10.4 Configuring Extended Access Lists
10.4.3 Extended IP access list command
Use the access-list command to create an entry in an extended access list, as follows: 

access-list access-list-number {permit | deny}
{protocol | protocol-keyword}
{source source-wildcard | any}
{destination destination-wildcard | any}
[protocol-specific-options] [log]
access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [log]

The extended access list has so many options that it is helpful to divide the options by protocol and to examine them as alternate syntax cases. The syntax shown is the generic command syntax that you use to configure an extended access list for the IP protocol. Alternate syntaxes follow in the next pages.

Mask Keywords

The following two keywords can be used to define IP addresses with masks:

  • any
  • host

The keyword any in either the source or destination position matches any address and is equivalent to configuring 0.0.0.0 255.255.255.255:

access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
!(alternate configuration)
access-list 101 permit ip any any
The keyword host in either the source or destination position causes the address that immediately follows it to be treated as if it were specified with a mask of 0.0.0.0:
host 131.108.5.17 = 131.108.5.17 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 131.108.5.17 0.0.0.0
!(alternate configuration)
access-list 101 permit ip any host 131.108.5.17


ICMP Command Syntax

Use the access-list icmp command to create an entry in an extended access list. The protocol keyword icmp indicates that an alternate syntax is being used for this command and that protocol-specific options are available.

access-list  access-list-number {permit | deny} icmp
{source source-wildcard | any}
{destination destination-wildcard | any}
[icmp-type [icmp-code] | icmp-message]

Packets can also be filtered by IP precedence level, specified either by a number from 0 to 7 or by one of the names critical, flash, flash-override, immediate, internet, network, priority, routine. Packets can also be filtered by type-of-service (TOS) level, specified by a number from 0 to 15.

Neither of these filtering options is used very often. Historically, precedence has rarely been used outside the military, but it may become of greater importance because it affects Weighted Fair Queuing (WFQ).

ICMP Message and Type Names

Cisco IOS Release 10.3 and later versions provide symbolic names that make configuring and reading complex access lists easier. With symbolic names, it is no longer critical to know that ICMP type 8 is echo and type 0 is echo reply in order to filter ping traffic. Instead, the configuration uses the names echo and echo-reply.

The following list indicates the symbolic names you can define in extended access lists:

  • administratively-prohibited
  • alternate-address
  • conversion-error
  • dod-host-prohibited
  • dod-net-prohibited
  • echo
  • echo-reply
  • general-parameter-problem
  • host-isolated
  • host-tos-redirect
  • host-tos-unreachable
  • host-unknown
  • host-unreachable
  • information-reply
  • mask-reply
  • mask-request
  • mobile-redirect
  • net-redirect
  • net-tos-redirect
  • net-tos-unreachable
  • net-unreachable
  • network-unknown
  • no-room-for-option
  • option-missing
  • packet-too-big
  • parameter-problem
  • port-unreachable
  • reassembly-timeout
  • redirect
  • router-advertisement
  • router-solicitation
  • source-quench
  • source-route-failed
  • time-exceeded
  • traceroute
  • ttl-exceeded
  • unreachable

Note: Use the context-sensitive help feature by entering ? in the Cisco IOS user interface to verify available names and proper command syntax.

RFC 1812 says that traffic denied by filtering (that is, traffic that hits a deny rule) should cause an ICMP Administratively Prohibited message to be sent to the sender, using the sender's address as destination and the address of the filtering router interface as source. Many security authorities prefer not to send this message to external users, because revealing that filtering is in place implies there is something worth protecting. To enforce such a policy, you would deny ICMP administratively-prohibited messages outbound on the interface facing the external users.

TCP Syntax

Use the access-list tcp command to create an entry in a complex traffic filter list. The protocol keyword tcp indicates that an alternate syntax is being used for this command and that protocol-specific options are available.

access-list  access-list-number {permit | deny} tcp
{source source-wildcard | any}
[operator source-port | source-port]
{destination destination-wildcard | any}
[operator destination-port | destination-port]
[established]

The established optional parameter can be used only with TCP because this is the only connection-oriented IP protocol currently supported.

When established is configured, a match occurs only if the TCP ACK (acknowledge) or RST (Reset) bits are set. This means that it matches an already established connection, which can then be permitted. The SYNchronize message to establish a new connection can then be explicitly or implicitly denied.

Without the established keyword, the return traffic of a legitimately initiated session can be blocked, and the session eventually times out. With it, you can permit sessions to be initiated in one direction but not the other. In earlier versions of the Cisco IOS software, the established parameter could be configured only on tcp access list statements without specific port numbers. In Release 10.3 and later versions, the established parameter can be configured on statements with ports specified.

Caution: Source-port filtering, that is, filtering on the source port that identifies the sending process, is not secure because a hacker could change the source port. A hacker could easily create a packet with a different source port (perhaps using a dynamic source port number) that would fall through the filter.

The TCP Connection Process

Consider the following TCP connection process:

Host A --------- SYN ---------> Host B
Host A <------ SYN, ACK ------- Host B
Host A --------- ACK ---------> Host B

The goal is to stop B from initiating connections with A while permitting A to initiate connections with B. If you configure an access list to block messages from B, it will stop B-initiated sessions. A session initiated from A will also be blocked because the acknowledge message from B will never make it back.

This is further complicated because the message being blocked is coming from host B, so there is no way for the router to send an ICMP message to host A. Therefore, host A will appear to hang and will eventually get a TCP timeout.

This situation can be handled with the established parameter, as follows:

access-list 101 permit tcp host B host A established
access-list 101 deny tcp host B host A

where "host B" and "host A" are replaced by the host IP addresses.
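As an added illustration (not part of the original curriculum text), the following Python model evaluates the two-line access list above against segments arriving from host B, using Cisco wildcard-mask semantics for the any and host keywords and the ACK/RST rule of the established parameter. The addresses used for host A and host B are constructed placeholders.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'ignore this bit', a 0 bit means 'must match'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

ANY = ("0.0.0.0", "255.255.255.255")   # keyword 'any'

def host(addr):                         # keyword 'host': mask 0.0.0.0
    return (addr, "0.0.0.0")

def ace(action, src, dst, established=False):
    """One access-list entry; src and dst are (address, wildcard) pairs."""
    return {"action": action, "src": src, "dst": dst, "established": established}

def acl_lookup(acl, pkt):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for e in acl:
        if not wildcard_match(pkt["src"], *e["src"]):
            continue
        if not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["established"] and not (pkt["ack"] or pkt["rst"]):
            continue   # 'established' matches only when ACK or RST is set
        return e["action"]
    return "deny"

def tcp(src, dst, syn=False, ack=False, rst=False):
    return {"src": src, "dst": dst, "syn": syn, "ack": ack, "rst": rst}

# Constructed addresses: A reuses the page's example host, B is a documentation address.
HOST_A, HOST_B = "131.108.5.17", "192.0.2.44"

# access-list 101 permit tcp host B host A established
# access-list 101 deny   tcp host B host A
ACL_101 = [
    ace("permit", host(HOST_B), host(HOST_A), established=True),
    ace("deny", host(HOST_B), host(HOST_A)),
]

# Segments arriving from B, corresponding to the handshake diagram above
B_OPENS_NEW = tcp(HOST_B, HOST_A, syn=True)            # B tries to start its own session
B_REPLIES = tcp(HOST_B, HOST_A, syn=True, ack=True)    # B answers A's SYN (ACK bit set)
B_RESETS = tcp(HOST_B, HOST_A, rst=True)

if __name__ == "__main__":
    for name, p in (("B SYN", B_OPENS_NEW), ("B SYN/ACK", B_REPLIES), ("B RST", B_RESETS)):
        print(f"{name:<10} {acl_lookup(ACL_101, p)}")
```

B's own SYN is dropped while its SYN/ACK reply to A is permitted, which is exactly the one-way session initiation the text describes.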

TCP Port Names

The following list defines some of the TCP port names that can be used to make extended access-list coding easier.

  • bgp
  • chargen
  • daytime
  • discard
  • domain
  • echo
  • finger
  • ftp-control
  • ftp-data
  • gopher
  • hostname
  • irc
  • klogin
  • kshell
  • lpd
  • nntp
  • pop2
  • pop3
  • sunrpc
  • syslog
  • tacacs-ds
  • talk
  • telnet
  • time
  • uucp
  • whois
  • www

Use the ? in place of the port number when entering the command to verify the port numbers associated with these protocol names. Other port names can be found in RFC 1700, "Assigned Numbers".

UDP Syntax

The access-list udp command creates an entry in an extended access list. The protocol keyword udp indicates that an alternate syntax is being used for this command and that protocol-specific options are available.

The configuration for User Datagram Protocol (UDP) is similar to TCP. However, UDP is not a connection-oriented protocol, so there is no established parameter as there is in TCP.

access-list  access-list-number {permit | deny} udp
{source source-wildcard | any}
[operator source-port | source-port]
{destination destination-wildcard | any}
[operator destination-port | destination-port]

UDP Port Names

UDP port names can be used to simplify extended access-list configurations. The following is a partial list of defined UDP port names:

  • biff
  • bootpc
  • bootps
  • discard
  • dns
  • dnsix
  • echo
  • mobile-ip
  • nameserver
  • netbios-dgm
  • netbios-ns
  • ntp
  • rip
  • snmp
  • snmptrap
  • sunrpc
  • syslog
  • tacacs-ds
  • talk
  • tftp
  • time
  • whois
  • xdmcp

Use the ? in place of the port number when entering the command to verify the port numbers associated with these protocol names.