
Creating Static Packet Filters Using ACLs

Network Security Using Cisco IOS Firewalls

© 2008 Cisco Systems, Inc. All rights reserved. IINS v1.0—3-1


Access Control Lists

[Figure: a router connecting the Internet, a DMZ (web server and mail server), a Human Resources network and a Research and Development network (Host A, Host B); an X marks traffic being blocked.]

ACLs control traffic in and out of routers and firewalls.
Mitigating Threats Using ACLs

You can use ACLs to mitigate many threats:


 IP address spoofing
– Inbound
– Outbound
 DoS TCP SYN attacks
– Blocking external attacks
– Using TCP intercept
 DoS smurf attacks
 Filtering ICMP messages
– Inbound
– Outbound
– Filtering traceroute



Outbound ACL Operation

[Figure: flowchart of outbound ACL processing. A packet arrives on S0. Is there a routing table entry? No: discard the packet and notify the sender. Yes: choose the outbound interface. Is an outbound ACL applied to that interface? No: forward the packet out the interface (S1). Yes: test the ACL statements in order. Permit? Yes: forward the packet. No: discard the packet (packet discard bucket) and notify the sender.]

If no ACL statement matches, discard the packet.
Inbound ACL Operation

[Figure: inbound packet processing steps as shown on the slide: check the inbound ACL; decrypt, if necessary; routing.]

If no ACL statement matches, discard the packet.


A List of Tests—Deny or Permit

[Figure: flowchart of how an ACL in the access group tests packets on the interface(s). Match the first test? Yes: deny or permit as that statement says. No: match the next test(s)? Yes: deny or permit. No: match the final test? Yes: deny or permit. No: implicit deny; if no statement matches, deny all and discard the packet (packet discard bucket). Permitted packets continue to the destination interface(s).]


Types of IP ACLs

Cisco routers support two basic types of IP access lists:


 Standard
– Filters IP packets based on the source address only
– Generally permits or denies the entire protocol suite
 Extended
– Filters IP packets based on several attributes:
   Protocol type
   Source and destination IP addresses
   Source and destination TCP or UDP ports
   ICMP and IGMP message types


Identifying ACLs

Cisco routers can identify ACLs using two methods:

 Number
– The number of the ACL determines which protocol it is filtering.
– 1 to 99 and 1300 to 1999 define standard IP ACLs.
– 100 to 199 and 2000 to 2699 define extended IP ACLs.
 Name
– Names have been available since Cisco IOS Release 11.2.
– Names contain alphanumeric characters.
– Names cannot contain spaces or punctuation and must begin with an alphabetic character.
– Named ACLs enable you to add or delete individual entries within the ACL.
IP Access List Entry Sequence Numbering

 Requires Cisco IOS Release 12.3
 Allows you to edit the order of ACL statements using sequence numbers
– With Cisco IOS Releases prior to 12.3, a text editor is often used to create and edit ACL statements; the statements are then copied into the router in the correct order.
 Allows you to remove a single ACL statement from the list using a sequence number
– With named ACLs prior to Cisco IOS Release 12.3, you must use the no {deny | permit} protocol source source-wildcard destination destination-wildcard command to remove an individual statement.
– With numbered ACLs prior to Cisco IOS Release 12.3, you must remove the entire ACL to remove a single ACL statement.


ACL Configuration Guidelines

 Standard or extended indicates what can be filtered.
 Only one ACL per interface, per protocol, per direction is allowed.
 The order of ACL statements controls testing; therefore, the most specific statements go at the top of the list.
 The last ACL test is always an implicit deny-everything-else statement, so every list needs at least one permit statement.
 ACLs are created globally and then applied to interfaces for inbound or outbound traffic.
 An ACL can filter traffic going through the router, or traffic to and from the router, depending on how it is applied.
 When placing ACLs in the network, do the following:
– Place extended ACLs close to the source.
– Place standard ACLs close to the destination.


Wildcard Bits—How to Check the Corresponding Address Bits

Octet bit position and address value for each bit: 128 64 32 16 8 4 2 1

Examples (wildcard octet, bit by bit):
0 0 0 0 0 0 0 0   Match all address bits (match all)
0 0 1 1 1 1 1 1   Ignore last 6 address bits
0 0 0 0 1 1 1 1   Ignore last 4 address bits
1 1 1 1 1 1 0 0   Match last 2 address bits
1 1 1 1 1 1 1 1   Do not check address (ignore all bits in octet)

 0 means to match the value of the corresponding address bit
 1 means to ignore the value of the corresponding address bit


Wildcard Bits to Match IP Subnets

Match for IP subnets 172.30.16.0/24 to 172.30.31.0/24.

Address and wildcard mask:

172.30.16.0 0.0.15.255
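As an added example (not from the Cisco course material), the following Python derives the address and wildcard mask for an aligned block of subnets such as the one above, refuses a block that a single address/wildcard pair cannot express, and applies the bit test the slides describe (0 = must match, 1 = ignored) to individual addresses:

```python
# Added example, not part of the course material: wildcard-mask derivation
# and matching for Cisco IOS style "address wildcard" pairs.
import ipaddress


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_for_range(first_net: str, last_net: str) -> tuple:
    """Return (address, wildcard) covering first_net's first address through
    last_net's last address. Raises ValueError when the block is not an
    aligned power-of-two range, because one wildcard cannot express it."""
    lo = int(ipaddress.IPv4Network(first_net).network_address)
    hi = int(ipaddress.IPv4Network(last_net).broadcast_address)
    size = hi - lo + 1
    if size & (size - 1) or lo % size:
        raise ValueError("range is not an aligned power-of-two block")
    # The low bits vary across the block, so they are the "ignore" (1) bits.
    return _str(lo), _str(size - 1)


def matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard test: every bit whose wildcard bit is 0 must be equal."""
    must_match = 0xFFFFFFFF ^ _int(wildcard)
    return (_int(addr) & must_match) == (_int(base) & must_match)


if __name__ == "__main__":
    base, wc = wildcard_for_range("172.30.16.0/24", "172.30.31.0/24")
    print(base, wc)                      # 172.30.16.0 0.0.15.255
    # Boundary probes: the two just outside the block must not match.
    for probe in ("172.30.16.1", "172.30.31.254", "172.30.15.255", "172.30.32.0"):
        print(probe, matches(probe, base, wc))
```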


Wildcard Bit Mask Abbreviations

 172.30.16.29 0.0.0.0 matches all of the address bits.
 Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29).
 0.0.0.0 255.255.255.255 ignores all address bits.
 Abbreviate the expression with the keyword any.


Numbered Standard IPv4 ACL Configuration

r1(config)#
access-list access-list-number {permit | deny | remark} source [mask] [log]
 Uses 1 to 99 for the access-list-number parameter.
 The first entry is assigned a sequence number of 10, and successive entries are incremented by 10.
 The default wildcard mask is 0.0.0.0 (standard ACLs only).
 no access-list access-list-number removes the entire ACL.
 remark lets you add a description to the ACL.

r1(config-if)#
ip access-group access-list-number {in | out}
 Activates the list on an interface.
 Sets inbound or outbound testing.
 no ip access-group access-list-number {in | out} removes the ACL from the interface.


Numbered Standard IPv4 ACL

[Figure: router r1 with E0 toward 172.16.3.0, E1 toward 172.16.4.0 (host 172.16.4.13) and S0 toward the non-172.16.0.0 side.]

Deny a specific subnet:

r1(config)#access-list 1 deny 172.16.4.0 0.0.0.255
r1(config)#access-list 1 permit any
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)

r1(config)#interface ethernet 0
r1(config-if)#ip access-group 1 out


Applying Standard ACLs to Control vty Access

r1(config-line)#
access-class access-list-number {in | out}
 Restricts incoming or outgoing connections between a particular vty and the addresses in an ACL

Example:
access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny any)
!
line vty 0 4
access-class 12 in
 Permits only hosts in network 192.168.1.0 0.0.0.255 to connect to the router vty lines


Numbered Extended IPv4 ACL Configuration

r1(config)#
access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
 Sets parameters for this list entry

r1(config-if)#
ip access-group access-list-number {in | out}
 Activates the extended list on an interface


Established Command

r1(config)#
access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

 The established option allows TCP traffic to pass with existing connections.

r1(config)#access-list 102 permit tcp any host 200.1.1.2 established
r1(config)#access-list 102 permit tcp any host 200.1.1.2 eq smtp
r1(config)#interface serial 0
r1(config-if)#ip access-group 102 in
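As an added illustration (not from the course material), the following Python models how access-list 102 above classifies individual TCP segments arriving inbound on serial 0. The established keyword matches segments with the ACK or RST flag set, so it admits replies to connections opened from inside, but it checks flags, not connection state, which is the gap that stateful inspection closes. The packets are constructed dicts and the flag values are the standard TCP flag bits.

```python
# Added example, not part of the course material: first-match evaluation of
# access-list 102 against constructed TCP segments.
ACK, RST, SYN = 0x10, 0x04, 0x02
MAIL_SERVER = "200.1.1.2"          # host on the slide


def _established(p: dict) -> bool:
    # IOS "established" is true when the ACK or RST bit is set.
    return bool(p["flags"] & (ACK | RST))


def _smtp(p: dict) -> bool:
    return p["dport"] == 25         # eq smtp


# Entries in slide order: (action, predicate) for
#   permit tcp any host 200.1.1.2 established
#   permit tcp any host 200.1.1.2 eq smtp
ACL_102 = [
    ("permit", lambda p: p["dst"] == MAIL_SERVER and _established(p)),
    ("permit", lambda p: p["dst"] == MAIL_SERVER and _smtp(p)),
]


def segment(src: str, dst: str, dport: int, flags: int) -> dict:
    return {"src": src, "dst": dst, "dport": dport, "flags": flags}


def filter_tcp(acl: list, pkt: dict) -> str:
    """Walk the list top-down; first match decides, else implicit deny."""
    for action, test in acl:
        if test(pkt):
            return action
    return "deny (implicit)"


if __name__ == "__main__":
    # Constructed sample traffic from an outside host (198.51.100.7).
    samples = {
        "new SMTP connection to the mail server": segment("198.51.100.7", MAIL_SERVER, 25, SYN),
        "reply to a connection the mail server opened": segment("198.51.100.7", MAIL_SERVER, 40001, SYN | ACK),
        "new connection to port 80 on the mail server": segment("198.51.100.7", MAIL_SERVER, 80, SYN),
        "ACK-only segment to port 80 (flag check only)": segment("198.51.100.7", MAIL_SERVER, 80, ACK),
        "reset aimed at a different host": segment("198.51.100.7", "200.1.1.9", 443, RST),
    }
    for label, pkt in samples.items():
        print(f"{label}: {filter_tcp(ACL_102, pkt)}")
```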


Displaying ACLs

Router#
show access-lists {access-list-number | access-list-name}

r1#show access-lists
Extended IP access list 102
    permit ip any host 128.88.1.6
Extended IP access list mailblock
    permit tcp any 128.88.0.0 0.0.255.255 established

r1#show ip interfaces e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is mailblock
  Inbound access list is 102
  Proxy ARP is enabled
  <text omitted>
Guidelines for Developing ACLs

 Base the ACL on the security policy.


 Write it out on paper.
– Write out what you need the ACL to accomplish.
– Think about the potential problems that the ACL
might cause.
 Set up a development system.
– This allows you to copy and paste statements easily.
– It also allows you to develop a library of ACLs.
– Store the files as ASCII text files.
 Apply ACLs to a router and test.
– If at all possible, run your ACLs in a test environment before
placing them into production.



ACL Caveats

Statement: Caveat
Implicit deny all: You may not see this statement, but it does exist.
Standard ACL limitation: You may need to create extended ACLs to implement security policies.
Order of ACL statements: Place more specific ACL statements higher in the access list. Ensure that statements at the top of the ACL do not negate any statements found lower in the list.
Directional filtering: Always double-check the direction (inbound or outbound) of the data that your ACL is filtering.

ACL Caveats (Cont.)

Statement: Caveat
Modifying numbered ACLs: Adding new statements may require that a new ACL be created (Cisco IOS Release 12.2 and earlier).
Router-generated special packets: If filtering router-generated packets is part of the security policy, they must be acted upon by inbound ACLs on adjacent routers or through other router filter mechanisms using ACLs.
Extended ACL placement: Always consider placing extended ACLs on routers as close as possible to the source being filtered.
Standard ACL placement: Always place standard ACLs as close to the destination as possible.


ACL Editor—Access Rules

Configure > Additional Tasks > ACL Editor > Access Rules
[Screenshot: Cisco SDM ACL Editor, Access Rules page]

Standard Rule
[Screenshot: Cisco SDM, adding a standard rule]

Associate with an Interface
[Screenshot: Cisco SDM, associating the standard rule with an interface]

Extended Rule
[Screenshot: Cisco SDM, adding an extended rule]

Associate with an Interface
[Screenshot: Cisco SDM, associating the extended rule with an interface]


Routing Protocol Entries

r1(config)#access-list 120 permit eigrp host 192.168.1.1 any
r1(config)#access-list 120 permit ospf host 192.168.1.1 any
r1(config)#access-list 120 permit udp host 192.168.1.1 any eq rip


IP Address Spoof Mitigation—Inbound

r1(config)#access-list 150 deny ip 0.0.0.0 0.255.255.255 any
r1(config)#access-list 150 deny ip 10.0.0.0 0.255.255.255 any
r1(config)#access-list 150 deny ip 127.0.0.0 0.255.255.255 any
r1(config)#access-list 150 deny ip 172.16.0.0 0.15.255.255 any
r1(config)#access-list 150 deny ip 192.168.0.0 0.0.255.255 any
r1(config)#access-list 150 deny ip 224.0.0.0 15.255.255.255 any
r1(config)#access-list 150 deny ip host 255.255.255.255 any
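The two source-address examples on these slides, the standard access-list 1 (deny 172.16.4.0 0.0.0.255, then permit any) and the inbound anti-spoofing entries of access-list 150 above, can be checked with the following added Python evaluator (not part of the course material). It parses both command forms, walks the list top-down with first-match semantics and applies the implicit deny. Because the slide shows only the deny portion of access-list 150, a legitimate source is dropped too until a permit entry follows; the trailing "permit ip any any" the code appends for that comparison is a constructed assumption, not part of the slide.

```python
# Added example, not part of the course material: first-match evaluation of
# the source-address entries shown on the slides (standard and extended "ip").
import ipaddress


def _int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def parse_entry(line: str) -> tuple:
    """Return (action, base, wildcard) for one access-list command line."""
    tok = line.replace("r1(config)#", "").split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list command: {line}")
    action, rest = tok[2], tok[3:]
    if rest and rest[0] == "ip":         # extended entry: skip the protocol
        rest = rest[1:]
    if rest[0] == "any":                 # any == 0.0.0.0 255.255.255.255
        return action, 0, 0xFFFFFFFF
    if rest[0] == "host":                # host x == x 0.0.0.0
        return action, _int(rest[1]), 0
    base = _int(rest[0])
    # Standard ACLs default the wildcard to 0.0.0.0 when it is omitted.
    has_wc = len(rest) > 1 and rest[1][0].isdigit()
    return action, base, (_int(rest[1]) if has_wc else 0)


def evaluate(acl: list, src: str) -> str:
    """First matching entry wins; no match means the implicit deny."""
    s = _int(src)
    for action, base, wc in (parse_entry(l) for l in acl):
        if (s | wc) == (base | wc):      # bits where wc is 1 are ignored
            return action
    return "deny (implicit)"


# The slide's inbound anti-spoofing entries, verbatim.
ANTI_SPOOF_150 = [
    "access-list 150 deny ip 0.0.0.0 0.255.255.255 any",
    "access-list 150 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 150 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 150 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 150 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 150 deny ip 224.0.0.0 15.255.255.255 any",
    "access-list 150 deny ip host 255.255.255.255 any",
]
# Constructed assumption: what a complete list would add after the denies.
WITH_PERMIT = ANTI_SPOOF_150 + ["access-list 150 permit ip any any"]

if __name__ == "__main__":
    for src in ("10.1.2.3", "172.31.255.1", "224.0.0.5", "192.0.2.10"):
        print(src, evaluate(ANTI_SPOOF_150, src), "/", evaluate(WITH_PERMIT, src))
```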


IP Address Spoof Mitigation—Outbound

r1(config)#access-list 105 permit ip 10.0.1.0 0.0.0.255 any

Be a good citizen and prevent your network from participating in spoofing.
Filtering ICMP Messages—Inbound

r1(config)#access-list 112 permit icmp any any echo-reply
r1(config)#access-list 112 permit icmp any any source-quench
r1(config)#access-list 112 permit icmp any any unreachable
r1(config)#access-list 112 deny icmp any any


Filtering ICMP Messages—Outbound

r1(config)#access-list 114 permit icmp 16.2.1.0 0.0.0.255 any echo
r1(config)#access-list 114 permit icmp 16.2.1.0 0.0.0.255 any parameter-problem
r1(config)#access-list 114 permit icmp 16.2.1.0 0.0.0.255 any packet-too-big
r1(config)#access-list 114 permit icmp 16.2.1.0 0.0.0.255 any source-quench
Permitting Common Services

r1(config)#access-list 122 permit udp any host 172.16.2.2 eq domain
r1(config)#access-list 122 permit tcp any host 172.16.2.2 eq smtp
r1(config)#access-list 122 permit tcp any host 172.16.2.2 eq ftp
Router Service Traffic

r1(config)#access-list 180 permit tcp host 192.168.1.1 host 10.0.1.11 eq telnet
r1(config)#access-list 180 permit tcp host 192.168.1.1 host 10.0.1.11 eq 22
r1(config)#access-list 180 permit udp host 192.168.1.1 host 10.0.1.11 eq syslog
r1(config)#access-list 180 permit udp host 192.168.1.1 host 10.0.1.11 eq snmptrap
Summary

 ACLs provide packet filtering for routers and firewalls to protect internal networks from the outside world.
 In a wildcard bit mask, 0 means match the corresponding address bit and 1 means ignore the corresponding address bit.
 You must apply packet filtering ACLs to a router interface for the ACL to take effect.
 It is important to remember the implicit deny all statement at the end of every ACL.
 ACLs can be used to block access to historically vulnerable services.
 Cisco SDM can be used to configure detailed ACLs to address any number of scenarios.