Standard, Extended and Named ACL. In this lesson, you will learn: ◦ Purpose of ACLs Its...

  • date post

    19-Dec-2015
  • Category

    Documents

Transcript of Standard, Extended and Named ACL

Page 1: Standard, Extended and Named ACL

Page 2:

In this lesson, you will learn:
◦ Purpose of ACLs
◦ Its application to an enterprise network
◦ How ACLs are used to control access
◦ Types of Cisco ACLs: Standard ACL, Extended ACL, Named ACL

Page 3:

An ACL is a router configuration script, an ordered list of permit and deny statements, that controls whether the router forwards or drops a packet based on fields in the packet header.

By default, a router has no ACLs configured and therefore does not filter traffic: every packet it can route is forwarded. An ACL filters nothing until it is applied to an interface in a given direction (inbound or outbound).

Page 4:

These are examples of IP ACLs that can be configured in Cisco IOS Software:
◦ Standard ACLs
◦ Extended ACLs
◦ IP-named ACLs
◦ And others

Page 5:

Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.

Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.

Configure ACLs on border routers, the routers situated at the edges of your network, so that they act as a buffer from the outside network. Placement follows from what the ACL can match on: a standard ACL sees only the source address, so place it close to the destination to avoid blocking more than intended; an extended ACL can identify the traffic precisely, so place it close to the source and drop unwanted packets before they cross the network.

Page 6:

ACL statements operate in sequential order, from the top of the list down.

If a packet header matches an ACL statement, that statement's action (permit or deny) is taken and the rest of the statements in the list are skipped.

If a packet header does not match a statement, the packet is tested against the next statement in the list.

A final implied statement (the IMPLICIT DENY) covers all packets for which no condition tested true. Two consequences follow: an ACL that contains only deny statements blocks all traffic, and the order of statements matters, because a broad statement placed early shadows any more specific statement below it.

Page 7:

access-list 99 deny 192.168.10.0 0.0.0.255
access-list 99 permit any

ACL 99 is a standard ACL (numbers 1 to 99 and 1300 to 1999), so it matches on the source address only. The wildcard mask 0.0.0.255 marks the last octet as "don't care", so the first statement matches every source in 192.168.10.0/24. The second statement is required: without it the implicit deny at the end of the list would block all other traffic as well.

Page 8:

Extended ACLs
◦ Extended ACLs filter IP packets based on several attributes: protocol type, source IP address, destination IP address, source TCP or UDP port, and destination TCP or UDP port.
◦ In the figure, ACL 102 denies FTP and Telnet traffic originating from any address on 192.168.10.0/24 from leaving the network.

Page 9:

access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq ftp
access-list 102 permit ip any any

Apply the access list inbound on the Fa0/1 interface of R1 (the interface facing 192.168.10.0/24), so the packets are dropped as they enter the router rather than after they have been routed. Two details worth checking: every statement of an extended ACL (numbers 100 to 199 and 2000 to 2699) must name a protocol and both a source and a destination, so the final entry is "permit ip any any", not "permit any"; and "eq ftp" matches only the FTP control port (TCP 21), which is sufficient because no FTP data connection can be set up without the control session.
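As an added example, not part of the original slides, the following Python script models the processing rules from pages 6 to 9: it parses the ACL 99 and ACL 102 statements above, tests a packet top-down, stops at the first match, and applies the implicit deny when nothing matches. It goes slightly beyond the slides by also accepting the TCP-only established keyword that appears later in the lesson, so the stateless nature of that check can be observed. The Packet class, the small port-name table and every address in the demo are constructed for illustration.

```python
"""Toy first-match evaluator for Cisco IOS numbered ACLs (added example).

Supported syntax (destination-port qualifiers only):
  access-list N [permit|deny] SRC                               (standard)
  access-list N [permit|deny] PROTO SRC DST [eq P | range LO HI]
                              [established] [log]               (extended)
where SRC/DST are "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
"""
import ipaddress
from dataclasses import dataclass

# Constructed name table; IOS knows many more well-known port names.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80, "snmp": 161}
ANY = ("0.0.0.0", "255.255.255.255")


@dataclass
class Packet:                # constructed for the demo, not a real packet parser
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False        # True when the TCP ACK (or RST) flag is set


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def _addr(tok, i):
    """Consume one address spec at tok[i]; return ((base, wildcard), next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def parse_ace(line):
    """Turn one 'access-list N ...' statement into a rule dictionary."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an ACL statement: " + line)
    rule = {"action": tok[2], "proto": "ip", "dports": None,
            "established": False, "log": False}
    i = 3
    if tok[i] in ("ip", "tcp", "udp", "icmp"):     # extended: proto src dst ...
        rule["proto"], i = tok[i], i + 1
        rule["src"], i = _addr(tok, i)
        rule["dst"], i = _addr(tok, i)
    else:                                           # standard: source only
        rule["src"], i = _addr(tok, i)
        rule["dst"] = ANY
    while i < len(tok):                             # optional qualifiers
        if tok[i] == "eq":
            p = _port(tok[i + 1]); rule["dports"] = (p, p); i += 2
        elif tok[i] == "range":
            rule["dports"] = (_port(tok[i + 1]), _port(tok[i + 2])); i += 3
        elif tok[i] == "established" and rule["proto"] == "tcp":  # TCP-only, as in IOS
            rule["established"] = True; i += 1
        elif tok[i] == "log":
            rule["log"] = True; i += 1
        else:
            raise ValueError("unsupported token: " + tok[i])
    return rule


def matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *rule["src"])
            and wildcard_match(pkt.dst, *rule["dst"])):
        return False
    if rule["dports"] is not None and not (rule["dports"][0] <= pkt.dport <= rule["dports"][1]):
        return False
    if rule["established"] and not pkt.ack:         # stateless: only the flag is inspected
        return False
    return True


def evaluate(acl_lines, pkt):
    """Top-down, first match wins: (action, 1-based entry) or ('deny', None)."""
    for n, line in enumerate(acl_lines, 1):
        rule = parse_ace(line)
        if matches(rule, pkt):
            return rule["action"], n
    return "deny", None                             # the implicit deny


ACL99 = ["access-list 99 deny 192.168.10.0 0.0.0.255",
         "access-list 99 permit any"]
ACL102 = ["access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq telnet",
          "access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq ftp",
          "access-list 102 permit ip any any"]

if __name__ == "__main__":
    print(evaluate(ACL99, Packet("tcp", "192.168.10.7", "10.1.1.1")))                 # ('deny', 1)
    print(evaluate(ACL102, Packet("tcp", "192.168.10.5", "203.0.113.9", 40000, 23)))  # ('deny', 1)
    print(evaluate(ACL102, Packet("udp", "192.168.10.5", "203.0.113.9", 40000, 23)))  # ('permit', 3)
```

Run it with python3 and then delete the "permit any" line from ACL99: every packet now returns ('deny', None), which is the implicit deny in action. Feeding a packet with ack=True to an established rule shows why that keyword alone is not a session check.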

Page 10:
Page 11:
Page 12:
Page 13:
Page 14:
Page 15:

◦ Deny all traffic from private (RFC 1918) source addresses.
◦ Allow all TCP sessions already established (ACK bit set).
◦ Deny anyone from entering your network from the outside with an internal source address (spoofing your network) and log each packet occurrence.
◦ Deny the infamous Donald Dick and Prosiak ports.
◦ Deny the Deepthroat and Sockets des Troie ports.
◦ Deny any SNMP requests from the outside. SNMP is a valuable tool to attackers for network discovery.
◦ Permit packets that were not previously rejected to enter your network.

Page 16:

1. access-list 100 deny ip 10.0.0.0 0.255.255.255 any log

2. access-list 100 deny ip 172.16.0.0 0.15.255.255 any log

3. access-list 100 deny ip 192.168.0.0 0.0.255.255 any log

4. access-list 100 deny ip any host 127.0.0.1 log

5. access-list 100 permit tcp any [your network IP address] [your network wildcard mask] established

6. access-list 100 deny ip [your network IP address] [your network wildcard mask] any log

7. access-list 100 deny tcp any any eq 22222 log

8. access-list 100 deny tcp any any range 60000 60020 log

9. access-list 100 deny udp any any eq snmp log

10. access-list 100 permit ip any any

The list is applied inbound on the interface that faces the outside network. The mask in entries 5 and 6 is a Cisco wildcard mask (the inverse of the subnet mask, for example 0.0.0.255 for a /24), not the subnet mask itself.

Page 17:

Entry 5, "permit tcp any [your network IP address] [your network wildcard mask] established", allows inbound TCP segments that belong to sessions already established, which IOS recognises by the ACK or RST bit being set. The purpose of this entry is to ensure that if your firewall allows a connection request to leave your network, the router does not stop its return. The slide abbreviates the keyword as "est" and writes the protocol as "ip"; the keyword is established and IOS accepts it only with protocol tcp. Note that this check is stateless: the router inspects only the flag bits, so an attacker can craft packets with ACK set and reach internal TCP ports through this entry. Verifying that a session really exists requires a stateful feature such as reflexive ACLs or the IOS zone-based firewall.

Entry 6, "deny ip [your network IP address] [your network wildcard mask] any log", denies anyone from entering your network from the outside with an internal source address (spoofing your network) and logs each packet occurrence. This is very important for good security. If your network uses an RFC 1918 range, entries 1 to 3 already match those packets, so entry 6 never fires and its log message never appears; keep it anyway so the list stays correct if the addressing changes.

Entry 7, "deny tcp any any eq 22222 log", denies the infamous Donald Dick and Prosiak ports.

Entry 8, "deny tcp any any range 60000 60020 log", denies the Deepthroat and Sockets des Troie ports. Entries 7 and 8 block the default listening ports of specific, dated Windows trojans; they catch only those tools on those ports, so treat them as illustrations of port-based blocking rather than as protection against current malware. Because entry 5 precedes them, legitimate return traffic to a local client using an ephemeral port in 60000 to 60020 is still permitted.

Entry 9, "deny udp any any eq snmp log", denies any SNMP request (UDP port 161) from the outside. SNMP is a valuable tool to attackers for network discovery: a community string that is guessed or left at its default exposes interface, routing and ARP tables.

Entry 10, "permit ip any any", permits packets that were not previously rejected to enter your network. With this final permit the list behaves as a blocklist: everything not explicitly denied is allowed. Omitting it turns the list into an allowlist, where the implicit deny drops everything not explicitly permitted, which is the more defensible default for an Internet-facing interface.
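As an added example, not code from the original lesson, the following Python script fills in the placeholders of ACL 100 for a network given in CIDR notation, converts the prefix to the wildcard mask IOS expects, emits the interface commands that apply the list inbound, and reports which entries can never match because an earlier entry already covers them (entry 6 when the network is an RFC 1918 range). The interface name is a placeholder; the script assumes a single IPv4 prefix and writes entry 5 with protocol tcp and the full keyword established, as IOS requires.

```python
"""Build the lesson's ten-entry inbound edge ACL for a given network and
check it for shadowed entries (added example, not from the original slides).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp" or "udp"
    src: str             # IPv4 prefix in CIDR form; "0.0.0.0/0" renders as "any"
    dst: str
    qualifier: str = ""  # "eq 22222", "range 60000 60020", "established", ...
    log: bool = False


def fmt_addr(cidr):
    """Render a prefix the way IOS expects: any / host A.B.C.D / base wildcard."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # hostmask == Cisco wildcard mask


def render(number, ace):
    parts = ["access-list", str(number), ace.action, ace.proto,
             fmt_addr(ace.src), fmt_addr(ace.dst)]
    if ace.qualifier:
        parts.append(ace.qualifier)
    if ace.log:
        parts.append("log")
    return " ".join(parts)


def build_acl100(my_net):
    """The lesson's ACL 100 with both placeholders filled from my_net (CIDR)."""
    ipaddress.ip_network(my_net, strict=True)            # fail early on a bad prefix
    return [
        Ace("deny",   "ip",  "10.0.0.0/8",     "0.0.0.0/0", log=True),   # RFC 1918 sources
        Ace("deny",   "ip",  "172.16.0.0/12",  "0.0.0.0/0", log=True),
        Ace("deny",   "ip",  "192.168.0.0/16", "0.0.0.0/0", log=True),
        Ace("deny",   "ip",  "0.0.0.0/0", "127.0.0.1/32", log=True),     # loopback destination
        Ace("permit", "tcp", "0.0.0.0/0", my_net, "established"),          # return traffic
        Ace("deny",   "ip",  my_net, "0.0.0.0/0", log=True),               # anti-spoofing
        Ace("deny",   "tcp", "0.0.0.0/0", "0.0.0.0/0", "eq 22222", log=True),
        Ace("deny",   "tcp", "0.0.0.0/0", "0.0.0.0/0", "range 60000 60020", log=True),
        Ace("deny",   "udp", "0.0.0.0/0", "0.0.0.0/0", "eq snmp", log=True),
        Ace("permit", "ip",  "0.0.0.0/0", "0.0.0.0/0"),
    ]


def shadowed_entries(acl):
    """Return (entry, shadowed_by) pairs, numbered 1-based like the slide.

    Entry i can never match if an earlier entry j has no port or flag
    qualifier, matches protocol ip (or the same protocol), and covers both
    i's source and destination prefixes. When the actions agree only the
    logging differs; when they differ, entry i's intent is silently lost.
    """
    nets = [(ipaddress.ip_network(a.src), ipaddress.ip_network(a.dst)) for a in acl]
    found = []
    for i, ace in enumerate(acl):
        for j in range(i):
            earlier = acl[j]
            if earlier.qualifier or earlier.proto not in ("ip", ace.proto):
                continue
            if nets[i][0].subnet_of(nets[j][0]) and nets[i][1].subnet_of(nets[j][1]):
                found.append((i + 1, j + 1))
                break
    return found


def config_lines(my_net, interface="GigabitEthernet0/0"):   # interface name is a placeholder
    """Complete IOS snippet: the ACL plus its inbound application on the edge interface."""
    lines = [render(100, a) for a in build_acl100(my_net)]
    lines += [f"interface {interface}", " ip access-group 100 in"]
    return lines


if __name__ == "__main__":
    for line in config_lines("192.168.10.0/24"):
        print(line)
    print("shadowed:", shadowed_entries(build_acl100("192.168.10.0/24")))   # [(6, 3)]
```

Running it for 192.168.10.0/24 prints the finished configuration and reports that entry 6 is shadowed by entry 3, so the spoofing log message from entry 6 will never appear on a privately addressed network; for a public prefix such as 203.0.113.0/24 the report is empty and entry 6 does the work the slide describes.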

Page 18:
Page 19: