ACLs by Country

Have you ever wanted to create an ACL by country?  There's a number of different ways you can go about it.  Certain models of firewalls have this functionality built in.  IOS based routers and ASA firewalls have no such capability, so we'll have to do this a bit more manually.  I'll present two methods.

The first method is detailed here.  In this post, wget goes out to the Internet and grabs the necessary data from the applicable RIR.  Some custom Perl code pulls out the subnets associated with that country and then builds the ACL.  This one is probably not for the faint of heart nor someone not very fluent in Unix command lines.

A simpler way is through a website called Country IP Blocks.  Navigate to The Create Country ACL page on their site and you can select one or more countries to build an ACL for.  Then pick which format you want the results in.  Cisco ACL is just one of 12 options here, and then click "Create ACL" and you're done.  Other sites such as ipdeny.com and countryacl.tools.uebi.net provide similar functionality.

These lists get pretty long. Want one that that will permit or deny United States based addresses?  That'll be 55,348 lines.  Want to create an ACL that will block Russia and China?  That's 27,386 lines.  Hope your router is maxed out on RAM.

Resequencing an ACL

Here's a quick post on a very useful command when working with ACLs.  I first heard about it while watching a CBT Nugget video, and I can say that it was definitely not covered in the NetAcad curriculum when I went through the classes, because I remember bringing it up to the instructor and it was news to him.

So let's begin by setting the scenerio.  You have the following ACL:

show ip access-list EXAMPLE

Extended IP access list EXAMPLE
    1 permit ip host 10.10.10.28 any
    2 permit ip host 10.10.10.10 any
    3 permit ip host 10.10.10.11 any
    4 permit ip host 10.10.10.45 any
    5 deny ip 10.10.10.0 0.0.0.255 any
    10 permit tcp any host 192.168.10.4 eq smtp

And let's say that we now need to allow one additional host out.  We could rewrite the ACL, but that could be a lot of work if its a long ACL.  Any other options?

Yes, the resequence command can help.  This command was introduced in IOS 12.2(14)S, and allows you to easily resequence an entire ACL.

ip access-list resequence EXAMPLE 10 10

This will renumber every line in the ACL starting with 10, and with an increment of 10 between each line.  This is the default sequencing for an access-list where no sequence numbers are entered.  The end result would be:

Extended IP access list EXAMPLE
    10 permit ip host 10.10.10.28 any
    20 permit ip host 10.10.10.10 any
    30 permit ip host 10.10.10.11 any
    40 permit ip host 10.10.10.45 any
    50 deny ip 10.10.10.0 0.0.0.255 any
    60 permit tcp any host 192.168.10.4 eq smtp

Old documenation will tell you that you can't edit a numbered ACL, but that's actually not true anymore.  

Reflexive ACLs on IOS Routers

In a nutshell, reflexive ACLs allow packets to be evaluated based on upper layer session information. You use reflexive ACLs in order to permit the return traffic from an established session, but deny all other traffic in that direction.  For example, you open up a browser and establish an HTTPS session with www.awesomewebsite.com.  Now obviously, you want the return traffic from the server hosting awesomewebsite.com to make it back to you so you can see this awesome website.  But you also do not want malicious traffic trying to reach your workstation to come in with it.  A standard or extended ACL does not allow this, it's all or nothing.  But a reflexive ACL allows you to do exactly that, allow the return traffic from your session with awesomewebsite.com, but deny all other incoming traffic.  I've heard reflexive ACLs described as "a poor man's stateful firewall."

Cisco documentation points out that you can also configure it in the other direction.  You can, for example, allow all incoming traffic to a server in your DMZ, but only allow return traffic from that server to go back out to the Internet. In this example, external users would be able to view the content on your DMZ server, but it would mitigate the risk of your server becoming part of a botnet and eat up your upload bandwidth participating in a DDoS attack.  While possible, I doubt it's used very often.  So in the configuration example, we'll focus on the more common scenario.

So lets configure a reflexive ACL.  We'll start out with a basic ACL in the outbound direction which will allow all outbound traffic.  As typical, I'll use upper case letters for words and names I've created so they stand out as such when viewing show statements. 

ip access-list extended OUTBOUND
  permit ip any any reflect REFLECTED

And that's it.  In this ACL, we are allowing all outbound traffic. The difference here between this ACL and no ACL at all is the keyword reflect.  This tells the router to remember all traffic matched by the permit ip any any, and create a dynamic ACL for the return traffic that will be allowed.  But we're not limited to this single permit in the OUTBOUND ACL, we can combine that with any combination of permit and deny statements as needed.  Note that reflexive ACLs can only be used as part of extended named ACLs.   But other than that, you're pretty much only limited by your imagination.

ip access-list extended OUTBOUND
  permit tcp host 10.10.10.10 any eq smtp REFLECTED
  deny tcp any any eq smtp
  permit ip any any reflect REFLECTED

Here, we're denying outbound smtp except from a single host (the company email server), and then allowing all other traffic to go out reflected. Next, we'll create a basic ACL for the inbound direction.

ip access-list extended INBOUND
  evaluate REFLECTED

Again, we're not limited to just a single evaultate statement in this ACL either, we can add in any other needed statements allowed by a named ACL.

ip acess-list extended INBOUND
  evaluate REFLECTED
  permit any host 10.10.10.10 eq smtp
  permit any host 10.10.10.10 eq http

Now we just need to apply those lists to the outward facing interface of the router.

interface Ethernet 1/0
  ip access-group INBOUND in
  ip access-group OUTBOUND out

If you have multiple outward facing interfaces, you can apply these same ACLs to multiple interfaces and the same REFLECTED dynamic list will be maintained between them, shielding you from the side effects of asymmetric routing.  Now if Cisco would only give us a way to share the state of reflexive ACL's between different routers (one pointed at ISP1 and one pointed at ISP2 for example), then we'd be all set.

interface Ethernet 1/0
  ip access-group INBOUND in
  ip access-group OUTBOUND out
!
interface Ethernet 1/1
  ip access-group INBOUND in
  ip access-group OUTBOUND out

Shortening ACLs

There are two main ways of shortening ACLs and improving their readability or performance. As you know, ACLs can grow to include hundreds of ACEs and cover many pages when printed.  So any way of minimizing the number of ACEs present may be welcomed.   A shorter ACL will consume less flash memory in the form of the startup configuration, less RAM in the form of the running configuration, and less CPU utilization when a packet is eligible to be analyzed by the ACL.

The first method of shortening an ACL is by using CIDR to combine multiple ACEs into a single statement. This method is useful when combining multiple ACEs specifying networks. For example, if you have two statements in an ACL which allow 10.0.0.0/8 and 11.0.0.0/8 as such:

     access-list 1 permit 10.0.0.0 0.255.255.255
     access-list 1 permit 11.0.0.0 0.255.255.255

These two statements can be combined into the single statement 10.0.0.0/7 as such:

     access-list 1 permit 10.0.0.0 1.255.255.255

Anyone who has worked with routers and routing protocols will recognize this method as summarization.  In a properly designed network, multiple networks can be combined, or summarized, into a smaller number of networks for use in ACLs and other purposes such as routing protocols/routing tables. You ultimately strive to be able to summarize down to one network wherever you can.

The second method of reducing the size of ACLs falls into the category of what I would call stupid router tricks. It is accomplished by utilizing binary math to combine two statements into one. This method is useful when combining ACEs that specify individual hosts.  To use this method, first convert the two host addresses into binary.   Second, do a bitwise AND of these two binary numbers. The result of this AND operation will be used and the address of the combined ACE. Next, do a bitwise XOR of the original two binary numbers. This output of this operation will be used as the wildcard mask of the new combined ACE. For example, if an ACL contained the following statements:

     access-list 10 deny host 10.20.30.40
     access-list 10 deny host 40.30.20.10

The result of this operation would yield

     access-list 10 deny 8.20.20.8 34.0.10.34

While this operation results in ACLs whose meaning is not clear, reducing the number of deny or permit statements in half definitely helps in a routers memory, flash, and CPU utilization. 

Would you be interested in a long ACL with dozens of cryptic statements such as the above?

Building an ACL

The different types of ACLs are first identified by the line number used. Standard IP ACLs use numbers in the range of 1 – 99 and 1300 – 1999. Extended ACLs use numbers in the range 100 - 199 and 2000 – 2699. Other types of ACLs which filter traffic utilizing other protocols such as Appletalk, DECNet, IPX, and XNS use other number ranges, however those are rarely used today. Named ACLs of course do not use numbers, but instead text names as identifiers. Other than ensuring that an ACL number falls into the correct range, the numbers have no meaning and can be used as you see fit.

There are two steps in defining an ACL. First, you enter the series of ACEs that define the ACL. Finally, you apply the ACL to an interface. For a standard ACL, the syntax is as follows:

access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 20 deny 10.0.0.0 0.255.255.255

This simple ACL allows all traffic from hosts with IP addresses in the 192.168.1.0/24 or 192.168.2.0/24 network. The “access-list 10” statement signifies that each of these statements belongs to the ACL designated as 10. An extended ACL looks as such:

access-list 100 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq www

This extended ACL permits tcp traffic originating from the 192.168.1.0/24 network with a destination in the 192.168.2.0/24 network utilizing port 80 (“eq www” means “equals www” or port 80). In addition to ‘eq’ for equals, we can also use “lt” for less than, “gt” for greater than, or “range” to specify a range of ports. To apply an ACL, simply enter the configuration of that interface and specify which ACL as such:

interface Serial0/1
access-group 10 out
line con 0
access-group 15 in

This applies ACL 10 to the Serial0/0 interface, and inspects traffic moving in the outbound direction through that interface. An important thing to note here is that ACLs use wild card masks rather than the more traditional subnet masks used elsewhere when configuring a router. An ACL can be applied to any interface, or to any line (console, aux, or vty).

There are a number of mnemonics used by Cisco IOS to specify ports. You can use the actual port number when configuring the router, however the mnemonic will still be shown in the running configuration and startup configuration. Some mnemonics that you will often see include:

• bootpc
• ftp
• isakmp
• lpd
• ntp
• rip
• ssh
• telnet
• www

or “any” to specify any protocol.

A router can have one ACL per interface, per direction and per protocol. What this means is that each interface may have one ACL in each direction for each protocol that the router supports. For example, in a router that supports IP, IPX and Appletalk, each interface may have an ACL for inbound IP, outbound IP, inbound IPX, outbound IPX, inbound Appletalk, and outbound Appletalk. For a router that supports those three protocols and has 3 interfaces, that router can have 18 active and applied ACLs. An administrator can have as many ACLs defined as memory permits, however only the previously specified 18 may be applied and active.