ACLs on Cisco

Cisco has different types of ACLs; the most used types are listed below:

1. Standard ACL
The oldest and simplest type is standard ACL
– numbers are 1-99, 1300-1999
– wildcard masks are used
– filters only based on SRC IP address/network
– ACL can work with IP addresses only, no L4-L7 features
example : we need to block the ranges 192.168.5.0/27 and 192.168.8.0/21 from accessing our server on 192.168.0.3. Other traffic should be allowed. (A standard ACL matches only the source, so wherever it is applied it blocks those ranges from everything reachable through that interface, not only from the server.)

Router(config)# access-list 1 deny 192.168.5.0 0.0.0.31
Router(config)# access-list 1 deny 192.168.8.0 0.0.7.255
Router(config)# access-list 1 permit any

Router(config)# interface FastEthernet0/0
Router(config-if)# ip access-group 1 in

2. Extended ACL
– numbers 100-199, 2000-2699.
– wildcard masks are used
– ACL can perform different actions on different protocols
example : we need to block range 192.168.5.0/27 and 192.168.8.0/21 from accessing WWW, HTTPS and Telnet services on our servers located on 192.168.0.0/24 network. Other traffic should be allowed.

Router(config)# access-list 101 deny tcp 192.168.5.0 0.0.0.31 192.168.0.0 0.0.0.255 eq 80
Router(config)# access-list 101 deny tcp 192.168.5.0 0.0.0.31 192.168.0.0 0.0.0.255 eq 443
Router(config)# access-list 101 deny tcp 192.168.5.0 0.0.0.31 192.168.0.0 0.0.0.255 eq 23
Router(config)# access-list 101 deny tcp 192.168.8.0 0.0.7.255 192.168.0.0 0.0.0.255 eq 80
Router(config)# access-list 101 deny tcp 192.168.8.0 0.0.7.255 192.168.0.0 0.0.0.255 eq 443
Router(config)# access-list 101 deny tcp 192.168.8.0 0.0.7.255 192.168.0.0 0.0.0.255 eq 23
Router(config)# access-list 101 permit ip any any

Router(config)# interface FastEthernet0/0
Router(config-if)# ip access-group 101 in

Verification of ACL :
show ip access-lists 1
show ip access-lists 101

* By default every ACL ends with an implicit deny any any: a packet that matches no line is dropped.
* ACLs are applied on interfaces, but there is also a way to control access to/from the VTY lines.
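The wildcard-mask and first-match semantics used by ACL 1 and ACL 101 above, as an added Python model (this is not IOS code and not part of the original page): it derives the wildcard masks from prefix lengths, walks the ACL line by line and falls through to the implicit deny when nothing matches. The names Entry, evaluate, ACL_1 and ACL_101 are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (network, wildcard) pair meaning "any": every wildcard bit set, nothing has to match
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_from_prefix(prefix: str) -> Tuple[str, str]:
    """Turn a CIDR prefix into the (network, wildcard) pair an IOS ACL line uses.

    The wildcard is the inverse of the subnet mask: 192.168.8.0/21 -> 0.0.7.255.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; a 0 bit must equal the network bit."""
    a = int(ipaddress.ip_address(address))
    n = int(ipaddress.ip_address(network))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (n & ~w)


@dataclass
class Entry:
    """One ACL line, fields in the order they appear on the IOS command line."""
    action: str                       # "permit" or "deny"
    src: Tuple[str, str]              # source (network, wildcard)
    dst: Tuple[str, str] = ANY        # a standard ACL never looks at the destination
    proto: str = "ip"                 # "ip" matches every protocol
    dport: Optional[int] = None       # "eq <port>"; None means any port


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """The first matching line decides; no match falls through to the implicit deny."""
    for line in acl:
        if line.proto != "ip" and line.proto != proto:
            continue
        if not wildcard_match(src, *line.src):
            continue
        if not wildcard_match(dst, *line.dst):
            continue
        if line.dport is not None and line.dport != dport:
            continue
        return line.action
    return "deny"  # implicit deny any any at the end of every ACL


# access-list 1 from the page: deny two source ranges, permit everything else
ACL_1 = [
    Entry("deny", wildcard_from_prefix("192.168.5.0/27")),
    Entry("deny", wildcard_from_prefix("192.168.8.0/21")),
    Entry("permit", ANY),
]

# access-list 101 from the page: block HTTP, HTTPS and Telnet from both ranges
# towards 192.168.0.0/24, permit everything else
SERVERS = wildcard_from_prefix("192.168.0.0/24")
ACL_101 = [
    Entry("deny", wildcard_from_prefix(src), SERVERS, "tcp", port)
    for src in ("192.168.5.0/27", "192.168.8.0/21")
    for port in (80, 443, 23)
] + [Entry("permit", ANY)]

# A list with a single permit line: anything else hits the implicit deny
ONLY_PERMIT_SERVERS = [Entry("permit", SERVERS)]


if __name__ == "__main__":
    print(wildcard_from_prefix("192.168.8.0/21"))                          # ('192.168.8.0', '0.0.7.255')
    print(evaluate(ACL_1, "ip", "192.168.5.17", "192.168.0.3"))             # deny
    print(evaluate(ACL_1, "ip", "192.168.5.33", "192.168.0.3"))             # permit: .33 is outside the /27
    print(evaluate(ACL_101, "tcp", "192.168.9.1", "192.168.0.3", 443))      # deny
    print(evaluate(ACL_101, "tcp", "192.168.9.1", "192.168.0.3", 8080))     # permit
    print(evaluate(ONLY_PERMIT_SERVERS, "ip", "10.0.0.1", "192.168.0.3"))   # deny: implicit deny
```

Checking a few addresses on the edge of each range (192.168.5.31 versus 192.168.5.32, 192.168.15.255 versus 192.168.16.0) is the quickest way to confirm a wildcard mask before the list is applied to a live interface.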

Control inbound VTY access
example : Our router IP is 192.168.1.1 and we don’t want users from 192.168.5.0/27 to access Telnet on our router; SSH is available for them. The range 192.168.0.0/24 can access all services on the router. Other networks on the server side cannot access our router.

Router(config)# access-list 122 deny tcp 192.168.5.0 0.0.0.31 any eq 23
Router(config)# access-list 122 permit tcp 192.168.5.0 0.0.0.31 any eq 22
Router(config)# access-list 122 permit ip 192.168.0.0 0.0.0.255 any
Router(config)# access-list 122 deny ip any any

When the rules are ready we apply the access list to the VTY lines :
Router(config)# line vty 0 4
Router(config-line)# access-class 122 in
– “IN” means from ACL’s IPs to our VTYs
Router(config-line)# login local – use local DB of usernames/passwords
Router(config-line)# transport input telnet ssh – telnet and ssh are available for login

Control outbound VTY access
Let’s say that from the console of the router we prohibit Telnet/SSH access to the LAN network 192.168.5.0/27 and the servers network 192.168.0.0/24.
Router(config)# access-list 22 deny 192.168.5.0 0.0.0.31
Router(config)# access-list 22 deny 192.168.0.0 0.0.0.255
Router(config)# access-list 22 permit any

Router(config)# line console 0
Router(config-line)# access-class 22 out
– “OUT” means from console to IPs from ACL

3. Named ACL
Similar to extended, but a name is used for identification. I’m using these ACLs mainly. Syntax is «ip access-list extended NAME»
example : we need to block range 192.168.5.0/27 from accessing WWW on our server on 192.168.0.3. Other traffic should be allowed.

Router(config)# ip access-list extended BLOCK
Router(config-ext-nacl)# deny tcp 192.168.5.0 0.0.0.31 host 192.168.0.3 eq 80
Router(config-ext-nacl)# permit ip any any

Router(config)# interface FastEthernet0/0
Router(config-if)# ip access-group BLOCK in

4. Reflexive ACL
If we want to build stateful inspection on ACLs (we don’t want to use the Zone-based firewall), we can do it with a Reflexive ACL or a CBAC ACL. The difference is that Reflexive looks only up to L4, while CBAC can inspect traffic up to L7. The Zone-based firewall works like CBAC but is more complex and suited for large configurations. Example of a Reflexive ACL:

We allow outgoing traffic from the LAN to the server on WWW, HTTPS and SSH. All other traffic is denied by the implicit deny any any at the end of the list
Router(config)# ip access-list extended OUT_ACL
Router(config-ext-nacl)# permit tcp any host 192.168.0.3 eq 80 reflect STATEFUL
Router(config-ext-nacl)# permit tcp any host 192.168.0.3 eq 443 reflect STATEFUL
Router(config-ext-nacl)# permit tcp any host 192.168.0.3 eq 22 reflect STATEFUL

All incoming traffic from the Server to the LAN is denied; only return traffic is allowed
Router(config)# ip access-list extended IN_ACL
Router(config-ext-nacl)# evaluate STATEFUL
Router(config-ext-nacl)# deny ip any any log

We apply both access lists in direction to Server :
Router(config)# interface fastEthernet 0/1
Router(config-if)# ip access-group IN_ACL in
Router(config-if)# ip access-group OUT_ACL out
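How the reflect / evaluate pair above turns OUT_ACL into a temporary return-traffic entry, as an added Python model (not IOS code and not part of the original page): a permitted outbound flow creates a mirrored entry in the named reflexive list, IN_ACL admits only traffic matching such an entry, and entries age out after inactivity (the IOS global default for ip reflexive-list timeout is 300 seconds, which this model assumes). Flow, ReflexiveList, out_acl and in_acl are this example's own names.

```python
from dataclasses import dataclass, field
from typing import Dict, List

SERVER = "192.168.0.3"
# OUT_ACL from the page: permit tcp any host 192.168.0.3 eq {80,443,22} reflect STATEFUL
REFLECT_PORTS = {80, 443, 22}
# Reflexive entries are temporary; 300 s is the IOS default inactivity timeout (assumed here)
REFLEXIVE_TIMEOUT = 300


@dataclass(frozen=True)
class Flow:
    """A 5-tuple as seen in one direction."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirrored(self) -> "Flow":
        """The return direction: source and destination (and their ports) swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class ReflexiveList:
    """The entries IOS creates on the fly when a 'reflect' line matches."""
    name: str
    entries: Dict[Flow, float] = field(default_factory=dict)  # return flow -> expiry time
    log: List[str] = field(default_factory=list)              # what 'deny ip any any log' would record


def out_acl(flow: Flow, state: ReflexiveList, now: float) -> str:
    """OUT_ACL, applied outbound towards the server."""
    if flow.proto == "tcp" and flow.dst == SERVER and flow.dport in REFLECT_PORTS:
        # 'reflect STATEFUL': remember the mirrored flow so the reply can come back
        state.entries[flow.mirrored()] = now + REFLEXIVE_TIMEOUT
        return "permit"
    return "deny"  # implicit deny any any


def in_acl(flow: Flow, state: ReflexiveList, now: float) -> str:
    """IN_ACL, applied inbound from the server: 'evaluate STATEFUL', then 'deny ip any any log'."""
    expiry = state.entries.get(flow)
    if expiry is not None and now < expiry:
        state.entries[flow] = now + REFLEXIVE_TIMEOUT  # matching traffic refreshes the entry
        return "permit"
    if expiry is not None:
        del state.entries[flow]  # aged out: treat it like any unsolicited packet
    state.log.append(f"denied {flow.proto} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}")
    return "deny"


if __name__ == "__main__":
    stateful = ReflexiveList("STATEFUL")
    request = Flow("tcp", "192.168.5.10", 40000, SERVER, 443)   # constructed sample flow
    print(out_acl(request, stateful, now=0))                    # permit, entry created
    print(in_acl(request.mirrored(), stateful, now=10))         # permit, return traffic
    print(in_acl(Flow("tcp", SERVER, 22, "192.168.5.10", 40001), stateful, now=10))  # deny, logged
    print(in_acl(request.mirrored(), stateful, now=400))        # deny, entry aged out
```

The log list is the defender's view: after the list has been live for a while, every unsolicited connection attempt from the server side shows up there, which is exactly what the log keyword on the closing deny line gives you on the router.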

5. CBAC ACL
It’s a context-based access control list, which can inspect traffic up to L7.
In the first step we deny all incoming traffic from the INTERNET to the LAN :
Router(config)# ip access-list extended CBAC_IN
Router(config-ext-nacl)# deny ip any any log
Router(config)# interface fastEthernet 0/1
Router(config-if)# ip access-group CBAC_IN in

Then we define allowed outgoing connections from LAN
Router(config)# ip inspect name STATEFUL_CBAC telnet
Router(config)# ip inspect name STATEFUL_CBAC http
Router(config)# ip inspect name STATEFUL_CBAC ssh

And apply it on the same INTERNET interface fastEthernet 0/1 but in OUT direction
Router(config)# interface fastEthernet 0/1
Router(config-if)# ip inspect STATEFUL_CBAC out

Verify settings and connections:
show ip inspect name STATEFUL_CBAC
show ip inspect sessions

* To allow traffic generated by the router itself, add a rule similar to :
ip inspect name STATEFUL_CBAC tcp router-traffic

6. Dynamic ACL
Example of usage: a user first signs in to the router; then an entry is created for him in the ACL and access to the network is granted.
Router(config)# username LOGIN password 0 TEST – First step, create login for customers, AAA Radius can be used also
Router(config)# username LOGIN autocommand access-enable – For user LOGIN enable creation of dynamic entries inside ACLs

Router(config)# ip access-list extended DYN_ACL
Router(config-ext-nacl)# dynamic AUTH_SSH permit tcp any host 192.168.0.3 eq 22 – If the user is authenticated, create a rule permitting SSH access to the Server
Router(config-ext-nacl)# deny tcp any host 192.168.0.3 eq 22 – By default SSH access to the server is prohibited
Router(config-ext-nacl)# permit ip any any

Router(config)#interface FastEthernet0/0
Router(config-if)# ip access-group DYN_ACL in

7. Time-Based ACL
We can deny access to some services during a certain period of time (for example weekends 9:00-21:00)
Router(config)# ip access-list extended WEEKEND
Router(config-ext-nacl)# deny tcp 192.168.5.0 0.0.0.31 host 192.168.0.3 eq 80 time-range Weekend
Router(config-ext-nacl)# permit ip any any

Router(config)# time-range Weekend
Router(config-time-range)# periodic weekend 9:00 to 21:00

8. L2 access, Port based ACL – using of MAC ACL
On Cisco switches it’s simple :
Switch(config)# mac access-list extended MAC_ACL
Switch(config-ext-macl)# permit host c202.2725.0000 any

Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# mac access-group MAC_ACL in

But on a router it’s quite complicated :
We create a router MAC ACL – it’s an access-list in the 700-799 range :
Router(config)# access-list 701 permit c202.2725.0001 0000.0000.0000

We need to create a bridge
Router(config)# bridge irb
Router(config)# bridge 1 protocol ieee
Router(config)# bridge 1 route ip

And then we add port to the bridge and assign ACL
Router(config)# interface FastEthernet0/0
Router(config-if)# no ip address
Router(config-if)# bridge-group 1 input-address-list 701

Last step is to reassign IP address, now IP is on Bridge instead of physical interface
Router(config)# interface BVI 1
Router(config-if)# ip address 192.168.1.1 255.255.255.0

9. L2 access on switches – VACL (Vlan ACL) and Vlan Access maps
VLAN ACL (Vlan access maps) are used to filter L2 and L3 traffic on switches.
Logic of access maps is similar to route-maps, in our example we would like to block both IP address 192.168.5.5 and mac address c202.2725.0001 on VLAN 55.

Create a permit IP ACL that selects what will be blocked later:
Switch(config)# access-list 100 permit ip 192.168.5.5 0.0.0.0 any

Then define MAC ACL with permit statement about c202.2725.0001
Switch(config)# mac access-list extended BLOCK
Switch(config-ext-macl)# permit any host c202.2725.0001

And create a Vlan access map that matches both ACLs and drops them
Switch(config)# vlan access-map FILTERVLAN 10
Switch(config-access-map)# match ip address 100
Switch(config-access-map)# action drop
Switch(config)# vlan access-map FILTERVLAN 20
Switch(config-access-map)# match mac-address BLOCK
Switch(config-access-map)# action drop
Switch(config)# vlan access-map FILTERVLAN 30
Switch(config-access-map)# action forward

By default action forward is the implicit last statement of a vlan access-map, but I put it there to show that it’s used.

We need to apply the prepared vlan access-map to the selected VLAN 55
Switch(config)# vlan filter FILTERVLAN vlan-list 55