Extended IP Access Lists

Unlike standard IP access lists (which only allow you to filter packets based on their source IP address), extended IP access lists allow a much more granular level of control. Extended IP access lists allow filtering not only on source addresses, but also on destination addresses, protocols, and even applications, based on their port number. For example, you might choose to permit or deny a group of hosts from accessing a particular server, limit access to a telnet server to only a single host, or similar. Recall that extended IP access lists are identified through their use of the 100-199 numerical range.

The syntax of an extended IP access list is similar to that of a standard IP access list, though obviously a little longer, based on the additional filtering options available.

access-list access-list-number {deny | permit} {ip | tcp | udp | icmp} source [source-mask] dest [dest-mask] [{lt | gt | eq | neq} dest-port] [log]

Although the command looks quite complex, you won’t be required to remember every option. The syntax of the command is actually the same as the syntax of a standard IP access list up until the permit or deny statement. That statement is followed by the protocol type you wish to specify, and then the source and destination addresses. The end of the statement allows you to specify the port number(s) for which the rule applies.

For example, let’s say that we want to deny all hosts on network 192.168.20.0/24 from accessing ServerA via telnet, as shown in the figure below. The command to add this entry to access list 102 is shown below, using help to walk through the command step-by-step.

Figure: An inbound extended IP access list on RouterA interface E0 denies hosts on network 192.168.20.0/24 from accessing ServerA via telnet.

RouterA(config)#access-list 102 deny ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
igrp Cisco's IGRP routing protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol

The help function lists the different protocols on which packets can be filtered. Because telnet functions over TCP port 23, we’ll choose tcp as our protocol.

RouterA(config)#access-list 102 deny tcp ?
A.B.C.D Source address
any Any source host
host A single source host

The next step is specifying the source host address, followed by a wildcard mask. In this case, we want our list to apply to all hosts on network 192.168.20.0/24, so our wildcard mask is 0.0.0.255.

RouterA(config)#access-list 102 deny tcp 192.168.20.0 0.0.0.255 ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
RouterA(config)#access-list 102 deny tcp 192.168.20.0 0.0.0.255 192.168.99.1 ?
A.B.C.D Destination wildcard bits

The next step is specifying our destination host address. I chose to enter the destination IP address followed by the wildcard mask of 0.0.0.0. Recall that the host keyword can also be used when specifying a single host.

RouterA(config)#$ 102 deny tcp 192.168.20.0 0.0.0.255 192.168.99.1 0.0.0.0 ?
ack Match on the ACK bit
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
tos Match packets with given TOS value
urg Match on the URG bit

Notice the $ sign that appears next to the prompt above. This is simply an indicator that the command entered is too long to fit on a single line, so the display has scrolled horizontally and the beginning of the command is hidden from view.

One additional caveat at this point – if we had pressed enter after entering the destination wildcard mask, our access list entry would be accepted. However, it would also deny all TCP traffic from network 192.168.20.0/24 to host 192.168.99.1. The last step in configuring our extended access list is specifying the TCP port number (or protocol name) that we wish to deny – in this case port 23. By using the eq (equal to) operator, we can specify that this access list entry applies to port 23 only. You can also specify certain protocols by name, as shown below.

RouterA(config)#$t tcp 192.168.20.0 0.0.0.255 192.168.99.1 0.0.0.0 eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (used infrequently, 20)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pim-auto-rp PIM Auto-RP (496)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)
RouterA(config)#$tcp 192.168.20.0 0.0.0.255 192.168.99.1 0.0.0.0 eq 23

After issuing the completed command, our extended IP access list now includes a single entry, which denies hosts on network 192.168.20.0/24 from sending telnet traffic destined for host 192.168.99.1 through the router. Remember, however, that the access list doesn’t actually filter traffic until applied to an interface. Also recall that all access lists end with the implicit deny statement. As such, we should add an entry that allows all other traffic to be forwarded by the router, and apply the list to an interface. To allow all other traffic to pass, we will need to add another entry to access list 102.

RouterA(config)#access-list 102 permit ip any any

Notice the syntax of the command. It adds an entry to extended IP access list 102, telling it to permit all IP traffic from any source to any destination. This is a common statement, and will meet our needs. To view access list 102, use the show ip access-list 102 command.

RouterA#show ip access-list 102
Extended IP access list 102
deny tcp 192.168.20.0 0.0.0.255 host 192.168.99.1 eq telnet
permit ip any any

Even though we didn’t specify a protocol name in our original access list entry, the router still recognizes TCP port 23 as being a telnet port.

Our final step is applying this access list to an interface, and specifying whether it will be applied inbound or outbound. Extended IP access lists should always be applied close to the source network rather than the destination. This helps to ensure that unnecessary traffic does not need to traverse a large portion of the network prior to being blocked. In this case, we’ll apply access list 102 as an inbound access list on interface Ethernet0, using the ip access-group command from interface configuration mode.

RouterA(config)#interface ethernet0
RouterA(config-if)#ip access-group 102 in

The show ip access-list command will show us all IP access lists defined on the router, including how many times each condition listed has been matched.

RouterA#sh ip access-list
Extended IP access list 102
deny tcp 192.168.20.0 0.0.0.255 host 192.168.99.1 eq telnet
permit ip any any (404 matches)
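To make the matching rules behind the output above concrete (wildcard masks, top-down first-match evaluation, the match counters, the implicit deny, and the caveat that an entry without eq 23 blocks all TCP), here is a small evaluator for the two entries of access list 102. It is an added example, not IOS code or anything from the original page; the port-name table is a constructed subset of the help output, and the packets fed to it are constructed.

```python
import ipaddress

# Constructed subset of the port names IOS accepts in place of numbers.
PORT_NAMES = {"telnet": 23, "ftp": 21, "smtp": 25, "domain": 53, "www": 80}
OPS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
       "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_entry(line):
    """Parse one entry as typed after 'access-list 102 ' (host keyword or 0.0.0.0 form)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, dst = parse_addr(rest), parse_addr(rest)
    port_test = None
    if rest and rest[0] in OPS:                # e.g. 'eq telnet' or 'eq 23'
        port_test = (rest[0], int(PORT_NAMES.get(rest[1], rest[1])))
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "port": port_test, "matches": 0}

def entry_matches(e, pkt):
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])):
        return False
    if e["port"] is None:                      # no port test: the whole protocol matches
        return True
    op, n = e["port"]
    return pkt.get("dport") is not None and OPS[op](pkt["dport"], n)

def evaluate(acl, pkt):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for e in acl:
        if entry_matches(e, pkt):
            e["matches"] += 1                  # shown by 'show ip access-list' as (N matches)
            return e["action"]
    return "deny"

# Constructed: access list 102 exactly as built on the page.
ACL_102 = [parse_entry(l) for l in (
    "deny tcp 192.168.20.0 0.0.0.255 host 192.168.99.1 eq telnet",
    "permit ip any any")]
```

Feed it a telnet packet from 192.168.20.x to 192.168.99.1 and it returns deny; the same packet to port 22, or telnet from another network, falls through to the permit ip any any entry.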

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.