A Named ACL is created with the ip access-list command and then applied to the interface using the access-group command. Named ACL syntax and description are shown below.

Ciscoasa(config)# ip access-list {standard|extended} access-list-name

Ciscoasa(config-std-nacl)# [sequence-number] {deny|permit} source [source-wildcard]

Ciscoasa(config-ext-nacl)# [sequence-number] {deny|permit} protocol source source-wildcard destination destination-wildcard [log]


Syntax Description

standard: Specifies a standard IP access list.

extended: Specifies an extended IP access list.

access-list-name: Identifies the access list by name, which also allows multiple access lists to be created and kept separate.

sequence-number: (Optional) Allows addition, removal and resequencing of individual access-control entries within the ACL.

deny: Denies access if the conditions are matched.

permit: Permits access if the conditions are matched.

protocol: Name or number of an Internet protocol such as IP, TCP, UDP, EIGRP, OSPF, etc.

source: Specifies the IP address/network to match against the source IP address of the packet. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

source-wildcard: (Optional) Wildcard bits to be applied to the source.

destination: Specifies the IP address/network to match against the destination IP address of the packet. Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

destination-wildcard: (Optional) Wildcard bits to be applied to the destination.

log: (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console.

log-input: (Optional) Includes the input interface and source MAC address or VC in the logging output.

 

When we create a Named ACL using the ip access-list command, Cisco IOS places the CLI in access-list configuration mode, where we define the denied or permitted access conditions with the deny and permit commands. The optional sequence-number keyword lets us add, delete or resequence specific entries in the ACL.

As mentioned previously, Named ACLs were introduced in Cisco IOS to add flexibility and make ACLs easier to manage. Named ACLs can be either standard or extended, and the functionality remains the same.

Configuration Examples

We will use Named ACLs for the configuration examples we covered in our previous articles on Standard and Extended ACLs, to demonstrate that Named ACLs are only a configuration enhancement and the actual ACL operation remains the same.

For example, when we need to block an incoming telnet session from a host, we can create a standard Named ACL and apply it to the vty lines as shown below:

R1(config)# ip access-list standard TELNET

R1(config-std-nacl)# deny 10.1.1.2

R1(config-std-nacl)# permit any

R1(config)# line vty 0 4

R1(config-line)# access-class TELNET in

 

Similarly, we can use an Extended Named ACL to deny a particular host access to another host over a specific protocol.

R1(config)# ip access-list extended DENY_HOST_FTP

R1(config-ext-nacl)# deny tcp host 10.1.1.2 host 20.1.1.10 eq ftp

R1(config-ext-nacl)# permit ip any any

R1(config)# interface ethernet0/0

R1(config-if)# ip access-group DENY_HOST_FTP in
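To make the matching rules from the syntax description concrete (wildcard bits, the any keyword, sequence numbers, first-match processing and the implicit deny at the end of every ACL), here is an added Python evaluator. It is not part of the original article and is not Cisco code. It parses access-control entries written the way they are typed in the configuration examples above and builds the TELNET and DENY_HOST_FTP lists from those examples; the NamedACL class, its method names and the small PORT_NAMES table are this example's own assumptions, and the packets it evaluates are constructed.

```python
# Added example, not from the original article or from Cisco: a minimal
# evaluator for IOS-style named ACLs, showing how wildcard bits, "any",
# sequence numbers, first-match processing and the implicit deny combine.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical lookup for the port names used in the examples (eq ftp, ...)
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")   # what the "any" keyword abbreviates


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'ignore this bit'; a 0 bit must match exactly."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # "ip" matches every IP protocol
    src: Tuple[str, str] = ANY       # (base address, wildcard mask)
    dst: Tuple[str, str] = ANY
    dst_port: Optional[int] = None   # "eq <port>" on the destination
    log: bool = False


def parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return (tokens[i], tokens[i + 1]), i + 2
    # standard ACLs allow a bare address; the wildcard then defaults to 0.0.0.0
    return (tokens[i], "0.0.0.0"), i + 1


class NamedACL:
    def __init__(self, name: str, kind: str):
        self.name, self.kind = name, kind   # kind is "standard" or "extended"
        self.entries: List[Entry] = []
        self._next_seq = 10                 # IOS numbers entries 10, 20, ... by default

    def add(self, line: str, seq: Optional[int] = None) -> Entry:
        """Add one entry as typed on the CLI, e.g. 'deny tcp host 10.1.1.2 host 20.1.1.10 eq ftp'."""
        tokens = line.lower().split()
        action, i = tokens[0], 1
        if action not in ("permit", "deny"):
            raise ValueError("entry must start with permit or deny")
        e = Entry(seq=self._next_seq if seq is None else seq, action=action)
        if self.kind == "extended":
            e.protocol, i = tokens[i], i + 1
            e.src, i = parse_addr(tokens, i)
            e.dst, i = parse_addr(tokens, i)
            if i < len(tokens) and tokens[i] == "eq":
                p = tokens[i + 1]
                e.dst_port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
                i += 2
        else:
            e.src, i = parse_addr(tokens, i)
        e.log = i < len(tokens) and tokens[i] == "log"
        self.entries.append(e)
        self.entries.sort(key=lambda x: x.seq)   # sequence numbers define the order
        self._next_seq = max(self._next_seq, e.seq) + 10
        return e

    def remove(self, seq: int) -> None:
        """Delete one entry by sequence number, as 'no <seq>' does in nacl mode."""
        self.entries = [x for x in self.entries if x.seq != seq]

    def evaluate(self, src: str, dst: str, protocol: str = "ip",
                 dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """(action, seq) of the first matching entry; no match hits the implicit deny (seq None)."""
        for e in self.entries:
            if e.protocol != "ip" and e.protocol != protocol:
                continue
            if not wildcard_match(src, *e.src):
                continue
            if self.kind == "extended":
                if not wildcard_match(dst, *e.dst):
                    continue
                if e.dst_port is not None and e.dst_port != dst_port:
                    continue
            return e.action, e.seq
        return "deny", None


def build_examples() -> Tuple[NamedACL, NamedACL]:
    """The two ACLs from the configuration examples, built from the same entry text."""
    telnet = NamedACL("TELNET", "standard")
    telnet.add("deny 10.1.1.2")
    telnet.add("permit any")
    ftp = NamedACL("DENY_HOST_FTP", "extended")
    ftp.add("deny tcp host 10.1.1.2 host 20.1.1.10 eq ftp")
    ftp.add("permit ip any any")
    return telnet, ftp


if __name__ == "__main__":
    telnet, ftp = build_examples()   # constructed packets below
    print("TELNET from 10.1.1.2:", telnet.evaluate("10.1.1.2", "10.1.1.1"))
    print("FTP 10.1.1.2 -> 20.1.1.10:21:", ftp.evaluate("10.1.1.2", "20.1.1.10", "tcp", 21))
    print("HTTP 10.1.1.2 -> 20.1.1.10:80:", ftp.evaluate("10.1.1.2", "20.1.1.10", "tcp", 80))
```

Two details worth noticing when running it: an entry inserted with a lower sequence number (say 5) is evaluated before the existing entries, which is exactly what resequencing lets you do on the router, and a list whose entries all fail to match returns the implicit deny with no sequence number, which is why every example ends with an explicit permit.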

 

This brings us to the end of this lesson, in which we covered Named ACLs. To master the topic it is important to have both the theoretical and the practical knowledge of ACLs.