The Quick Definition: Access lists (also known as access control or router lists) are used to regulate traffic entering and leaving networks. Access lists can be set up for all protocols, including IP.
What is an extended access listing?
Extended Access Control Lists, or ACLs, are the gatekeepers of your network. They allow or deny traffic depending on protocol, port number and source. There are many customization options. This example will show you how to use ACLs in order to prevent a particular source from accessing a targeted computer via certain ports.
How to set up an ACL
Imagine a computer (192.168.1.50 as illustrated) trying to gain unauthorized access to 192.168.2.50 via HTTPS and HTTPS — and that you want it to stop.
You don’t want all traffic between these IP addresses to be stopped. This will result in a network outage. Instead, limit traffic between ports. HTTP is port 80. HTTPS is port 443.
Learn how to become a security expert with SPOTO’s Cybersecurity Training
Start training
First, you need to identify the source IP address. In this case, it is the unauthorized 192.168.1.50. You will first need to block traffic from that IP address. This can be done with a wildcard filter, which acts as a filter within the source subgroup.
In another post, you can learn more about wildcard masks. In this example, it is important to know that entering 0.0.0.0 here will prevent access from any octets of the IP address. This would block all access attempts from the subnet 192.168.1. However, the illustrated example only has one host. If you enter “host”, it doesn’t ask for a mask, but instead asks you for a destination.
Setting the Destination
Once the target has been identified, it is time to enter the restricted destination. This ACL, in its current form will block all TCP traffic between the 192.168.1.50 address and the 192.168.2.50 address. You don’t want that. This is where port-specific functionality comes in handy.
These statements will deny ports access to your network.
Router1# conf
Router1 (config)# access-list 150 host 192.168.1.15 deny tcp eq 80
Router1 (config)# access-list 150 denial tcp host 192.168.2.50 eq 443
The first statement blocks the target at port80 of the destination. The second statement repeats this process for HTTPS. This is port 443. The keyword “EQ”, which stands for equal to, allows you to enter specific ports.
To verify the list, call the list (“Show Access List”) and you will get the two new statements.
Router1(config)#do sh access-list 150
Extended IP access list 150
10 deny tcp 192.168.1.50 host 192.168.2.50 eq www
20 deny tcp 192.168.1.50 host 192.168.2.50 eq 443.
The first statement denies that the first host can connect with the second via port 80 (HTTP), while the second denies that same using port 443(HTTPS). The ACL now contains the necessary instructions. The configuration isn’t finished and cannot be applied to an interface.
Negating the “Deny All”
An ‘Implicit DeNY ALL’ statement is located at the end of each ACL. This statement is not displayed in the configuration, nor when you run the “show access-list” command. It is ALWAYS there. If you add the two above deny statements, the implicit deny statement will block access and cause a network outage. This can be fixed by adding a permit statement to the ACL.
Bring up Access List 150 (the number assigned for this list) and add “Permit”. Configure the permit so that IP from any source can be included at any destination address. Allowing all variations in the statement means that the “deny all” function is no longer necessary and will cause an outage. Instead, the only two deny statements that you have created will apply and all traffic will be allowed.
R
Networking Basics: Configuring Extended Acces Lists on Cisco Routers