.2.0 0.0.0.255 would deny all connections coming in from the network 10.3.2.0, and access-list 90 deny 10.3.4.10 0.0.0.0 would deny all connections coming in from the host (NOT network) 10.3.4.10. So standard access lists would be used pretty much only to fully deny a series of hosts and networks from accessing resources on your network at all. Look at the examples section under Standard Access Control Lists.

With extended access lists you can filter on source, destination, and destination port. The protocols which you can use for filtering are the following: IP, TCP, UDP, ICMP, GRE, IGRP. With extended lists you're going to use the access-list number range 100 to 199. There are also operators which can be used in extended access lists to be more specific in your filtering: lt, gt, eq, neq (less than, greater than, equal, not equal), each followed by a port number. Another option you can use with extended access control lists is established; this allows TCP traffic to pass if the packet belongs to an established connection, i.e. the ACK bit is set.

Applying Lists

Eventually you're going to have to apply the lists which you've made on your routers. I'd recommend doing this at a time when an interruption of service will not be a large problem, so doing it to the border router at your office at, say, 10:00 AM on a Monday morning would not be a good time to make these changes. Before applying your list, check over it again to ensure that the rules are how you want them and that the order of the rules is correct, remembering that as soon as a packet matches one rule in the list (the first rule it comes to which it matches) it is not passed on down the list any further.

After creating your access list and giving it a list number not taken by any other list, you can do the following. From global configuration mode, change to configuration of the interface you're going to apply the ACL on. Then type ip access-group # in, where # is the ACL number and in can be either in or out, depending on which direction you wrote the ACL for.

show ip interface: this is going to show you information on the interface, including information on ACLs.

show access-lists: you can give this a number to show that access list, or just use show access-lists to show all access lists.

Example ACLs

Here are some example ACLs, some commented and some not; all original IPs have been changed to protect their identity.

Standard Access Control Lists
This is effectively denying everyone on the subnet 10.3.2.0/24 from accessing anything, so just blocking everything from them; it is then applied to interface Ethernet 0. This is an example of a standard access control list.

access-list 10 deny 10.3.2.0 0.0.0.255
access-list 10 permit any
access-list 10 deny any
int e0
ip access-group 10 in

Another commented example of a standard access control list.

access-list 11 deny 10.0.0.0 0.255.255.255
access-list 11 deny 192.168.0.0 0.0.255.255
access-list 11 deny 172.16.0.0 0.15.255.255
access-list 11 deny 127.0.0.0 0.255.255.255

The rules above (the three RFC 1918 blocks, plus 127.0.0.0/8) will effectively block all incoming RFC 1918 (private Internet) addresses. Unless this router is used on a network which is using RFC 1918 addresses, these IP blocks should be denied from entering or leaving any interface.

access-list 11 permit any
int e2
ip access-group 11 in

Standard access control list: this list will block everyone and allow a few ranges of IP addresses.

192.168.3.0 - 192.168.33.0 will be allowed

10.3.0.0 - 10.210.0.0 will be allowed.

access-list 12 permit 192.168.3.0 0.0.30.255
access-list 12 permit 10.3.0.0 0.207.255.255

I know, how did I get the mask? It's really simple. On the 192.168 network I just took 33 and subtracted 3, easy enough? On the 10 network I took 210 - 3 and got 207. I'm sure you understand it now; if you don't, I'd suggest reading it again.

Extended Access Control Lists

Block incoming telnet connections from everyone except one host.

access-list 101 permit tcp 10.3.2.1 0.0.0.0 192.168.3.0 0.0.0.255 eq 23
int e0
ip access-group 101 out

This permits 10.3.2.1 to telnet to anything on the 192.168.3.0 network; everything else falls through to the implicit deny.

The first rule below will permit any connections which have been initiated by someone on the 10.3.2.0 subnet to anywhere in the world; this lets packets with the ACK bit set through. The second rule will allow anyone in the routable world to send HTTP requests, and the third will allow the same for HTTPS requests. The fourth rule will allow the 192.168.3.0 network to access NTP on our entire subnet. The next rule will allow anyone to access timed on the entire subnet. The line after that will allow only a certain subnet to have access to SSH on our subnet. The last two rules will allow anyone to access our two nameservers running on 10.3.2.2 and 10.3.2.3 on our subnet.

access-list 187 permit tcp any 10.3.2.0 0.0.0.255 established
access-list 187 permit tcp any 10.3.2.0 0.0.0.255 eq 80
access-list 187 permit tcp any 10.3.2.0 0.0.0.255 eq 443
access-list 187 permit udp 192.168.3.0 0.0.0.255 10.3.2.0 0.0.0.255 eq 123
access-list 187 permit tcp any 10.3.2.0 0.0.0.255 eq 37
access-list 187 permit tcp 10.2.2.0 0.0.0.255 10.3.2.0 0.0.0.255 eq 22
access-list 187 permit udp any 10.3.2.2 0.0.0.0 eq 53
access-list 187 permit udp any 10.3.2.3 0.0.0.0 eq 53

(The SSH line needs the source wildcard 0.0.0.255 for the "certain subnet" described above; without it the router would read 10.3.2.0 as the wildcard.)
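Added example, not part of the original page: a small Python simulator for the numbered access-list syntax used here. It implements the first-match rule and the implicit deny described under About ACLs, checks wildcard masks bit by bit (so an entry like access-list 12 permit 192.168.3.0 0.0.30.255 can be verified against real addresses before it is applied), and parses both the standard entries and extended entries such as list 187 above, including eq and established. Packets are plain dicts constructed for the example.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    # Wildcard bits are don't-care bits: 1 = ignore, 0 = must equal the base address
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF

def _take_addr(tokens):
    # Consumes 'any', 'addr wildcard', or a bare addr (wildcard 0.0.0.0, a single host)
    if tokens[0] == "any":
        return ANY, tokens[1:]
    wild = tokens[1] if len(tokens) > 1 and tokens[1].count(".") == 3 else None
    return (tokens[0], wild or "0.0.0.0"), tokens[2 if wild else 1:]

def parse_entry(line):
    # access-list N {permit|deny} [proto] src [wild] [dst [wild]] [eq port] [established]
    t = line.split()
    e = {"action": t[2], "proto": "ip", "port": None, "established": False}
    rest = t[3:]
    extended = rest[0] in ("ip", "tcp", "udp", "icmp")   # standard lists name no protocol
    if extended:
        e["proto"], rest = rest[0], rest[1:]
    e["src"], rest = _take_addr(rest)
    e["dst"], rest = _take_addr(rest) if extended else (ANY, rest)
    while rest:
        if rest[0] == "eq":
            e["port"], rest = int(rest[1]), rest[2:]
        elif rest[0] == "established":
            e["established"], rest = True, rest[1:]
        else:
            raise ValueError("unsupported keyword: " + rest[0])
    return e

def evaluate(acl_lines, pkt):
    # First match wins, so order matters; no match falls through to the implicit deny
    for e in map(parse_entry, acl_lines):
        if (e["proto"] in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *e["src"])
                and wildcard_match(pkt["dst"], *e["dst"])
                and e["port"] in (None, pkt.get("dport"))            # eq <port>: destination port
                and (not e["established"] or pkt.get("ack", False))):  # established: ACK bit set
            return e["action"]
    return "deny"

# List 187 from the page (SSH line with the 0.0.0.255 wildcard the text describes)
ACL_187 = [
    "access-list 187 permit tcp any 10.3.2.0 0.0.0.255 established",
    "access-list 187 permit tcp any 10.3.2.0 0.0.0.255 eq 80",
    "access-list 187 permit tcp 10.2.2.0 0.0.0.255 10.3.2.0 0.0.0.255 eq 22",
    "access-list 187 permit udp any 10.3.2.2 0.0.0.0 eq 53",
]
```

Run evaluate(ACL_187, {"proto": "tcp", "src": "10.2.2.9", "dst": "10.3.2.50", "dport": 22}) to see the SSH entry match, and change the source to 10.9.9.9 to watch the packet fall through to the implicit deny.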

Performance

Yes, using ACLs can and most likely will put a performance damper on your router. Some features which Cisco has built into the router will no longer work once you have added access control lists. Features like fast switching, autonomous switching, distributed switching and optimum switching will not be utilized, forcing many of the packets to be process switched, a path which could burden your main CPU. You'll want to keep an eye on the router's CPU utilization using the show. One way to reduce the CPU usage spent checking packets against access lists is to keep the access lists on your routers as short as they can be, reducing the checks which have to be done on each packet.

Links

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt1/1cdip.htm

http://www.cisco.com