Use the access-list command to create an entry in an extended access list, as follows:
access-list access-list-number {permit | deny}
{protocol | protocol-keyword}
{source source-wildcard | any}
{destination destination-wildcard | any}
[protocol-specific-options] [log]
In its shortest form, without protocol-specific options, the command reads:
access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [log]
The extended access list has so many options that it is helpful
to divide the options by protocol and to examine them as alternate
syntax cases. The syntax shown is the generic command syntax that
you use to configure an extended access list for the IP protocol.
Alternate syntaxes follow in the next pages.
Mask Keywords
Each address in an extended access list is followed by a wildcard mask. In a wildcard mask a 0 bit means the corresponding address bit must match and a 1 bit means it is ignored (the inverse of a subnet mask), which is why a mask of 255.255.255.255 matches every address. The following two keywords can be used in place of an address and wildcard mask:
The keyword any in either the source or destination position matches any address and is equivalent to configuring 0.0.0.0 255.255.255.255:
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
!(alternate configuration)
access-list 101 permit ip any any
The keyword host in either the source or destination position causes the address that immediately follows it to be treated as if it were specified with a mask of 0.0.0.0, that is, an exact match on all 32 bits:
host 131.108.5.17 = 131.108.5.17 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 131.108.5.17 0.0.0.0
!(alternate configuration)
access-list 101 permit ip any host 131.108.5.17
ICMP Command Syntax
Use the access-list icmp command to create an entry in an extended access list. The protocol keyword icmp indicates that an alternate syntax is being used for this command and that protocol-specific options are available.
access-list access-list-number {permit | deny} icmp
{source source-wildcard | any}
{destination destination-wildcard | any}
[icmp-type [icmp-code] | icmp-message]
Packets can also be filtered by IP precedence, specified with the precedence keyword as a number from 0 to 7 or as one of the names critical, flash, flash-override, immediate, internet, network, priority, or routine, and by type-of-service (TOS) level, specified with the tos keyword as a number from 0 to 15. Neither of these filtering options is used very often. Historically, precedence has rarely been used outside the military, but it may become more important because it affects Weighted Fair Queuing (WFQ). Both fields are set by the sender and can be forged at will, so filtering on them is a traffic-classification tool rather than a security control.
ICMP Message and Type Names
Cisco IOS Release 10.3 and later versions provide symbolic names
that make configuration and reading of complex access lists easier.
With symbolic names, it is no longer critical to understand the
meaning of message 8 and message 0 in order to filter the ping
command. Instead, the configuration would use echo and
echo-reply.
The following list indicates the symbolic names you can
define in extended access lists:
administratively-prohibited
alternate-address
conversion-error
dod-host-prohibited
dod-net-prohibited
echo
echo-reply
general-parameter-problem
host-isolated
host-tos-redirect
host-tos-unreachable
host-unknown
host-unreachable
information-reply
mask-reply
mask-request
mobile-redirect
net-redirect
net-tos-redirect
net-tos-unreachable
net-unreachable
network-unknown
no-room-for-option
option-missing
packet-too-big
parameter-problem
port-unreachable
reassembly-timeout
redirect
router-advertisement
router-solicitation
source-quench
source-route-failed
time-exceeded
traceroute
ttl-exceeded
unreachable
Note: Use the context-sensitive help feature by entering ?
in the Cisco IOS user interface to verify available names and proper
command syntax.
RFC 1812 says that a packet discarded by a filter (that is, one that hits a deny rule) should cause an ICMP Destination Unreachable message with the code Communication Administratively Prohibited to be returned to the sender, addressed to the sender's address and sourced from the filtering router's interface address. Many security authorities prefer not to send this message back to external users, because the fact that there is filtering implies there is something worth protecting. To enforce such a policy, you would deny ICMP administratively-prohibited messages outbound on the external interface. Note that an outbound access list does not filter packets the router itself generates, so the unreachables produced by the router's own filtering must instead be suppressed with the interface command no ip unreachables, which silences every ICMP unreachable type (including port unreachables) on that interface.
TCP Syntax
Use the access-list tcp command to create an entry in a complex traffic filter list. The protocol keyword tcp indicates that an alternate syntax is being used for this command and that protocol-specific options are available.
access-list access-list-number {permit | deny} tcp
{source source-wildcard | any}
[operator source-port | source-port]
{destination destination-wildcard | any}
[operator destination-port | destination-port]
[established]
The established optional parameter can be used only with TCP, because TCP is the only connection-oriented IP protocol currently supported. When established is configured, a match occurs only if the TCP ACK (acknowledge) or RST (reset) bit is set in the segment. Such a segment belongs to a connection that is already under way, so it can be permitted, while the SYN (synchronize) segment that opens a new connection, which carries neither bit, can then be denied explicitly or by the implicit deny at the end of the list.
Without the established keyword, return traffic for connections opened from the protected side is dropped and those connections time out. With it, you can permit sessions to be initiated in one direction but not the other. Bear in mind that established inspects only the flag bits, not connection state: any segment with ACK or RST set is matched whether or not a connection exists, so it does not stop an attacker from sending ACK-flagged probes through the filter.
In earlier versions of the Cisco IOS software, the established parameter could be configured only on tcp access-list statements without specific port numbers. In Release 10.3 and later versions, established can also be configured on statements with ports specified.
Caution: Source-port filtering, that is, filtering on the port that identifies the sending process, is not secure, because an attacker can choose the source port. An attacker can easily craft a packet whose source port is one the filter permits (for example, a well-known service port such as 20 for ftp-data) and it falls through the filter.
The TCP Connection Process
Consider the following TCP connection process (the three-way handshake):
Host A  ---- SYN ---------->  Host B
Host A  <--- SYN, ACK ------  Host B
Host A  ---- ACK ---------->  Host B
The goal is to stop B from initiating connections with A while permitting A to initiate connections with B. If you configure an access list that simply blocks all TCP from B, it stops B-initiated sessions, but a session initiated from A is also blocked, because the SYN, ACK reply from B never makes it back.
This is further complicated because the message being blocked is coming from host B, so there is no way for the router to send an ICMP message to host A. Host A therefore appears to hang and eventually gets a TCP timeout.
This situation can be handled with the established parameter, as follows:
access-list 101 permit tcp host B host A established
access-list 101 deny tcp host B host A
where B and A are replaced by the host IP addresses and the list is applied to traffic flowing from B toward A. The first line passes segments from B that carry ACK or RST, which includes the SYN, ACK reply to a connection that A opened; the second line explicitly drops B's own SYNs.
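The mask keywords, the established handshake case and the source-port caution above can all be traced with a small model of the matching rules. The following is an added example written for this page, not Cisco IOS code or material from the original text. It implements wildcard-mask comparison, the any and host keywords, the eq/neq/gt/lt port operators, first-match evaluation with the implicit deny, and the established flag check as described above. The addresses (131.108.5.17 for host A, 192.0.2.44 for host B, 203.0.113.9 for an attacker), port numbers and the ftp-data style source-port filter are constructed for illustration.

```python
"""Toy evaluator for Cisco-style extended access-list entries.

Added example, not Cisco IOS code: it models the matching rules this page
describes so the handshake and source-port cases can be traced by hand.
All addresses and ports below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")           # the keyword any


def host(addr: str) -> Tuple[str, str]:        # the keyword host
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 means 'must match', 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Packet:
    proto: str                               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()      # TCP flags, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Entry:
    action: str                              # "permit" or "deny"
    proto: str                               # "ip" matches every IP protocol
    src: Tuple[str, str]                     # (address, wildcard)
    dst: Tuple[str, str]
    sport: Optional[Tuple[str, int]] = None  # (operator, port), e.g. ("eq", 20)
    dport: Optional[Tuple[str, int]] = None
    established: bool = False


def port_match(spec: Optional[Tuple[str, int]], port: int) -> bool:
    if spec is None:                         # no operator given: any port
        return True
    op, value = spec
    return {"eq": port == value, "neq": port != value,
            "gt": port > value, "lt": port < value}[op]


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    if e.proto in ("tcp", "udp"):
        if not (port_match(e.sport, p.sport) and port_match(e.dport, p.dport)):
            return False
    # established matches only when ACK or RST is set, so never a bare SYN.
    if e.established and not (p.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; every access list ends with an implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


HOST_A, HOST_B = "131.108.5.17", "192.0.2.44"   # constructed addresses

# The page's two-line list, applied to traffic travelling from B toward A.
ACL_101 = [
    Entry("permit", "tcp", host(HOST_B), host(HOST_A), established=True),
    Entry("deny", "tcp", host(HOST_B), host(HOST_A)),
]


def handshake_results() -> Tuple[str, str]:
    """B's own SYN is denied; B's SYN,ACK answering a connection A opened passes."""
    syn_from_b = Packet("tcp", HOST_B, HOST_A, 40000, 23, frozenset({"SYN"}))
    synack_from_b = Packet("tcp", HOST_B, HOST_A, 23, 40000, frozenset({"SYN", "ACK"}))
    return evaluate(ACL_101, syn_from_b), evaluate(ACL_101, synack_from_b)


# A source-port filter of the kind the caution warns about: it tries to let
# only ftp-data (TCP source port 20) reach the high ports on host A.
FTP_DATA_ACL = [
    Entry("permit", "tcp", ANY, host(HOST_A), sport=("eq", 20), dport=("gt", 1023)),
]


def source_port_bypass() -> str:
    """An attacker simply sets source port 20 and reaches any high port on A."""
    forged = Packet("tcp", "203.0.113.9", HOST_A, 20, 8080, frozenset({"SYN"}))
    return evaluate(FTP_DATA_ACL, forged)


def mask_examples() -> Tuple[bool, bool, bool, bool]:
    return (
        wildcard_match("10.1.2.3", *ANY),                             # any: everything
        wildcard_match("131.108.5.17", *host("131.108.5.17")),        # host: exact
        wildcard_match("131.108.5.18", *host("131.108.5.17")),        # host: one bit off
        wildcard_match("131.108.7.9", "131.108.0.0", "0.0.255.255"),  # whole /16
    )


if __name__ == "__main__":
    print(mask_examples(), handshake_results(), source_port_bypass())
```

Running the module prints (True, True, False, True), ('deny', 'permit') and 'permit': the wildcard rules behave as the Mask Keywords section states, the established list lets A's connection complete while refusing B's, and the source-port filter admits the forged packet, which is exactly why the caution says it is not a security control.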
TCP Port Names
The following list defines some of the TCP port names that can be used to make extended access-list coding easier:
bgp
chargen
daytime
discard
domain
echo
finger
ftp-control
ftp-data
gopher
hostname
irc
klogin
kshell
lpd
nntp
pop2
pop3
sunrpc
syslog
tacacs-ds
talk
telnet
time
uucp
whois
www
Enter ? in place of the port number when typing the command to verify the port numbers associated with these protocol names. Other port names can be found in the "Assigned Numbers" RFC (RFC 1700); that RFC has since been obsoleted by RFC 3232 in favour of the online IANA port-number registry.
UDP Syntax
The access-list udp command creates an entry in an extended access list. The protocol keyword udp indicates that an alternate syntax is being used for this command and that protocol-specific options are available.
The configuration for User Datagram Protocol (UDP) is similar to TCP. However, UDP is not a connection-oriented protocol, so there is no established parameter as there is in TCP.
access-list access-list-number {permit | deny} udp
{source source-wildcard | any}
[operator source-port | source-port]
{destination destination-wildcard | any}
[operator destination-port | destination-port]
UDP Port Names
UDP port names can be used to simplify extended access-list configurations. The following is a partial list of defined UDP port names:
biff
bootpc
bootps
discard
dns
dnsix
echo
mobile-ip
nameserver
netbios-dgm
netbios-ns
ntp
rip
snmp
snmptrap
sunrpc
syslog
tacacs-ds
talk
tftp
time
whois
xdmcp
Enter ? in place of the port number when typing the command to verify the port numbers associated with these protocol names.