Configuring Extended TCP Access Lists

20 Mar

In the preceding section, you learned how to configure IP-specific access lists. Cisco IOS also lets security administrators configure extended access lists with protocol-dependent options for filtering packets; for example, you can configure TCP access lists. The steps for configuring an extended TCP access list are the same as those for an extended IP access list, apart from the additional parameters that TCP entries accept:

1. Define the extended TCP access list with the following command (entered on one line; square brackets mark optional parameters):

access-list <access-list-number> {deny | permit} tcp
    <source> <source-wildcard> [<operator> <port>]
    <destination> <destination-wildcard> [<operator> <port>]
    [established] [precedence <precedence-value>] [tos <tos-value>] [log]

2. Enter configuration mode for the interface on which the access list will be applied:

interface <type> <number>

3. Apply the access list to the interface in the inbound or outbound direction:

ip access-group <access-list-number> {in | out}

In the command in Step 1, the operator parameter places a condition on the port of packets that already match the source and destination of the entry. The possible operators are less than (lt), greater than (gt), equal (eq), not equal (neq), and an inclusive range (range, which takes two port values). The port parameter is a number from 0 to 65535 or a name that IOS maps to a TCP port number, such as telnet or www. The established keyword is TCP-specific: it matches a packet only if its ACK or RST bit is set, which is true of every segment of a session except the initial SYN. Use established when an inbound access list must prevent TCP sessions from being opened into your network while still letting the reply segments of sessions that inside hosts opened come back in. Be clear about what the keyword does not do: the router keeps no session table, so an outside host that sends segments with ACK set passes the check whether or not a session exists (this is exactly what an ACK scan relies on to map a filter), and the keyword has no meaning for UDP or ICMP. Where you need real session state, IOS offers reflexive access lists and Context-Based Access Control (CBAC); established is adequate only as a coarse first filter.

The simple network shown in Figure 7.6 is used in this example. Router C should deny all inbound connection requests to the network, but it should allow responses to connection requests that were initiated from the inside network to pass through the access list. Listing 7.13 shows the configuration of Router C that accomplishes this.

Figure 7.6: TCP access list for Router C.
Listing 7.13: TCP established configuration of Router C.
hostname Router-C
interface FastEthernet0/0
ip address
no ip directed-broadcast
interface Serial/0
ip address
ip access-group 101 in
no ip directed-broadcast
ip route
access-list 101 permit tcp any -
established log
access-list 101 deny ip any any log

In Listing 7.13, Router C permits a TCP packet regardless of its source address if the packet's destination is in the subnet and its ACK or RST bit is set. The second line is not needed because of the implicit deny at the end of every access list, but it is included with the log keyword so that every packet that fails the first statement is logged. Note also that the access list is bound to the external Serial interface of Router C in the inbound direction, so only packets arriving from the outside are evaluated against it; traffic leaving the network is not touched. Access-list logging runs in the process path and IOS rate-limits it (announcing dropped messages with %SEC-6-IPACCESSLOGRL), so a logged deny any entry on a busy link can cost CPU and lose messages; decide deliberately whether that line needs log in production.
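To make the evaluation rules above concrete, here is an added example, not code from the original page or from Cisco: a small Python model of an extended TCP access list that parses statements in the syntax of Step 1, applies wildcard masks, the port operators and established, and evaluates constructed packets top-down with an implicit deny, keeping the per-entry match counters that show access-lists reports. The inside subnet 10.1.1.0/24, the outside host 192.0.2.10, the packets in demo() and the port-name table are assumptions made for the example. What it adds beyond the text is the ack_probe case, which shows that established passes an unsolicited packet whose only flag is ACK.

```python
"""Model of how a Cisco IOS extended TCP access list evaluates packets.
Added example, not code from the original page or from Cisco: it reproduces the
matching rules the text describes (wildcard masks, operators lt/gt/eq/neq/range,
'established' = ACK or RST set, top-down first match, implicit deny).  The inside
network 10.1.1.0/24, outside host 192.0.2.10 and packets in demo() are assumed."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Address

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80}  # subset of IOS names (assumed)
OPS = {"lt": lambda p, a: p < a[0], "gt": lambda p, a: p > a[0],
       "eq": lambda p, a: p == a[0], "neq": lambda p, a: p != a[0],
       "range": lambda p, a: a[0] <= p <= a[1]}
# A packet as the ACL sees it; flags holds TCP flag names such as {"SYN"} or {"ACK", "PSH"}.
Packet = namedtuple("Packet", "src dst proto sport dport flags", defaults=("tcp", 0, 0, frozenset()))


@dataclass
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "tcp" or "ip"
    src: tuple         # (address, wildcard)
    src_port: tuple    # (operator, (values...)) or None when no operator was given
    dst: tuple
    dst_port: tuple
    established: bool
    matches: int = 0   # the counter that 'show access-lists' prints


def wildcard_match(addr, network, wildcard):
    # A 1 bit in the wildcard mask means "don't care": 0.0.0.0 is an exact host
    # match and 255.255.255.255 is 'any'.
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


def port_match(cond, port):
    # cond is None when the ACE carries no operator, which matches every port.
    return True if cond is None else OPS[cond[0]](port, cond[1])


def _addr(toks):
    t = toks.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (toks.pop(0), "0.0.0.0") if t == "host" else (t, toks.pop(0))


def _port_cond(toks):
    if not toks or toks[0] not in OPS:
        return None
    op = toks.pop(0)
    vals = [toks.pop(0) for _ in range(2 if op == "range" else 1)]
    return (op, tuple(PORT_NAMES[v] if v in PORT_NAMES else int(v) for v in vals))


def parse_ace(line):
    """Parse one 'access-list <n> {permit|deny} {tcp|ip} ...' statement."""
    toks = line.split()
    if toks[0] != "access-list" or toks[3] not in ("tcp", "ip"):
        raise ValueError(f"unsupported statement: {line}")
    tcp, rest = toks[3] == "tcp", toks[4:]
    src, sp = _addr(rest), (_port_cond(rest) if tcp else None)
    dst, dp = _addr(rest), (_port_cond(rest) if tcp else None)
    return Ace(toks[2], toks[3], src, sp, dst, dp, "established" in rest)


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)):
        return False
    if ace.proto == "tcp":
        if not (port_match(ace.src_port, pkt.sport) and port_match(ace.dst_port, pkt.dport)):
            return False
        # 'established' inspects only this packet's flag bits; the router keeps no
        # session table, so any packet with ACK or RST set satisfies it.
        if ace.established and not (pkt.flags & {"ACK", "RST"}):
            return False
    return True


def evaluate(aces, pkt):
    # Top-down, first match wins; a packet matching no entry hits the implicit deny.
    for ace in aces:
        if ace_matches(ace, pkt):
            ace.matches += 1
            return ace.action
    return "deny"


def demo():
    # Access list 101 from the text (destination subnet assumed), inbound on the outside interface.
    acl = [parse_ace("access-list 101 permit tcp any 10.1.1.0 0.0.0.255 established log"),
           parse_ace("access-list 101 deny ip any any log")]
    inside, outside = "10.1.1.5", "192.0.2.10"
    cases = {  # every packet below arrives from the outside
        # new Telnet session opened from outside: SYN only, falls to the deny entry
        "syn_from_outside": Packet(outside, inside, "tcp", 40000, 23, frozenset({"SYN"})),
        # reply to a session the inside host opened: SYN/ACK carries ACK, permitted
        "synack_reply": Packet(outside, inside, "tcp", 23, 11001, frozenset({"SYN", "ACK"})),
        # a refused connection comes back as RST, which 'established' also permits
        "rst_reply": Packet(outside, inside, "tcp", 23, 11002, frozenset({"RST", "ACK"})),
        # unsolicited probe with only ACK set (an ACK scan) is permitted as well:
        # the keyword is stateless, which is the weakness to keep in mind
        "ack_probe": Packet(outside, inside, "tcp", 40000, 23, frozenset({"ACK"})),
        # non-TCP traffic never matches the first entry and is denied
        "udp_from_outside": Packet(outside, inside, "udp", 53, 1025, frozenset()),
    }
    results = {name: evaluate(acl, pkt) for name, pkt in cases.items()}
    results["matches"] = [a.matches for a in acl]   # like the counters in show access-lists
    return results
```

Running demo() gives deny for the inbound SYN and the UDP packet and permit for the SYN/ACK and RST replies, but also permit for the bare ACK probe; the counters come out as 3 matches on the permit entry and 2 on the deny entry. That last case is the reason to treat established as a coarse filter and put stateful inspection (reflexive ACLs or CBAC) in front of anything that matters.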

To test the configuration, establish a Telnet session from a host on the network to a host on the external network of Router C. On Router C, use the debug ip packet detail command to watch packets entering and leaving the router. Keep in mind that debug ip packet shows only process-switched packets and is expensive; on a production router restrict it to the traffic of interest with an access list (debug ip packet <access-list-number> detail) or use it only in a lab. Here is the Telnet request from

Connecting to…open

Examining the debug output on Router C, you can see that the reply segments are permitted because the ACK flag that the access list is configured to look for is set on them. Listing 7.14 shows the output of the debug command on Router C.

Listing 7.14: Established TCP connection output.
Router-C#debug ip packet detail
IP packet debugging is on (detailed)
IP: s=, d=, len 44, sending
    TCP src=11001, dst=23, seq=1697250670, ack=0, win=4128 SYN
IP: s=, d=, len 44, rcvd 4
    TCP src=23, dst=11001, seq=1724867633, ack=1697250671, win=4128 ACK SYN
IP: s=, d=, len 40, sending
    TCP src=11001, dst=23, seq=1697250671, ack=1724867634, win=4128 ACK
IP: s=, d=, len 52, sending
    TCP src=11001, dst=23, seq=1697250671, ack=1724867634, win=4128 ACK PSH
IP: s=, d=, len 40, sending
    TCP src=11001, dst=23, seq=1697250683, ack=1724867634, win=4128 ACK
IP: s=, d=, len 52, rcvd 4
    TCP src=23, dst=11001, seq=1724867634, ack=1697250671, win=4128 ACK PSH
IP: s=, d=, len 43, sending
    TCP src=11001, dst=23, seq=1697250683, ack=1724867646, win=4116 ACK PSH

The highlighted lines show that the ACK bit is set on the packets from to . The log keyword at the end of the first access list statement makes the router generate an informational (severity 6) syslog message for packets that match the entry. The first matching packet is reported immediately; later matches of the same entry are counted and reported in a summary message, every five minutes by default, which is why the second message below carries a packet count. Notice that the response packets from match every parameter of access list 101 and are therefore permitted:

%SEC-6-IPACCESSLOGP: list 101 permitted tcp -> , 1 packet
%SEC-6-IPACCESSLOGP: list 101 permitted tcp -> , 24 packets
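As an added example (not from the page or from Cisco), the following Python parses IPACCESSLOGP messages of the kind shown above out of a syslog feed and totals permitted and denied packets per list, action and source host, so that an outside source being denied on several ports stands out from the background of logged replies. The lines in LOG_LINES are constructed samples in the message format; their timestamps, addresses, ports and counts are assumptions. The parser handles only the IPACCESSLOGP variant (TCP and UDP, with ports) and skips the ICMP (IPACCESSLOGDP) and other-protocol (IPACCESSLOGNP) variants.

```python
"""Summarize Cisco IOS access-list log messages per source host.

Added example, not code from the original page or from Cisco.  It parses the
%SEC-6-IPACCESSLOGP messages that the log keyword produces (the TCP/UDP variant
with ports; the ICMP and other-protocol variants are skipped) and totals
permitted and denied packets per list, action and source.  LOG_LINES holds
constructed sample messages: timestamps, addresses, ports and counts are assumed.
"""
import re
from collections import defaultdict

# list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed syslog excerpt (assumed values): the first match of an entry is
# logged at once with "1 packet"; later matches are counted and reported in a
# summary message, every five minutes by default, hence the larger counts at 10:20.
LOG_LINES = """\
*Mar 20 10:15:03.101: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(23) -> 10.1.1.5(11001), 1 packet
*Mar 20 10:15:07.412: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40123) -> 10.1.1.5(23), 1 packet
*Mar 20 10:15:07.990: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40124) -> 10.1.1.5(22), 1 packet
*Mar 20 10:15:08.300: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(40125) -> 10.1.1.5(161), 1 packet
*Mar 20 10:20:03.101: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(23) -> 10.1.1.5(11001), 24 packets
*Mar 20 10:20:07.412: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40123) -> 10.1.1.5(23), 310 packets
*Mar 20 10:20:09.000: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse(lines):
    """Yield one record per IPACCESSLOGP message; any other syslog line is skipped."""
    for line in lines:
        m = LOGP.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "count"):
                rec[key] = int(rec[key])
            yield rec


def summarize(records):
    """Total packets and the set of destination ports per (list, action, source)."""
    packets = defaultdict(int)
    ports = defaultdict(set)
    for r in records:
        key = (r["acl"], r["action"], r["src"])
        packets[key] += r["count"]
        ports[key].add(r["dport"])
    return {k: {"packets": n, "dst_ports": sorted(ports[k])} for k, n in packets.items()}


def top_denied(summary, acl="101", min_ports=1):
    """Denied sources for one list, busiest first.  min_ports > 1 keeps only hosts
    that touched several ports, the usual sign of a scan rather than a misconfig."""
    rows = [(src, v["packets"], v["dst_ports"]) for (lst, action, src), v in summary.items()
            if lst == acl and action == "denied" and len(v["dst_ports"]) >= min_ports]
    return sorted(rows, key=lambda row: -row[1])


if __name__ == "__main__":
    summary = summarize(parse(LOG_LINES.splitlines()))
    for src, n, dports in top_denied(summary, min_ports=2):
        print(f"{src}: {n} packets denied to ports {dports}")
```

On the sample feed the permitted replies from 192.0.2.10 total 25 packets on one destination port, while 198.51.100.7 accounts for 313 denied packets across ports 22, 23 and 161; that is the row top_denied returns. Because IOS rate-limits these messages and summarizes after the first packet, the totals are a lower bound, not an exact packet count; the counters from show ip access-lists are the authoritative figure.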

The show ip access-lists command is another troubleshooting command you can issue. It displays each IP access list configured on the router together with the number of packets that have matched each entry. These match counters are kept whether or not an entry carries the log keyword; log only controls the syslog messages. Issuing the command on Router C (show access-lists, which covers access lists of every type, prints the same entries) shows how many packets have matched access list 101:

Router-C#show access-lists
Extended IP access list 101
    permit tcp any established log (427 matches)
    deny ip any any log (11924 matches)
