Extended IP Access Lists

In the standard IP access list example, notice how you had to block the whole subnet from getting to the finance department. What if you wanted them to gain access to only a certain server on the Finance LAN, but not to other network services, for obvious security reasons? With a standard IP access list, you can’t allow users to get to one network service and not another. However, extended IP access lists allow you to do this. Extended IP access lists allow you to choose your IP source and destination address as well as the protocol and port number, which identify the upper-layer protocol or application.


By using extended IP access lists, you can effectively allow users access to a physical LAN and stop them from using certain services. Here is an example of an extended IP access list. The first command shows the access list numbers available. You’ll use the extended access list range from 100 to 199.

RouterA(config)# access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<200-299> Protocol type-code access list
<300-399> DECnet access list
<400-499> XNS standard access list
<500-599> XNS extended access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list

At this point, you need to decide what type of list entry you are making. For this example, you’ll choose a deny list entry.

RouterA(config)#access-list 110 ?
deny Specify packet
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward

Once you choose the access list type, you must choose a Network layer protocol field entry. It is important to understand that if you want to filter the network by Application layer, you must choose an entry here that allows you to go up through the OSI model. For example, to filter by Telnet or FTP, you must choose TCP here. If you were to choose IP, you would never leave the Network layer, and you would not be allowed to filter by upper-layer applications.

RouterA(config)#access-list 110 deny ?
<0-255> An IP protocol number
eigrp Cisco's EIGRP routing protocol
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
igrp Cisco's IGRP routing protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
Once you choose to go up to the Application layer through TCP, you will be prompted for the source IP address of the host or network. You can choose the any command to allow any source address.

RouterA(config)#access-list 110 deny tcp ?
A.B.C.D Source address
any Any source host
host A single source host

After the source address is selected, the destination address is chosen.

RouterA(config)#access-list 110 deny tcp any ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers

In the example below, any source IP address that has a destination IP address of 172.16.30.2 has been denied.

RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 ?
eq Match only packets on a given port number
established Match established connections
fragments Check fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
range Match only packets in the range of port numbers
tos Match packets with given TOS value

Now, you can press Enter here and leave the access list as is. However, you can be even more specific: once you have the host addresses in place, you can specify the type of service you are denying. The following help screen gives you the options. You can choose a port number or use the application or even the program name.

RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)

At this point, let’s block Telnet (port 23) to host 172.16.30.2 only. If the users want to FTP, that is allowed. The log command is used to send messages to the console every time the access list is hit. This would not be a good thing to do in a busy environment, but it is great when used in a class or in a home network.

RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log

You need to keep in mind that the next line is an implicit deny any by default. If you apply this access list to an interface, you might as well just shut the interface down, since by default there is an implicit deny all at the end of every access list. You must follow up the access list with the following command:

RouterA(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255

Remember, the 0.0.0.0 255.255.255.255 is the same command as any.

Once the access list is created, you need to apply it to an interface. It is the same command as the IP standard list:

RouterA(config-if)#ip access-group 110 in

or

RouterA(config-if)#ip access-group 110 out

Extended IP Access List Example

Using Figure 9.1 from the IP standard access list example again, let’s use the same network and deny access to a server on the finance-department LAN for both Telnet and FTP services on server 172.16.10.5. All other services on the LAN are acceptable for the sales and marketing departments to access.

The following access list should be created:

Acme#config t
Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 21
Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 23
Acme(config)#access-list 110 permit ip any any

It is important to understand why the denies were placed first in the list. This is because if you had configured the permits first and the denies second, the Finance LAN would not have been able to go to any other LAN or to the Internet because of the implicit deny at the end of the list. It would be difficult to configure the list any other way than the preceding example. After the lists are created, they need to be applied to the Ethernet 0 port. This is because the other three interfaces on the router need access to the LAN.

However, if this list were created to only block Sales, then we would have wanted to put this list closest to the source, or on Ethernet interface 2.

Acme(config-if)#ip access-group 110 out
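To make the ordering and implicit-deny behaviour of access-list 110 concrete, here is an added Python model of how IOS evaluates an extended list (first match wins, no match means deny). It is an illustration written for this page, not Cisco code; the entry tuples and the wildcard-mask matcher are assumptions that mirror the keywords shown above (any, host, A.B.C.D WILDCARD).

```python
import ipaddress

# Constructed model of extended ACL evaluation: entries are checked top to
# bottom, the first matching entry decides, and a list that matches nothing
# ends in the implicit deny. Not IOS code; an illustration of the semantics.

def wildcard_match(addr, spec):
    """Match addr against 'any', 'host X', or 'X WILDCARD' (IOS wildcard mask)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    base, wild = spec.split()
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    # Wildcard bit 1 = "don't care", bit 0 = the address bit must match.
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def entry_matches(entry, pkt):
    action, proto, src, dst, port = entry
    if proto != "ip" and proto != pkt["proto"]:   # "ip" covers every protocol
        return False
    if port is not None and pkt["dport"] != port:  # "eq <port>" clause
        return False
    return wildcard_match(pkt["src"], src) and wildcard_match(pkt["dst"], dst)

def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt under acl (first match wins)."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry[0]
    return "deny"  # implicit deny at the end of every access list

# The Acme list from the text: denies first, then "permit ip any any"
# (written here with the equivalent 0.0.0.0 255.255.255.255 wildcard form).
ACME_110 = [
    ("deny", "tcp", "any", "host 172.16.10.5", 21),
    ("deny", "tcp", "any", "host 172.16.10.5", 23),
    ("permit", "ip", "any", "0.0.0.0 255.255.255.255", None),
]

def pkt(src, dst, proto="tcp", dport=None):
    """Constructed sample packet header (only the fields the ACL inspects)."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

if __name__ == "__main__":
    for p in (pkt("172.16.40.2", "172.16.10.5", dport=23),
              pkt("172.16.40.2", "172.16.10.5", dport=80)):
        print(p["dport"], evaluate(ACME_110, p))
```

Running evaluate with the permit entry moved to the top shows why the denies must come first: the permit matches every packet and the Telnet and FTP denies are never reached, while a list containing only the two denies drops all other traffic through the implicit deny.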

Monitoring IP Access Lists

It is important to be able to verify the configuration on a router. The following commands can be used to verify the configuration:

show access-list Displays all access lists and their parameters configured on the router. This command does not show you which interface the list is set on.

show access-list 110 Shows only the parameters for the access list 110. This command does not show you the interface the list is set on.

show ip access-list Shows only the IP access lists configured on the router.

show ip interface Shows which interfaces have access lists set.

show running-config Shows the access lists and which interfaces have access lists set.