Extended IP Access List Configuration

Use the access-list access-list-number {permit | deny} {protocol | protocol-keyword} {source source-wildcard | any} {destination destination-wildcard | any} [protocol-specific options] [log] global configuration command to create an entry in an extended traffic filter list, as described in Table A-8.

Table A-8 Extended IP access-list Command Description

access-list Command                        Description

access-list-number                         Identifies the list to which the entry belongs, a number from 100 to 199.

permit | deny                              Indicates whether this entry allows or blocks traffic.

protocol                                   ip, tcp, udp, icmp, igmp, gre, igrp, eigrp, ospf, nos, or a number in the range of 0 through 255. To match any Internet protocol, use the keyword ip. Some protocols have more options that are supported by an alternate syntax for this command, as shown later in this section.

source and destination                     Identifies the source and destination IP addresses.

source-wildcard and destination-wildcard   Identifies which bits in the address field must match. A 1 in a bit position indicates a "don't care" bit, and a 0 in any bit position indicates that the bit must strictly match.

any                                        Use this keyword as an abbreviation for a source and source-wildcard, or a destination and destination-wildcard, of 0.0.0.0 255.255.255.255.

log                                        (Optional) Causes an informational logging message to be generated for a packet that matches the entry; the message goes to the console and to any other logging destination the router is configured with. Exercise caution when using this keyword because it consumes CPU cycles.

The wildcard masks in an extended access list operate the same way as they do in standard access lists. The keyword any in either the source or the destination position matches any address and is equivalent to configuring an address of 0.0.0.0 with a wildcard mask of 255.255.255.255. An example of an extended access list is shown in Example A-6.

Example A-6 Use of the Keyword any

access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
! (alternate configuration)
access-list 101 permit ip any any

The keyword host can be used in either the source or the destination position; it causes the address that immediately follows it to be treated as if it were specified with a mask of 0.0.0.0. An example is shown in Example A-7.

Example A-7 Use of the Keyword host

access-list 101 permit ip 0.0.0.0 255.255.255.255 172.16.5.17 0.0.0.0
! (alternate configuration)
access-list 101 permit ip any host 172.16.5.17

Use the access-list access-list-number {permit | deny} icmp {source source-wildcard | any} {destination destination-wildcard | any} [icmp-type [icmp-code] | icmp-message] global configuration command to filter ICMP traffic. The protocol keyword icmp indicates that an alternate syntax is being used for this command and that protocol-specific options are available, as described in Table A-9.

Table A-9 Extended IP access-list icmp Command Description

access-list icmp Command                   Description

access-list-number                         Identifies the list to which the entry belongs, a number from 100 to 199.

permit | deny                              Indicates whether this entry allows or blocks traffic.

source and destination                     Identifies the source and destination IP addresses.

source-wildcard and destination-wildcard   Identifies which bits in the address field must match. A 1 in a bit position indicates a "don't care" bit, and a 0 in any bit position indicates that the bit must strictly match.

any                                        Use this keyword as an abbreviation for a source and source-wildcard, or a destination and destination-wildcard, of 0.0.0.0 255.255.255.255.

icmp-type                                  (Optional) Packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code                                  (Optional) Packets that have been filtered by ICMP message type can also be filtered by ICMP message code. The code is a number from 0 to 255.

icmp-message                               (Optional) Packets can be filtered by a symbolic name representing an ICMP message type or a combination of ICMP message type and ICMP message code. A list of these names is provided in Table A-10.

Cisco IOS Release 10.3 and later versions provide symbolic names that make complex access lists easier to configure and to read. With symbolic names it is no longer necessary to remember the numeric ICMP message type and code (for example, type 8 and type 0 can be used to filter the ping command); the configuration can use the symbolic names instead (echo and echo-reply filter the ping command), as listed in Table A-10. (Enter ? in place of the name while typing the access-list command to have the Cisco IOS context-sensitive help list the available names and the correct syntax.)

Table A-10 ICMP Message and Type Names

administratively-prohibited, alternate-address, conversion-error, dod-host-prohibited, dod-net-prohibited, echo, echo-reply, general-parameter-problem, host-isolated, host-precedence-unreachable, host-redirect, host-tos-redirect, host-tos-unreachable, host-unknown, host-unreachable, information-reply, information-request, mask-reply, mask-request, mobile-redirect, net-redirect, net-tos-redirect, net-tos-unreachable, net-unreachable, network-unknown, no-room-for-option, option-missing, packet-too-big, parameter-problem, port-unreachable, precedence-unreachable, protocol-unreachable, reassembly-timeout, redirect, router-advertisement, router-solicitation, source-quench, source-route-failed, time-exceeded, timestamp-reply, timestamp-request, traceroute, ttl-exceeded, unreachable

Use the access-list access-list-number {permit | deny} tcp {source source-wildcard | any} [operator source-port | source-port] {destination destination-wildcard | any} [operator destination-port | destination-port] [established] global configuration command to filter TCP traffic. The protocol keyword tcp indicates that an alternate syntax is being used for this command and that protocol-specific options are available, as described in Table A-11.

Table A-11 Extended IP access-list tcp Command Description

access-list tcp Command                    Description

access-list-number                         Identifies the list to which the entry belongs, a number from 100 to 199.

permit | deny                              Indicates whether this entry allows or blocks traffic.

source and destination                     Identifies the source and destination IP addresses.

source-wildcard and destination-wildcard   Identifies which bits in the address field must match. A 1 in a bit position indicates a "don't care" bit, and a 0 in any bit position indicates that the bit must strictly match.

any                                        Use this keyword as an abbreviation for a source and source-wildcard, or a destination and destination-wildcard, of 0.0.0.0 255.255.255.255.

operator                                   (Optional) A qualifying condition. Can be: lt, gt, eq, neq.

source-port and destination-port           (Optional) A decimal number from 0 to 65535 or a name that represents a TCP port number.

established                                (Optional) A match occurs if the TCP segment has the ACK or RST bit set. Use this when you want Telnet, or another TCP application, to be able to establish sessions in one direction only.

established Keyword in Extended Access Lists

When a TCP session is started between two devices, the first segment sent has the SYN (synchronize) code bit set but not the ACK (acknowledge) code bit, because it is not acknowledging any other segment. All subsequent segments have the ACK code bit set because they acknowledge previous segments sent by the other device. This is how a router can distinguish a segment from a device that is attempting to start a TCP session from a segment of an ongoing, already established session. The RST (reset) code bit is set when a session is being reset (aborted).

When you configure the established keyword in a TCP extended access list, that access list statement matches only TCP segments in which the ACK or RST code bit is set. In other words, only segments that are part of an already established session are matched; segments that are attempting to start a session do not match the statement. Note that the test is applied to the flag bits of each individual segment; the router keeps no record of sessions. A segment crafted with the ACK bit set (a TCP ACK scan, for instance) matches an established entry even though no session exists, so established controls which side may open connections but is not a stateful firewall.
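The following evaluator is an added example (not Cisco's code, and not part of the original appendix) that implements the matching rules described above and in the wildcard, any, host and ICMP passages earlier in this section: wildcard masks, the any and host shortcuts, the tcp and udp port operators, the established flag test and icmp type/code or symbolic-name matching. The symbolic-name tables it carries are a small subset of Tables A-10, A-12 and A-15 with their assumed standard numbers, and the five-line access list and the packets are constructed for illustration.

```python
"""Evaluator for the extended IP access-list syntax described on this page."""
import ipaddress
from dataclasses import dataclass

# Small subset of the page's symbolic names, with their assumed standard numbers.
TCP_PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}
UDP_PORTS = {"tftp": 69, "ntp": 123, "snmp": 161, "snmptrap": 162}
ICMP_NAMES = {"echo": (8, None), "echo-reply": (0, None),
              "unreachable": (3, None), "host-unreachable": (3, 1)}
PORT_OPS = ("eq", "neq", "lt", "gt")


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP code bits present: "SYN", "ACK", "RST", "FIN"
    icmp_type: int = 0
    icmp_code: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard is 'don't care'; a 0 bit must match exactly."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_addr(tok):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' -> (address, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tok.pop(0), "0.0.0.0"
    return t, tok.pop(0)


def _take_port(tok, names):
    """Consume an optional '<operator> <port>' clause -> (op, port) or None."""
    if not tok or tok[0] not in PORT_OPS:
        return None
    op, p = tok.pop(0), tok.pop(0)
    return op, (int(p) if p.isdigit() else names[p])


def _port_ok(clause, port):
    if clause is None:
        return True
    op, p = clause
    return {"eq": port == p, "neq": port != p, "lt": port < p, "gt": port > p}[op]


def parse_entry(line: str) -> dict:
    """Parse one 'access-list <100-199> {permit|deny} <protocol> ...' entry."""
    tok = line.split()
    if tok[0] != "access-list" or not 100 <= int(tok[1]) <= 199:
        raise ValueError(f"not an extended access-list entry: {line}")
    e = {"action": tok[2], "proto": tok[3], "sport": None, "dport": None,
         "established": False, "icmp": None, "log": False}
    tok = tok[4:]
    names = TCP_PORTS if e["proto"] == "tcp" else UDP_PORTS
    e["src"] = _take_addr(tok)
    if e["proto"] in ("tcp", "udp"):
        e["sport"] = _take_port(tok, names)
    e["dst"] = _take_addr(tok)
    if e["proto"] in ("tcp", "udp"):
        e["dport"] = _take_port(tok, names)
    if tok and tok[-1] == "log":
        tok.pop()
        e["log"] = True
    if e["proto"] == "tcp" and tok and tok[0] == "established":
        tok.pop(0)
        e["established"] = True
    elif e["proto"] == "icmp" and tok:
        if tok[0].isdigit():            # icmp-type [icmp-code]
            e["icmp"] = (int(tok[0]), int(tok[1]) if len(tok) > 1 else None)
        else:                           # icmp-message symbolic name
            e["icmp"] = ICMP_NAMES[tok[0]]
        tok.clear()
    if tok:
        raise ValueError(f"unparsed tokens {tok} in: {line}")
    return e


def entry_matches(e: dict, p: Packet) -> bool:
    if e["proto"] != "ip" and e["proto"] != p.proto:
        return False
    if not (wildcard_match(p.src, *e["src"]) and wildcard_match(p.dst, *e["dst"])):
        return False
    if not (_port_ok(e["sport"], p.sport) and _port_ok(e["dport"], p.dport)):
        return False
    if e["established"] and not ({"ACK", "RST"} & p.flags):
        return False                    # a SYN-only segment (new session) does not match
    if e["icmp"] is not None:
        t, c = e["icmp"]
        if p.icmp_type != t or (c is not None and p.icmp_code != c):
            return False
    return True


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; with no match the packet is denied (the implicit
    deny that ends every IOS access list, which this page does not restate)."""
    for e in acl:
        if entry_matches(e, p):
            return e["action"]
    return "deny"


# Constructed sample list: inside network 172.16.0.0/16, server 172.16.5.17.
SAMPLE_ACL = [parse_entry(l) for l in """
access-list 101 permit tcp 172.16.0.0 0.0.255.255 any eq telnet
access-list 101 permit tcp any 172.16.0.0 0.0.255.255 established
access-list 101 permit icmp any host 172.16.5.17 echo-reply
access-list 101 deny udp any any eq snmp log
access-list 101 permit udp any host 172.16.5.17 eq tftp
""".splitlines() if l.strip()]

if __name__ == "__main__":
    inbound_syn = Packet("tcp", "10.0.0.1", "172.16.1.10", 40000, 23, frozenset({"SYN"}))
    reply = Packet("tcp", "10.0.0.1", "172.16.1.10", 23, 40000, frozenset({"SYN", "ACK"}))
    print(evaluate(SAMPLE_ACL, inbound_syn), evaluate(SAMPLE_ACL, reply))
```

Run it and the inbound SYN to port 23 is denied (it reaches the implicit deny) while the SYN/ACK reply is permitted by the established entry. Feed it a segment to any inside port with only the ACK bit set and it is also permitted, which is the flag-only behaviour the caveat above describes: the evaluator, like the router, never consults a session table.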

Table A-12 is a list of TCP port names that can be used instead of port numbers. The port numbers corresponding to these names can be found by typing a ? in place of the port number, or by looking at RFC 1700, "Assigned Numbers." (This RFC is available at URL www.cis.ohio-state.edu/htbin/rfc/rfc1700.html. RFC 1700 has since been obsoleted by RFC 3232, which defers to the online IANA registry of assigned port numbers.)

Table A-12 TCP Port Names

bgp, chargen, daytime, discard, domain, echo, finger, ftp (control), ftp-data, gopher, hostname, irc, klogin, kshell, lpd, nntp, pop2, pop3, smtp, sunrpc, syslog, tacacs-ds, talk, telnet, time, uucp, whois, www

Other port numbers can also be found in RFC 1700, "Assigned Numbers." A partial list of the assigned TCP port numbers is shown in Table A-13.

Table A-13 Some Reserved TCP Port Numbers

Decimal   Keyword       Description
7         ECHO          Echo
9         DISCARD       Discard
13        DAYTIME       Daytime
19        CHARGEN       Character generator
20        FTP-DATA      File Transfer Protocol (data)
21        FTP-CONTROL   File Transfer Protocol
23        TELNET        Terminal connection
25        SMTP          Simple Mail Transfer Protocol
37        TIME          Time of day
43        WHOIS         Who is
53        DOMAIN        Domain name server
79        FINGER        Finger
80        WWW           World Wide Web HTTP
101       HOSTNAME      NIC host name server

Use the access-list access-list-number {permit | deny} udp {source source-wildcard | any} [operator source-port | source-port] {destination destination-wildcard | any} [operator destination-port | destination-port] global configuration command to filter UDP traffic. The protocol keyword udp indicates that an alternate syntax is being used for this command and that protocol-specific options are available, as described in Table A-14.

Table A-14 Extended IP access-list udp Command Description

access-list udp Command                    Description

access-list-number                         Identifies the list to which the entry belongs, a number from 100 to 199.

permit | deny                              Indicates whether this entry allows or blocks traffic.

source and destination                     Identifies the source and destination IP addresses.

source-wildcard and destination-wildcard   Identifies which bits in the address field must match. A 1 in a bit position indicates a "don't care" bit, and a 0 in any bit position indicates that the bit must strictly match.

any                                        Use this keyword as an abbreviation for a source and source-wildcard, or a destination and destination-wildcard, of 0.0.0.0 255.255.255.255.

operator                                   (Optional) A qualifying condition. Can be: lt, gt, eq, neq.

source-port and destination-port           (Optional) A decimal number from 0 to 65535 or a name that represents a UDP port number.

Table A-15 is a list of UDP port names that can be used instead of port numbers. The port numbers corresponding to these names can be found by typing a ? in place of the port number, or by looking at RFC 1700, "Assigned Numbers."

Table A-15 UDP Port Names

biff, bootpc, bootps, discard, dns, dnsix, echo, mobile-ip, nameserver, netbios-dgm, netbios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs-ds, talk, tftp, time, whois, xdmcp

Other port numbers can also be found in RFC 1700, "Assigned Numbers." A partial list of the assigned UDP port numbers is shown in Table A-16.

Table A-16 Some Reserved UDP Port Numbers

Decimal   Keyword       Description
7         ECHO          Echo
9         DISCARD       Discard
37        TIME          Time of day
42        NAMESERVER    Host name server
43        WHOIS         Who is
53        DNS           Domain name server
67        BOOTPS        Bootstrap protocol server
68        BOOTPC        Bootstrap protocol client
69        TFTP          Trivial File Transfer Protocol
123       NTP           Network Time Protocol
137       NetBios-ns    NetBios Name Service
138       NetBios-dgm   NetBios Datagram Service
161       SNMP          SNMP
162       SNMPTrap      SNMP Traps
520       RIP           RIP
