Firewall commands - access-list


Overview

Create an access list.


[no] access-list acl_name
            [deny | permit] protocol
            {source_addr | local_addr}
            {source_mask | local_mask} [operator port]
            {destination_addr | remote_addr}
            {destination_mask | remote_mask} [operator port]

[no] access-list acl_name
            [deny | permit] icmp
            {source_addr | local_addr}
            {source_mask | local_mask}
            {destination_addr | remote_addr}
            {destination_mask | remote_mask} [icmp_type]

clear access-list [acl_name
            [deny | permit] icmp
            {source_addr | local_addr}
            {source_mask | local_mask}
            {destination_addr | remote_addr}
            {destination_mask | remote_mask} [icmp_type]]

show access-list


Syntax

acl_name Name of an access list. Use either a name or number.
deny Do not allow a packet to traverse the firewall. Used with the access-group command.

By default, the firewall denies all inbound or outbound packets unless you specifically permit access.

When used with a crypto map command statement, deny does not select a packet for IPSec protection. The deny option prevents traffic from being protected by IPSec in the context of that particular crypto map entry. In other words, it does not allow the policy as specified in the crypto map command statements to be applied to this traffic.

permit When used with the access-group command, the permit option selects a packet to traverse the firewall. By default, the firewall denies all inbound or outbound packets unless you specifically permit access.

When used with a crypto map command statement, permit selects a packet for IPSec protection. The permit option causes all IP traffic that matches the specified conditions to be protected by IPSec using the policy described by the corresponding crypto map command statements.

protocol Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP use the keyword ip.
source_addr Address of the network or host from which the packet is being sent. Use this field when an access-list command statement is used in conjunction with an access-group command statement, or with the aaa match access-list command and the aaa authorization command.
source_mask Netmask bits (mask) to be applied to source_addr, if the source address is a network address.
local_addr Address of the network or host local to the firewall. Specify a local_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpngroup split-tunnel command statement. The local_addr is the address after NAT has been performed.
local_mask Netmask bits (mask) to be applied to local_addr, if the local address is a network address.
destination_addr IP address of the network or host to which the packet is being sent. Specify a destination_addr when the access-list command statement is used in conjunction with an access-group command statement, or with the aaa match access-list command and the aaa authorization command. For inbound connections, destination_addr is the address after NAT has been performed. For outbound connections, destination_addr is the address before NAT has been performed.
destination_mask Netmask bits (mask) to be applied to destination_addr, if the destination address is a network address.
remote_addr IP address of the network or host remote to the firewall. Specify a remote_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpngroup split-tunnel command statement.
remote_mask Netmask bits (mask) to be applied to remote_addr, if the remote address is a network address.
operator A comparison operand that allows you to specify a port or a port range. Use without an operator and port to indicate all ports; for example:

access-list acl_out permit tcp any host 209.165.201.1

Use eq and a port to permit or deny access to just that port. For example, use eq ftp to permit or deny access only to FTP.

access-list acl_out deny tcp any host 209.165.201.1 eq ftp

Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 1025 to permit or deny access to ports 0 through 1024, which covers the well-known ports.

access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025

Use gt and a port to permit or deny access to all ports greater than the port you specify. For example, use gt 42 to permit or deny ports 43 to 65535.

access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42

Use neq and a port to permit or deny access to every port except the port that you specify. For example, use neq 10 to permit or deny ports 0 through 9 and 11 through 65535.

access-list acl_dmz1 deny tcp any host 192.168.1.3 neq 10

Use range and a port range to permit or deny access to only those ports in the range. For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected. The use of port ranges can dramatically increase the number of IPSec tunnels: if a port range of 5000 to 65535 is specified for a highly dynamic protocol, a separate tunnel can be created for each port in the range, more than 60,000 in the worst case.

port

Services you permit or deny access to. Specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. Specify ports by either a literal name or a number in the range of 0 to 65535.

View valid port numbers online at

www.iana.org/assignments/port-numbers

icmp_type [Non-IPSec use only]—Permit or deny access to ICMP message types. Omit this option to mean all ICMP types.

ICMP message types are not supported for use with IPSec; that is, when the access-list command is used in conjunction with the crypto map command, the icmp_type is ignored.


access-list

Specify if an IP address is permitted or denied access to a port or protocol.

Access lists associated with IPSec are known as "crypto access lists." By default, all access in an access list is denied. You must explicitly permit it.

Use the following guidelines for specifying a source, local, or destination address:

  1. Use a 32-bit quantity in four-part, dotted-decimal format.

  2. Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0. This keyword is normally not recommended for use with IPSec.

  3. Use host address as an abbreviation for a mask of 255.255.255.255.

Use the following guidelines for specifying a network mask:

  1. Do not specify a mask if the address is for a host; instead, use the host keyword before the address; for example:

    access-list acl_grp permit tcp any host 192.168.1.1

  2. If the address is a network address, specify the mask as a 32-bit quantity in four-part, dotted-decimal format. Place zeros in the bit positions you want to ignore.

  3. Use 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address, and 255.255.255.0 for a Class C address. If you are using a subnetted network address, use the appropriate network mask; for example:

      access-list acl_grp permit tcp any 209.165.201.0 255.255.255.224

If appropriate, after you have defined an access list, bind it to an interface using the access-group command. For IPSec use, reference it from a crypto map command statement (crypto map ... match address). In addition, you can bind an access list with the RADIUS authorization feature.

The show access-list command lists the access-list command statements in the configuration. The show access-list command also lists a hit count that indicates the number of times an element has been matched during an access-list command search. The clear access-list command removes all access-list command statements from the configuration.

The no access-list command removes an access-list command from the configuration. If you remove all the access-list command statements in an access list group, the no access-list command also removes the corresponding access-group command from the configuration.

The aaa, crypto map, and icmp commands make use of the access-list command statements.


RADIUS Authorization Feature

The firewall allows a RADIUS server to send user group attributes to the firewall in the RADIUS authentication response message.

The administrator first defines access lists on the firewall for each user group. For example, there could be access lists for each department in an organization, sales, marketing, engineering, and so on. The administrator then defines each access list in the group profile in CiscoSecure.

After the firewall authenticates a user, it can then use the CiscoSecure acl attribute returned by the authentication server to identify an access list for a given user group. To maintain consistency, the firewall also provides the same functionality for TACACS+.

To restrict users in a department to three servers and deny everything else, the access-list command statements are as follows:

access-list eng permit ip any server1 255.255.255.255
access-list eng permit ip any server2 255.255.255.255
access-list eng permit ip any server3 255.255.255.255
access-list eng deny ip any any

In this example, the vendor-specific attribute string in the CiscoSecure configuration has been set to acl=eng. Use this field in the CiscoSecure configuration to identify the access list name. The firewall receives acl=acl_name from CiscoSecure, extracts the access list name from the attribute string, and stores it in the user's uauth entry. When the user tries to open a connection, the firewall checks the access list in the user's uauth entry and, depending on whether the matching statement is a permit or a deny, permits or denies the connection. When a connection is denied, the firewall generates a corresponding syslog message. If no statement matches, the implicit rule is to deny.

Because the source IP of a given user can vary depending on where they are logging in from, set the source address in the access-list command statement to any, and the destination address to identify which network services the user is permitted or denied access to. If you want to specify that only users logging in from a given subnet may use the specified services, specify the subnet instead of using any. An access list used for RADIUS authorization does not require an access-group command to bind the statements to an interface.


RADIUS authorization

There is no radius option to the aaa authorization command. Follow these steps to enable RADIUS authorization:

  1. Enable RADIUS authentication with the aaa authentication command.

  2. Create the access-list command statements to specify what services hosts are authorized to use with RADIUS.

  3. Configure the authentication server with the vendor-specific acl=acl_name identifier to specify the access list ID.

    When the firewall sends a request to the authentication server, the server returns the acl=acl_name string, which tells the firewall which access-list command statements to use to determine how RADIUS users are authorized.


Usage

  1. Configuration mode.

  2. The clear access-list command automatically unbinds an access list from a crypto map command or interface. The unbinding of an access list from a crypto map command can lead to a condition that discards all packets because the crypto map command statements referencing the access list are incomplete. To correct the condition, either define other access-list command statements to complete the crypto map command statements or remove the crypto map command statements that pertain to the access-list command statement. Refer to the crypto map command for more information.

  3. The access-list command operates on a first match basis.

  4. If you specify an access-list command statement and bind it to an interface with the access-group command statement, by default, all traffic inbound to that interface is denied. You must explicitly permit traffic. Note that "inbound" in this context means traffic passing through the interface, rather than the more typical firewall usage of inbound meaning traffic passing from a lower security level interface to a higher security level interface.

  5. Because evaluation stops at the first match, order the statements so that the permit statements for the traffic you want come first; traffic that matches nothing falls through to the implicit deny at the end. Add explicit deny statements only when you need to block specific hosts ahead of a broader permit that would otherwise let them through.

  6. View security levels for interfaces with the show nameif command.

  7. The ICMP message type (icmp type) option is ignored in IPSec applications because the message type cannot be negotiated with ISAKMP.

  8. Only one access list can be bound to an interface using the access-group command.

  9. If you specify the permit option in the access list, the firewall continues to process the packet. If you specify the deny option in the access list, the firewall discards the packet and generates the following syslog message:

    %PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_name

  10. Do not use the access-list command with the conduit and outbound commands. While using these commands together will work, the way in which these commands operate may cause debugging issues because the conduit and outbound commands operate from one interface to another whereas the access-list command used with the access-group command applies only to a single interface. If these commands must be used together, the firewall evaluates the access-list command before checking the conduit and outbound commands.

  11. Refer to the Chapter 3, "Managing Network Access and Use" in the Cisco firewall and VPN Configuration Guide for a detailed description about using the access-list command to provide server access and to restrict outbound user access.

  12. Refer to the aaa-server radius-acctport and aaa-server radius-authport commands to verify or change port settings.
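The port operators described under the operator parameter, the first-match evaluation and ordering guidance in the usage notes above, and the acl=acl_name lookup of the RADIUS authorization feature are easiest to reason about with a small model. The following Python is an added example written for this page, not firewall code: it parses access-list statements in the syntax shown here (dotted-decimal addresses only, with a handful of assumed port-name and ICMP-type literals), evaluates constructed packet summaries against them, returns the first matching action or the implicit deny when nothing matches, and keeps per-statement hit counts of the kind show access-list reports. The treatment of a missing or unknown acl= attribute as deny is this example's assumption.

```python
"""First-match evaluator for PIX-style access-list statements (added example, not firewall code)."""
import ipaddress
import re

# Assumed port-name literals (a subset of what the firewall accepts) and ICMP types from this page.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53, "www": 80, "https": 443}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}


def _addr(tokens):
    """Consume 'any', 'host A' or 'A MASK' (dotted-decimal only); zero mask bits are ignored."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _port_pred(tokens):
    """Consume an optional operator and port(s); no operator means all ports."""
    def port(k):
        return PORT_NAMES[k] if k in PORT_NAMES else int(k)
    if not tokens or tokens[0] not in ("eq", "lt", "gt", "neq", "range"):
        return (lambda p: True), tokens
    op = tokens[0]
    if op == "range":
        lo, hi = port(tokens[1]), port(tokens[2])
        return (lambda p: lo <= p <= hi), tokens[3:]
    n = port(tokens[1])
    preds = {"eq": lambda p: p == n, "lt": lambda p: p < n,
             "gt": lambda p: p > n, "neq": lambda p: p != n}
    return preds[op], tokens[2:]


def parse(line):
    """access-list NAME {permit|deny} PROTO SRC [op port] DST [op port | icmp_type]"""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(line)
    proto = t[3]
    src, rest = _addr(t[4:])
    sport, rest = _port_pred(rest)
    dst, rest = _addr(rest)
    dport, rest = _port_pred(rest)
    itype = None
    if proto == "icmp" and rest:                    # optional ICMP message type
        itype = ICMP_TYPES[rest[0]] if rest[0] in ICMP_TYPES else int(rest[0])
    return {"line": line, "action": t[2], "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "icmp_type": itype}


def matches(rule, pkt):
    """'ip' matches every protocol; port operators apply to tcp/udp, the type to icmp."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if (ipaddress.ip_address(pkt["src"]) not in rule["src"]
            or ipaddress.ip_address(pkt["dst"]) not in rule["dst"]):
        return False
    if rule["proto"] in ("tcp", "udp"):
        return rule["sport"](pkt["sport"]) and rule["dport"](pkt["dport"])
    if rule["proto"] == "icmp" and rule["icmp_type"] is not None:
        return rule["icmp_type"] == pkt["icmp_type"]
    return True


class AccessList:
    """Ordered statements: first match wins, implicit deny at the end, per-statement hit counts."""

    def __init__(self, lines):
        self.rules = [parse(l) for l in lines]
        self.hits = [0] * len(self.rules)

    def check(self, pkt):
        for i, rule in enumerate(self.rules):
            if matches(rule, pkt):
                self.hits[i] += 1
                return rule["action"]
        return "deny"                               # implicit deny when nothing matched

    def show(self):
        """What 'show access-list' reports: each statement with its hit count."""
        return [(r["line"], n) for r, n in zip(self.rules, self.hits)]


def radius_authorize(avpair, acls, pkt):
    """Take acl=NAME from the vendor-specific attribute string and evaluate that list.
    Assumption (the page does not say): an absent or unknown list name is treated as deny."""
    m = re.search(r"\bacl=(\S+)", avpair)
    if not m or m.group(1) not in acls:
        return "deny"
    return acls[m.group(1)].check(pkt)


def pkt(proto, src, dst, dport=0, sport=40000, icmp_type=None):
    """Constructed packet summary (not a capture)."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "icmp_type": icmp_type}
```

Feeding the page's acl_out pair to AccessList in both orders shows why ordering matters: with the deny ... eq ftp statement first, FTP to 209.165.201.1 is denied and other TCP to that host is permitted; with the permit first, the deny is never reached and FTP goes through.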


ICMP Message Types

[Non-IPSec use only]—If you prefer more selective ICMP access, you can specify a single ICMP message type as the last option in this command.

ICMP type literals

ICMP type   Literal
0           echo-reply
3           unreachable
4           source-quench
5           redirect
6           alternate-address
8           echo
9           router-advertisement
10          router-solicitation
11          time-exceeded
12          parameter-problem
13          timestamp-reply
14          timestamp-request
15          information-request
16          information-reply
17          mask-request
18          mask-reply
31          conversion-error
32          mobile-redirect

If you specify an ICMP message type for use with IPSec, the firewall ignores it. For example:

access-list 10 permit icmp any any echo-reply

If IPSec is enabled such that a crypto map command references the acl_name of this access-list command, then the echo-reply ICMP message type is ignored.

Using the access-list Command with IPSec

If an access list is bound to an interface with the access-group command, the access list selects which traffic can traverse the firewall. When bound to a crypto map command statement, the access list selects which IP traffic IPSec protects and which traffic IPSec does not protect. For example, access lists can be created to protect all IP traffic between Subnet X and Subnet Y or traffic between Host A and Host B. More information is available in the crypto map command section of this guide.

The access lists themselves are not specific to IPSec. It is the crypto map command statement referencing the specific access list that defines whether IPSec processing is applied to the traffic matching a permit in the access list.

Crypto access-lists associated with the IPSec crypto map command statement have these primary functions:

  • Select outbound traffic to be protected by IPSec (permit = protect).

  • Indicate the data flow to be protected by the new security associations (specified by a single permit entry) when initiating negotiations for IPSec security associations.

  • Process inbound traffic in order to filter out and discard traffic that should have been protected by IPSec but arrived unprotected.

  • Determine whether or not to accept requests for IPSec security associations on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. For a peer's initiated IPSec negotiation to be accepted, it must specify a data flow that is permitted by a crypto access list associated with a crypto map ipsec-isakmp entry.

Associate a crypto access list with an interface by defining the corresponding crypto map command statement and applying the crypto map set to an interface. Different access-lists must be used in different entries of the same crypto map set. However, both inbound and outbound traffic will be evaluated against the same "outbound" IPSec access list. Therefore, the access list's criteria are applied in the forward direction to traffic exiting the firewall and the reverse direction to traffic entering the firewall.

If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access-lists to define the two different types of traffic. These different access-lists are then used in different crypto map entries that specify different IPSec policies.

Configure "mirror image" crypto access lists on the two peers (each peer's local and remote entries are the other peer's remote and local entries), and avoid using the any keyword.

If you configure multiple statements for a given crypto access list, in general, the first permit statement matched, will be the statement used to determine the scope of the IPSec security association. That is, the IPSec security association will be set up to protect traffic that meets the criteria of the matched statement only. Later, if traffic matches a different permit statement of the crypto access list, a new, separate IPSec security association will be negotiated to protect traffic matching the newly matched access list command statement.

Some services, such as FTP, need two access-list command statements, one for port 20 (ftp-data) and another for port 21 (ftp), to be properly encrypted.
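To make the direction, mirror-image and security-association rules above concrete, here is an added Python example (written for this page, not firewall code) that models a crypto access list as (action, local_net, remote_net) statements without protocol or ports. It evaluates outbound traffic in the forward direction and inbound traffic against the same list in reverse, derives the mirror-image list a peer needs, and checks whether a peer-initiated proposal is covered by a permit statement. Two things are this example's assumptions rather than the page's statements: "covered" means the proposed networks lie inside a statement's networks, and the index of the matched permit stands in for the security association that permit defines.

```python
"""Crypto access-list behaviour: direction, mirror image, SA scope (added example, not firewall code)."""
from ipaddress import ip_address, ip_network


def entry(action, local, remote):
    """One crypto ACL statement as (action, local_net, remote_net); protocol and ports omitted."""
    return (action, ip_network(local), ip_network(remote))


def first_match(acl, local_side, remote_side):
    """First statement whose local/remote networks contain the given addresses."""
    l, r = ip_address(local_side), ip_address(remote_side)
    for i, (action, local, remote) in enumerate(acl):
        if l in local and r in remote:
            return i, action
    return None, "deny"                      # no statement: this is not IPSec traffic


def outbound(acl, src, dst):
    """Packet leaving the firewall: forward direction, src is local, dst is remote.
    Returns ('protect', index); the index of the matched permit identifies the SA (assumption)."""
    i, action = first_match(acl, src, dst)
    return ("protect", i) if action == "permit" else ("clear", None)


def inbound(acl, src, dst, protected):
    """Packet entering the firewall: same ACL, evaluated in reverse (dst is local, src is remote).
    A flow the ACL selects for IPSec that arrives unprotected is discarded."""
    _, action = first_match(acl, dst, src)
    if action != "permit":
        return "clear"                       # not crypto traffic; normal interface ACLs apply
    return "accept" if protected else "drop"


def mirror(acl):
    """The ACL the peer needs: every statement with local and remote swapped."""
    return [(action, remote, local) for action, local, remote in acl]


def is_mirror_image(acl_a, acl_b):
    """Peers match if the permit flows of one are exactly the reversed flows of the other."""
    a = {(l, r) for action, l, r in acl_a if action == "permit"}
    b = {(r, l) for action, l, r in acl_b if action == "permit"}
    return a == b


def accept_peer_proposal(acl, peer_local, peer_remote):
    """IKE from the peer proposes a flow peer_local -> peer_remote. Seen from this side it is
    remote -> local, so it must be covered by a permit statement here. Assumption for this
    example: 'covered' means the proposed networks lie inside the statement's networks."""
    pl, pr = ip_network(peer_local), ip_network(peer_remote)
    for i, (action, local, remote) in enumerate(acl):
        if action == "permit" and pr.subnet_of(local) and pl.subnet_of(remote):
            return i
    return None


# Constructed sample: this firewall protects two local subnets towards one remote subnet,
# so two permit statements and therefore two separate security associations.
LOCAL_ACL = [entry("permit", "172.21.3.0/24", "172.22.2.0/24"),
             entry("permit", "172.21.4.0/24", "172.22.2.0/24")]
PEER_ACL = mirror(LOCAL_ACL)
# A peer that took the shortcut of 'any' is not a mirror image.
SLOPPY_PEER = [entry("permit", "172.22.2.0/24", "0.0.0.0/0")]
```

Running outbound for a host in each local subnet returns different indices, which is the "one security association per matched permit statement" behaviour described above; inbound with protected=False for a flow the list permits returns "drop", the case the inbound-processing bullet describes.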

Examples

The following example creates a numbered access list that specifies a Class C subnet for the source and a Class C subnet for the destination of IP packets. Because the access-list command is referenced in the crypto map command statement, the firewall encrypts all IP traffic that is exchanged between the source and destination subnets. Note that the same list is doing two jobs here: bound with access-group it filters traffic through the outside interface, and referenced by the crypto map it selects traffic for IPSec.

access-list 101 permit ip 172.21.3.0 255.255.255.0 172.22.2.0 255.255.255.0
access-group 101 in interface outside
crypto map mymap 10 match address 101

The next example permits only ICMP echo-reply messages into the outside interface:

access-list acl_out permit icmp any any echo-reply
access-group acl_out in interface outside