I’m working on ACLs, so I thought I would write something about them. I’ve come across a lot of good information like Cisco is easy's ACL posts, but I wanted to suppliment and visualize the options available when writing or determining what ACLs are doing. So, this tid bit covers Extended ACLs and the options available to them.
I wrote up two examples that I hope explore what Extended ACLs can do. It’s important to bare in mind that there are 3 ways to write the address portions of an ACL.
The first is with the “host” option:
access-list 110 permit tcp host 10.0.200.1 any eq 80
The second is via wild card mask:
access-list 110 permit tcp 172.16.26.2 0.0.31.255 any eq 80
The third is the “any” option which can also be written as “0.0.0.0 255.255.255.255” .
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp 0.0.0.0 255.255.255.255 any eq 80
The last trick to keep in mind is when applying ACL filtering to all traffic from a subnet or IP range, the source traffic type should be “IP” -
access-list 192 deny IP any 10.1.1.0 0.255.255.255
This ACL denies everything to the 10.1.1.0/8 network. This essentially blocks all IP traffic.
Let’s look at two examples:
The first example denies the workstation with address 192.168.10.1 access to web services on any server in the 10.1.0.0 /16 subnet. In this case, traffic destined for http (port 80) will get filtered no matter what source port it originates from.
access-list 110 deny tcp host 192.168.10.1 10.1.1.0 0.0.255.255 eq 80
The second example is to permit tftp traffic from any host in the 126.96.36.199 /20 network to any server in the 10.1.1.0/24 network. With this ACL I am not only filtering traffic going to port 69, but I’m only allowing that traffic to originate from port 69. Granted this is something you’ll never see, it proves the point of filtering source ports as well as destination.
access-list 198 permit udp 192.168.20.0 0.0.15.255 eq tftp 10.1.1.0 0.0.0.255 eq 69