A brief look at writing access lists
With Access Lists, you can filter traffic on your Cisco Router.
It filters only traffic coming in or going through your router.
It does not filter traffic which originates from the router itself. It is a kind of
"Firewall" feature.
You can permit or deny traffic from or to a network or host, and can filter on
specific ports.
It is usable for "basic" security.
For complex firewall settings, better use a "real" firewall, because
too much filtering can make the device slower, since each packet has to be
checked, and the more rules are configured, the more the CPU of the router has
to work.
There are two kinds of Access Lists on Cisco Routers:
1. Standard ACLs
-Numbered from 1-99 (and some higher ranges)
-filter ONLY on SOURCE IP
-needed to permit or deny a single source IP or source network access to
another network or host
2. Extended ACLs
-Numbered from 100-199 (and some higher ranges)
-filter on source IP, destination IP, protocols and ports/applications
-needed to filter only traffic from a specified host or network for specified protocols
and ports
ACLs can be identified by numbers or by names.
Handling of Access-Lists
1. Configure some statements.
example 1: Deny http and telnet access from a network to a host
access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 80
access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 23
access-list 100 permit ip any any
example 2: Deny all IP access from a network (a standard ACL takes only a source, so the final permit has a single "any")
access-list 1 deny 143.43.43.0 0.0.0.255
access-list 1 permit any
example 3: Deny ping from a network to a host
access-list 101 deny icmp 132.43.4.0 0.0.0.255 host 145.52.54.9
access-list 101 permit ip any any
You can also write the destination host with a 0.0.0.0 wildcard mask instead of the "host" keyword:
access-list 101 deny icmp 132.43.4.0 0.0.0.255 145.52.54.9 0.0.0.0
access-list 101 permit ip any any
2. Select the interface where the Access List will filter packets.
ALL the statements with the same number build ONE Access List.
Bind the ACL to an interface with the command "ip access-group":
interface e0
ip access-group 101 in
Rules
1. "Last" deny statement of every ACL
At the end of EVERY access-list there is an "access-list deny ip any
any" statement, which is invisible.
That's why we have to use the "access-list
2. From first to last
When filtering the packets, the router checks the statements of the ACL
from the first to the last.
When a statement matches, the following statements are not checked
anymore.
example
access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 80
access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 23
access-list 100 permit ip any any
If a host with IP 143.43.43.6/24 tried to access the webserver 132.32.32.4,
it would be denied because of the first statement. The second and third statements
would not be checked in that case.
If the same host tried to access the telnet port of the webserver, the
first statement would be checked first. Because it is NOT port
80 which the host wants to reach, the second statement would be checked next.
The second statement denies telnet, so the host could not access the webserver
via Telnet.
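Rules 1 and 2 together, as an added Python simulator that is not part of the original page and is not Cisco code: it walks the page's access-list 100 and access-list 1 top-down with Cisco wildcard-mask matching, reports which line decided, and falls through to the invisible "deny ip any any" when no line matches (the Ace class and both helper functions are assumptions of this example).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Ace:  # one access-list entry (a hypothetical model of a Cisco ACE)
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str                     # "A.B.C.D W.X.Y.Z", "host A.B.C.D" or "any"
    dst: str = "any"             # standard ACLs have no destination field: keep "any"
    dport: Optional[int] = None  # from "eq <port>"; None means any port

def wildcard_match(spec: str, addr: str) -> bool:
    """Cisco wildcard-mask test: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec[5:]
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(net)) & care)

def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins (rule 2); returns (action, matching line number).
    No match falls through to the invisible 'deny ip any any' (rule 1): line None."""
    for line, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(ace.src, src) and wildcard_match(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, line
    return "deny", None

# access-list 100 from the text: deny http and telnet from 143.43.43.0/24 to 132.32.32.4
ACL_100 = [
    Ace("deny", "tcp", "143.43.43.0 0.0.0.255", "132.32.32.4 0.0.0.0", 80),
    Ace("deny", "tcp", "143.43.43.0 0.0.0.255", "132.32.32.4 0.0.0.0", 23),
    Ace("permit", "ip", "any", "any"),
]
# access-list 1 from the text (standard ACL: source address only)
ACL_1 = [Ace("deny", "ip", "143.43.43.0 0.0.0.255"), Ace("permit", "ip", "any")]

if __name__ == "__main__":
    print(evaluate(ACL_100, "tcp", "143.43.43.6", "132.32.32.4", 80))    # ('deny', 1)
    print(evaluate(ACL_100, "tcp", "143.43.43.6", "132.32.32.4", 443))   # ('permit', 3)
    print(evaluate(ACL_100[:2], "tcp", "10.1.1.1", "132.32.32.4", 443))  # ('deny', None)
```

The third call shows why the explicit "permit ip any any" is needed: with only the two deny lines, even traffic from an unrelated network is dropped by the implicit deny.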
3. Placement of ACLs
Put standard ACLs close to the destination host or network which has to be
protected.
Put extended ACLs close to the source hosts or network from which the traffic
originates.
4. You can put ONE ACL per interface, per protocol, per direction
You can't bind more than one ACL to an interface per direction (incoming
or outgoing).
5. Single statements of an ACL can NOT be deleted
If you have to change or delete a single statement, you have to delete
the whole ACL and write a new one.
Only in named access-lists is it possible to change or delete single
statements of the ACL.
6. Different terms for different usage
There are different terms which can be confusing.
access-group
Used to bind an access-list to an interface
access-class
Used to deny or permit telnet access to a router vty line.
7. syntax of extended ACL
access-list
example
access-list 111 deny tcp 200.20.20.0 0.0.0.255 200.20.30.0 0.0.0.255 eq 23
8. syntax of standard ACL
access-list