
Securing Cisco Devices: Part I – ACLs

April 20th, 2009

Some think: I know all about ACLs. Right? Well, let's see.
I will not bother you with the standard stuff that can be found on any how-to-use-an-ACL website.

Playing around with Sequence Numbers

You probably have noticed that since some IOS release you see some sequence numbers:

Router#sh access-lists
Standard IP access list 99
    10 permit 212.90.198.7
    20 permit 192.168.12.0, wildcard bits 0.0.0.255
    30 permit 193.100.0.0, wildcard bits 0.0.0.15
    40 deny   any

Your problem: you need to put another permit statement at the very beginning of the ACL.
The ACL is attached to an interface, and you should know what happens if you remove the ACL to update it (no access-list 99; access-list 99 permit …): while the list does not exist the interface passes everything, and as soon as the first line is re-entered the half-built list with its implicit deny applies. Yes: you will probably shoot yourself in the foot. Bad idea.

By using sequence numbers you can – guess what – add another sequence:

Router(config)#ip access-list standard 99
Router(config-std-nacl)#5 permit 1.1.1.1

Router#sh access-lists
Standard IP access list 99
    5 permit 1.1.1.1
    10 permit 212.90.198.7
    20 permit 192.168.12.0, wildcard bits 0.0.0.255
    30 permit 193.100.0.0, wildcard bits 0.0.0.15
    40 deny   any

You can also remove a sequence:

Router(config)#ip access-list standard 99
Router(config-std-nacl)#no 5

In case you have no sequence numbers left where you want to put something in between, you may renumber / resequence the list:

Router(config)#ip access-list resequence 99 100 50
Router(config)#do sh access-list 99
Standard IP access list 99
    100 permit 1.1.1.1
    150 permit 212.90.198.7
    200 permit 192.168.12.0, wildcard bits 0.0.0.255
    250 permit 193.100.0.0, wildcard bits 0.0.0.15
    300 deny   any

In this example 100 is the start number and 50 the step.
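The procedure above (find a gap, insert, or resequence first when there is none) is easy to get wrong by hand on a long list. As an added helper that is not part of the original post, the following Python script parses "show access-lists" output, picks a free sequence number in front of a chosen entry, and falls back to "ip access-list resequence" when no gap is left. The sample listing and the start/step values 100/50 are constructed from the examples on this page.

```python
import re

# Constructed sample of "show access-lists" output (the list from this page).
SAMPLE = """Standard IP access list 99
    10 permit 212.90.198.7
    20 permit 192.168.12.0, wildcard bits 0.0.0.255
    30 permit 193.100.0.0, wildcard bits 0.0.0.15
    40 deny   any
"""

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(?:permit|deny)\b")


def parse_acl(text):
    """Return (kind, name, [sequence numbers]) from one ACL's show output."""
    kind = name = None
    seqs = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            kind, name = h.group(1).lower(), h.group(2)
            continue
        e = ENTRY_RE.match(line)
        if e:
            seqs.append(int(e.group(1)))
    if kind is None or not seqs or seqs != sorted(seqs):
        raise ValueError("expected a single, ordered ACL listing")
    return kind, name, seqs


def gap_before(seqs, before_seq):
    """Midpoint of the free range just below before_seq, or None if no gap."""
    idx = seqs.index(before_seq)          # ValueError if the entry is unknown
    lower = seqs[idx - 1] if idx else 0
    return None if before_seq - lower < 2 else lower + (before_seq - lower) // 2


def plan_insert(text, before_seq, ace, start=100, step=50):
    """Config lines that place `ace` in front of entry `before_seq` without
    ever removing the ACL from the interface; resequences first if needed."""
    if step < 2:
        raise ValueError("step must leave room for later inserts")
    kind, name, seqs = parse_acl(text)
    idx = seqs.index(before_seq)
    lines = []
    seq = gap_before(seqs, before_seq)
    if seq is None:
        # No free number: renumber the whole list, then recompute the slot.
        lines.append(f"ip access-list resequence {name} {start} {step}")
        seqs = [start + step * i for i in range(len(seqs))]
        seq = gap_before(seqs, seqs[idx])
    lines += [f"ip access-list {kind} {name}", f"{seq} {ace}"]
    return lines
```

Running plan_insert(SAMPLE, 10, "permit 1.1.1.1") reproduces the "5 permit 1.1.1.1" insert shown above.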

Access list & Interfaces?

If you want to know which access lists are applied on a specific interface, just ask your device:

Router#show ip access-lists interface loop22 
Extended IP access list T2 in
    10 permit tcp any host 1.2.3.4 eq smtp
Extended IP access list T1 out
    10 permit icmp any any

TCP-Flags & TTL

Cisco became more flexible in 12.4(something)T: you can filter by TTL, DSCP values or even TCP flags:

Router(config)# ip access-list extended T3
Router(config-ext-nacl)#permit icmp any any ttl lt 20
Router(config-ext-nacl)#permit udp any any dscp af31
Router(config-ext-nacl)#permit tcp any any match-all +ack +fin -psh

The first example permits all ICMP packets with a TTL less than 20 (the lt keyword is strictly less than), the second matches any UDP traffic with a DSCP value of AF31, and the last permits TCP segments that have the ACK and FIN bits set but not the PSH bit (match-all requires every listed flag condition to hold).

Using Objects?

If you're used to working with object groups: Cisco IOS 12.4(22)T allows them in ACLs. The group is defined with the object-group command (not as a standard ACL) and then referenced from the extended ACL:

Router(config)#object-group network SERVERS
Router(config-network-group)#host 1.1.1.1
Router(config-network-group)#host 2.2.2.2
Router(config-network-group)#exit
Router(config)#ip access-list extended FWPOLICY
Router(config-ext-nacl)#permit icmp any object-group SERVERS

Cisco ACL Editor

If you google around, there are plenty of tools like FWBuilder or Gareth's Cisco ACL Editor and Simulator that you can use to build an access list that fits your requirements.

  1. paul
    August 25th, 2009 at 06:48 | #1

    Hi Steven,
    This command did not work for me: show ip access-lists interface loop22. It is not taking the interface part. 12.4(13a) is my version.

  2. September 3rd, 2009 at 21:55 | #2

    @paul
    Probably because this feature just exists in the T-train.

  3. Kathir
    May 15th, 2012 at 17:59 | #3

    The topic “Using Objects?” is wrong.
    After “object-group” we cannot apply an ACL directly.
    We have to create object-groups (two types: network, services) and then we can apply them.
