Cisco access lists are used to selectively pass or block traffic received by a Cisco router. They are useful for controlling traffic that attempts to pass your network perimeter. Since a router is typically used to segregate or partition network segments anyway (such as separate your network from a business partner or the Internet), you can see why these devices contain some form of advanced filtering capability.
Cisco routers provide two methods of filtering traffic. The simplest is the standard access list, while extended access lists are used for more granular control. Once an access list is created, it is applied to a specific interface on the router. The access list is then told to screen either inbound network traffic (traffic coming from the attached network to the interface) or outbound network traffic (traffic leaving the router and headed towards the attached network). This ability to filter either inbound or outbound traffic can be a real time saver in complex configurations.
Access List Basics
Access lists are generated by creating a number of test conditions that become associated with list identifier numbers. Access lists are created while in global configuration mode and use the following syntax:
access-list {list #} permit/deny {test condition}
You would repeat this command for every test condition you wish to use in order to screen traffic (such as allow SMTP, deny HTTP, and so on). The list number you use identifies which protocol you would like to apply these rules to. Table 6.3 shows some of the protocols that can be filtered, along with the list numbers associated with them.
TABLE 6.3 Cisco Access Control Lists

Protocol            List Type   Range Identifier
IP                  Standard    1–99
IP                  Extended    100–199
AppleTalk           N/A         600–699
Ethernet Addresses  N/A         700–799
IPX                 Standard    800–899
IPX                 Extended    1000–1099
Notice that only one type of filtering is supported for certain protocols. As of Cisco IOS 11.2 and higher, the range identifiers used by IP can be replaced by an alphanumeric name. This name can be up to 64 characters long but must start with an alphabetic character. The name must be unique, and each name can only describe a single set of standard or extended filters. You cannot combine the two. The syntax for creating an access list name is
ip access-list standard/extended {name}
Using names instead of access list numbers can be extremely beneficial. Doing so extends the number of unique lists you can create and allows you to associate a descriptive name to a particular set of filters (such as “spoofing”). Also, reflexive filters can only be associated with an access list name. You cannot use an access list identifier number.
Access lists will be processed in the order you create them: if you create five filter conditions and place them in the same access list, the router will evaluate each condition in the order it was created until the first match is found. Conditions are processed as “first fit,” not “best fit,” so it is important to pay close attention to the order you use. For example, let’s say you have an access list that states
• Allow all internal systems full IP access to the Internet.
• Do not let any internal systems telnet to hosts on the Internet.
Since the first rule states, “All outbound traffic is OK,” you would never actually make it to the second rule. This means that your internal users would still be able to use Telnet.
Once you have created an access list that you wish to apply to your router, enter configuration mode for a specific interface and enter the command
{protocol} access-group {list # or name} in/out
To remove an access list from an interface (always a good thing to do if you are testing a new filter), simply precede the command with the word no as follows:
no {protocol} access-group {list # or name} in/out
Likewise, to delete an entire access list, enter the command
no access-list {list # or name}
Keep in mind that this will delete all filter conditions associated with a particular access list number or name. One of the biggest drawbacks of access lists is that you cannot edit entries. This can make data entry a bit tedious. For example, if you have created 15 access list entries and realize that you actually want entry 11 processed after entry 13, you must delete the entire list and recreate it from scratch.
Create your access lists offline in a text editor. Once you have the filters in the correct order, simply copy the rules to the Windows Clipboard and use the Paste ability of your terminal emulator. This also allows you to keep a local backup of all your filter conditions.
All access filters have an implicit deny at the end of them. This means that if you do not tell the router to specifically allow a certain type of traffic to pass, it will assume that it should be blocked. For example, if your access list states, “Traffic from the subnet 192.168.1.0 is OK to let through,” the router will assume that it should block traffic from all subnets except 192.168.1.0. This feature helps to insure that you do not let anything through that you did not mean to.
Standard Access Lists
Standard access lists allow you to filter on source IP address. This is useful when you wish to block all traffic from a specific subnet or host. A standard access list does not look at the destination IP address or even the service; it makes its filtering determination based solely on the source address of the transmitting system.
While this sounds a bit limiting, it can actually be quite useful. Examine Figure 6.3. Here we have a very simple network design. There is only one way in and out of the network, which is through the router. The internal network segment uses an IP subnet address of 206.121.73.0.
FIGURE 6.3 Using standard access lists
In this environment, the router should never see any traffic originating from the Internet that appears to have originated from the IP subnet 206.121.73.0. This is because that segment is directly connected to the Ethernet port of the router. While the router will see traffic originating from this subnet on its Ethernet port, it should never be detected off of the serial (WAN) port.
IP spoofing is a process in which an attacker pretends to be a system on your local network transmitting information, even though he is off at some remote location. This can be used to exploit certain system vulnerabilities. For example, Microsoft Windows is vulnerable to a type of attack known as Land. A Land attack packet has the following attributes:
Source IP: The IP address of the system under attack
Destination IP: The IP address of the system under attack
Transport: TCP
Source port: 135
Destination port: 135
Flag setting: SYN=1
There are other ports and settings that can be used, but this should give you the general idea. The attack fools the system into thinking it is talking to itself. This will produce a race condition, which will cause the system to eventually hang or lock up.
You may be thinking, “No problem, I plan to block all inbound connection requests, so this packet would never get through because the SYN flag is set high.” Not true, Grasshopper: look at the source address. When the router evaluates this packet, it may very well think that the packet was received from the internal network.
While Cisco routers do not have this problem (they maintain the association of the packet with the interface it was received on), many routers do. If your access rules state, “Port 135 from the internal network is OK to let through,” the router will approve the packet of data, pass the information along to the routing process, which would then pass the traffic along to the Ethernet segment.
So how do you solve this problem? Since you will never see legitimate traffic originating from the Internet which uses your internal subnet address, there will be no loss in connectivity if you filter out such traffic. This is called a spoofing filter, because you are insuring that no traffic is allowed to pass which is trying to spoof your internal address.
It is also a good idea to place an inbound filter on your Ethernet port which states, “Only accept traffic from the 206.121.73.0 subnet.” This helps to insure that none of your internal users attempts a spoofing attack on some other network. As administrator, it is your job to not only protect your own environment, but also to make sure you do not inadvertently make someone else’s life miserable. You can create spoofing filters using standard access lists. The syntax for a standard access list entry is
access-list {list # or name} permit/deny {source} {mask}
So you could create the following access list entries in global configuration mode on the router in Figure 6.3:
access-list 1 deny 206.121.73.0 0.0.0.255
access-list 2 permit 206.121.73.0 0.0.0.255
Access list 1 would be applied by entering configuration mode for the WAN interface and entering the command
ip access-group 1 in
Likewise, access list 2 would be applied by entering configuration mode for the Ethernet interface and entering the command
ip access-group 2 in
You may notice that the mask value looks a little strange. This is because this value is a pattern match, not a subnet mask. A pattern match uses the following criteria when evaluating a test condition:
• 0 The corresponding byte in the defined address must match the test condition exactly.
• 1 This is a wildcard character: any value in this byte is considered a match.
So in this example our pattern match says, “Any IP address which contains the byte values 206.121.73.” As long as the first three bytes match the source IP address, the access list test condition considers it a match. There is one other address and mask combination you should know:
0.0.0.0 255.255.255.255
This tells the Cisco router that all traffic is to be considered a match. When you write your access rules, this address and mask can simply be replaced by the word “any.” This is not very useful for standard access lists (if you do not want to accept any traffic, it’s easier to just pull the plug), but it will come in handy when we get into extended access lists in the next section.
Access List Pattern Matching
If you think of the pattern match value as “an anti-subnet mask” you’ll be in pretty good shape. The pattern match will always be the exact opposite of what you would use for a subnet mask. This is pretty easy to follow if you are filtering full subnet classes, but it can get a bit confusing if you are working with true subnetting.
For example, let’s say that instead of a full class C network, you are only using a portion of this class C address space. Let’s assume that the network address is 206.121.73.64 and the subnet mask is 255.255.255.224. In this case, what would you use for a pattern match to insure that you are only filtering on your network space?
All TCP/IP address space is actually created using a binary number system. We use decimals simply because these are easier for human consumption. In order to determine the pattern match you will use, you first have to convert the last byte of the subnet mask to binary:
224 = 128 + 64 + 32 = 11100000
In the last byte you are using three bits for networking and five bits to identify each unique host. In order to ignore any host on your network, you would use a pattern match that has all the host bits set high, like this:
00011111 = 16 + 8 + 4 + 2 + 1 = 31
So in order to accommodate your new network address and subnet mask, you would need to change your access list entries to the following:
access-list 1 deny 206.121.73.64 0.0.0.31
access-list 2 permit 206.121.73.64 0.0.0.31
In effect, you have told your access list, “Filter the packet when you see an address space value 206.121.73.64 – 206.121.73.95 (64 + 31).” This will let you screen for your small chunk of this class C address space—without having to filter or allow more than you need to.
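The subnet-mask-to-pattern-match conversion above, carried through in code. This is an added example, not from the book: it goes beyond the single-octet case by inverting a full dotted-decimal mask, counting the host bits, computing the range of addresses a network/wildcard pair matches, and applying the router's own test to a candidate address. The function names are my own, and the spoofing_filter helper simply reproduces the two access-list lines from the text for whatever subnet you hand it.

```python
import ipaddress


def wildcard_from_mask(subnet_mask: str) -> str:
    """Invert a dotted-decimal subnet mask into the Cisco pattern-match (wildcard) mask.

    Every network bit (1 in the mask) becomes 0, "must match exactly"; every host bit
    becomes 1, "any value is a match". 255.255.255.224 -> 0.0.0.31.
    """
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def host_bits(subnet_mask: str) -> int:
    """Number of host bits, i.e. how many 1 bits the wildcard will carry (5 for 255.255.255.224)."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return 32 - bin(mask).count("1")


def matched_range(network: str, wildcard: str) -> tuple:
    """Lowest and highest address an entry with this network/wildcard pair will match."""
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    low = net & ~wc            # clear every wildcard bit
    high = net | wc            # set every wildcard bit
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def matches(address: str, network: str, wildcard: str) -> bool:
    """The router's test: bits where the wildcard is 0 must equal the network's bits."""
    a = int(ipaddress.IPv4Address(address))
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    return (a & ~wc) == (net & ~wc)


def spoofing_filter(network: str, subnet_mask: str) -> list:
    """The two standard-list lines from the text for an arbitrary subnet:
    list 1 (deny, inbound on the WAN port) and list 2 (permit, inbound on the Ethernet port)."""
    wc = wildcard_from_mask(subnet_mask)
    return [f"access-list 1 deny {network} {wc}", f"access-list 2 permit {network} {wc}"]


if __name__ == "__main__":
    wc = wildcard_from_mask("255.255.255.224")
    print(wc, host_bits("255.255.255.224"), matched_range("206.121.73.64", wc))
    for line in spoofing_filter("206.121.73.64", "255.255.255.224"):
        print(line)
```

matched_range is the quickest way to catch the classic mistake of handing the router a subnet mask where a pattern match belongs: 206.121.73.64 with 255.255.255.224 would report a range that covers most of the address space, while the intended 0.0.0.31 reports 206.121.73.64 through 206.121.73.95.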
Besides spoofing rules, why else might you use standard access lists? Standard access lists are extremely effective at blocking access from any undesirable remote site. This could be known attackers, mail spammers, or even competitors.
Just because you are connected to the Internet does not mean you must accept traffic from all sources. While accepting all traffic is considered the polite thing to do, it may not always make the most business sense.
For example, there are mailing lists and organizations that have dedicated resources to identifying spam sites. Spam, or unsolicited advertising e-mail, can be a waste of organizational resources at best, or it can cause a denial of service at worst. Many administrators now filter traffic from sites known to support (or at the very least fail to prevent) spammers and their activities. All traffic is filtered, because a site that does not control outbound spam mail typically makes no effort to prevent other types of attacks launched against your network.
A Cisco interface can only accept one access list per port, per direction. This means that you should only apply a standard access list when you won’t need an extended access list. If you require the increased flexibility of an extended access list, simply incorporate all of your filters into a single extended list.
Extended Access Lists
Extended access lists take the concept of standard access lists one step further. Instead of simply filtering on source IP address, extended access lists can also filter on
• Destination IP address
• Transport (IP, TCP, UDP, ICMP, GRE, IGRP)
• Destination port number
• Packet type or code in the case of ICMP
• Established connections (verifies that either the ACK or RST bit has been set)
Clearly, this can give you a much more granular level of control over your perimeter traffic. Extended access lists are created in global configuration mode using the following syntax:
access-list {list # or name} permit/deny {protocol} {source} {mask} {destination} {mask} {operator} {port} established (if applicable)
Valid operators are
• lt Less than
• gt Greater than
• eq Equal to
• neq Not equal to
As an example, let’s say you wish to create a set of extended access rules allowing open access to HTTP on the host 206.121.73.10 and allowing Telnet access as well, but only from hosts on the subnet 199.52.24.0. These rules would look similar to the following (the protocol keyword tcp is required, since the port operators apply only to TCP and UDP):
access-list 101 permit tcp any 206.121.73.10 0.0.0.0 eq 80
access-list 101 permit tcp 199.52.24.0 0.0.0.255 206.121.73.10 0.0.0.0 eq 23
You would then install these rules on the serial port by entering configuration mode for that interface and entering the command
ip access-group 101 in
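The first-fit rule and the implicit deny from the Access List Basics section, the spoofing filter for Figure 6.3, and the extended list 101 just shown can all be checked in one small evaluator. The following is an added example, not the book's code and not Cisco IOS: it parses numbered standard and extended entries in the syntax this chapter uses (named lists, ICMP types and the non-IP protocols in Table 6.3 are left out), evaluates a packet against the entries in order, and falls through to the implicit deny when nothing matches. The Packet fields, the helper names, and the list numbers 102 and 103 are my own constructs. Note that because of the implicit deny, the WAN spoofing list here carries a trailing permit any that the text's single-line list 1 lacks; applied inbound on the WAN port as written, list 1 alone would block all inbound traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def _addr_match(addr: int, network: int, wildcard: int) -> bool:
    # Bits where the wildcard is 0 must equal the network's bits; 1 bits are "don't care".
    return (addr & ~wildcard) == (network & ~wildcard)

def _parse_addr(tokens: list, i: int) -> tuple:
    # Consume "any" or "<address> <wildcard>"; return (network, wildcard, next index).
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2

@dataclass
class Entry:
    list_id: str
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # a standard list matches every IP packet
    src: tuple = (0, 0xFFFFFFFF)     # (network, wildcard); default is "any"
    dst: tuple = (0, 0xFFFFFFFF)
    operator: Optional[str] = None   # eq / lt / gt / neq on the destination port
    port: Optional[int] = None
    established: bool = False        # match only if ACK or RST is set

def parse_entry(line: str) -> Entry:
    """Parse one numbered access-list line: standard (1-99) or extended (100-199)."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    list_id, action, number = t[1], t[2], int(t[1])
    if 1 <= number <= 99:            # standard list: source address only
        net, wc, _ = _parse_addr(t, 3)
        return Entry(list_id, action, "ip", (net, wc))
    if not 100 <= number <= 199:
        raise ValueError(f"unsupported list number {list_id}")
    snet, swc, i = _parse_addr(t, 4)
    dnet, dwc, i = _parse_addr(t, i)
    entry = Entry(list_id, action, t[3], (snet, swc), (dnet, dwc))
    while i < len(t):                # optional trailing qualifiers
        if t[i] in ("eq", "lt", "gt", "neq"):
            entry.operator, entry.port = t[i], int(t[i + 1])
            i += 2
        elif t[i] == "established":
            entry.established = True
            i += 1
        else:
            raise ValueError(f"unknown qualifier {t[i]!r}")
    return entry

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    dport: int = 0
    ack: bool = False
    rst: bool = False

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not _addr_match(_ip(p.src), *e.src) or not _addr_match(_ip(p.dst), *e.dst):
        return False
    if e.operator is not None:
        ops = {"eq": p.dport == e.port, "neq": p.dport != e.port,
               "lt": p.dport < e.port, "gt": p.dport > e.port}
        if not ops[e.operator]:
            return False
    return not e.established or p.ack or p.rst

def evaluate(entries: list, packet: Packet) -> str:
    """First-fit: the first matching entry decides; no match falls to the implicit deny."""
    for e in entries:
        if entry_matches(e, packet):
            return e.action
    return "deny"

def load(*lines: str) -> list:
    return [parse_entry(line) for line in lines]

# Spoofing filter for the WAN port in Figure 6.3, with a trailing "permit any" added so that
# the implicit deny does not turn the single deny line into "block everything inbound".
WAN_IN = load("access-list 1 deny 206.121.73.0 0.0.0.255", "access-list 1 permit any")
# The extended list from the text (tcp keyword supplied, as the syntax requires).
LIST_101 = load("access-list 101 permit tcp any 206.121.73.10 0.0.0.0 eq 80",
                "access-list 101 permit tcp 199.52.24.0 0.0.0.255 206.121.73.10 0.0.0.0 eq 23")
# The ordering pitfall: "allow everything" placed before "deny telnet" means the deny is never reached.
WRONG_ORDER = load("access-list 102 permit ip any any", "access-list 102 deny tcp any any eq 23")
RIGHT_ORDER = list(reversed(WRONG_ORDER))

if __name__ == "__main__":
    land = Packet("206.121.73.10", "206.121.73.10", "tcp", 135)   # constructed Land-style packet
    telnet_out = Packet("206.121.73.5", "10.9.8.7", "tcp", 23)    # constructed outbound Telnet
    print("Land packet inbound on WAN:", evaluate(WAN_IN, land))
    print("telnet wrong order:", evaluate(WRONG_ORDER, telnet_out), "right order:", evaluate(RIGHT_ORDER, telnet_out))
```

With the entries in the wrong order, evaluate(WRONG_ORDER, ...) returns permit for an outbound Telnet packet, exactly the trap described in the Access List Basics section; reversing the two entries returns deny while leaving HTTP permitted. A Land-style packet whose source and destination are both 206.121.73.10 is denied by the first entry of WAN_IN regardless of port, which is the whole point of the spoofing filter: the decision rests on where the address claims to be from, not on the SYN flag.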