Extended ACLs are more advanced than Standard ACLs. Where a Standard Access List checks only the source IP address to control the flow of packets, an Extended ACL can check the
Source & Destination Address
Source & Destination ports
Extended ACLs therefore give far greater control over the flow of packets. Extended ACL rules are processed in order of their sequence number, as against Standard ACLs, which are processed in descending order of the source addresses.
Extended ACLs use ACL numbers 100 to 199; since Cisco IOS version 12.0.1, the range 2000 – 2699 can also be used. These are called expanded IP ACLs.
Another advantage of Extended ACLs is that you can insert a statement between existing entries using a sequence number, or delete an entry you no longer need using its sequence number.
The syntax of an Extended ACL is:
access-list <ACL no.> <permit/deny> <protocol> <source IP> <source mask> <operator> <source port> <destination IP> <destination mask> <operator> <destination port>
Protocol – Layer 3 IP or IPX, and Layer 4 TCP, UDP or ICMP
Operator – lt, eq or gt, meaning the port number is "less than", "equal to" or "greater than" the given value
A source/source mask or destination/destination mask of 0.0.0.0 255.255.255.255 is equivalent to "any".
To configure an Extended ACL
Let's configure a simple ACL that allows any source to pass traffic to any destination. As you know, there is an explicit "deny any any" statement at the end of every ACL, so we need to add a "permit any any" to allow all traffic.
ciscorouter# conf term
ciscorouter(config)# access-list 101 permit ip any any
This is the same as
ciscorouter(config)# access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Another way to configure it would be
ciscorouter(config)# ip access-list extended 101
ciscorouter(config-ext-nacl)# permit ip any any
Now, let's look at configuring based on protocols.
IP Extended ACLs
An IP Extended ACL entry does not reference source and destination ports, for the simple reason that it matches on IP addresses only.
ciscorouter(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any
The above allows any traffic from the source network 192.168.1.0/24 to any destination network.
ciscorouter(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 log
This entry allows any traffic from the source network 192.168.1.0/24 to the destination network 10.1.1.0/24 and logs the matches.
TCP/UDP Extended ACLs
In TCP Extended ACLs, we can reference the source/destination IP addresses/networks as well as the source and destination ports.
ciscorouter(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq www
The above allows any web traffic (HTTP on port 80) from the source network 192.168.1.0/24 to any destination network. This is equivalent to
ciscorouter(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 80
Another example, to allow SMTP traffic from any network to the destination mail server 10.1.1.1:
ciscorouter(config-ext-nacl)# permit tcp any host 10.1.1.1 eq 25
To allow DNS (UDP) queries to 10.1.1.2:
ciscorouter(config-ext-nacl)# permit udp any host 10.1.1.2 eq 53
ICMP Extended ACLs
In ICMP Extended ACLs, the match is on the source and destination IP addresses/networks plus the ICMP type, ICMP code or ICMP message name.
Block ICMP echo replies [ICMP Type 0]
ciscorouter(config-ext-nacl)# deny icmp any any echo-reply
Block ICMP time-exceeded messages [ICMP Type 11]
ciscorouter(config-ext-nacl)# deny icmp any any time-exceeded
Block ICMP Type 3 Code 4 [Destination unreachable]
ciscorouter(config-ext-nacl)# deny icmp any any host-unreachable
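To make the evaluation rules above concrete (wildcard masks, first-match processing in entry order, the implicit deny at the end), here is an added Python model of the entry syntax used on this page; it is example code, not IOS or Cisco code. It assumes IPv4 only, the eq operator only, the port names www/smtp/domain and the ICMP type names echo-reply/echo/time-exceeded, which is a subset of what IOS accepts.

```python
import ipaddress

# Added example (not IOS code): evaluates extended ACL entries in the form
# "permit|deny <proto> <src> [eq port] <dst> [eq port] [icmp-type]" against a
# packet, using first-match order and the implicit deny at the end of the list.

NAMED_PORTS = {"www": 80, "smtp": 25, "domain": 53}        # subset of IOS port names (assumption)
ICMP_TYPES = {"echo-reply": 0, "echo": 8, "time-exceeded": 11}  # subset of IOS ICMP names (assumption)
ALL_ONES = 0xFFFFFFFF


def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>'; return (address, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, ALL_ONES                      # wildcard all ones: every bit is "don't care"
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0   # wildcard 0: exact host match
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _port(tokens):
    """Consume an optional 'eq <port|name>' operator; lt/gt are not modelled here."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return NAMED_PORTS.get(name) or int(name)
    return None


def parse_entry(line):
    """Parse one entry into its match fields."""
    t = line.split()
    e = {"action": t.pop(0), "proto": t.pop(0)}
    e["src"], e["sport"] = _addr(t), _port(t)
    e["dst"], e["dport"] = _addr(t), _port(t)
    e["icmp"] = ICMP_TYPES[t.pop(0)] if e["proto"] == "icmp" and t and t[0] in ICMP_TYPES else None
    return e


def _wild_match(ip, spec):
    """Cisco wildcard semantics: compare only the bits where the wildcard has a 0."""
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & (ALL_ONES ^ wild) == 0


def evaluate(acl_lines, pkt):
    """Return (action, matching entry text or 'implicit deny'); the first matching entry wins."""
    for line in acl_lines:
        e = parse_entry(line)
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:      # 'ip' matches every protocol
            continue
        if not (_wild_match(pkt["src"], e["src"]) and _wild_match(pkt["dst"], e["dst"])):
            continue
        if e["sport"] is not None and e["sport"] != pkt.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        if e["icmp"] is not None and e["icmp"] != pkt.get("icmp_type"):
            continue
        return e["action"], line
    return "deny", "implicit deny"
```

Reversing the order of a "deny icmp any any echo-reply" entry and a "permit icmp any any" entry changes the verdict for an echo reply, which is the first-match behaviour the sequence numbers control.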
To apply the ACL to an interface:
ciscorouter(config)# int fa0/0
ciscorouter(config-if)# ip access-group 101 out
The above applies Extended ACL 101 to traffic exiting the interface. Remember the Per Protocol, Per Interface, Per Direction rule when applying ACLs to interfaces.