A Named ACL is created with the ip access-list command and then applied to an interface with the ip access-group command (or to the vty lines with the access-class command). The Named ACL syntax and a description of each keyword are shown below.
Ciscoasa(config)# ip access-list {standard|extended} access-list-name
Ciscoasa(config-std-nacl)# [sequence-number] {deny|permit} source [source-wildcard]
Ciscoasa(config-ext-nacl)# [sequence-number] {deny|permit} protocol source source-wildcard destination destination-wildcard [log]
| Syntax | Description |
| --- | --- |
| standard | Specifies a standard IP access list. |
| extended | Specifies an extended IP access list. |
| access-list-name | Identifies the access list by name. Naming also allows multiple access lists to be created and kept separate. |
| sequence-number | (Optional) Allows addition, removal, and resequencing of individual access-control entries within the ACL. |
| deny | Denies access if the conditions are matched. |
| permit | Permits access if the conditions are matched. |
| protocol | Name or number of an Internet protocol such as IP, TCP, UDP, EIGRP, OSPF, etc. |
| source | Specifies the IP address/network to match against the source IP address of the packet. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. |
| source-wildcard | (Optional) Wildcard bits to be applied to the source. |
| destination | Specifies the IP address/network to match against the destination IP address of the packet. Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. |
| destination-wildcard | (Optional) Wildcard bits to be applied to the destination. |
| log | (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. |
| log-input | (Optional) Includes the input interface and source MAC address or VC in the logging output. |
When we create a Named ACL with the ip access-list command, Cisco IOS places the CLI in access-list configuration mode, where we define the denied or permitted access conditions with the deny and permit commands. The optional sequence-number keyword lets us add, delete or resequence specific entries in the ACL.
As mentioned previously, Named ACLs were introduced in Cisco IOS to add flexibility and make ACLs easier to manage. Named ACLs can be either standard or extended, and the functionality remains the same.
Configuration Examples
We will use Named ACLs for the configuration examples we covered in our previous articles on Standard and Extended ACLs, to demonstrate that Named ACLs are only a configuration enhancement and the actual ACL operation remains the same.
For example, when we need to block an incoming Telnet session from a host, we can create a standard Named ACL and apply it to the vty lines as shown below.
R1(config)# ip access-list standard TELNET
R1(config-std-nacl)# deny 10.1.1.2
R1(config-std-nacl)# permit any
R1(config-std-nacl)# exit
R1(config)# line vty 0 4
R1(config-line)# access-class TELNET in
Similarly, we can use an Extended Named ACL to deny traffic from a particular host to another particular host for a specific protocol and port.
R1(config)# ip access-list extended DENY_HOST_FTP
R1(config-ext-nacl)# deny tcp host 10.1.1.2 host 20.1.1.10 eq ftp
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
R1(config)# interface ethernet0/0
R1(config-if)# ip access-group DENY_HOST_FTP in
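To make the ACL behaviour behind these two configurations concrete, here is an added Python model of how IOS evaluates a named ACL. It is not part of the article and not Cisco code; the NamedACL class, the packets, and the extra ONLY_DENY list are constructed for illustration. It shows the wildcard-mask match used by source/source-wildcard and destination/destination-wildcard (the any and host keywords are just fixed wildcards), top-down first-match evaluation in sequence-number order, the implicit deny that ends every ACL (which is why the examples finish with permit any), and inserting a numbered entry between existing ones followed by a resequence.

```python
"""Added illustration (not Cisco code): a small model of IOS named-ACL evaluation."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword: all bits are don't-care


def host(ip: str) -> Tuple[str, str]:
    """The 'host' keyword: address with an all-zero wildcard (every bit must match)."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    seq: int
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches every protocol; else "tcp", "udp", ...
    src: Tuple[str, str]            # (address, wildcard)
    dst: Tuple[str, str] = ANY      # ignored by standard ACLs
    dst_port: Optional[int] = None  # the 'eq <port>' qualifier
    log: bool = False


@dataclass
class NamedACL:
    name: str
    kind: str                       # "standard" or "extended"
    entries: List[Entry] = field(default_factory=list)

    def add(self, action, protocol="ip", src=ANY, dst=ANY, dst_port=None,
            log=False, seq=None) -> int:
        """Add an entry; without an explicit seq IOS numbers them 10, 20, 30, ..."""
        if seq is None:
            seq = max((e.seq for e in self.entries), default=0) + 10
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence {seq} already in use in {self.name}")
        self.entries.append(Entry(seq, action, protocol, src, dst, dst_port, log))
        self.entries.sort(key=lambda e: e.seq)   # entries are evaluated in seq order
        return seq

    def remove(self, seq: int) -> None:
        self.entries = [e for e in self.entries if e.seq != seq]

    def resequence(self, start: int = 10, step: int = 10) -> List[int]:
        """Renumber entries in order, like 'ip access-list resequence NAME 10 10'."""
        for i, e in enumerate(self.entries):
            e.seq = start + i * step
        return [e.seq for e in self.entries]

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """Return (action, matching seq): first match top-down, implicit deny if none."""
        for e in self.entries:
            if e.protocol != "ip" and e.protocol != pkt.get("proto"):
                continue
            if not wildcard_match(pkt["src"], *e.src):
                continue
            if self.kind == "extended":
                if not wildcard_match(pkt["dst"], *e.dst):
                    continue
                if e.dst_port is not None and pkt.get("dport") != e.dst_port:
                    continue
            return e.action, e.seq
        return "deny", None     # the implicit deny at the end of every ACL


def telnet_acl() -> NamedACL:
    """ip access-list standard TELNET / deny 10.1.1.2 / permit any"""
    acl = NamedACL("TELNET", "standard")
    acl.add("deny", src=host("10.1.1.2"))
    acl.add("permit", src=ANY)
    return acl


def deny_host_ftp_acl() -> NamedACL:
    """deny tcp host 10.1.1.2 host 20.1.1.10 eq ftp / permit ip any any"""
    acl = NamedACL("DENY_HOST_FTP", "extended")
    acl.add("deny", "tcp", src=host("10.1.1.2"), dst=host("20.1.1.10"), dst_port=21)
    acl.add("permit", "ip", src=ANY, dst=ANY)
    return acl


def only_deny_acl() -> NamedACL:
    """Constructed: a list with no 'permit any', so every other source hits the implicit deny."""
    acl = NamedACL("ONLY_DENY", "standard")
    acl.add("deny", src=host("10.1.1.2"))
    return acl


if __name__ == "__main__":
    for acl, pkt in [
        (telnet_acl(), {"src": "10.1.1.2", "proto": "tcp"}),
        (deny_host_ftp_acl(), {"src": "10.1.1.2", "dst": "20.1.1.10", "proto": "tcp", "dport": 21}),
        (only_deny_acl(), {"src": "10.1.1.3", "proto": "tcp"}),
    ]:
        print(acl.name, pkt, "->", acl.evaluate(pkt))
```

Running the block prints the verdict and the matching sequence number for three constructed packets; a result of `('deny', None)` means no entry matched and the implicit deny applied. The same model also shows why order matters: adding `deny` for a second host with seq=15 places it between entries 10 and 20, and resequence() renumbers the list to 10, 20, 30 without changing its meaning.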
This brings us to the end of this lesson on Named ACLs. To master the topic, it is very important to have both the theoretical and the practical knowledge of ACLs.