Manucomp Systems
Advanced Access Control Lists
Assumptions:

internal network: 63.36.9.0

access-list 101 - applied to traffic leaving the office (outgoing)
access-list 102 - applied to traffic entering the office (incoming)

ACL 101:
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 102:
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established

We will create an ACL that allows the users in our office to access the Internet using a range of common ports. As the example above shows, so far we have only specified individual ports.

Port Ranges
In the example you see the keyword 'eq' before the port is declared. This is short for 'equal to'. The other port operators are:

· gt - greater than: matches every port above the number that follows it.

· lt - less than: matches every port below the number that follows it.

· range - an inclusive port range: after the keyword range, enter the first port in the range, a space, and then the last port in the range.

Commenting
As your access lists grow and become more complex, it is a good idea to add comments. Adding a comment is as simple as beginning the comment line with an exclamation point.

Filter Masks
Using filter masks allows you to group IP addresses together instead of having to specify each IP address individually. For example, if you had five servers whose addresses were 10.10.10.1 - 10.10.10.5, it would be easy to grant or deny access to all five with only one line in the access list. If the addresses were scattered, you would either have to make five separate entries or change the IPs of the servers.

The way you specify a group of IP addresses is very similar to how a subnet mask is used, except that the 1s and 0s are inverted. For example, all the web servers on our sample network fall in the block 10.10.10.1 - 10.10.10.15 (if this were a subnet mask it would be 255.255.255.240). We would never assign the servers this subnet mask, because we want the workstations (using addresses 10.10.10.65 - 10.10.10.254) to talk directly to the servers; this keeps the router from being taxed. But now that we know the equivalent subnet mask for this IP block of servers, we can easily create the access-list filter mask, which is 0.0.0.15. As mentioned earlier, the filter mask is the opposite of the subnet mask. Here is how the last octet looks in binary:

       128 64 32 16 | 8 4 2 1
SM       1  1  1  1 | 0 0 0 0  = 240
FM       0  0  0  0 | 1 1 1 1  = 15

Note - If you put the servers and workstations on two different network blocks, the router will have an insane amount of traffic to route. Definitely not a good idea.

With filter masks you can usually guess the correct value, as long as the numbers in the filter mask are a power of 2 minus 1. For example, I know that my web servers are grouped in the first 15 IP addresses. The smallest power of two that 15 fits into is 16. Subtract 1 and my filter mask is 0.0.0.15.
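The mask arithmetic from this section, written out as an added Python example (this is not code from the Manucomp page). It inverts a subnet mask into a filter mask, applies the "smallest power of two, minus one" rule to an address range, and renders the SM/FM binary table. The helper names (ip_to_int, int_to_ip, subnet_to_wildcard, covering_block, mask_table) are my own. The extra value returned by covering_block is the point to watch: it is how many addresses the chosen block matches beyond the ones you asked for, so a non-zero value means the single ACL line also covers hosts you did not intend (for the page's 10.10.10.1 - 10.10.10.15 servers, the block also includes 10.10.10.0).

```python
# Added example (not from the Manucomp page): filter-mask arithmetic.
# Helper names are mine, written for this example only.


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def subnet_to_wildcard(subnet_mask):
    """The filter (wildcard) mask is the bitwise inverse of the subnet mask:
    255.255.255.240 -> 0.0.0.15, 255.255.255.0 -> 0.0.0.255."""
    return int_to_ip(~ip_to_int(subnet_mask) & 0xFFFFFFFF)


def covering_block(first, last):
    """The page's rule in code: the smallest power-of-two block that the range
    first..last fits into, aligned on a multiple of its own size.
    Returns (network, wildcard, extra); extra is the number of addresses the
    block matches beyond the requested range (0 = an exact fit, >0 = the ACL
    line would also match hosts you did not ask for)."""
    lo, hi = ip_to_int(first), ip_to_int(last)
    if hi < lo:
        raise ValueError("last address precedes first")
    size = 1
    while True:
        start = lo - (lo % size)          # round down to a block boundary
        if start + size - 1 >= hi:
            return int_to_ip(start), int_to_ip(size - 1), size - (hi - lo + 1)
        size *= 2


def mask_table(subnet_mask):
    """Last octet of a subnet mask and its filter mask in binary, laid out
    like the SM/FM table above."""
    sm = ip_to_int(subnet_mask) & 0xFF
    fm = ~sm & 0xFF

    def bits(v):
        return " ".join(str((v >> i) & 1) for i in range(7, -1, -1))

    return "\n".join([
        "   128 64 32 16 8 4 2 1",
        "SM " + bits(sm) + " = " + str(sm),
        "FM " + bits(fm) + " = " + str(fm),
    ])


if __name__ == "__main__":
    print(subnet_to_wildcard("255.255.255.240"))        # 0.0.0.15
    print(covering_block("10.10.10.1", "10.10.10.15"))  # ('10.10.10.0', '0.0.0.15', 1)
    print(covering_block("10.10.10.5", "10.10.10.9"))   # ('10.10.10.0', '0.0.0.15', 11)
    print(mask_table("255.255.255.240"))
```

The second covering_block call shows the "scattered addresses" case from the text: five servers at .5 - .9 cannot be expressed with one mask without also matching eleven other addresses, which is why the page says you either write separate entries or renumber the servers.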

Filter Masks in Access List
So if I wanted to permit incoming web requests only to my web servers (and thereby prevent any Internet access to rogue web servers on employees' workstations), I would enter these lines in the access list:

!Permit HTTP port 80 traffic
access-list 102 permit tcp any 10.10.10.0 0.0.0.15 eq 80
!Permit HTTPS port 443 traffic
access-list 102 permit tcp any 10.10.10.0 0.0.0.15 eq 443
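To tie the Port Ranges, Commenting and Filter Masks sections together, here is an added Python example (not code from the Manucomp page, and not what a Cisco router runs internally) that parses the numbered extended access-list lines used on this page and evaluates a packet against them the way the text describes: first matching line decides, anything unmatched hits the implicit deny, '!' lines are comments, eq/gt/lt/range select ports, the filter mask decides which address bits must match, and 'established' only accepts packets that belong to a session already opened. The one form not shown on the page is the IOS 'access-list N remark ...' line, which the parser also treats as a comment. The sample ACL text and the packets checked are constructed for this example; the 198.51.100.5 address is a documentation address standing in for an Internet host.

```python
# Added example (not from the Manucomp page): a minimal first-match evaluator
# for the numbered extended ACL syntax used above. Only the forms on the page
# (plus 'remark' lines) are parsed; real IOS handles far more.

PORT_OPS = {"eq", "gt", "lt", "range"}


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def in_block(ip, network, wildcard):
    """Wildcard bit 1 = don't care, 0 = must match; compare only the must-match bits."""
    return ((ip ^ network) & ~wildcard & 0xFFFFFFFF) == 0


def _parse_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at t[i]; return (net, wildcard, next_i)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return ip_to_int(t[i + 1]), 0, i + 2
    return ip_to_int(t[i]), ip_to_int(t[i + 1]), i + 2


def _parse_port(t, i):
    """Optional port operator at t[i]; return (predicate, next_i). No operator = any port."""
    if i >= len(t) or t[i] not in PORT_OPS:
        return (lambda p: True), i
    op = t[i]
    if op == "range":                      # inclusive: 'range 20 21' matches 20 and 21
        lo, hi = int(t[i + 1]), int(t[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    n = int(t[i + 1])
    if op == "eq":
        return (lambda p: p == n), i + 2
    if op == "gt":
        return (lambda p: p > n), i + 2
    return (lambda p: p < n), i + 2        # lt


def parse_acl(text):
    """Turn access-list lines into entries; '!' lines and 'remark' lines are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[0] != "access-list":
            raise ValueError("unsupported line: " + line)
        if t[2] == "remark":
            continue
        acl_id, action, proto = t[1], t[2], t[3]
        src, src_wc, i = _parse_addr(t, 4)
        src_port, i = _parse_port(t, i)
        dst, dst_wc, i = _parse_addr(t, i)
        dst_port, i = _parse_port(t, i)
        established = i < len(t) and t[i] == "established"
        entries.append((acl_id, action, proto, src, src_wc, src_port,
                        dst, dst_wc, dst_port, established))
    return entries


def evaluate(entries, acl_id, proto, src, sport, dst, dport, established=False):
    """First matching entry decides; a packet matching nothing hits the implicit deny."""
    s, d = ip_to_int(src), ip_to_int(dst)
    for (aid, action, eproto, enet, ewc, sp, dnet, dwc, dp, est) in entries:
        if aid != acl_id or eproto not in ("ip", proto):
            continue
        if not (in_block(s, enet, ewc) and in_block(d, dnet, dwc)):
            continue
        if not (sp(sport) and dp(dport)):
            continue
        if est and not established:        # 'established' = reply to a session already open
            continue
        return action
    return "deny"


# Constructed sample: outbound list 101 and inbound list 102 for the page's networks.
SAMPLE_ACL = """
! Outbound (101): office 63.36.9.0/24 may use web, FTP control/data and high ports
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 443
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any range 20 21
access-list 101 deny tcp 63.36.9.0 0.0.0.255 any lt 1024
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any gt 1023
! Inbound (102): web to the server block only, plus replies to office sessions
access-list 102 remark web servers live in 10.10.10.0 0.0.0.15
access-list 102 permit tcp any 10.10.10.0 0.0.0.15 eq 80
access-list 102 permit tcp any 10.10.10.0 0.0.0.15 eq 443
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established
"""

ENTRIES = parse_acl(SAMPLE_ACL)


def check(acl_id, proto, src, sport, dst, dport, established=False):
    return evaluate(ENTRIES, acl_id, proto, src, sport, dst, dport, established)


if __name__ == "__main__":
    print(check("101", "tcp", "63.36.9.10", 40000, "198.51.100.5", 21))    # permit (range 20 21)
    print(check("101", "tcp", "63.36.9.10", 40000, "198.51.100.5", 23))    # deny (lt 1024)
    print(check("102", "tcp", "198.51.100.5", 55000, "10.10.10.200", 80))  # deny (outside 0.0.0.15)
```

The last check is the point of the Filter Masks in Access List section: a workstation at 10.10.10.200 running its own web server gets no inbound port 80 traffic, because only the 0.0.0.15 block of real servers is permitted and everything else falls through to the implicit deny. Line order matters too: the 'deny ... lt 1024' entry sits after the specific permits for 80, 443 and 20-21, so moving it above them would silently block those services.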