Named extended access lists
Introduction to this web page

This page contains two sample named extended access lists. Named access lists were introduced in IOS version 11.2. Both lists use "remark" to add comments to the list; "remark" was introduced in IOS version 12.

The lists aren't really complete, as they don't allow any routing protocol in on either interface. They also don't include any of the router's other configuration settings.

This isn't a script as such, because each command is shown together with the relevant prompt.

The lists are based on the following network arrangement:


The commands
router>                         enable
router#                         config t
!
router(config)#             ! Remove the previous version of the access list
!
router(config)#                 no ip access-list extended incoming-list
!
router(config)#             ! Set up the new version of the access list
!
router(config)#                 ip access-list extended incoming-list
!
!
router(config-ext-nacl)#    remark **This list is for incoming packets**
!
!
!
router(config-ext-nacl)#    remark **This section blocks packets with source addresses
router(config-ext-nacl)#    remark   that should not exist on the open internet.**
!
!
router(config-ext-nacl)#    remark **This is the loopback address**
!
router(config-ext-nacl)#        deny ip 127.0.0.0 0.255.255.255 any
!
!
router(config-ext-nacl)#    remark **This is sometimes used to mean "this" host**
!
router(config-ext-nacl)#        deny ip 0.0.0.0 0.0.0.0 any
!
!
router(config-ext-nacl)#    remark **These are the IP addresses reserved by IANA**
!
router(config-ext-nacl)#        deny ip 10.0.0.0 0.255.255.255 any
router(config-ext-nacl)#        deny ip 172.16.0.0 0.15.255.255 any
router(config-ext-nacl)#        deny ip 192.0.2.0 0.0.0.255 any
router(config-ext-nacl)#        deny ip 192.168.0.0 0.0.255.255 any
router(config-ext-nacl)#        deny ip 240.0.0.0 7.255.255.255 any
router(config-ext-nacl)#        deny ip 224.0.0.0 15.255.255.255 any
!
router(config-ext-nacl)#    remark **This is our own secure subnet address**
!
router(config-ext-nacl)#        deny ip 12x.34.56.0 0.0.0.255 any
!
router(config-ext-nacl)#    remark **This is the network address of the network backbone,
router(config-ext-nacl)#    remark   and there are no hosts on this backbone, only routers**
!
router(config-ext-nacl)#        deny  tcp 12x.34.0.0 0.0.0.255 any
router(config-ext-nacl)#        deny  udp 12x.34.0.0 0.0.0.255 any
!
!
router(config-ext-nacl)#    remark **This section permits incoming packets with 
router(config-ext-nacl)#    remark   specific port numbers.**
!
!
router(config-ext-nacl)#    remark **In addition, some entries will only allow  
router(config-ext-nacl)#    remark   an incoming packet if it is part of an 
router(config-ext-nacl)#    remark   established tcp connection - 'ack' or 'rst'
router(config-ext-nacl)#    remark   is set. This is a simple form of stateful 
router(config-ext-nacl)#    remark   packet filtering.**
!
!
router(config-ext-nacl)#    remark **Telnet**
!
router(config-ext-nacl)#        permit tcp any eq 23 12x.34.56.0 0.0.0.255 established
!
router(config-ext-nacl)#    remark **DNS**
!
router(config-ext-nacl)#        permit tcp any eq 53 12x.34.56.0 0.0.0.255 established
!
router(config-ext-nacl)#    remark **HTTP**
!
router(config-ext-nacl)#        permit tcp any eq 80 12x.34.56.0 0.0.0.255 established
!
router(config-ext-nacl)#    remark **IMAP**
!
router(config-ext-nacl)#        permit tcp any eq 143 12x.34.56.0 0.0.0.255 established
!
router(config-ext-nacl)#    remark **HTTPS**
!
router(config-ext-nacl)#        permit tcp any eq 443 12x.34.56.0 0.0.0.255 established
!
router(config-ext-nacl)#    remark **HP printers**
!
router(config-ext-nacl)#        permit udp any eq 69 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp any eq 161 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp any eq 162 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit tcp any range 9100 9102 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)#    remark **HP web admin**
!
router(config-ext-nacl)#        permit tcp any eq 8000 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp any eq 8000 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit tcp any eq 8443 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp any eq 8443 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)#    remark **These two sections allow NetBIOS only from
router(config-ext-nacl)#    remark   the two servers "Humpty" and "Dumpty" 
router(config-ext-nacl)#    remark   to any pc on the 12x.34.56.0 subnet**
!
router(config-ext-nacl)#        permit udp host 12x.34.50.80 eq 137 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit tcp host 12x.34.50.80 eq 137 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp host 12x.34.50.80 eq 138 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit tcp host 12x.34.50.80 eq 138 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp host 12x.34.50.80 eq 139 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit tcp host 12x.34.50.80 eq 139 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)#        permit udp host 12x.34.50.85 eq 137 12x.34.56.0 0.0.0.255 
router(config-ext-nacl)#        permit tcp host 12x.34.50.85 eq 137 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp host 12x.34.50.85 eq 138 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit tcp host 12x.34.50.85 eq 138 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp host 12x.34.50.85 eq 139 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit tcp host 12x.34.50.85 eq 139 12x.34.56.0 0.0.0.255
!
!
router(config-ext-nacl)#    remark **This section permits certain types of ICMP packets**
!
router(config-ext-nacl)#    remark **Allow Echo Reply packets - this could be dangerous, as 
router(config-ext-nacl)#    remark   we can't do any kind of stateful filtering on them to 
router(config-ext-nacl)#    remark   link them to outgoing Echo Request packets**
!
router(config-ext-nacl)#        permit icmp any 12x.34.56.0 0.0.0.255 echo-reply
!
!
router(config-ext-nacl)#    remark **Exit to the global configuration mode**
!
router(config-ext-nacl)#        exit
!
router(config)#             ! Remove the previous version of the access list
!
router(config)#                 no ip access-list extended outgoing-list
!
router(config)#             ! Set up the new version of the access list
!
router(config)#                 ip access-list extended outgoing-list
!
!
router(config-ext-nacl)#    remark **This list is for outgoing packets**
!
router(config-ext-nacl)#    remark **This section permits outgoing packets with 
router(config-ext-nacl)#    remark   specific port numbers.**
!
router(config-ext-nacl)#    remark **Because the source address is specified for  
router(config-ext-nacl)#    remark   every entry, packets with spoofed ip addresses
router(config-ext-nacl)#    remark   outside the secure subnet address range will
router(config-ext-nacl)#    remark   be blocked.**
!
!
router(config-ext-nacl)#    remark **Telnet**
!
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any eq 23
!
router(config-ext-nacl)#    remark **DNS**
!
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any eq 53
!
router(config-ext-nacl)#    remark **HTTP**
!
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any eq 80
!
router(config-ext-nacl)#    remark **IMAP**
!
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any eq 143
!
router(config-ext-nacl)#    remark **HTTPS**
!
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any eq 443
!
router(config-ext-nacl)#    remark **HP printers**
!
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 any eq 69
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 any eq 161
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 any eq 162
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any range 9100 9102
!
router(config-ext-nacl)#    remark **HP web admin**
!
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any eq 8000
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 any eq 8000
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any eq 8443
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 any eq 8443
!
!
router(config-ext-nacl)#    remark **These two sections allow NetBIOS only to
router(config-ext-nacl)#    remark   the two servers "Humpty" and "Dumpty" 
router(config-ext-nacl)#    remark   from any pc on the 12x.34.56.0 subnet**
!
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 137
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 137
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 138
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 138
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 139
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 139
!
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 137
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 137
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 138
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 138
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 139
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 139
!
router(config-ext-nacl)#    remark **This section permits certain types of ICMP packets**
!
router(config-ext-nacl)#    remark **Allow Echo request packets**
!
router(config-ext-nacl)#        permit icmp 12x.34.56.0 0.0.0.255 any echo
!
!
router(config-ext-nacl)#    remark **Exit to the global configuration mode**
!
router(config-ext-nacl)#        exit
!
router(config)#             ! Configure the two interfaces, and associate the
router(config)#             ! access lists with them
!
router(config)#                 interface ethernet 0
router(config-if)#              ip address 12x.34.0.35 255.255.255.0
router(config-if)#              ip access-group incoming-list in
router(config-if)#              no shutdown
router(config-if)#              exit
!
router(config)#                 interface ethernet 1
router(config-if)#              ip address 12x.34.56.1 255.255.255.0
router(config-if)#              ip access-group outgoing-list in
router(config-if)#              no shutdown
router(config-if)#              exit
router(config)#                 exit
router#                         disable
router>
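As an added illustration that is not part of the original page, the Python below parses entries written in the same IOS syntax as the lists above and evaluates constructed sample packets against them, reproducing the wildcard-mask matching, the 'established' check and the implicit deny at the end of every list. The obfuscated 12x.34 prefix is assumed to be 120.34, and the sample entries and packets are constructed for this example.

```python
from ipaddress import IPv4Address
# Constructed sample: entries from the page's incoming-list, with the obfuscated
# "12x.34" prefix written as 120.34 (an assumption, not the original network).
ACL_TEXT = """
deny ip 10.0.0.0 0.255.255.255 any
deny ip 120.34.56.0 0.0.0.255 any
permit tcp any eq 23 120.34.56.0 0.0.0.255 established
permit tcp any range 9100 9102 120.34.56.0 0.0.0.255
permit icmp any 120.34.56.0 0.0.0.255 echo-reply
"""

def _spec(tok, i):
    # address 'any' | 'host A' | 'A WILDCARD', then optional port 'eq N' | 'range LO HI'
    if tok[i] == "any":
        addr, i = (0, 0xFFFFFFFF), i + 1
    elif tok[i] == "host":
        addr, i = (int(IPv4Address(tok[i + 1])), 0), i + 2
    else:
        addr, i = (int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1]))), i + 2
    ports = range(65536)                          # no port keyword: any port matches
    if i < len(tok) and tok[i] == "eq":
        ports, i = range(int(tok[i + 1]), int(tok[i + 1]) + 1), i + 2
    elif i < len(tok) and tok[i] == "range":
        ports, i = range(int(tok[i + 1]), int(tok[i + 2]) + 1), i + 3
    return addr, ports, i
def parse_acl(text):
    entries = []
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) < 3 or tok[0] not in ("permit", "deny"):
            continue                                # remarks, prompts and blank lines
        src, sp, i = _spec(tok, 2)
        dst, dp, i = _spec(tok, i)
        entries.append((tok[0], tok[1], src, sp, dst, dp, set(tok[i:])))
    return entries
def _hit(spec, ip):   # 1-bits in the wildcard are "don't care", exactly as IOS matches
    return (int(IPv4Address(ip)) & ~spec[1]) == (spec[0] & ~spec[1])
def evaluate(entries, pkt):
    # First matching entry decides; returns (action, entry number), 0 = the implicit deny.
    for n, (action, proto, src, sp, dst, dp, opts) in enumerate(entries, 1):
        if proto not in ("ip", pkt["proto"]) or not (_hit(src, pkt["src"]) and _hit(dst, pkt["dst"])):
            continue
        if pkt.get("sport", 0) not in sp or pkt.get("dport", 0) not in dp:
            continue
        # 'established' needs ACK or RST set (a reply to a connection opened from inside);
        # a bare SYN arriving from the internet falls through to the implicit deny.
        if "established" in opts and not (pkt.get("flags", set()) & {"ack", "rst"}):
            continue
        if proto == "icmp" and opts and pkt.get("icmp") not in opts:   # opts = ICMP type
            continue
        return action, n
    return "deny", 0
```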
© 2005 Ron Turner
