Extended Access-List Example On Cisco Router

In a previous lesson I covered the standard access-list, now it’s time to take a look at the extended access-list. This is the topology we’ll use: R1 and R2 are connected through their FastEthernet 0/0 interfaces (R1 uses 192.168.12.1, R2 uses 192.168.12.2). R1 has a loopback 0 interface in network 1.1.1.0 /24 with IP address 1.1.1.1, and R2 has a loopback 0 interface with IP address 2.2.2.2.
Using the extended access-list we can create far more complex statements. Let’s say we have the following requirement:

Traffic from network 1.1.1.0 /24 is allowed to connect to the HTTP server on R2, but only to IP address 2.2.2.2.
All other traffic has to be denied.

Now we need to translate this to an extended access-list statement. Basically they look like this:

[source] + [source port] to [destination] + [destination port]

Let’s walk through the configuration together:

R2(config)#access-list 100 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
remark Access list entry comment

First of all we need to select a permit or deny. By the way you can also use a remark. You can use this to
add a comment to your access-list statements. I’ll select the permit…

R2(config)#access-list 100 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol

Now we have a lot more options. Since I want something that permits HTTP traffic, we’ll have to select TCP. Let’s continue:

R2(config)#access-list 100 permit tcp ?
A.B.C.D Source address
any Any source host
host A single source host

Now we have to select a source. I can either type in a network address with a wildcard or I can use the any or host keyword. These two keywords are “shortcuts”, let me explain:

If you type “0.0.0.0 255.255.255.255” you match all networks. Instead of typing this we can use the any keyword.
If you type something like “2.2.2.2 0.0.0.0” we are matching a single IP address. Instead of typing the “0.0.0.0” wildcard we can use the keyword host.

I want to select network 1.1.1.0 /24 as the source so this is what we will do:

R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers

Besides selecting the source we can also select the source port number. Keep in mind that when I connect from R1 to R2’s HTTP server, my source port number will be random, so I’m not going to specify a source port number here.

R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 ?
ack Match on the ACK bit
dscp Match packets with given dscp value
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
fragments Check non-initial fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
urg Match on the URG bit
<cr>

We will select the destination which is IP address 2.2.2.2. I could have typed “2.2.2.2 0.0.0.0” but it’s easier
to use the host keyword. Besides the destination IP address we can select a destination port number with
the eq keyword:

R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80

This will be the end result. Before we apply it to the interface I will add one useful extra statement:

R2(config)#access-list 100 deny ip any any log

Using the statement above I can make that invisible “deny any” (the implicit deny at the end of every access-list) visible. The log keyword will output all denied packets to the console.

Now let’s apply it and give it a test run!

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group 100 in

We’ll apply it to the interface inbound. Don’t forget to enable the HTTP server:

R2(config)#ip http server

Now let’s generate some traffic:

R1#telnet 2.2.2.2 80
Trying 2.2.2.2, 80 ...
% Destination unreachable; gateway or host down

I don’t need a web browser to test if the HTTP server is running. I can use telnet to connect to TCP port 80. The traffic above is denied, as you will see on the console of R2:

R2#
%SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.12.1(55419) -> 2.2.2.2(80), 1 packet

Or we can take a look at the matches on the access-list:

R2#show access-lists
Extended IP access list 100
10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www
20 deny ip any any log (1 match)

The packet was denied because the source IP address was 192.168.12.1. Let’s connect from IP address
1.1.1.1:

R1#telnet 2.2.2.2 80 /source-interface loopback 0
Trying 2.2.2.2, 80 ... Open

There we go! It now says open, which means that it connected. When we use telnet we can select the source interface. The packet is now allowed because it matches the first statement of the access-list.

If I want to remove a single statement from my access-list I have two options:

Copy your access-list to notepad, edit it and paste it back to your router and use a new access-list.
Use the access-list editor.

The access-list editor sounds easier right? This is how it works:

R2(config)#ip access-list extended 100

Use the ip access-list command to create a new access-list or modify existing ones. Your console will look like this:

R2(config-ext-nacl)#

Now we can add or remove statements:

R2(config-ext-nacl)#?
Ext Access List configuration commands:
<1-2147483647> Sequence Number
default Set a command to its defaults
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
evaluate Evaluate an access list
exit Exit from access-list configuration mode
no Negate a command or set its defaults
permit Specify packets to forward
remark Access list entry comment

Let’s remove statement 20 from access-list 100:

R2(config-ext-nacl)#do show access-list 100
Extended IP access list 100
10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www (21 matches)
20 deny ip any any log (1 match)

This is what it looks like now…

R2(config-ext-nacl)#no 20

Type no in front of the sequence number and it will be gone:

R2(config-ext-nacl)#do show access-list 100
Extended IP access list 100
10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www (21 matches)

Voila it’s now gone.

Last but not least we can also create a named access-list. Let’s create something that denies ICMP traffic from R2 to R1’s loopback0 interface but allows everything else:

R1(config)#ip access-list extended DROPICMP
R1(config-ext-nacl)#deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255
R1(config-ext-nacl)#deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit

This is what the access-list will look like. I’ll call it “DROPICMP”. The first statement will drop ICMP traffic from IP address 192.168.12.2 and the second line is for IP address 2.2.2.2. All other traffic is permitted. Let’s apply it to the interface:

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group DROPICMP in

Now let’s test it:

R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#show access-lists
Extended IP access list DROPICMP
10 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255 (15 matches)
20 deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255
30 permit ip any any

The first ping is failing as it should…

R2#ping 1.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.....
Success rate is 0 percent (0/5)

R1#show access-lists
Extended IP access list DROPICMP
10 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255 (15 matches)
20 deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255 (15 matches)
30 permit ip any any

And the second ping fails too…

Let’s do something crazy to get a match on the last statement:

R2#telnet 1.1.1.1
Trying 1.1.1.1 ...

R1#show access-lists
Extended IP access list DROPICMP
10 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255 (27 matches)
20 deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255 (18 matches)
30 permit ip any any (12 matches)

I didn’t configure telnet on R1 but my packets will hit the last statement anyway. That’s all I wanted to show you about extended access-lists. It will take some time to get used to reading and creating these access-lists. Just make sure you practice a lot and it will become easy.
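To make the matching rules from this lesson concrete, here is a small Python model, added here and not part of the lesson or of IOS, of the ACE syntax used above (any, host, network plus wildcard, eq, log), evaluated top-down with first match wins and the implicit deny at the end. It replays the telnet tests against access-list 100 and the pings against DROPICMP; the function names and the dictionary layout are my own choices.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 0 bit must match, a 1 bit is ignored. So 'host X' is
    wildcard 0.0.0.0 and 'any' is 0.0.0.0 255.255.255.255 (nothing is checked)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def parse_addr(tok, i):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    """Parse the ACE subset used in the lesson: ACTION PROTO SRC DST [eq PORT] [log]."""
    tok = line.split()
    src, i = parse_addr(tok, 2)
    dst, i = parse_addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(tok[i + 1]), i + 2
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst,
            "dport": port, "log": "log" in tok[i:], "matches": 0}

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; returns (action, sequence number, logged?).
    A packet matching no entry hits the implicit deny: no counter, no log."""
    for n, ace in enumerate(acl, start=1):
        if ace["proto"] not in ("ip", proto):
            continue                      # e.g. an icmp entry never sees a tcp packet
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            ace["matches"] += 1           # what 'show access-lists' reports as (N matches)
            return ace["action"], n * 10, ace["log"]
    return "deny", None, False

ACL_100 = [parse_ace(l) for l in ("permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80",
                                  "deny ip any any log")]
DROPICMP = [parse_ace(l) for l in ("deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255",
                                   "deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255",
                                   "permit ip any any")]
if __name__ == "__main__":   # the lesson's tests: telnet from 192.168.12.1, then from loopback 1.1.1.1
    print(evaluate(ACL_100, "tcp", "192.168.12.1", "2.2.2.2", 80))  # ('deny', 20, True)
    print(evaluate(ACL_100, "tcp", "1.1.1.1", "2.2.2.2", 80))       # ('permit', 10, False)
```

The model reports a log flag per match; real IOS additionally rate-limits and summarizes log messages, which is not reproduced here.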

Configurations: R1, R2

Want to take a look for yourself? Here you will find the final configuration of each device.

I hope you enjoyed this lesson, if so, please leave a comment!

 Tags: ACL, Security

Forum Replies

talk2seeni

Hi Rene,
Very good document on access-lists, easy to understand. There are a lot of options like established, precedence, etc. Do any of your posts explain these options in detail?

Thanks,
Srini

ReneMolenaar

Hi Srini,

Let’s take a look at the different IP options:

R1(config-ext-nacl)#permit ip any any ?
dscp Match packets with given dscp value
fragments Check non-initial fragments
log Log matches against this entry
log-input Log matches against this entry, including input interface
option Match packets with given IP Options value
precedence Match packets with given precedence value
reflect Create reflexive access list entry
time-range Specify a time-range
tos Match packets with given TOS value
ttl Ma

... Continue reading in our forum

andrew

The safest approach is to set QoS in both directions. At my company, we are concerned with prioritizing VOIP, print jobs, and SSH. VOIP is a bit easier since the VOIP server and phones automatically mark their traffic as DSCP EF, so we just trust those markings, but with the others, we do, in fact, mark them similar to the example I provided earlier where the classifier for return trip looks to the source port, not the destination.

If you knew that your remote sites, for example, had more of a problem with downloads saturating the bandwidth than uploads, you

... Continue reading in our forum

azmuddincisco

Hello Rene/Laz,
I apologize because my question may not be completely relevant to the topic. However, I would really like to get some help if possible.

Would you please provide me a template for Border inbound ACL at the internet WAN router on the WAN interface? So far this is what I have found. Please let me know if I am missing
anything.

ip access-list extended INBOUND
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
deny icmp any any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168

... Continue reading in our forum

lagapides

Hello AZM

It’s a good start and you cover most of the issues that can affect the edge. You will also need to examine your network and see what additional traffic you can deny, that is, traffic that you know is invalid for your network. For example, if you will never have an FTP session initiated from the Internet to an internal host, you can block that particular port as well.

Take a look at this Cisco documentation that describes best practices for ACLs at the edge, as they are the first line of defense of your network:

https://www.cisco.com/c/en/us/support/

... Continue reading in our forum

© 2013 - 2021 NetworkLessons.com