Recently, a fellow network administrator asked me why his Cisco IOS access control lists (ACLs) weren't working. He was trying to use some advanced parameters in his ACLs, but something was going wrong.
I figured he couldn't be the only one out there struggling with this problem. So, I decided to discuss the proper use of Cisco IOS ACL advanced parameters this week.
The basics of Cisco IOS ACLs
Cisco IOS ACLs can be complex to configure, but it doesn't have to be so difficult. Here are some resources to help:
- "Cisco IOS access lists: 10 things you should know"
- Video: Harden your Cisco router with IOS ACLs
- Cisco's ACL command reference
When it comes to ACL basics, you need to know the principle of the three Ps. That is, you can only apply a Cisco IOS ACL:
- Per protocol (such as IP)
- Per interface (such as FastEthernet0/0)
- Per direction (such as inbound or outbound)
When traffic flows through a router, a given connection has one set of source IP address, destination IP address, and port numbers. When the response to that request returns, the source and destination IP addresses and the port numbers are reversed. For this reason, the inbound and outbound ACLs are usually mirror images of each other.
Now that we've covered this core principle of ACLs, let's move on to some more advanced ACL parameters you can use.
Compiled (Turbo) ACL
If you have long and complex ACLs, I recommend enabling the Turbo ACL feature, available on newer routers with newer IOS versions. (IOS disables this feature by default.)
With Turbo ACL, the router compiles the ACL into lookup tables held in memory, which speeds the processing of traffic through the ACL. Whenever you modify an ACL, the router recompiles it automatically. Here's how you enable Turbo ACLs:
Router(config)# access-list compiled
Time-based ACLs
You can create ACLs that apply only during a certain time range. For example, say you want to allow FTP traffic only from 8 A.M. to 5 P.M. on weekdays. You can do this with a time-based ACL: define a time range, then reference it from the ACL entries with the time-range parameter. Here's an example:
time-range ftp
 periodic weekdays 8:00 to 17:00
ip access-list extended ftpacl
 permit tcp any any eq ftp time-range ftp
 permit tcp any any eq ftp-data time-range ftp
 permit tcp any any eq www
Dynamic ACLs (lock and key)
Another name for dynamic ACLs is lock and key. With lock and key, you can trigger the creation of a dynamic ACL when you Telnet to the router. For example, say you want to allow HTTPS to a LAN switch through a router. Telnetting to the router creates a temporary (dynamic) ACL entry that allows this traffic for a limited time.
To do so, you use the dynamic parameter. Here's an example:
Router(config)# access-list 125 dynamic ....
In addition, using the autocommand access-enable command on the Telnet line will trigger the ACL. For more information, check out Cisco's Configuring Lock-and-Key Security (Dynamic Access Lists) documentation.
ACLs that only allow established TCP connections
Another interesting parameter for Cisco IOS ACLs is the established option. With the established parameter, you can create an ACL entry that matches only TCP segments that have the ACK or RST bit set. Because the first segment of a new TCP session (the SYN) has neither bit set, such an entry does not permit any TCP traffic trying to create a new session. Here's an example:
Router(config)# access-list 120 permit tcp any 126.96.36.199 0.0.0.255 established
This line, taken from a larger ACL, permits only TCP traffic going to the 188.8.131.52 network that's already established. So, it only permits responses to connections already initiated (i.e., set up) in the opposite direction.
This is similar to a stateless firewall that allows already-connected traffic; however, in this situation, the router doesn't know what that traffic actually is. It keeps no record of which sessions were opened, so it assumes that any TCP segment with ACK or RST set is a response to a real request.
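To make the established behaviour and its caveat concrete, here is a small Python model of how an IOS-style extended ACL entry with the established option classifies TCP segments. This is an added illustration, not IOS code or anything from the original article; the 10.1.1.0/24 inside network, the packets, and the helper names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of an IOS extended-ACL entry: only the fields discussed
# on this page (destination network + wildcard, optional port, established).
@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    dst_net: str                 # e.g. "10.1.1.0" (constructed inside network)
    dst_wild: str                # IOS wildcard mask, e.g. "0.0.0.255"
    established: bool = False    # match only segments with ACK or RST set
    dst_port: Optional[int] = None

@dataclass
class TcpSegment:
    src: str
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

def ip_to_int(addr: str) -> int:
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")

def wildcard_match(addr: str, net: str, wild: str) -> bool:
    # IOS wildcard semantics: a 1 bit in the mask means "don't care".
    w = ip_to_int(wild)
    return (ip_to_int(addr) | w) == (ip_to_int(net) | w)

def evaluate(acl: List[Entry], seg: TcpSegment) -> str:
    """First matching entry wins; an implicit deny follows the list, as in IOS."""
    for e in acl:
        if not wildcard_match(seg.dst, e.dst_net, e.dst_wild):
            continue
        if e.dst_port is not None and seg.dport != e.dst_port:
            continue
        if e.established and not (seg.ack or seg.rst):
            continue                       # SYN-only segments never match
        return e.action
    return "deny"

# Constructed equivalent of: access-list 120 permit tcp any 10.1.1.0 0.0.0.255 established
ACL_120 = [Entry("permit", "10.1.1.0", "0.0.0.255", established=True)]

NEW_SESSION = TcpSegment("203.0.113.5", "10.1.1.10", 22, syn=True)          # inbound SYN
REPLY       = TcpSegment("203.0.113.5", "10.1.1.10", 50000, syn=True, ack=True)  # SYN/ACK reply
UNSOLICITED = TcpSegment("203.0.113.5", "10.1.1.10", 22, ack=True)          # ACK with no prior session

def caveat_demo() -> List[str]:
    # The ACL has no session table, so the unsolicited ACK is permitted too.
    return [evaluate(ACL_120, s) for s in (NEW_SESSION, REPLY, UNSOLICITED)]
```

The third verdict is the point of the caveat in the paragraph above: the router permits any inbound segment with ACK set, whether or not an inside host ever opened that session, which is why established is not a substitute for a stateful firewall.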
One final best practice for ACLs is to always use the remark keyword to add comments to your ACLs. This lets other network admins (and your future self) understand the purpose of each ACL and how it works.
Cisco IOS ACLs offer many advanced features. With ACLs so heavily used on Cisco routers, it's important to not only know the basics but be able to use some of the more advanced features as well.
David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.