Re: Access Lists - Standard & Extended

labbe · ‎02-15-2002

n00b Question:

I am having trouble understanding access lists. I want to start securing data between my routers and other companies, but do not want to kill communications to them... I have had trouble finding anything to explain their usage and theory, not just the command syntax. Any help would be greatly appreciated.

Thanks!

daniel.bowen · ‎02-15-2002

An standard IP access-list can be used to filter traffic based on source address and protocol, so you might say:

access-list 1 permit tcp host 161.76.1.5

access-list 1 deny tcp 161.76.0.0 0.0.255.255

This would permit all tcp traffic from 161.76.1.5 but block all other traffic from that network. You would then apply this to an interface on the router (more on that later).

An extended IP access list can be used to filter traffic based on protocl, source and destination address and port number. You might want to do:

access-list 101 permit tcp host 161.76.1.5 121.121.123.1 eq smtp

access-list 101 deny tcp 161.76.0.0 0.0.255.255 121.121.123.1 eq smtp

This would permit 161.76.1.5 access for smtp to 121.121.123.1 but block the rest of the network.

You must remember that an access-list is not a Firewall, they are simply there to filter traffic and relieve network devices from having to process packets that they shouldn't recieve.

When you apply an access-list to an interface on the router, you specify it as either inbound or outbound, this means: If you specify inbound, the access list will apply itself to all packets entering the router interface. If you apply it outbound, it will apply itself to all packets leaving the interface.

Access-lists are processed in a top-down fashion. A packet will arrive at an interface with an access-list with say three rules in it and will look at the first rule (top of the access-list), if it doesn't apply to the packet then it will try the second and so on. As soon as it is matched to a rule, the packet is either dropped or forwarded according to that rule, it doesn't try any further rules.

At the bottom of every access-list there is an implicit deny anything that you haven't permitted above rule, even if you don't enter it. If you haven't permitted it, it will get denied.

Any other questions, post them and I will try my best.

Daniel,

labbe · ‎02-15-2002

Okay. I get that. Another item that eludes me is how to differentiate when IP or TCP would be appropriate to list as the protocol to filter?

millerv · ‎02-15-2002

IP for any internet protocol (DLSw, RSRB)

tcp for tcp i.e telnet, ftp www

udp for udp i.e snmp tftp

daniel.bowen · ‎02-18-2002

If you want the statement to apply to all protocols in the IP suite (EVERYTHING, from DNS to UDP NetBIOS), the you select IP, if you want to only select TCP protocols (connection orientated like port 80 www or port 25 smtp, then you select TCP. You must remember that access-lists give you different levels of control. An IP statement permits or denies ALL protocols, a TCP statement permits/denies ALL TCP protocols only, a UDP statement permits or denies ALL UDP protocols only.

If you want to give me some scenarios, I will write the access-list statement for you, then this may give you an understanding of where and when to use TCP, or IP or port numbers etc

Daniel,

ccropley · ‎02-26-2002

This topic seems to cover what I believe is a problem I have with our Cisco 801 Router. We have recently just installed the Cisco router to replace a GT70 model. Since installing the router our e-mail server, using Exchange 5.5 has been unable to download smtp e-mails from our ISP. The e-mail server is also acting as the companies proxy server and is set-up as the gateway to the router.

Is there a specific setting I need to set on the Cisco Router to allow Exchange 5.5 to be able to download smtp mail. There is no problem sending e-mail through the router only receiving.

Thanks for any help

Chris

shepperdld · ‎02-27-2002

I am trying to block SNMP at the router (Cisco 2620) and need a little assistance.

I received this as a suggestion

You block SNMP or any other IP traffic at the interface level by port number, SNMP is UDP port 161, so the command to block all SNMP traffic would be

access-list 101 deny udp any eq snmp any eq snmp

access-list 101 permit ip any any

You then apply this to the interfaces with the following command

ip access-group 101 in

I am using a 2620 router.

I am in configure, then I enter the command "ip access-group 101 in" and get an error invalid input at... referencing group.

Any suggestions or is there another way to do this?

Thanks!

csthomas · ‎02-28-2002

This wasn't your question, but the line "deny udp any eq snmp any eq snmp" won't do what you want. Incoming requests to an snmp device on your network will come from a random high numbered port and won't be blocked by this rule. What you want is

"deny udp any any eq snmp". You also want to apply this as a "out" rule, not an "in" rule, if you want to block incoming snmp.

jmcneil · ‎02-19-2002

I have a question regarding roaming users. Is it possible to use an ACCESS-EXPRESSION to filter by IP address and source MAC addess on a ethernet interface

ACCESS-EXPRESSION "ip(101) & smac(701)"

Not sure of the syntax.

Any help would be greatly appreciated.

Thanks!