UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
ip access-list {standard | extended} name
where standard specifies a standard IP access list.
extended specifies an extended IP access list.
name is the name of the access list. The name cannot contain spaces
or punctuation and must begin with an alphabetic character.
General Recommendations
Refer to the two tables in Section 3.2.2 that present common services to restrict because they can be used to gather information about an internal network or have weaknesses that can be exploited. The first table lists the services that should be completely blocked at the router: they should not be allowed across the router in either direction, nor to the router itself. The second table lists the services on the internal network or on the router that should not be accessible to external clients.

Every access list must contain at least one permit statement. An access list with no permit statements blocks all network traffic wherever it is applied, because every access list ends with an implicit deny.

Note that an access list is applied to packets traveling in one direction only. For any connection that requires two-way interaction (e.g., all TCP traffic, some UDP traffic), a single access list therefore affects only approximately half the packets. It is possible, however, to apply two access lists (one for each direction) to router interfaces, vty lines and routing protocols. The diagram below shows how access lists work when applied to router interfaces, using the router East as an example.
Figure 4-2: Conceptual Model for Access Lists on Interfaces

[Figure: router East with interface Eth0 (14.1.1.20, on the 14.1.0.0/16 network) and interface Eth1 (14.2.6.250, on the 14.2.6.0/24 network). Each interface has an inbound access list and an outbound access list. A packet entering an interface is checked against that interface's inbound list, then routed, then checked against the outbound list of the exit interface; at each list a permit passes the packet on and a deny sends it to the trash.]
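As an added illustration of first-match evaluation and the directional model of Figure 4-2 (example code written for this edit, not from the guide), the following Python parses IOS-style access list entries with wildcard masks and walks a packet through router East's inbound and outbound lists. The interface networks are taken from the figure; the access lists and host addresses are constructed, and the ingress and egress interfaces are chosen by address membership rather than by a routing table.

```python
import ipaddress

def _addr(t, i):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # Wildcard mask = bitwise inverse of the netmask (0 bits must match); contiguous masks only.
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(t[i + 1])) & 0xFFFFFFFF)
    return ipaddress.ip_network((t[i], str(netmask)), strict=False), i + 2

def parse_ace(line):
    """Parse one entry such as 'permit tcp 14.2.6.0 0.0.0.255 any eq 22' (destination port only)."""
    t = line.split()
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return t[0], t[1], src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins; every access list ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in map(parse_ace, acl):
        if p in ("ip", proto) and s in snet and d in dnet and port in (None, dport):
            return action
    return "deny"

# Router East of Figure 4-2 (networks from the figure; the lists are constructed here).
# "in"/"out" hold the list applied in that direction, or None when none is applied.
EAST = {
    "Eth0": {"net": ipaddress.ip_network("14.1.0.0/16"), "out": None,
             "in": ["permit tcp 14.1.0.0 0.0.255.255 14.2.6.0 0.0.0.255"]},
    "Eth1": {"net": ipaddress.ip_network("14.2.6.0/24"), "out": None,
             "in": ["permit tcp 14.2.6.0 0.0.0.255 14.1.0.0 0.0.255.255 eq 22",
                    "deny ip any any"]},
}

def forward(router, proto, src, dst, dport=None):
    """Walk one packet through the figure: inbound list on the ingress interface, routing,
    outbound list on the egress interface. Ingress/egress are chosen by address membership."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = next(n for n, i in router.items() if s in i["net"])
    egress = next(n for n, i in router.items() if d in i["net"])
    for name, direction in ((ingress, "in"), (egress, "out")):
        acl = router[name][direction]
        if acl is not None and evaluate(acl, proto, src, dst, dport) == "deny":
            return "trash: %sbound list on %s" % (direction, name)
    return "forwarded out " + egress
```

Removing the permit from Eth0's inbound list shows the one-direction point from the text: the SSH request from the 14.2.6.0 network still passes Eth1's list, but the TCP reply coming back through Eth0 is trashed.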