Securing Cisco Devices: Part I – ACLs
Some think: I know all about ACLs. Right? Well, let's see.
I will not bother you with the standard stuff, which can be found on any how-to-use-an-ACL website.
Playing around with Sequence Numbers
You probably have noticed that since some IOS release you see sequence numbers:
Router#sh access-lists
Standard IP access list 99
    10 permit 212.90.198.7
    20 permit 192.168.12.0, wildcard bits 0.0.0.255
    30 permit 193.100.0.0, wildcard bits 0.0.0.15
    40 deny any
Your problem: you need to put another permit statement at the very beginning of the ACL.
The ACL is applied to an interface, and you should know what happens if you remove the ACL (no access-list 99; access-list 99 permit …) to update it: while the list is empty, the interface filters nothing. Yes, you will probably shoot yourself in the foot. Bad idea.
By using sequence numbers you can – guess what – add another sequence:
Router(config)#ip access-list standard 99
Router(config-std-nacl)#5 permit 1.1.1.1
Router#sh access-lists
Standard IP access list 99
    5 permit 1.1.1.1
    10 permit 212.90.198.7
    20 permit 192.168.12.0, wildcard bits 0.0.0.255
    30 permit 193.100.0.0, wildcard bits 0.0.0.15
    40 deny any
You can also remove a sequence:
Router(config)#ip access-list standard 99
Router(config-std-nacl)#no 5
If no free sequence number is left where you want to insert an entry, you can renumber (resequence) the list:
Router(config)#ip access-list resequence 99 100 50
Router(config)#do sh access-list 99
Standard IP access list 99
    100 permit 1.1.1.1
    150 permit 212.90.198.7
    200 permit 192.168.12.0, wildcard bits 0.0.0.255
    250 permit 193.100.0.0, wildcard bits 0.0.0.15
    300 deny any
In this example 100 is the start number and 50 the step.
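As an added example (my own helper, not code from the original post), the following Python script parses a constructed "show access-lists" block in the format shown above and builds the IOS commands that insert an entry in front of a given sequence number without detaching the list: it takes the midpoint of the free gap, or resequences first (start 100, step 50, as in the post) when no number is free.

```python
import re
# Constructed sample, mirroring the 'show access-lists' output in the post.
SHOW_OUTPUT = """\
Standard IP access list 99
    10 permit 212.90.198.7
    20 permit 192.168.12.0, wildcard bits 0.0.0.255
    30 permit 193.100.0.0, wildcard bits 0.0.0.15
    40 deny   any
"""

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)")
ACE_RE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.+?)\s*(\(\d+ matches\))?$")

def parse_show(output):
    """Return (kind, name, [(seq, action, match), ...]) for one ACL block."""
    kind = name = None
    aces = []
    for line in output.splitlines():
        h = HEADER_RE.match(line)
        if h:
            kind, name = h.group(1).lower(), h.group(2)
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append((int(m.group(1)), m.group(2), m.group(3)))
    return kind, name, sorted(aces)

def insert_before(kind, name, aces, before_seq, ace_text, start=100, step=50):
    """IOS commands that place ace_text in front of before_seq while the list
    stays applied. The entry takes the midpoint of the free gap; if no number
    is free, the list is resequenced first and the slot is recomputed."""
    seqs = [s for s, _, _ in aces]
    if before_seq not in seqs:
        raise ValueError(f"no entry with sequence {before_seq} in {name}")
    idx = seqs.index(before_seq)
    prev = seqs[idx - 1] if idx else 0
    cmds = []
    if prev + 1 >= before_seq:  # no free sequence number left in this gap
        cmds.append(f"ip access-list resequence {name} {start} {step}")
        seqs = [start + i * step for i in range(len(seqs))]
        prev = seqs[idx - 1] if idx else 0
    new_seq = (prev + seqs[idx]) // 2
    cmds += [f"ip access-list {kind} {name}", f"{new_seq} {ace_text}"]
    return new_seq, cmds

if __name__ == "__main__":
    kind, name, aces = parse_show(SHOW_OUTPUT)
    print("\n".join(insert_before(kind, name, aces, 10, "permit 1.1.1.1")[1]))
```

Run against the sample it reproduces the post's "5 permit 1.1.1.1"; with entries 5 and 6 adjacent it emits the resequence command first and then uses 125.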
Access list & Interfaces?
If you want to know which access-lists are applied on a specific interface, just ask your device:
Router#show ip access-lists interface loop22
Extended IP access list T2 in
    10 permit tcp any host 1.2.3.4 eq smtp
Extended IP access list T1 out
    10 permit icmp any any
TCP-Flags & TTL
Cisco became more flexible in 12.4(something)T: you can filter by TTL, DSCP values or even TCP flags:
Router(config)#ip access-list extended T3
Router(config-ext-nacl)#permit icmp any any ttl lt 20
Router(config-ext-nacl)#permit udp any any dscp af31
Router(config-ext-nacl)#permit tcp any any match-all +ack +fin -psh
The first example permits all ICMP packets with a TTL less than or equal to 20, the second matches any UDP traffic with a DSCP value of AF31, and the last permits TCP traffic with the ACK and FIN bits set but without the PSH bit.
Using Objects?
If you are used to object groups: since Cisco IOS 12.4(22)T you can use them in ACLs as well. Define the group with object-group network, then reference it in the ACE:
Router(config)#object-group network SERVERS
Router(config-network-group)#host 1.1.1.1
Router(config-network-group)#host 2.2.2.2
Router(config-network-group)#exit
Router(config)#ip access-list extended FWPOLICY
Router(config-ext-nacl)#permit icmp any object-group SERVERS
Cisco ACL Editor
If you google around, you will find plenty of tools, such as FWBuilder or Gareth's Cisco ACL Editor and Simulator, that you can use to build an access-list that fits your requirements.