NetworkClue.com
NetworkClue Home PageHome Contact UsContact ConsultingConsult
Bulletin Board
Internet Services covers Secrets to hosting websites, Hosting your own web server, and using DNS Servers.Operating Systems leads you through the decision of Linux vs. Windows, ideal installations and setups to create an efficient and redundant environment for your business, and great features to make management easier.Routing & Firewalls contains articles that will allow you to take control of your router. Learn how to protect your company with access lists and advanced firewall techniques.Hardware answers the common questions about Switches vs. Hubs, recommends SysAdmin Tools, and recommendations for adequate power protection.Utilities will cover fighting spam, using Anti-Virus programs effectively and the must haves for every administrator's software toolbox.

Firewalls
Cisco
-Cisco IOS
-Cisco Access Lists
-Applying ACLs
-Editing ACLs
-Advanced ACLs
-Compression
Network Equipment
TCP/IP
Search
Amazon Search

Bulletin Board

Advanced Cisco Access Control Lists (ACLs)

By Joshua Erdman
Digital Foundation, inc.

Before you try to read up on this article, be sure you are familiar with the terms and ideas. Recall the ACL basics. It covers how ACLs are made and when to use a standard ACL vs. an extended one.

Reusing our example:

Assumptions:
internal network: 63.36.9.0

access-list 101 - Applied to traffic leaving the office (outgoing)

access-list 102 - Applied to traffic entering the office (incoming)

ACL 101
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 102
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established

We will create an ACL that allows the users in our office to access the internet using a range of common ports. As you can see in the example above, we have been just specifying individual ports.

Port Ranges

In the example you see the letters 'eq' before the port is declared. This is short for 'equal to'. Other ones include:

  • gt - Greater Than followed by the port number.
  • lt - Less Than followed by the port number
  • range - To specify an inclusive port range
    after the keyword range put in the first port in the range followed by a space and then the last port in the range.

Commenting

As your access lists grow and become more complex it is a great idea to add comments. Adding a comment is as simple as beginning the comment line with an exclamation point.

Filter Masks

First be sure that you brush up on your binary and read our article on TCP/IP Addressing and Calculating Subnet Masks. You must first have a good grasp of the use of binary to calculate subnet masks.

Using filter masks allow you to group IP Addresses together instead of having to specify each IP address individually. So for example, if you were to have five servers and all their addresses were 10.10.10.1 - 10.10.10.5 it is easy to grant or deny access to all 5 with only one line in the access list. If you have the addresses scattered you either have to make 5 separate entries or change the IPs of the servers.

The way you specify a group of IP addresses is very similar to how a subnet mask is used, except that the 1s and 0s are inversed. For example, all the web servers on our sample network fall in the subnet of 10.10.10.1 - 10.10.10.15 (if this was a subnet mask it would be: 255.255.255.240). We would never assign the servers this subnet mask because we want the workstations (using addresses 10.10.10.65-10.10.10.254) to talk directly to the servers. This prevents our router from being taxed. But now that we know the equivalent subnet mask for this ip block of servers, we can easily create the access-list filter mask, which is 0.0.0.15 As I mentioned earlier the filter mask is the opposite of the subnet mask. Here is how it looks in binary:

    128 64 32 16|8 4 2 1
SM    1  1  1  1|0 0 0 0=240
FM    0  0  0  0|1 1 1 1=15

Clue: If you put the servers and workstations on 2 different network blocks the router will have an insane amount of traffic to route. Definitely not a good idea.

With filter masks you can almost easily guess the correct value as long as the numbers in the filter mask are a power of 2 minus 1. IFor example, I know that my web servers aregrouped in the first 15 IP addresses. The smallest power of two that 15 can fit into is 16. Then subtract 1 and my filter mask is 0.0.0.15

Filter Masks in Access Lists

So if I wanted to permit all incoming web traffic requests to my web servers (To prevent any Internet access to Rogue web servers on employee's workstations). I would enter this line in the access list:

!Permit HTTP port 80 traffic
access-list 102 permit tcp any 10.10.10.0 0.0.0.15 eq 80

!Permit HTTPS port 443 traffic
access-list 102 permit tcp any 10.10.10.0 0.0.0.15 eq 443

Many, Many ACLs

When I last worked for an ISP we had several connections terminating into one router. To make things as secure as possible I made 2 access lists for each interface. One for incomming traffic and one for outgoing. Keeping track of all this quickly became a nightmare. What I did to help was to have a notepad text file for each access list. At the top of each access list was the function of each access list, a description of the lastest modifications, modification date and who made the modification.

Article last reviewed: 04/21/2004

Created by: Digital Foundation, inc.

Copyright © 2002-2005 Digital Foundation, inc. www.networkclue.com

All content of the NetworkClue website is copyrighted. Articles, notes, outlines, and all other materials may not be stored on the Internet or sold or placed by themselves or with other material in any electronic or printed format in whole or part. However materials may be referenced by links to the site.

 

Related Articles:
Access Control List Samples
Access Control Lists
Editing ACLs
Applying ACLs

Books:



 

 

Cisco Forum Participate in
our forum on
Network Hardware



Top Articles:
Windows 2000/XP
    Commands
Unattended Installations
Subnet Masks
Cisco Access Lists
Network Wiring