Saturday 6 August 2016

Configure Extended Access Control List Step by Step Guide

Configure Extended Access Control List Step by Step Guide


In this tutorial I will explain how to create Extended Access List, how to enable extended ACL in interface, how to edit extended ACL, how to delete extended ACL, how to update extended ACL and how to verify extended ACL implementation with show command in detail with examples.
This tutorial is the last part of our article “Cisco IP ACL Configuration Guide”. You can read other parts of this article here:-

Access Control List Explained with Examples

This tutorial is the first part of this article. In this part I provided a brief introduction to Cisco IP ACLs such as what is ACL and how it works including ACLs direction and locations.

Standard ACL Configuration Commands Explained

This tutorial is the second part of this article. In this part I explained Standard Access Control List configuration commands and its parameters in detail with examples.

Configure Standard Access Control List Step by Step Guide

This tutorial is the third part of this article. In this part I provided a step by step configuration guide for Standard Access Control List.

Extended ACL Configuration Commands Explained

This tutorial is the fourth part of this article. In this part I explained Extended Access Control List configuration commands and its parameters in detail with examples.
For demonstration purpose I will use packet tracer network simulator software. You can use it or can use any other network simulator software such as Boson, NetSim, GNS etc.
Create a topology as illustrate in following figure.
Extended ACL Example
For detail information about this topology please see the third part of this article. This is same network topology which I used to explain Standard ACL. For this article I assume that you have above network topology in your network simulator software with following essential configurations:-
  • IP address is assigned on all end devices.
  • IP addresses are configured on all used interfaces (in both routers).
  • RIPv2 (or any other routing protocol) is configured
In this network, at this moment all sections are connected with each other’s. Users are able to access all resources from other sections as well as their own. You are hired to secure this network.
If you are following this tutorial in packet tracer, you can download my practice topology with above essential configuration.
Download practice topology for Extended ACL configuration
This network has following security requirements.
  • Company has three servers. Assign one server for each section; Server0 for development section, Server1 for production section and Server2 for management section. Sections should be able to access only their own server. They are not allowed to access each other’s server.
  • Development section should be able to access production section. It should not be able to access management section.
  • Production section should be able to access development section. It should not be able to access management section.
  • Users from development are not allowed to ping their server (Server0). But they are allowed to access all services running on their server.
  • One user (PC0) from development section should not be able to access anything except its own section.
  • One user (PC2) is allowed to access only web server from server.
  • One user (PC3) from production section should also be able to access management section.
  • One user (laptop0) from management section should be able to access only Server section not the development section and production section. He is allowed to access only ftp and web service from server.

ACL Locations

For above requirements we need to secure three locations. For each location we need a separate ACL.
Extended ACL location and direction
As you know we can create an extended ACL in three ways:-
  1. Classic Numbered
  2. Modern Numbered
  3. Modern Named
To get a better overview of these methods we will use all of them in our example.
ACL Number / NameACL TypeACL DirectionApplied Interface
110Classic NumberedInboundR1’s Fa0/0
120Modern NumberedInboundR1’s Fa0/1
SecureManageModern NumberedInboundR2’s Fa0/0
Understanding ACL Location and requirements
Unlike standard ACL where we are limited with source address, in extended ACL we have a lot more options to match the packet. Due to these options we should always place an extended ACL near to the source address. This way an unwanted packet will be filtered as soon as it enters in the network. As I explained in third part of this article, we should always create ACL conditions in paper before router. This way we can edit/update/reorder/delete ACL conditions without messing a live network. Once satisfied we can migrate them in router easily.
ACL-110
This will be our first ACL. We will create this ACL in router R1 and enable it in interface Fa0/0. It will filter traffic in inward direction. This ACL will be used to fulfill following requirements:-
Development section should be able to access production section. It should not be able to access management section.
For this requirement we need two statements; one permit statement for production section and another deny statement for management section.
permit ip 200.0.0.0 0.0.0.127 200.0.0.128 0.0.0.63
deny ip 200.0.0.0 0.0.0.127 200.0.0.192 0.0.0.31
Our statement starts with action (permit or deny). When a match found, what action should router take? It is defined by this keyword. With permit keyword we tell router that if match found, let the packet go. With deny keyword we tell router that when a match found, discard the packet immediately.
After action we need to specify the level of filtering. Extended ACL allows us to filter a packet based on its address or application. In this requirement we are asked to filter all packets regardless what applications data they are carrying. For this requirement we have to use IP keyword. With IP keyword we are tells router that matches all IP packets no matter which IP applications is sending /receiving data.
Later we need to provide source address and destination address with wildcard mask. To match a network range, we need to use network ID. In this requirement we are filtering traffic that is originated form development section (Network ID 200.0.0.0) and going to production section (Network ID 200.0.0.128) and management section (Network ID 200.0.0.192).
Along with network ID we need to provide wildcard mask. Wildcard mask controls the range of addresses which will be matched. Wildcard mask are explained in detail with example in second part of this article.
Sections should be able to access only their own server. They are not allowed to access each other’s server.
We need two conditions for this requirement. First permit condition which allows development section to access its own server. Second deny condition which blocks it from accessing other servers from server section.
permit ip 200.0.0.0 0.0.0.127 host 200.0.0.226 deny ip 200.0.0.0 0.0.0.127 200.0.0.224 0.0.0.15
Users from development are not allowed to ping their server (Server0). But they are allowed to access all services running on their server.
For this requirement we need to create a deny statement.
deny icmp 200.0.0.0 0.0.0.127 host 200.0.0.226 echo
In this statement:-
  • deny keyword specifies the action.
  • icmp keyword tells router that we want to match a packet based on ICMP protocol.
  • 200.0.0.0 is the network ID of development section (Source).
  • 0.0.0.127 is the wildcard mask of source address.
  • host keyword tells router that we want to match a single host.
  • 200.0.0.226 is the IP address of server (Destination).
  • echo keyword is used to specify the type of message (ping) which we want match.
One user (PC0) from development section should not be able to access anything except its own section.
For this requirement we need following deny statement.
deny ip host 200.0.0.2 any
In this statement :-
  • deny is the action which say drop the packet that match with this criteria.
  • ip is the base line for filter which say match all IP traffics regardless which IP application it carry
  • host keyword is used to match a single host.
  • 200.0.0.2 is the source IP address.
  • any keyword is used to match all addresses. It says match all packets.
We can also use wildcard mask instead of host and any keywords. For host keyword wildcard mask 0.0.0.0 is used. For any keyword 0.0.0.0 address and 255.255.255.255 wildcard mask is used. With this approach above condition would be
deny ip 200.0.0.2 0.0.0.0 0.0.0.0 255.255.255.255
Both methods work exactly same. It’s only a matter of choice which method you prefer.
Okay let’s have a quick look on our requirements and statement once again
Development section (200.0.0.0 0.0.0.127) should be able to access production section (200.0.0.128 0.0.0.63). It (200.0.0.0 0.0.0.127) should not be able to access management section (200.0.0.192 0.0.0.31).
Development section (200.0.0.0 0.0.0.127) should be able to access only its own server (200.0.0.226). Development section (200.0.0.0 0.0.0.127) is not allowed to access any other sever from server section (200.0.0.224 0.0.0.15).
Users from development section (200.0.0.0 0.0.0.127) are not allowed to ping their server (200.0.0.226).
One user (200.0.0.2) from development section should not be able to access anything except its own section.
permit ip 200.0.0.0 0.0.0.127 200.0.0.128 0.0.0.63
deny ip 200.0.0.0 0.0.0.127 200.0.0.192 0.0.0.31
permit ip 200.0.0.0 0.0.0.127 host 200.0.0.226
deny ip 200.0.0.0 0.0.0.127 200.0.0.224 0.0.0.15
deny icmp 200.0.0.0 0.0.0.127 host 200.0.0.226 echo
deny ip host 200.0.0.2 any
Can we create statements in above order? Technically yes, router will accept statements in any order. It does not have a brain to understand our requirements. It will do what we will say it to do. So it’s our responsibility to give it order in correct sequence. As we know ACL statements are matched from top to down without skipping any condition. Once a match is found, next condition will never be checked for that packet.
If we create statements in above order, last two statements will never match any packet. Statement fifth says drop an icmp packet if it is originated from 200.0.0.0/25 network and going for 200.0.0.226 host. While statement three says allow all IP packets if they are originated from network 200.0.0/25 and going for host 200.0.0.226.
Just like this, statement six says deny a packet if it is coming from host 200.0.0.2 while statement one says allow packets if they are coming from 200.0.0.0/25 and going for 200.0.0.128/192.
Thus statement fifth is overruled by statement three, while statement six is override by statement one.
For more detail about how ACLs are processed please see the first part of this article which explains this process in detail with example.
Okay let’s arrange conditions in correct order
deny ip host 200.0.0.2 any
permit ip 200.0.0.0 0.0.0.127 200.0.0.128 0.0.0.63
deny ip 200.0.0.0 0.0.0.127 200.0.0.192 0.0.0.31
deny icmp 200.0.0.0 0.0.0.127 host 200.0.0.226 echo
permit ip 200.0.0.0 0.0.0.127 host 200.0.0.226
deny ip 200.0.0.0 0.0.0.127 200.0.0.224 0.0.0.15
I have explained how ACL are processed in detail with example in first part of this article.
ACL-120
ACL-20 will filter incoming traffic from production department in R1’s Fa0/1. Production department has following requirements:-
Sections should be able to access only their own server. They are not allowed to access each other’s server.
For this requirement we need two statements. First statement will allow production department to access its server Server1. Second statement will block production section from accessing other resources from server section.
permit ip 200.0.0.128 0.0.0.63 host 200.0.0.227
deny ip 200.0.0.128 0.0.0.63 200.0.0.224 0.0.0.15
Production section should be able to access development section. It should not be able to access management section.
This requirement needs two conditions. First condition allows production section to access development section. Second condition blocks production section to access management section.
permit ip 200.0.0.128 0.0.0.63 200.0.0.0 0.0.0.127
deny ip 200.0.0.128 0.0.0.63 200.0.0.0 0.0.0.31
One user (PC2) is allowed to access only web server from server.
For this requirement we need two statements. First statement allows host 200.0.0.130 to access web server from Server. Second condition blocks this host from accessing anything from Sever.
permit tcp host 200.0.0.130 host 200.0.0.227 eq 80
deny ip host 200.0.0.130 host 200.0.0.227
eq is the operator which stands for equal.
80 is the port number of web server. We can also use keyword www here instead of port number. Collectively eq 80 says “match a packet which is going for web server”. If you are asked to match secure web server, use port number 443. For more detail about port number and operator please check previous part of this article.
One user (PC3) from production section should also be able to access management section.
We need one permit condition for this requirement.
permit ip host 200.0.0.131 200.0.0.192 0.0.0.31
Okay let’s arrange above conditions in proper order.
permit ip 200.0.0.128 0.0.0.63 200.0.0.0 0.0.0.127
permit ip host 200.0.0.131 200.0.0.192 0.0.0.31
deny ip 200.0.0.128 0.0.0.63 200.0.0.0 0.0.0.31
permit tcp host 200.0.0.130 host 200.0.0.227 eq 80
deny ip host 200.0.0.130 host 200.0.0.227
permit ip 200.0.0.128 0.0.0.63 host 200.0.0.227
deny ip 200.0.0.128 0.0.0.63 200.0.0.224 0.0.0.15
ACL-SecureManagement
This ACL will filter incoming traffic from management section in router R2’s Fa0/0. Management section has following requirements
Sections should be able to access only their own server. They are not allowed to access each other’s server.
permit ip 200.0.0.192 0.0.0.31 host 200.0.0.228
deny ip 200.0.0.192 0.0.0.31 200.0.0.224 0.0.0.15
One user (laptop0) from management section should be able to access only Server section not the development section and production section. He is allowed to access only tftp and telnet service from server.
For this requirement we need three statements. First statement allows user to access ftp service from server. Second statement allows user to access web service. Last statement blocks it from accessing server.
permit tcp host 200.0.0.194 host 200.0.0.228 eq 21
permit udp host 200.0.0.194 host 200.0.0.228 eq 80
deny ip host 200.0.0.194 host 200.0.0.228
We need to add one more permit statement in this ACL for following requirement
One user (PC3) from production section should also be able to access management section.
permit ip 200.0.0.192 0.0.0.31 host 200.0.0.131
We have already allowed this user in ACL-20 then why we need above permit statement for this user in this ACL. Any guesses…..
To understand this statement we need to have a quick look on how data flows:-
  • PC3 (200.0.0.131) generates a packet with destination Laptop1 (200.0.0.195).
  • PC3 sends this packet to router R1.
  • R1 receives this packet in interface FastEthernet 0/1.
  • Interface FastEthernet 0/1 has an inbound ACL (Numbered ACL -120) in FastEthernet 0/1.
  • ACL-120 will compare this packet and let it in as it has an allow statement for this situation.
  • R1 will forward this packet from its Serial 0/0/0.
  • R2 will receive this packet in its Serial 0/0/0.
  • R2 will forward this packet from Fa0/0.
  • This packet will be received by Laptop1 (200.0.0.195).
  • Laptop1 ( source 200.0.0.195) will respond to PC3 (destination 200.0.0.131).
  • R2 will receive return packet in FastEthernet 0/0.
  • This interface has an inbound ACL (Named ACL-SecureManagement).
  • This ACL has not statement for this packet.
  • Every ACL has a default implicit deny statement in its end. This statement uses any (source) any (destination) keyword in matching criteria which means it does not care from where packet is coming and where it is going. It will match every packet that is compared with it. If packet does not match with any condition in ACL then it will be matched with implicit deny statement.
  • Since there is no defined condition for our packet, it will matched with default implicit deny statement.
  • Our packet will be dropped as soon as it meets with implicit deny statement.
  • This way source PC will never receive a response from destination PC.
extended acl data flow example
To allow return traffic from management section we need a permit statement for PC3.
Here I have question for you “How ACLs are processed and what is implicit deny?”
If you know the answer, great keep going. If you don’t know the answer, I would suggest you to take a pause here and go through the first part of this article.
First part of this article covers essential features of ACL in detail such as Implicit deny, ACL types, how ACL statements are processed and data flow directions.
Oaky lets arrange statements in proper order for ACL-SecureManagement
permit tcp host 200.0.0.194 host 200.0.0.228 eq 21
permit udp host 200.0.0.194 host 200.0.0.228 eq 80
deny ip host 200.0.0.194 host 200.0.0.228
permit ip 200.0.0.192 0.0.0.31 host 200.0.0.228
deny ip 200.0.0.192 0.0.0.31 200.0.0.224 0.0.0.15
permit ip 200.0.0.192 0.0.0.31 host 200.0.0.131
That’s all paper work we need to do before creating real ACLs. Well… you may be a little bit annoyed with all above preparation. But believe me friends; it will save a lot of time and effort in Cisco exams and as well as in job life.

Create Extended ACL

An extended ACL can be created in two ways:-
  1. Classic numbered method
  2. Modern numbered or named method
Classic numbered method uses following global configuration mode command
Router(config)#access-list ACL_Identifier_number permit|deny IP_protocol
source_address  source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]
Modern numbered or named method uses following global configuration mode commands
Router(config)#ip access-list extended ACL_name_number
Router(config-ext-acl)# permit|deny IP_protocol source_IP_address wildcard_mask [protocol_information] destination_IP_address wildcard_mask [protocol_information] [log]
I have already explained above commands and parameters in detail with examples in previous part of this article. For this part I assume that you are familiar with above commands.
In our example we will create two ACLs (110 and 120) in Router1 and one ACL (SecureManagement) in Router2.
Okay let’s create them one by one

ACL-110 (Configuration style - Classical Numbered)

Access CLI prompt of Router1 and enter in global configuration mode
access router cli packet tracer
Enter following commands
Router(config)#access-list 110 deny ip host 200.0.0.2 any
Router(config)#access-list 110 permit ip 200.0.0.0 0.0.0.127 200.0.0.128 0.0.0.63
Router(config)#access-list 110 deny ip 200.0.0.0 0.0.0.127 200.0.0.192 0.0.0.31
Router(config)#access-list 110 deny icmp 200.0.0.0 0.0.0.127 host 200.0.0.226 echo
Router(config)#access-list 110 permit ip 200.0.0.0 0.0.0.127  host 200.0.0.226
Router(config)#access-list 110 deny ip 200.0.0.0 0.0.0.127 200.0.0.224 0.0.0.15
Great job, we have just created our first ACL with classic numbered method. Now let’s create our second ACL, but this time use modern numbered method.

ACL-120 (Configuration style – Modern Numbered)

Router(config)#ip access-list extended 120
Router(config-ext-acl)# permit ip  200.0.0.128 0.0.0.63 200.0.0.0 0.0.0.127
Router(config-ext-acl)# permit ip host 200.0.0.131 200.0.0.192 0.0.0.31
Router(config-ext-acl)# deny ip 200.0.0.128 0.0.0.63 200.0.0.192 0.0.0.31
Router(config-ext-acl)# permit tcp host 200.0.0.130 host 200.0.0.227 eq 80
Router(config-ext-acl)# deny ip host 200.0.0.130 host 200.0.0.227
Router(config-ext-acl)# permit ip 200.0.0.128 0.0.0.63 host 200.0.0.227
Router(config-ext-acl)# deny ip 200.0.0.128 0.0.0.63 200.0.0.224 0.0.0.15
Router(config-ext-acl)#exit
Router(config)#
Good going, we have finished our ACL creation task or router R1. Now access the global configuration mode of router R2 and enter following commands to create ACL-SecureManagement

ACL- SecureManagement (Configuration style – Modern Named)

Router(config)#ip access-list extended SecureManagement
Router(config-ext-acl)#permit tcp host 200.0.0.194 host 200.0.0.228 eq 21
Router(config-ext-acl)#permit tcp host 200.0.0.194 host 200.0.0.228 eq 80
Router(config-ext-acl)#deny ip host 200.0.0.194 host 200.0.0.228
Router(config-ext-acl)#permit ip 200.0.0.192 0.0.0.31 host 200.0.0.228
Router(config-ext-acl)#deny ip 200.0.0.192 0.0.0.31 200.0.0.224 0.0.0.15
Router(config-ext-acl)#permit ip 200.0.0.192 0.0.0.31 host 200.0.0.131
Router(config-ext-acl)#exit
Router(config)#

Assign Extended ACLs in interfaces

No matter how we have created ACLs, assigning them in interfaces are the same steps process:-
Router(config)#interface type [slot_#] port_#
Router(config-if)#ip access-group ACL_# in|out
Commands and parameters are explained in previous part of this article. In this part we will use these commands in assigning the ACLs.
Let’s assign our ACLs in their respective interfaces
ACL-110 (R1’s Fa0/0 interface, Inbound direction)
Router(config)#interface fastethernet 0/0
Router(config-if)#ip access-group 110 in
Router(config-if)#exit
Router(config)#
ACL-120 ( R1’s Fa0/1, Inbound direction)
Router(config)#interface fastethernet 0/1
Router(config-if)#ip access-group 120 in
Router(config-if)#exit
Router(config)#
ACL-SecureManagement (R2’s Fa0/0 interface, Inbound direction)
Router(config)#interface Fa0/0
Router(config-if)#ip access-group SecureManagement in
Router(config-if)#exit
Router(config)#

Testing Standard ACLs

Packet Tracer includes several tools to verify our implementation such as ping command that can be used to test the connectivity. We can use FTP and Web Browser to test applications level filter.
Let’s test implementation from PC0.
As per permission PC0 is allowed to access only its section. It is not allowed to access anything from outside.
extended acl testing
Let’s do one more testing form PC2. As per permission PC2 is allowed to access development section and only web service from server.
Test extended acl
Now it’s your turn to test remaining conditions. If you have followed all above steps then requirements should be fulfilled. If you are missing any requirement or not getting result as expected, use my practice topology for cross check.
Download configured topology for Extended ACL configuration

Verifying Extended Access List configuration

Once created and activated ACLs, we can verify them with following privilege exec mode commands.
To show which ACLs are activated on which interfaces in which direction, we can use show ip interface command
show ip interface command router
From output we can see that ACL-110 is applied in inbound direction on FastEthernet0/0. By default above command will list all interfaces. To view a single interface, we need to specify it in above command as command line option. For example, to view only serial interface use show ip interface FastEthernet 0/1 command.
show ip interface fast ethernet 0
To view the conditions in ACL, we have two commands
Router#show access-lists ACL_Number_or_Name (Optional, used to see the specific ACL)
show access list command router
Router#show ip access-list ACL_Number_or_Name (Optional, used to see the specific ACL)
show ip access list command
Have you notice any difference between outputs? Second command provides more detailed information about modern style ACLs. It lists the sequence number of each condition in ACL. Sequence numbers are used to edit or delete any condition from ACL. Sequence numbers are available only when you create ACL from modern style.
Router keeps track of every match on every condition. To reset this counter, use clear command.
clear access list counters
We can also view all running configuration including ACLs from show running-config command.
show running configuration

Editing / Updating Extended ACLs

We can edit or update an extended ACL only if it is created from modern configuration style. If it is created from classic configuration style then we cannot edit or update it, we can only append it.
How will I know which ACL is created from which style?
ACLs created from modern way have sequence numbers. We can use show ip access-list command to know whether a specific ACL is created from classic style or modern style. If output of this command show sequence numbers in front of conditions then that ACL is created from modern style. For example following figure illustrates the output of show ip access-list command from router R2.
show ip access list command
As we can see in output, ACL-SecureManagement has sequence numbers. So it is created from modern named style.
Now suppose we want to allow host 200.0.0.194 full permission on Server 200.0.0.228.
Okay let’s update this ACL step by step.
Verify current status
Router#show ip access-list SecureManagement
Extended IP access list SecureManagement
 10 permit tcp host 200.0.0.194 host 200.0.0.228 eq ftp
 20 permit tcp host 200.0.0.194 host 200.0.0.228 eq www
 30 deny ip host 200.0.0.194 host 200.0.0.228
 40 permit ip 200.0.0.192 0.0.0.31 host 200.0.0.228
 50 deny ip 200.0.0.192 0.0.0.31 200.0.0.224 0.0.0.15
 60 permit ip any host 200.0.0.131
Currently host 200.0.0.194 is allowed to access only FTP and Web Service from server. In order to grant it full permission we need to remove three statements 10, 20 and 30. As host belong to network 200.0.0.192 which has full permission on server (statement 40), once deny statement is removed, host will get full permission automatically.
Remove old permission
Router(config)#ip access-list extended SecureManagement
Router(config-ext-nacl)#no 10
Router(config-ext-nacl)#no 20
Router(config-ext-nacl)#no 30
Router(config-ext-nacl)#exit
Router(config)#exit
Router#
Confirm removal
Router#show ip access-list SecureManagement
Extended IP access list SecureManagement
    40 permit ip 200.0.0.192 0.0.0.31 host 200.0.0.228
    50 deny ip 200.0.0.192 0.0.0.31 200.0.0.224 0.0.0.15
    60 permit ip any host 200.0.0.131
Router#
Insert new condition in extended ACL
Now suppose we want to allow host 200.0.0.195 to access only TFTP service from server. Currently this host has full permission on Server (See above output). For this requirement we need to allow TFTP service first and deny all services before full permission for network statement.
Router(config)#ip access-list extended SecureManagement
Router(config-ext-nacl)#10 permit udp host 200.0.0.195 host 200.0.0.228 eq 69
Router(config-ext-nacl)#20 deny ip host 200.0.0.195 host 200.0.0.228
Router(config-ext-nacl)#exit
Router(config)#exit
Router#
Verify update
Router#show ip access-lists SecureManagement
Extended IP access list SecureManagement
    10 permit udp host 200.0.0.195 host 200.0.0.228 eq 69
    20 deny ip host 200.0.0.195 host 200.0.0.228
    40 permit ip 200.0.0.192 0.0.0.31 host 200.0.0.228
    50 deny ip 200.0.0.192 0.0.0.31 200.0.0.224 0.0.0.15
    60 permit ip any host 200.0.0.131
Router#
How to delete a Standard ACL
We have two commands to delete an extended ACL.
Router(config)#no access-list [ACL_Number]
Router(config)#no ip access-list extended [ACL_Number_or_Name]
First command is used to delete numbered ACL while second command is used to delete both numbered and named ACLs. Let’s have an example of both commands.
Delete both ACLs from router R1.
Router(config)#no access-list 110
Router(config)#no ip access-list standard SecureManagement
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)