
INTERNATIONAL JOURNAL OF NETWORK MANAGEMENT
Int. J. Network Mgmt. 9, 151–154 (1999)

Working with Cisco Access Lists

By Gilbert Held

The first line of defense of a network is accomplished through the creation of a router access list. This paper examines the creation and application of Cisco access lists and explains why they must be applied to an interface to go into effect. Copyright 1999 John Wiley & Sons, Ltd.

One of the more famous quotations of General Douglas MacArthur was ‘in war there is no substitute for victory’. While the famous general passed on prior to the explosion in the use of the Internet, we can paraphrase his quotation for modern communications by saying that ‘for Internet security there is no substitute for a firewall’. Unfortunately, many organizations that are connecting numerous geographically separated locations to the Internet cannot afford to install a firewall at each location. While this inability to install numerous firewalls is primarily a financial decision, it can also reflect a personnel resource decision. The installation, operation, and maintenance associated with firewalls can rapidly consume the time of network technicians, adversely affecting their ability to perform other network-related functions. Recognizing the fact that although firewalls can provide a significant level of protection their use may be impractical, organizations are re-examining the use of router access lists as a protection mechanism.

In this article I will focus my attention on Cisco access lists. Although many vendors manufacture routers, with some providing equivalent to superior performance to Cisco products, it is a fact of life that Cisco Systems routers currently dominate the market for Internet access. However, other router vendors incorporate an equivalent access list capability which primarily differs from Cisco equipment in the syntax of access list commands. Thus, while the general information presented in this article is applicable to all routers supporting an access list capability, the specific router configurations are only applicable to Cisco routers.

Access List Overview

An access list represents a sequential group of permit and deny conditions. By itself an access list has no effect upon the operation of a router. To become effective the access list must be applied to an interface, a process referred to as effecting a policy. Unfortunately, one of the more common security holes results from persons initially constructing an access list failing to apply the list to an interface.


The construction of an access list requires you to configure your router. To do so you should be in the router’s privileged mode by entering the command ‘enable’ and the appropriate router password. Once this is accomplished, you will receive the prompt ‘router#’, with the pound sign (#) used to signify you are in the router’s privileged mode of operation.

Although you can enter commands on a line-by-line basis, you should probably consider creating your access lists using a text editor or word processor and saving the list as an ASCII file. Once this is accomplished you can then upload your configuration via a telnet connection or via a PC to the serial port of the router. Concerning the latter, it is important to note that many Cisco router console ports have a DB-15 connector and function as a DTE interface. This means you will need a DB-15 to DB-25 cross-over cable, since the serial ports of PCs and other terminal devices also function as DTEs.

Gilbert Held is the Editor-in-Chief of the International Journal of Network Management.

Correspondence to: Gilbert Held, 4-Degree Consulting, 4736 Oxford Road, Macon, GA 31210, USA.

Email: [email protected]

Copyright 1999 John Wiley & Sons, Ltd. CCC 1055–7148/99/030151–04$17.50

Types of Access Lists

Cisco routers support two types of access lists—standard and extended. A standard access list is used to permit or deny data flow based upon an address. In comparison, an extended access list enables permission and denial of data flow to be extended to specific protocols or groups of protocols. Although access lists can be configured to support a number of protocols, I will focus my attention on the TCP/IP protocol suite in this article since that is the only protocol supported by the Internet.

Standard Access List

The command format or syntax for an access list is as follows:

access-list list# {permit|deny} source source-mask

The list# represents an integer between 1 and 99 which you will use to define one or more permit and/or deny condition(s) as being in an access list. Source represents the source IP address defined in dotted decimal notation, while source-mask provides you with the ability to denote wildcards by setting appropriate bits in the source-mask. Similar to the source, the source-mask is also entered in dotted-decimal notation.

A source-mask of 0.0.0.0 is implied, which means that the permit or deny condition is then applicable to a specific address. By setting appropriate bits in the source-mask you can create different wildcard effects. For example, since a Class C address uses three bytes for the network portion and one byte for the host portion of an address, you can create a wildcard for all hosts on a Class C network by entering the network address for the source entry and the source-mask of 0.0.0.255. Since my old professor’s expression ‘the proof of the pudding is in the eating’ is as appropriate to access lists as to the turbine course he taught, let’s turn our attention to a few examples.

Figure 1 illustrates a small Class C network with two servers and a number of workstations connected to the Internet. In this example, the network has the IP address of 205.131.73.0, while the servers have the addresses 205.131.73.15 and 205.131.73.23, respectively.

To illustrate the use of access lists, let’s assume your organization has another location connected to the Internet. Let’s further assume that that location has the Class C network address 205.137.141.0 and you desire to allow any host on that network access to either server on your 205.131.73.0 network.

When working with Cisco access lists it is important to note that access list 0 is a predefined default list. That access list permits all IP addresses and represents the default access list for every router interface. It is also important to note you can apply an access list to a particular interface. To do so you would use the ip access-group command whose format is as follows:

ip access-group list#

Returning to our network example, you can enter the following access list configuration commands:

access-list 5 permit 205.137.141.0 0.0.0.255
access-list 5 deny 0.0.0.0 255.255.255.255

The first command entry takes advantage of the fact that address bits that are set to 1 in the source-mask correspond to a wildcard and are ignored in the comparison. Thus, the source mask of 0.0.0.255 tells the router to ignore the host portion of the Class C network address of 205.137.141.0. The second command entry can be left off as each IP access list implicitly denies all other access. However, it is quite customary to include this redundant command as it can serve as an indication of the end of the list. Now that we have a general appreciation for the use of the standard access list, let’s turn our attention to the use of extended access lists.

Figure 1. Connecting a LAN to the Internet

Extended Access Lists

In our previous example the use of a standard access list only allowed permit/deny operations to be based upon IP addresses. In today’s computing and communications environment, many servers perform multiple tasks, creating a requirement to enable or disable access to different services supported by a server. In addition, workstation users may have certain restrictions associated with their ability to perform different tasks, either by policy or due to technical issues. As an example of server services, many Internet Web servers can also be configured to support Telnet, FTP, Gopher, and other applications. However, you may wish to place controls on the ability of different locations as well as the general population of persons with Internet access to access each application. Similarly, you may wish to restrict the ability of different workstation users to surf the Web, send or receive email, transfer files via FTP, and perform other IP applications. To accomplish such tasks requires the use of one or more extended access lists which extend a router’s filtering capability from IP addresses to protocol and port number filtering. The general format or syntax of an extended access list is as follows:

access-list list# {permit|deny} protocol source source-mask destination destination-mask [operator operand] [established]

When using extended access lists, the list number must be between 100 and 199. The source represents the Internet source IP address in dotted decimal notation and the source mask functions as previously described. The destination and destination-mask represent dotted-decimal IP addresses which enable you to configure the router to perform filtering based upon the destination address of each packet. The protocol entry permits you to specify a protocol for matching, such as TCP, UDP, ICMP, or IP, the latter being all inclusive. The optional arguments ‘operator’ and ‘operand’ provide you with the ability to further define router filtering by using such operators as ‘lt’, ‘gt’, ‘eq’, and ‘neq’ against port numbers. For example, suppose server 2 in Figure 1 is a Web server and you only want to permit Internet access to that device. You would then enter the following extended access list:

access-list 110 permit tcp 0.0.0.0 255.255.255.255 205.131.73.23 0.0.0.0 eq 80

In this example 80 represents the port used byHTTP.


Depending upon the version of software supported by your router, you may be able to considerably simplify your extended access list. For example, under certain versions of Cisco software the keyword ‘any’ can be used to replace the source entry ‘0.0.0.0 255.255.255.255’ (every address), and the keyword ‘host’ followed by an address replaces that address with a mask of 0.0.0.0. You could therefore reduce your extended access list to the following entry:

access-list 110 permit tcp any host 205.131.73.23 eq 80

One additional keyword in the extended access list, ‘established’, is only applicable for the TCP protocol. When added to an extended access list, established causes a match to occur if a TCP datagram has an ACK or RST bit set, indicating an established connection. When no match occurs on a TCP datagram that meets the other criteria in an access list, this would represent the initial TCP datagram used to form a connection, and access list processing would skip the command and examine other command entries in your access list to determine if a connection is permitted.

Putting It Together

Now that we have a general appreciation of the format and use of standard and extended access lists, let’s extend our knowledge by configuring bi-directional filters to control both access to server 2 from the Internet community as well as the ability of users on the LAN to surf the net. Concerning the latter, let’s assume you want to enable the internal users on your LAN, with the exception of server 1, to establish TCP connections to any host connected to the Internet. Because the router illustrated in Figure 1 has two ports, you can establish an access list to control the data flow on each interface. Because data is received via the Internet, you can associate the serial port with one access list. Since you want to restrict data flow from your Ethernet LAN, you can set up a second access list and associate that list to the router’s Ethernet interface. For example, your first access list to permit inbound data to server 2 and associate the access list to the serial port would be entered as follows:

access-list 110 permit tcp any host 205.131.73.23 eq 80
interface serial 0
ip access-group 110

To control communications from your Ethernet to the Internet, you could enter the following router commands:

access-list 120 deny tcp host 205.131.73.15 any
access-list 120 permit tcp 205.131.73.0 0.0.0.255 any
interface ethernet 0
ip access-group 120

In the preceding example note that you first deny host 205.131.73.15 from transmitting TCP datagrams. The ‘host’ keyword is equivalent to a source-mask of 0.0.0.0, which means that the denial is only applicable to that host. Because access lists are processed top-down, the next command permits all hosts on network 205.131.73.0 (source-mask 0.0.0.255) to transfer datagrams; however, since host 15 was previously denied, the two command line entries in effect permit all hosts other than host 15 to transmit TCP datagrams to the Internet. Finally, the ‘interface’ and ‘ip access-group’ commands apply access list 120 to the Ethernet interface.
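As an added illustration of the wildcard-mask, extended-list and top-down processing behaviour described in the Standard Access List, Extended Access Lists and Putting It Together sections (constructed example code, not from the article and not Cisco’s implementation), the following Python evaluator parses access-list entries in the syntax shown above and applies them top-down, first match wins, with the implicit deny at the end. The interface and direction to which a list is bound with ip access-group are assumed to be handled outside this model.

```python
import ipaddress
import operator
# Constructed evaluator (not Cisco code) for the access-list syntax in this
# article: wildcard masks, any/host/established keywords, top-down first match.

def wildcard_match(addr, entry, mask):
    # Cisco wildcard mask: a 1 bit in the mask means "ignore this bit".
    a, e, m = (int(ipaddress.IPv4Address(x)) for x in (addr, entry, mask))
    return (a | m) == (e | m)

def _take_addr(tokens):  # consume 'any', 'host X' or 'X [MASK]' (mask defaults to 0.0.0.0)
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, (tokens.pop(0) if tokens and tokens[0].count(".") == 3 else "0.0.0.0")

PORT_OPS = {"eq": operator.eq, "neq": operator.ne, "lt": operator.lt, "gt": operator.gt}

def parse_ace(line):  # one standard (1-99) or extended (100-199) access-list entry
    t = line.lower().split()
    assert t[0] == "access-list"
    ace = {"list": int(t[1]), "action": t[2], "proto": "ip", "port": None,
           "dst": ("0.0.0.0", "255.255.255.255"), "established": False}
    rest = t[3:]
    if ace["list"] >= 100:        # extended: protocol, source, destination, port
        ace["proto"] = rest.pop(0)
        ace["src"] = _take_addr(rest)
        ace["dst"] = _take_addr(rest)
        if rest and rest[0] in PORT_OPS:
            ace["port"] = (rest.pop(0), int(rest.pop(0)))
        ace["established"] = bool(rest) and rest[0] == "established"
    else:                         # standard: source address only
        ace["src"] = _take_addr(rest)
    return ace

def ace_matches(ace, pkt):  # pkt: proto, src, dst and, for TCP/UDP, dport and ack
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    if ace["port"] and not PORT_OPS[ace["port"][0]](pkt["dport"], ace["port"][1]):
        return False
    return not ace["established"] or pkt.get("ack", False)  # 'established' needs ACK/RST

def evaluate(acl_lines, pkt):  # top-down, first match wins; no match is the implicit deny
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed copy of the article's outbound list 120 (host .15 is denied first).
ACL_120 = ["access-list 120 deny tcp host 205.131.73.15 any",
           "access-list 120 permit tcp 205.131.73.0 0.0.0.255 any"]
```

Feeding a packet from host .15 through ACL_120 hits the deny entry first, while a UDP packet from any LAN host reaches the end of the list and falls to the implicit deny.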

Summary

While this brief introduction is not intended to replace a detailed examination of appropriate router manuals, it was written to provide you with some examples of the ease of creating and applying access lists. By carefully constructing appropriate router access lists you can create a simple barrier to data flow that may be sufficient to meet your organization’s requirements in a timely and cost effective manner. Although I can again paraphrase General MacArthur by stating that, with respect to Internet security, ‘there is no substitute for a firewall’, organizations requiring 10, 20, or 50 or more Internet connections to provide e-mail access and Web browsing to employees may elect to depend upon router access lists. By carefully examining your organization’s communications requirements you may determine that access lists may be sufficient to satisfy your networking requirements.
