Complex Access List

complex ACL can be based on standard and extended ACLs. complex ACLs provide more functionality. Kinds of complex ACLs are:
  • Dynamic ACL (lock-and-key): create dynamic entries on the run. each user whose traffic wants to be passed through a router, must be authenticated through a telnet connection to the corresponding router.
  • Reflexive ACL: inbound traffic is limited to only traffic in response to sessions that originate from inside the router.
  • Time-based ACL: enable you to control traffic based on the time of day and week.


Dynamic ACL
dynamic ACLs are sometimes called lock-and-key ACLs. Dynamic ACLs are dependant to telnet authentication (local or remote) and extended ACLs. Dynamice ACL starts from an extended ACL applied to block traffic through the router. until users who want their traffic to be passed through the router must telnet to the router and authenticate. then a single-entry dynamic ACL is added to the extended ACL. this entry will exist for a particular period of time (absolute timeouts and idle time are possible). Dynamic ACL is available for IP traffic only.

you can use dynamic ACLs when you want to grant access to a remote host/a group of remote hosts to a host within you network. Before the 'outside' hosts given the permission to access you 'inside' host, they must first authenticate theirselves at the firewall router. it can also be applied when some of your 'inside' hosts want to connect to a remote (outside) host.

the steps of configuring a dynamic ACL are:
  • step 1. create a user, this user can be created at local or on a remote server (RADIUS or TACACS+). username and password of this user will be used to connect to the router using telnet (vty).
  • step 2. create the dynamic ACL. remember that dynamic ACLs are extended ACLs.
  • step 3. apply the ACL at the correct interace.
  • step 4. configure telnet connection. with "login" command to specify where to search for userlist (local/remote) and "autocommand" to enable the dynamic ACL.

example scenario

         H1 ---------------- R1 --------------- R2 -------------- H2
192.168.10.10                                            192.168.20.20

we want to enable H1 to connect to H2 by creating a dynamic ACL. assume that R2 is connected to R1 from interface FastEthernet0/1, then we can apply the dynamic ACL at 'inbound' FastEthernet0/1 of R2 and ip address of FastEthernet0/1 is 192.168.15.1. and for simplicity we use local authentication. enter R2 CLI, the commands are:
  • step 1. create a local user
username joe password 0 cisco

  • step 2. create dynamic ACL
access-list 101 permit any host 192.168.15.1 eq telnet
access-list 101 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
first entry allow telnet connections to the R2 from Fa0/1. second entry is the dynamic ACL, which allow traffic from network 192.168.10.0 to 192.168.20.0, and when an authentication is made, it will exist for 15 minutes and will be closed whether in used or not.
  • step 3. apply ACL.
interface FastEthernet0/1
ip access-group 101 in

  • step 4. configure telnet connection
line vty 0 4
login local
autocommand access-enable host timeout 5

the "autocommand" will be executed once a telnet connection is made and the telnet session is dropped. the user can connect to 192.168.20.0 network, if user idle for 5 minutes, the connection is closed.


Reflexive ACL
reflexive ACL used to allow IP traffic for sessions originating from your inside network while denying sessions from outside of your network.this limits inbound IP traffic to only traffic in response to session that originates from inside. even if reflexive ACLs seems to be the same as extended ACLs that use the "established" keyword, the differ in that "established" parameter only work for TCP traffic while a reflexive ACL works for any IP traffic (TCP, UDP, ICMP). "established" option also doesn't work with applications that dynamically alter the source port for the session.

reflexive ACL works by examining the outbound traffic pass a router. when the router sees a new outbound connection, it adds an entry to a temporary ACL that allow replies back in. Reflexive ACLs contain only temporary entries. when the session ends, the entries are removed.

reflexive ACL can only be defined with extended named IP ACLs. it can be used for any other protocols and extended numbered ACLs. reflexive ACLs are not applied directly to an interface but are "nested" within an extended named ACL.

steps to create a reflexive ACL are:
  • step 1. create an extended named ACL, which keeps track of traffic from inside.
  • step 2. create another extended named ACL, which will permit traffic from outside that are in response to sessions initiated from insdie.
  • step 3. apply both ACLs at the correct interface in opposite direction.

example scenario,

               Inside network
       SW1 --------------------- R1 -------------------- Internet
                192.168.10.0

a network administrator wants to allow inside hosts to only browse web, while traffic from internet may enter his network only if the traffic is a reply for a session requested from a host inside his network. assume that R1 is connected to the Internet through the serial0/0/0 interface. and he wants to apply the ACLs in that interface, the commands are:
  • step 1. create ACL, which keeps track traffic from inside
ip access-list extended HTTP_OUTBOUND
permit tcp 192.168.10.0 0.0.0.255 any reflect TCPTRAFFIC

  • step 2. create ACL, permit traffic from outside in response of sessions from inside
ip access-list HTTP_INBOUND
evaluate TCPTRAFFIC

  • step 3. apply both ACL
interface serial0/0/0
ip access-group HTTP_OUTBOUND out
ip access-group HTTP_INBOUND in


Time-Based ACL
time-based ACL has similar function with extended ACL, except that time-based ACL has the ability to do access control based on time (the time could be time of day and week). Time-based ACLs are implemented by first creating a time range that defines a specific times of day and week. This time range is idientified with a name and we refer to it by a fungction.

steps to implement a time-based ACL are:
  • step 1. Define the time range of when the ACL will operate.
  • step 2. Create the ACL and apply the time range to the corresponding entry.
  • step 3. Apply the ACL to the interface.

example scenario,
a network administrator allow telnet connection from internet to inside network (192.168.10.0) only on Sunday at 7:00 to 15:00. this ACL will be implemented at interface serial0/0/0 which is the interface of the firewall router that directly connected to outside network. the commands are
  • step 1. Define the time range
time-range EVERYSUNDAY
periodic Sunday 7:00 to 15:00

  • step 2. create the ACL
access-list 101 permit tcp any 192.168.10.0 0.0.0.255 eq telnet time-range EVERYSUNDAY

  • step 3. apply the ACL
interface serial0/0/0
ip access-group 101 in
top