This tutorial explains Cisco ACL’s with an example.
What is ACL
ACL, which stands for access control lists, is a security feature, which is available on routers and firewalls, which is used for access restriction based on information available in a TCP/IP packet like IP address, port numbers etc. The feature is configured based on requirements and is used to deny or permit TCP/IP packets based on IP networks, addresses and known applications.
TCP/IP Packet structure
A TCP/IP packet consists of 4 layers. An access control lists looks into the information in the transport and internet layer. This includes parameters like IP addresses and port numbers. A wireshark capture of a TCP/IP packet is shown below. The packet is a detailed analysis of the FTP protocol.
The IP header consists of two predominant fields which is the source and destination IP address. In the above capture, the source ip address is 192.168.1.25 and the destination IP address is 192.168.1.100.
The source port and the destination port are the two most predominant fields in the TCP header.
The source port 21 signifies FTP protocol and the destination port is a random port assigned by the operating system. ACL’s use these information to make decisions to deny or permit a particular packet.
Understanding packet directions
In the above diagram, when PC1 pings PC2, the source IP address in the packet would contain the IP address 192.168.1.2 and the destination IP address would contain the IP address 192.168.2.2. The packet first goes to E0, and then exits from the E1 interface before it reaches PC1.
When the packet hits the E0 interface, the direction of the packet is inbound to E0 interface as it is going towards the E0 interface. When the same packet exits the E1 interface, the direction of the packet is outbound from E1 as it is going away from the E1 interface. ACL’s works on the direction of the packet. There are predominantly two type of ACL’s, which are inbound and outbound.
Inbound ACL’s are used to permit or deny inbound packets and outbound ACL’s are used to permit or deny outbound packets. The detailed analysis of how ACL;s work is explained below.
Types of ACL
ACL implementations differ based on the type of the product vendor on which it is applied. Cisco platforms have standard and extended ACL’s. Standard ACL’s look into the source IP address in the IP header to make a decision. Extended ACL’s look into the source and destination IP address in the IP header, along with the port number in the transport layer header. Standard ACL’s are useful in scenarios when a specific host or network has to be allowed or denied. Extended ACL’s are useful in scenarios, where traffic to and from specific host or networks and to applications need to be allowed or denied.
How ACL’s work.
As IP addresses are configured with subnet masks, ACL;s is configured with wildcard masks. Wild card masks are used by ACL’s to identify, the parts in an IP address which is to be permitted or denied. The following example shows how wild card masks are used for allowing or blocking network addresses and host addresses.
Wild card masks
An ACL has to be configured which would deny packets from the network, 192.168.1.0/24. For this purpose, the wild card mask of 0.0.0.255 is used. When an IP packet arrives, the ACL would be look into the source address and apply the wild card mask. Assuming that the source address is 192.168.1.2, the first three octets are 0 in the wild card mask. This would make the ACL check and verify the first three octets in the IP address, to ensure that it matches with the required network address of 192.168.1 and the last octet is ignored, as 255 values, which is all 1’s in the last octet, would make the ACL ignore the bites in the last octet.
The end result would be that all hosts belonging to the 192.168.1.0 network would be denied. Similarly a wild card mask of 255.255.255.255 is used for allowing or blocking a host address.
Cisco ACL Configuration steps with example
The following are the steps which are followed for ACL configuration on a Cisco router. The first step is to create an acl with the required parameters. For example to block a network address, the acl number is provided along with the network address and the wild card mask. To block the network address 192.168.1.0/24 the following config is provided.
(config)#access-list 1 deny ip 192.168.1.0 0.0.0.255, where 1 is the access-list number, 192.168.1.0/24 is the network address and 0.0.0.255 is the wild card mask number. After the ACL is created, it is applied on the appropriate interface as inbound or outbound.
(config)#interface fastethernet 0/1
(config-if)#ip access-group 1 in.
In the above command the access list number 1 is created as inbound on the interface fastethernet 0/1.