
ACCESS LISTS

Access lists are essentially lists of conditions that control access. They're powerful tools that control access both to and from network segments. They can filter unwanted packets and be used to implement security policies. With the right combination of access lists, network managers will be armed with the power to enforce nearly any access policy they can invent.

What They're All About


The access list is a group of statements. Each statement defines a pattern that would be found in an IP packet. As each packet comes through an interface with an associated access list, the list is scanned from top to bottom--in the exact order that it was entered--for a pattern that matches the incoming packet. A permit or deny rule associated with the pattern determines that packet's fate. You also can use a mask, which is like a wild card, to determine how much of an IP source or destination address to apply to the pattern match. The pattern statement also can include a TCP, UDP, Telnet, FTP, or other port number.

How They Work


There are a few important rules a packet must follow when it's being compared with an access list:

- It's always compared with each line of the access list in sequential order, i.e., it'll always start with line 1, then go to line 2, then line 3, and so on.
- It's compared with lines of the access list only until a match is made. Once the packet matches a line of the access list, it's acted upon, and no further comparisons take place.
- There is an implicit deny at the end of each access list. This means that if a packet doesn't match up to any lines in the access list, it'll be discarded.

Each of these rules has some powerful implications when filtering IP and IPX packets with access lists.

Types of access lists


Standard access lists: These use only the source IP address in an IP packet to filter the network. This basically permits or denies an entire suite of protocols. IPX standard access lists can filter on both source and destination IPX address.

Extended access lists: These check for both source and destination IP address, the protocol field in the Network layer header, and the port number in the Transport layer header. IPX extended access lists use source and destination IPX addresses, Network layer protocol fields, and socket numbers in the Transport layer header.

Implementation

Once you create an access list, you apply it to an interface as either an inbound or an outbound list.

Inbound access lists: Packets are processed through the access list before being routed to the outbound interface.

Outbound access lists: Packets are routed to the outbound interface and then processed through the access list.

Here is a list of guidelines that should be followed when creating and implementing access lists:

- You can assign only one access list per interface, per protocol, per direction. This means that if you are creating IP access lists, you can have only one inbound access list and one outbound access list per interface.
- Organize your access lists so that the more specific tests are at the top of the access list.
- Any time a new entry is added to the access list, it will be placed at the bottom of the list.
- You cannot remove one line from an access list. If you try to do this, you will remove the entire list. It is best to copy the access list to a text editor before trying to edit the list. The only exception is when using named access lists.
- Unless your access list ends with a permit any command, all packets will be discarded if they do not meet any of the list's tests. Every list should have at least one permit statement, or you might as well shut the interface down.
- Create access lists and then apply them to an interface. An access list applied to an interface before a list with that number exists will not filter traffic.
- Access lists are designed to filter traffic going through the router. They will not filter traffic originated from the router.
- Place IP standard access lists as close to the destination as possible. Place IP extended access lists as close to the source as possible.

Standard IP Access Lists


Standard IP access lists filter the network by using the source IP address in an IP packet. You create a standard IP access list by using the access list numbers 1-99. Here is an example of the access list numbers that you can use to filter your network. The different protocols that you can use with access lists depend on your IOS version.

    RouterA(config)#access-list ?
      <1-99>       IP standard access list
      <100-199>    IP extended access list
      <200-299>    Protocol type-code access list
      <300-399>    DECnet access list
      <400-499>    XNS standard access list
      <500-599>    XNS extended access list
      <600-699>    Appletalk access list
      <700-799>    48-bit MAC address access list
      <800-899>    IPX standard access list
      <900-999>    IPX extended access list
      <1000-1099>  IPX SAP access list
      <1100-1199>  Extended 48-bit MAC address access list
      <1200-1299>  IPX summary address access list

By using the access list numbers between 1 and 99, you tell the router that you want to create a standard IP access list.

    RouterA(config)#access-list 10 ?
      deny    Specify packets to reject
      permit  Specify packets to forward

After you choose the access list number, you need to decide if you are creating a permit or deny list. For this example, you will create a deny statement:

    RouterA(config)#access-list 10 deny ?
      Hostname or A.B.C.D  Address to match
      any                  Any source host
      host                 A single host address

The next step requires a more detailed explanation. There are three options available. You can use the any command to permit or deny any host or network, you can use an IP address to specify or match a specific network or IP host, or you can use the host command to specify a specific host only. Here is an example of using the host command:

    RouterA(config)#access-list 10 deny host 172.16.30.2

This tells the list to deny any packets from host 172.16.30.2. The default command is host. In other words, if you type access-list 10 deny 172.16.30.2, the router assumes you mean host 172.16.30.2.
However, there is another way to specify a specific host: you can use wildcards. In fact, to specify a network or a subnet, you have no option but to use wildcards in the access list.

Extended IP Access Lists


In the standard IP access list example, notice how you had to block the whole subnet from getting to the finance department. What if you wanted them to gain access to only a certain server on the Finance LAN, but not to other network services, for obvious security reasons? With a standard IP access list, you can't allow users to get to one network service and not another. However, extended IP access lists allow you to do this. Extended IP access lists allow you to choose your IP source and destination address as well as the protocol and port number, which identify the upper-layer protocol or application. By using extended IP access lists, you can effectively allow users access to a physical LAN and stop them from using certain services.

Here is an example of an extended IP access list. The first command shows the access list numbers available. You'll use the extended access list range from 100 to 199. At this point, you need to decide what type of list entry you are making. For this example, you'll choose a deny list entry.

    RouterA(config)#access-list 110 ?
      deny     Specify packets to reject
      dynamic  Specify a DYNAMIC list of PERMITs or DENYs
      permit   Specify packets to forward

Once you choose the access list type, you must choose a Network layer protocol field entry. It is important to understand that if you want to filter the network by Application layer, you must choose an entry here that allows you to go up through the OSI model. For example, to filter by Telnet or FTP, you must choose TCP here. If you were to choose IP, you would never leave the Network layer, and you would not be allowed to filter by upper-layer applications.

    RouterA(config)#access-list 110 deny ?
      <0-255>  An IP protocol number
      eigrp    Cisco's EIGRP routing protocol
      gre      Cisco's GRE tunneling
      icmp     Internet Control Message Protocol
      igmp     Internet Gateway Message Protocol
      igrp     Cisco's IGRP routing protocol
      ip       Any Internet Protocol
      ipinip   IP in IP tunneling
      nos      KA9Q NOS compatible IP over IP tunneling
      ospf     OSPF routing protocol
      tcp      Transmission Control Protocol
      udp      User Datagram Protocol

Once you choose to go up to the Application layer through TCP, you will be prompted for the source IP address of the host or network. You can choose the any command to allow any source address.

    RouterA(config)#access-list 110 deny tcp ?
      A.B.C.D  Source address
      any      Any source host
      host     A single source host

After the source address is selected, the destination address is chosen.

    RouterA(config)#access-list 110 deny tcp any ?
      A.B.C.D  Destination address
      any      Any destination host
      eq       Match only packets on a given port number
      gt       Match only packets with a greater port number
      host     A single destination host
      lt       Match only packets with a lower port number
      neq      Match only packets not on a given port number
      range    Match only packets in the range of port numbers

In the example below, any source IP address that has a destination IP address of 172.16.30.2 has been denied.

    RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 ?
      eq           Match only packets on a given port number
      established  Match established connections
      fragments    Check fragments
      gt           Match only packets with a greater port number
      log          Log matches against this entry
      log-input    Log matches against this entry, including input interface
      lt           Match only packets with a lower port number
      neq          Match only packets not on a given port number
      precedence   Match packets with given precedence value
      range        Match only packets in the range of port numbers
      tos          Match packets with given TOS value

Now, you can press Enter here and leave the access list as is. However, you can be even more specific: once you have the host addresses in place, you can specify the type of service you are denying. The following help screen gives you the options. You can choose a port number or use the application or even the program name.

    RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
      <0-65535>  Port number
      bgp        Border Gateway Protocol (179)
      chargen    Character generator (19)
      cmd        Remote commands (rcmd, 514)
      daytime    Daytime (13)
      discard    Discard (9)
      domain     Domain Name Service (53)
      echo       Echo (7)
      exec       Exec (rsh, 512)
      finger     Finger (79)
      ftp        File Transfer Protocol (21)
      gopher     Gopher (70)
      hostname   NIC hostname server (101)
      ident      Ident Protocol (113)
      irc        Internet Relay Chat (194)
      klogin     Kerberos login (543)
      kshell     Kerberos shell (544)
      login      Login (rlogin, 513)
      lpd        Printer service (515)
      nntp       Network News Transport Protocol (119)
      pop2       Post Office Protocol v2 (109)
      pop3       Post Office Protocol v3 (110)
      smtp       Simple Mail Transport Protocol (25)
      sunrpc     Sun Remote Procedure Call (111)
      syslog     Syslog (514)
      tacacs     TAC Access Control System (49)
      talk       Talk (517)
      telnet     Telnet (23)
      time       Time (37)
      uucp       Unix-to-Unix Copy Program (540)
      whois      Nicname (43)
      www        World Wide Web (HTTP, 80)

Monitoring IP Access Lists

It is important to be able to verify the configuration on a router. The following commands can be used to verify the configuration:

- show access-list: Displays all access lists and their parameters configured on the router. This command does not show you which interface the list is set on.
- show access-list 110: Shows only the parameters for access list 110. This command does not show you the interface the list is set on.
- show ip access-list: Shows only the IP access lists configured on the router.
- show ip interface: Shows which interfaces have access lists set.
- show running-config: Shows the access lists and which interfaces have access lists set.
