If you work with Cisco routers, you’re more than likely familiar with Cisco IOS access control lists (ACLs). But that doesn’t mean you know all there is to know about these important gatekeepers. Access lists are an integral part of working with routers, and they’re vital to security.
Recently, a fellow network administrator asked me why his Cisco IOS access control lists (ACLs) weren’t working.
He was trying to use some advanced parameters in his ACLs, but something was going wrong.
I figured he couldn’t be the only one out there struggling with this problem. So, I decided to discuss the proper use of Cisco IOS ACL advanced parameters this week.
When it comes to ACL basics, you need to know the principle of the three Ps. That is, you can only apply a Cisco IOS ACL:
- Per protocol (such as IP)
- Per interface (such as FastEthernet0/0)
- Per direction (such as inbound or outbound)
When a request flows through a router, it carries one set of source IP address, destination IP address, and port numbers.
When the response to that request comes back, the source IP address, destination IP address, and port numbers are reversed.
For this reason, the inbound and outbound ACLs on an interface are usually mirror images of each other.
Now that we’ve covered this core principle of ACLs, let’s move on to some more advanced ACL parameters you can use.
Compiled (Turbo) ACL
If you have long and complex ACLs, I recommend enabling the Turbo ACL feature, available on newer routers with newer IOS versions. (The IOS disables this feature by default.)
With Turbo ACL, tables built into the router’s memory help the router speed the processing of traffic through ACLs.
Whenever you modify an ACL, the router recompiles it automatically. Here’s how you enable Turbo ACLs:

```
Router(config)# access-list compiled
```
Time-based ACLs
You can create ACL entries that apply only during a certain time range.
For example, say you want to allow FTP traffic only from 8 A.M. to 5 P.M.
You can do this with a time-based ACL, using the time-range parameter.
Here’s an example:

```
time-range ftp
 periodic weekdays 8:00 to 17:00
ip access-list extended ftpacl
 permit tcp any any eq ftp time-range ftp
 permit tcp any any eq ftp-data time-range ftp
 permit tcp any any eq www
```
Dynamic ACLs (lock and key)
Another name for dynamic ACLs is lock and key. With lock and key, you can trigger the creation of a dynamic ACL entry when you Telnet to the router.
For example, say you want to allow HTTPS to a LAN switch through a router.
Telnetting to the router creates a temporary (dynamic) ACL entry that allows this traffic for a limited time.
To do so, you use the dynamic parameter. Here’s an example:

```
Router(config)# access-list 125 dynamic ...
```
In addition, configuring the autocommand access-enable command on the Telnet line is what triggers the dynamic ACL entry.
For more information, check out Cisco’s Configuring Lock-and-Key Security (Dynamic Access Lists) documentation.
ACLs that only allow established TCP connections
Another interesting parameter for Cisco IOS ACLs is the established option.
With the established parameter, you can create an ACL entry that matches only TCP traffic with the ACK or RST bit set.
Because the first segment of a new TCP session carries only the SYN bit, such an entry never permits an attempt to open a new TCP session. Here’s an example:
```
Router(config)# access-list 120 permit tcp any 18.104.22.168 0.0.0.255 established
```
This line, taken from a larger ACL, permits only TCP traffic going to the 22.214.171.124 network that’s already established.
So, it only permits responses to connections already initiated (i.e., set up) in the opposite direction.
This is similar to a stateless firewall that allows already-connected traffic;
however, in this situation the router keeps no connection state: it simply assumes that any TCP segment with ACK or RST set is the response to a real request.
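To make the two semantics above concrete (time-range entries that switch off outside their window, and established entries that match only ACK/RST segments, plus the inbound/outbound mirror rule from the start of the article), here is a small Python evaluator. It is an added example written for this page, not code from the article or from Cisco: the Packet and TimeRange types, evaluate(), the helper functions and every address in it (RFC 5737 documentation space) are this example's own assumptions, and it models only the ACL keywords the article uses.

```python
"""Added example (not article or Cisco code): a toy evaluator for the IOS extended-ACL
keywords discussed above (eq, established, time-range).  Packet, TimeRange, evaluate()
and every address below are this example's own assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Tuple
import ipaddress

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "https": 443}   # IOS port keywords used here

@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp", ...
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]     # TCP flag names, e.g. {"SYN"} or {"ACK"}
    when: datetime            # when the router sees the packet

@dataclass(frozen=True)
class TimeRange:
    days: str                 # models 'periodic weekdays H:MM to H:MM'
    start: Tuple[int, int]
    end: Tuple[int, int]      # end minute treated as inclusive (assumption of this example)

    def active(self, when: datetime) -> bool:
        if self.days == "weekdays" and when.weekday() > 4:   # Mon=0 .. Fri=4
            return False
        return self.start <= (when.hour, when.minute) <= self.end

def _parse_addr(tok, i):
    """'any' or 'A.B.C.D W.W.W.W' (address plus wildcard mask) -> (matcher, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    base, wild = int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))
    # Wildcard semantics: every bit that is 0 in the mask must equal the base address.
    return (lambda ip: ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF) == 0), i + 2

def _parse_port(tok, i):
    # Optional 'eq NAME|NUMBER' qualifier; absent means any port.
    if i < len(tok) and tok[i] == "eq":
        port = int(tok[i + 1]) if tok[i + 1].isdigit() else PORT_NAMES[tok[i + 1]]
        return (lambda p: p == port), i + 2
    return (lambda p: True), i

def parse_entry(line: str) -> dict:
    """ACTION PROTO SRC [eq P] DST [eq P] [established] [time-range NAME] -> entry dict."""
    tok = line.split()
    e = {"action": tok[0], "proto": tok[1], "established": False, "time_range": None}
    e["src"], i = _parse_addr(tok, 2)
    e["sport"], i = _parse_port(tok, i)
    e["dst"], i = _parse_addr(tok, i)
    e["dport"], i = _parse_port(tok, i)
    while i < len(tok):
        if tok[i] == "established":
            e["established"], i = True, i + 1
        elif tok[i] == "time-range":
            e["time_range"], i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r}")
    return e

def evaluate(acl, pkt: Packet, ranges) -> str:
    """Top-down, first match wins; an unmatched packet hits the implicit deny."""
    for e in acl:
        if e["proto"] not in ("ip", pkt.proto):
            continue
        if not (e["src"](pkt.src) and e["sport"](pkt.sport) and e["dst"](pkt.dst) and e["dport"](pkt.dport)):
            continue
        if e["established"] and not (pkt.flags & {"ACK", "RST"}):   # a fresh SYN never matches
            continue
        if e["time_range"] and not ranges[e["time_range"]].active(pkt.when):   # window closed
            continue
        return e["action"]
    return "deny"

def reply_to(pkt: Packet) -> Packet:
    """Return traffic for a request: addresses and ports swapped, ACK set (the mirror rule)."""
    return Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport, frozenset({"ACK"}), pkt.when)

# The article's time-based ACL, plus an established-only line for a constructed
# 192.0.2.0/24 LAN (RFC 5737 documentation space; no address here comes from the article).
RANGES = {"ftp": TimeRange("weekdays", (8, 0), (17, 0))}
FTP_ACL = [parse_entry(l) for l in ("permit tcp any any eq ftp time-range ftp",
                                    "permit tcp any any eq ftp-data time-range ftp",
                                    "permit tcp any any eq www")]
INBOUND_ACL = [parse_entry("permit tcp any 192.0.2.0 0.0.0.255 established")]
OUTSIDE_HOST, LAN_HOST = "198.51.100.9", "192.0.2.10"   # constructed Internet-side and LAN hosts

def decide(acl_name: str, src: str, dst: str, dport: int, flags, when_iso: str) -> str:
    """Judge one TCP segment (src -> dst:dport, given flags, ISO-8601 time) by the named ACL."""
    acl = {"ftpacl": FTP_ACL, "inbound": INBOUND_ACL}[acl_name]
    pkt = Packet("tcp", src, dst, 40001, dport, frozenset(flags), datetime.fromisoformat(when_iso))
    return evaluate(acl, pkt, RANGES)

def mirror_demo(when_iso: str) -> str:
    """The LAN host opens HTTPS outbound; its mirrored reply is judged by the inbound ACL."""
    request = Packet("tcp", LAN_HOST, OUTSIDE_HOST, 40002, 443, frozenset({"SYN"}), datetime.fromisoformat(when_iso))
    return evaluate(INBOUND_ACL, reply_to(request), RANGES)
```

Running `decide("ftpacl", OUTSIDE_HOST, LAN_HOST, 21, {"SYN"}, "2024-03-05T10:00")` (a Tuesday) returns permit, the same call on "2024-03-09T10:00" (a Saturday) falls through to the implicit deny, and `decide("inbound", OUTSIDE_HOST, LAN_HOST, 80, {"SYN"}, ...)` is denied while `mirror_demo(...)` is permitted. The last pair is the caveat from the paragraph above in code: the inbound line never looks at whether a matching outbound request was actually sent, so any segment carrying ACK or RST toward the LAN is accepted on trust.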
One final best practice for ACLs is to always use the remark keyword to make comments in your ACLs.
This practice lets other network admins (and your future self) understand the purpose of each ACL and how it works.
Cisco IOS ACLs offer many advanced features.
With ACLs so heavily used on Cisco routers, it’s important to not only know the basics but be able to use some of the more advanced features as well.