Back to Basics : Access-Lists and Types

Today I am going to talk about Access-Lists and how we can use them in our network. Access-Lists are used in many ways: there are different ways to apply them, and each type of Access-List has its own configuration.

Before we start with the various access lists, let's talk about what an Access-List actually is and why it is used. An Access-List is a way to filter the IP packets entering or leaving the network. With Access-Lists you can permit or deny IP packets on the basis of IP addresses, names, protocols and so on, and the router then forwards or drops traffic according to the set of rules we authorised.

Below is just a sample diagram showing the use of Access-Lists; it has no relation to any of the configurations used below.

Sample Diagram showing Access-Lists

We have different kinds of Access-Lists, and I will give a short note and the configuration for each of them one by one. These access-lists are:

  • Standard Access-Lists
  • Extended Access-Lists
  • IP Named Access-Lists
  • Lock and Key Access-Lists
  • Reflexive Access-Lists
  • Context-Based Access Control
  • Turbo Access-Lists

Let's go through them one by one, with a short description followed by the configuration of each Access-List. The IP addresses and interfaces used in the examples below are for explanation purposes only and have no relation to any live or enterprise network environment.

Standard Access-Lists
Standard Access-Lists control traffic by comparing only the source address of the IP packets to the addresses configured in the ACL. The numbered range is 1-99. Below is the configuration of a Standard Access-List:

!
interface Ethernet0/0 
ip address 10.1.1.1 255.255.255.0 
ip access-group 1 in
access-list 1 permit 10.1.1.0 0.0.0.255 
!

Extended Access-Lists
Extended ACLs control traffic by comparing both the source and destination addresses of the IP packets (and, as the example shows, the protocol, port or ICMP type) to the entries configured in the ACL. The numbered range is 101-199. Below is the configuration of an Extended Access-List:

!
interface Ethernet0/1 
ip address 172.16.1.2 255.255.255.0 
ip access-group 101 in 
access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo 
access-list 101 permit ip any 10.1.1.0 0.0.0.255
!
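To show how the entries above are actually evaluated, here is an added example (not code from the original post) that simulates IOS-style ACL matching for the numbered standard and extended ACLs shown so far: wildcard masks, top-down first-match evaluation, and the implicit deny at the end of every list. The service-name and ICMP-type tables are an assumed subset, and the sample packets are constructed.

```python
"""Added example: a small simulator for Cisco-style numbered ACL evaluation.
Not code from the original post; it models wildcard masks, top-down
first-match evaluation and the implicit deny at the end of every ACL."""
import ipaddress

# Service and ICMP-type names used in IOS ACL syntax (assumed subset).
PORT_NAMES = {"telnet": 23, "ftp": 21, "tftp": 69, "syslog": 514, "ntp": 123, "www": 80}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' == network 0.0.0.0 wildcard 255.255.255.255


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(network) & care)


def parse_address(tokens):
    """Consume one address spec ('any', 'host X' or 'X WILDCARD'); return ((net, wild), rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' line into (N, rule dict)."""
    tokens = line.split()
    assert tokens[0] == "access-list"
    number = int(tokens[1])
    rule = {"action": tokens[2], "proto": "ip", "src": ANY, "dst": ANY,
            "dport": None, "icmp_type": None}
    rest = tokens[3:]
    if 1 <= number <= 99:                       # standard ACL: source address only
        rule["src"], rest = parse_address(rest)
        return number, rule
    rule["proto"] = rest[0]                     # extended ACL: protocol, source, destination
    rule["src"], rest = parse_address(rest[1:])
    rule["dst"], rest = parse_address(rest)
    if rest[:1] == ["eq"]:
        rule["dport"] = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    elif rest and rule["proto"] == "icmp":
        rule["icmp_type"] = ICMP_TYPES[rest[0]] if rest[0] in ICMP_TYPES else int(rest[0])
    return number, rule


def load_acls(config_lines):
    """Group ACEs by ACL number, preserving configuration order."""
    acls = {}
    for line in config_lines:
        number, rule = parse_ace(line)
        acls.setdefault(number, []).append(rule)
    return acls


def matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *rule["src"]):
        return False
    if not wildcard_match(pkt["dst"], *rule["dst"]):
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    if rule["icmp_type"] is not None and pkt.get("icmp_type") != rule["icmp_type"]:
        return False
    return True


def evaluate(acl, pkt):
    """Top-down, first match wins; no match means the implicit 'deny' at the end of the list."""
    for rule in acl:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"


# The two numbered ACLs from the post, exactly as written there.
ACLS = load_acls([
    "access-list 1 permit 10.1.1.0 0.0.0.255",
    "access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo",
    "access-list 101 permit ip any 10.1.1.0 0.0.0.255",
])

# Constructed sample packets.
PING_IN = {"proto": "icmp", "src": "172.16.1.5", "dst": "10.1.1.7", "icmp_type": 8}
PING_REPLY_IN = {"proto": "icmp", "src": "172.16.1.5", "dst": "10.1.1.7", "icmp_type": 0}
TELNET_IN = {"proto": "tcp", "src": "172.16.1.5", "dst": "10.1.1.7", "dport": 23}
TELNET_OUT = {"proto": "tcp", "src": "10.1.1.7", "dst": "172.16.1.5", "dport": 23}

if __name__ == "__main__":
    for name, pkt in [("ping", PING_IN), ("ping reply", PING_REPLY_IN),
                      ("telnet in", TELNET_IN), ("telnet out", TELNET_OUT)]:
        print(f"ACL 101 {name:>10}: {evaluate(ACLS[101], pkt)}")
    # Order matters: with the two entries of ACL 101 swapped, the deny is never reached.
    print("ACL 101 reversed, ping:", evaluate(list(reversed(ACLS[101])), PING_IN))
```

The last line of the script is the point worth remembering when writing ACLs: because evaluation stops at the first match, placing the broad permit ip any entry before the specific deny makes the deny dead, and a packet that matches nothing at all is dropped by the implicit deny rather than forwarded.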

IP Named Access-Lists
Named ACLs allow standard and extended ACLs to be given descriptive names instead of numbers; the entries use the same syntax as the numbered lists above. Below is a configuration example showing how to configure one in the network.

!
interface Ethernet0/0 
ip address 10.1.1.1 255.255.255.0 
ip access-group in_to_out in
!
ip access-list extended in_to_out 
permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet 
!

Lock and Key Access-Lists
Lock-and-key is a traffic-filtering security feature that dynamically filters IP protocol traffic. It is configured using IP dynamic extended access lists and can be used in conjunction with standard access lists and static extended access lists. In the example below, a user first authenticates over Telnet (login local); the access-enable autocommand then inserts a temporary entry from the dynamic list mytestlist with an idle timeout of 5 minutes, while the dynamic list itself has an absolute timeout of 120 minutes. Note that without the host keyword on access-enable, the temporary entry is created exactly as written (here permit ip any any) rather than being restricted to the authenticating user's source address. Below is a configuration example showing how to configure it in the network.

!
interface ethernet0
ip address 172.18.23.9 255.255.255.0
ip access-group 101 in
access-list 101 permit tcp any host 172.18.21.2 eq telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0
login local
autocommand access-enable timeout 5
!

Reflexive Access-Lists
Reflexive access lists contain condition statements (entries) that define criteria for permitting IP packets. These entries are evaluated in order, and when a match occurs, no more entries are evaluated. What distinguishes them is that the entries are created dynamically: when an outbound packet matches an entry carrying the reflect keyword, a temporary mirrored entry permitting the return traffic of that session is added to the named reflexive list (tcptraffic below), which the inbound ACL consults through its evaluate entry. Entries are removed after the configured timeout. Below is a configuration example showing how to configure it in the network.

!
ip reflexive-list timeout 120 
!    
interface Ethernet0/1
 ip address 172.16.1.2 255.255.255.0
 ip access-group inboundfilters in
 ip access-group outboundfilters out 
!
ip access-list extended inboundfilters
permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
evaluate tcptraffic 
!
ip access-list extended outboundfilters
permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 
permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic
!
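The following added example (not code from the original post) simulates the stateful behaviour of the inboundfilters / outboundfilters configuration above: an outbound TCP packet that matches the reflect entry records its mirror image in the tcptraffic list, the inbound evaluate entry permits only packets matching a live mirrored 5-tuple, and entries expire after the 120-second timeout. The refresh of the timer on matching traffic and the sample Telnet session are assumptions and constructed data, not taken from the post.

```python
"""Added example: a simulation of how a reflexive ACL creates temporary
return-traffic entries. Not code from the original post; a simplified model
of the inboundfilters / outboundfilters configuration shown above."""
import ipaddress

REFLEXIVE_TIMEOUT = 120   # seconds, as in 'ip reflexive-list timeout 120'


def in_net(addr, network, wildcard):
    """Cisco wildcard match: bits that are 0 in the wildcard must be equal."""
    as_int = lambda a: int(ipaddress.IPv4Address(a))
    care = ~as_int(wildcard) & 0xFFFFFFFF
    return (as_int(addr) & care) == (as_int(network) & care)


def static_match(entry, pkt):
    return (entry["proto"] == pkt["proto"]
            and in_net(pkt["src"], *entry["src"])
            and in_net(pkt["dst"], *entry["dst"]))


class ReflexiveFilter:
    """Holds the named reflexive lists; entries are exact 5-tuples with an expiry time."""

    def __init__(self, timeout=REFLEXIVE_TIMEOUT):
        self.timeout = timeout
        self.lists = {}          # name -> list of [mirrored 5-tuple, expiry]

    def outbound(self, acl, pkt, now):
        """Apply the outbound ACL; a matching 'reflect' entry records the session's mirror image."""
        for entry in acl:
            if static_match(entry, pkt):
                if entry["action"] == "permit" and entry.get("reflect"):
                    mirror = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
                    self.lists.setdefault(entry["reflect"], []).append([mirror, now + self.timeout])
                return entry["action"]
        return "deny"                                   # implicit deny

    def inbound(self, acl, pkt, now):
        """Apply the inbound ACL; an 'evaluate' entry consults the live reflexive entries."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        for entry in acl:
            if "evaluate" in entry:
                live = [e for e in self.lists.get(entry["evaluate"], []) if e[1] > now]
                self.lists[entry["evaluate"]] = live     # expired entries are dropped
                for e in live:
                    if e[0] == key:
                        e[1] = now + self.timeout        # assumption: matching traffic refreshes the timer
                        return "permit"
                continue                                 # no temporary entry: keep evaluating
            if static_match(entry, pkt):
                return entry["action"]
        return "deny"                                   # implicit deny


# The two named ACLs from the post, as rule dictionaries.
NET_A = ("10.1.1.0", "0.0.0.255")
NET_B = ("172.16.1.0", "0.0.0.255")
OUTBOUND = [
    {"action": "permit", "proto": "icmp", "src": NET_A, "dst": NET_B},
    {"action": "permit", "proto": "tcp", "src": NET_A, "dst": NET_B, "reflect": "tcptraffic"},
]
INBOUND = [
    {"action": "permit", "proto": "icmp", "src": NET_B, "dst": NET_A},
    {"evaluate": "tcptraffic"},
]


def run_scenario():
    """Constructed session: a Telnet connection from 10.1.1.2 to 172.16.1.9 and its replies."""
    fw = ReflexiveFilter()
    syn_out = {"proto": "tcp", "src": "10.1.1.2", "sport": 40000, "dst": "172.16.1.9", "dport": 23}
    reply_in = {"proto": "tcp", "src": "172.16.1.9", "sport": 23, "dst": "10.1.1.2", "dport": 40000}
    other_in = {"proto": "tcp", "src": "172.16.1.9", "sport": 23, "dst": "10.1.1.2", "dport": 40001}
    return {
        "unsolicited reply before session": fw.inbound(INBOUND, reply_in, now=0),
        "outbound SYN": fw.outbound(OUTBOUND, syn_out, now=1),
        "reply during session": fw.inbound(INBOUND, reply_in, now=2),
        "reply to a different port": fw.inbound(INBOUND, other_in, now=3),
        "reply after timeout": fw.inbound(INBOUND, reply_in, now=2 + REFLEXIVE_TIMEOUT + 1),
    }


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:<35} {verdict}")
```

The scenario makes the defensive value visible: inbound TCP is only ever permitted as the exact reverse of a session the inside host opened, so the same packet is dropped before the session exists, dropped when it targets a different port, and dropped again once the entry has timed out, while the static ICMP entry is unaffected by the reflexive state.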

Context-Based Access Control
CBAC inspects traffic that travels through the firewall in order to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists for the return traffic of those sessions. In the example below, sessions leaving Ethernet0/1 are inspected (ip inspect myfw out) and the inbound ACL 111 only needs static entries for the traffic that is not part of an inspected session. Below is a configuration example showing how to configure it in the network.

!
ip inspect name myfw ftp timeout 3600 
ip inspect name myfw http timeout 3600 
ip inspect name myfw tcp timeout 3600 
ip inspect name myfw udp timeout 3600 
ip inspect name myfw tftp timeout 3600      
interface Ethernet0/1 
       ip address 172.16.1.2 255.255.255.0 
       ip access-group 111 in 
       ip inspect myfw out      
!
access-list 111 deny icmp any 10.1.1.0 0.0.0.255 echo 
access-list 111 permit icmp any 10.1.1.0 0.0.0.255 
!

Turbo Access-Lists
The Turbo ACL feature is designed to process ACLs more efficiently in order to improve router performance. Use the access-list compiled global command to enable Turbo ACLs. Below is a configuration example of a compiled ACL.

!
access-list compiled
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq ftp
access-list 101 permit udp host 10.1.1.2 host 172.16.1.1 eq syslog
access-list 101 permit udp host 10.1.1.2 host 172.16.1.1 eq tftp
access-list 101 permit udp host 10.1.1.2 host 172.16.1.1 eq ntp
!