topic Re: ACL Access Control Lists in Network Security

ACL Access Control Lists

jk865 — Mon, 03 Jan 2022 09:50:56 GMT

Just a simple question when using numbered ACLs is there any significance to the number or should it just be within the specified range for your class of IPs? For example ACL 110 should it be used for a significant purpose?

Thanks in advance

Re: ACL Access Control Lists

Rob Ingram — Mon, 03 Jan 2022 10:07:44 GMT

@jk865 the number is significant. An ACL numbered 1-99 is a standard ACL which can filter on source IP address/subnet only. Whereas an ACL numbered 100-199 is an extended ACL which can filter on protocol (icmp, udp or tcp), source/destination ip address/subnet and source/destination port.

You've also got 1300-1399 which is expanded Standard ACL range and 2000-2699 which is the expanded extended ACL range.

Re: ACL Access Control Lists

jk865 — Mon, 03 Jan 2022 10:17:38 GMT

Thanks, Rob, One last question if you don't mind should each ACL have only one rule per line/number?

Re: ACL Access Control Lists

Rob Ingram — Mon, 03 Jan 2022 10:21:48 GMT

@jk865 a numbered ACL can have multiple lines, example:

access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.10.10.10 eq 23            
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.10.10.10 eq 80

Note - there is an implicit deny at the end of an ACL.

Re: ACL Access Control Lists

jk865 — Mon, 03 Jan 2022 10:26:24 GMT

Thanks, Rob.

So if I want to apply the following I would need to apply it on multiple lines of 110 to stop the implicit deny kicking in? For example, if I had the first two permits on ACL 110 the implicit deny would deny everything else and stop it looking at for example ACL 120? Thanks James

permit ip 172.10.0.32 0.0.0.15 172.10.0.0 0.0.0.31

permit ip 172.10.0.48 0.0.0.7 172.10.0.0 0.0.0.31

deny ip host 172.10.0.51 172.10.0.0 0.0.0.31

permit ip 172.10.0.32 0.0.0.15 172.10.0.0 0.0.0.31

permit ip 172.10.0.48 0.0.0.7 172.10.0.0 0.0.0.31

Re: ACL Access Control Lists

Rob Ingram — Mon, 03 Jan 2022 10:51:05 GMT

@jk865

Assign all those ACE (Access Control Entries) to the same ACL number, if they are defined then the implict deny will apply after the defined ACE.

If you have 2 ACLs 110 and 120 then you have to explictly reference one of the ACLs, any other ACL defined on the router will not be used until explictly referenced.

Re: ACL Access Control Lists

jk865 — Mon, 03 Jan 2022 11:52:43 GMT

Hi Rob,

By explicitly reference do you mean on an interface for example?

What I'm trying to achieve is :

Network 172.10.0.32/28 and 172.10.0.0/27 should be able to communicate via the VPN without restrictions

Network 172.10.0.32/28 should be able to communicate with 172.10.0.51 without the VPN

Network 172.10.0.32/28 should be able to communicate with 209.165.100.97/27 only if the communication is issued by a user of the 172.10.0.32/28 network

209.165.100.97/27 Devices can only communicate with 172.10.0.51 via HTTPS Communication.

Re: ACL Access Control Lists

Rob Ingram — Mon, 03 Jan 2022 11:57:44 GMT

@jk865 Yes, by just defining an ACL it is not going to do anything until you reference it under the interface or whatever purpose you intend to use it for. You can only have 1 ACL configured/reference per interface per direction, so 1 inbound and 1 outbound ACL.

Re: ACL Access Control Lists

jk865 — Mon, 03 Jan 2022 11:57:46 GMT

Thanks so much.

Sorry for all the questions!

But would the best practice be to assign all of the above to one numbered ACL or multiple numbered ACL? I'm just trying to get my head around the use of multiple numbered ACLs

Thanks

Re: ACL Access Control Lists

Rob Ingram — Mon, 03 Jan 2022 12:01:36 GMT

@jk865 well you'll need 2 ACLs, 1 for each direction inbound from inside and another inbound from outside.

Best practice would not use ACL on a router, use a stateful firewall.