Extended Access Control Lists
Extended ACLs are more flexible than standard ACLs. They give you greater control over the incoming and outgoing traffic on your network. You can specify not only source addresses but destination addresses too, as well as the type of traffic you want to permit or deny.
Extended ACLs
Extended ACLs, just like standard ACLs, allow you to permit or deny traffic from specific source IP addresses. However, extended ACLs are more precise because you can also specify whether the destination IP address is allowed to receive the traffic or not.
Even better, you can permit or deny traffic depending on the type of traffic; for example, TCP, UDP, ICMP, etc. Thus, extended ACLs are much more powerful than standard ACLs. In fact, the granularity of extended ACLs is such that you can use them as a packet-filtering firewall to protect your network.
Before proceeding further, let's freshen up on the standard TCP and UDP port numbers.
TCP Port   Protocol        UDP Port   Protocol
21         FTP             53         DNS
23         Telnet          69         TFTP
25         SMTP (mail)     161        SNMP
80         HTTP
443        Secure HTTP
It is useful to know the standard port numbers when configuring ACLs, so try this activity to see how many you can remember.
Activity C: flip-card activity on TCP and UDP port numbers.
Typically, when securing a network you would allow outgoing traffic but block incoming traffic. Of course, you might want to block your users from accessing certain sites on the Internet or stop them using particular ports so that Kazaa, messenger services, FTP etc. are blocked. However, your main concern will be to stop anyone on the Internet or other networks being able to access your internal network. If you have servers that are meant to be accessed by users on the Internet, then you would block all incoming traffic from the Internet, except the specific traffic meant for your servers.
Let's have an example:-
access-list 101 permit tcp any host 200.200.9.1 eq 80
This ACL permits traffic arriving from any source to reach a particular host with the IP address 200.200.9.1, provided the traffic type is TCP and it is destined for port 80 on the host. To remind you, web servers typically listen on port 80, so this ACL is probably meant to allow external traffic to reach a web server. All other types of traffic would be denied due to the implicit deny statement at the end of every ACL.
Let's have another example:-
access-list 101 permit tcp 200.200.9.0 0.0.0.255 any eq 80
This ACL permits traffic originating from the 200.200.9.0 network to communicate with any host, provided the traffic type is TCP and it is destined for port 80 on the destination host. You might use an ACL similar to this to allow users on your network access to web servers on the Internet. This would allow them to browse web pages and nothing else.
A couple more examples:
access-list 101 deny tcp 172.16.5.0 0.0.0.255 any eq 23
access-list 101 deny tcp any host 200.200.10.5 lt 1025
The first statement stops network 172.16.5.0/24 from receiving Telnet traffic.
The second statement stops traffic from any network reaching host 200.200.10.5 if the destination port is less than 1025. The 'lt' means 'less than'. Here are two more examples:-
access-list 101 permit tcp any host 200.200.10.5 neq 21
access-list 101 deny tcp any 200.200.10.0 0.0.0.255 gt 25
The first statement allows traffic from any network to host 200.200.10.5 provided it is not intended for destination port 21. The 'neq' means 'not equal to'.
The second statement denies incoming traffic to network 200.200.10.0 from anywhere if the destination TCP port number is greater than 25. The 'gt' means 'greater than'.
Established Traffic
Do you recall the TCP three-way handshake? A host that initiates communication with another host first sends a packet with the SYN flag set. The receiving host then sends a SYN-ACK back. The originating host then sends an ACK to finalize the handshake.
So the sequence is: SYN, SYN-ACK, ACK.
What do you suppose would happen if a rogue computer skipped the SYN part and sent a SYN-ACK packet first? A router running an ACL might think that the rogue computer was just responding to a communication from a host on the inside of the network and it might just allow the packet IN. In other words, the rogue computer would have initiated the communication from outside your network with a host or device inside your network.
To stop this sort of activity you use the established keyword. Here's an example:-
access-list 101 permit tcp any 200.200.9.0 0.0.0.255 established
This only permits incoming traffic to the 200.200.9.0 network if the connection was first initiated from a host inside the network, such as when a website is replying to the host. Any external host that tries to initiate a connection into the network from outside is rejected.
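As an added illustration that is not part of the original lesson, here is a small Python model of how a router walks an extended ACL: it parses the access-list syntax used above (any, host and wildcard-mask addresses, the eq/neq/lt/gt destination-port operators, and established) and evaluates a packet top-down with the implicit deny at the end. The packet field names and the sample packets are this example's own assumptions, not router output.

```python
import ipaddress
_ip = lambda s: int(ipaddress.ip_address(s))          # dotted quad -> 32-bit int
OPS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
       "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> (network, wildcard) ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF                            # every bit is a don't-care bit
    if tok == "host":
        return _ip(tokens.pop(0)), 0                    # every bit must match
    return _ip(tok), _ip(tokens.pop(0))
def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq|neq|lt|gt PORT] [established]'
    (destination-port form only, as on this page; no source-port operators)."""
    t = line.split()
    ace = {"action": t[2], "proto": t[3], "port": None, "established": False}
    rest = t[4:]
    ace["src"], ace["dst"] = _addr(rest), _addr(rest)  # consumed left to right
    while rest:
        tok = rest.pop(0)
        if tok in OPS:
            ace["port"] = (tok, int(rest.pop(0)))
        elif tok == "established":
            ace["established"] = True
    return ace
def _match_addr(spec, addr):
    """Cisco wildcard mask: 1 bits are don't-care; only the 0 bits must agree."""
    net, wildcard = spec
    return (_ip(addr) ^ net) & (0xFFFFFFFF ^ wildcard) == 0
def evaluate(acl, pkt):
    """Top-down, first match wins, implicit deny at the end. pkt keys: proto, src, dst,
    dport (TCP/UDP destination port), flags (set of TCP flag names, e.g. {"SYN"})."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_match_addr(ace["src"], pkt["src"]) and _match_addr(ace["dst"], pkt["dst"])):
            continue
        if ace["port"] and not OPS[ace["port"][0]](pkt["dport"], ace["port"][1]):
            continue
        # 'established' only checks that ACK or RST is set; it keeps no connection state.
        if ace["established"] and not (pkt["flags"] & {"ACK", "RST"}):
            continue
        return ace["action"]
    return "deny"
ACL_101 = [parse_ace(l) for l in (       # constructed from the page's two example rules
    "access-list 101 permit tcp any host 200.200.9.1 eq 80",
    "access-list 101 permit tcp any 200.200.9.0 0.0.0.255 established")]
```

Because established is only a flag test, pairing it with a stateful firewall is still the right place to track real connection state.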