Configure Extended Access Control Lists(ACL) in Cisco Routers

Extended ACLs are advanced than the Standard ACLs. Unlike the Standard Access Lists where it checks only the Source IP Address to control the flow of the packets, Extended ACLs can check the

Source & Destination Address

Protocols (IP,ICMP,TCP,UDP)

Source & Destination ports

Extended ACLs have far greater control over the flow of packets and Extended ACL rules are processed by the sequence number as against Standard ACLs where it is processed in descending order of the Source Addresses.

Extended ACLs use ACL number 100 to 199 and since Cisco IOS version 12.0.1, 2000 – 2699 are used. These are called as expanded IP ACLs.

One other advantage of using Extended ACLs is that you can insert a statement in between existing ACL lists using a sequence number or delete an entry which you don't need using its list number.

The syntax of Extended ACLs is

access-list <ACL no.> <permit/deny> <protocol> <Source IP><Source mask><operator><Sourceport> <Destination IP><Destination mask> <operator> <destination port>

where

Protocol – Layer3 IP or IPX and Layer 4 TCP,UDP or ICMP

Operator – lt,eq,gt indicating port number "less than", Equal to or "greater"

A 0.0.0.0 255.255.255.255 for source/source mask or destination/dest.mask can be equated to "any"

TO configure an Extended ACL

Let's configure a simple ACL that allows any source to pass traffic to any destination. As you know there is an explicit "deny any any" statement at the end of the ACL, we need to add a "permit any any" to allow all traffic.

ciscorouter# conf term

ciscorouter(config)# access-list 101 permit any any

This is the same as

ciscorouter(config)# access-list 101 permit 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Another way to configure would be

ciscorouter(config)# ip access-list extended 101

ciscorouter(config-ext-nacl)# permit ip any any

Now, lets look at configuring based on Protocols.

IP Extended ACLs

IP Extended ACLs entry will not reference to the source and destination ports for the simple reason they are IP based lists.

For instance,

ciscorouter(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any

The above lets any traffic from source network 192.168.1.0/24 will be allowed to any destination network.

ciscorouter(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 option log

This list allows any traffic from source network 192.168.1.0/24 to the destination network 10.1.1.0/24 and logging.

TCP/UDP Extended ACLs

In TCP Extended ACLs, we can refernce to the source/destination IP addresses/networks and source and destination ports.

ciscorouter(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq www

The above lets any web traffic (HTTP in port 80) from the source network 192.168.1.0/24 to any destination network. This is equivivalent to

ciscorouter(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 80

Another example to allow SMTP traffic from any network to a destination Mail server 10.1.1.1

ciscorouter(config-ext-nacl)# permit tcp any 10.1.1.1 eq 25

To allow DNS (UDP) queries

ciscorouter(config-ext-nacl)# permit udp any 10.1.1.2 eq 53

ICMP Extended ACLs

In ICMP Extended ACLs, its about the Source & Destination IP/Networks and the ICMP Type, ICMP Code and ICMP messages.

For instance,

Block ICMP Replies [ICMP Type 0]

ciscorouter(config-ext-nacl)# deny icmp any any echo-reply

Block ICMP Replies [ICMP Type 11]

ciscorouter(config-ext-nacl)# deny icmp any any time-exceeded

Block ICMP Type 3 Code 4 [Destination unreacheable]

ciscorouter(config-ext-nacl)# deny icmp any any host-unreachable

To apply the ACL onto an interface,

ciscrouter(config)# int fa0/0

ciscorouter(config-if)# ip access-group 101 out

The above applies the Extended ACL 101 on the traffic exiting the interface. Remember the Per Protocol Per INterface Per Direction rule when applying rules to the interfaces.