Cisco IOS Software Releases 12.3 T

Table Of Contents

ACL Support for Filtering IP Options

Contents

Restrictions for the ACL Support for Filtering IP Options Feature

Information About ACL Support for Filtering IP Options

IP Options

Benefits of Using the ACL Support for Filtering IP Options Feature

How to Configure the ACL Support for Filtering IP Options Feature

Configuring Access Lists to Filter Packets That Contain IP Options

ACL Support for Filtering IP Options: Example

Configuring the Access List to Filter Packets That Contain IP Options: Example

Where to Go Next

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

deny (IP)

permit (IP)

ACL Support for Filtering IP Options

---

The ACL Support for Filtering IP Options feature allows you to use access control lists (ACLs) to filter IP Options packets, in order to prevent routers from becoming saturated with spurious packets containing IP Options. The ACLs provide granular control, and can be used in a complementary fashion with the no ip options command-line interface (CLI) command that is documented in the IP Options Selective Drop feature in Cisco IOS Release 12.3(4)T.

Release	Modification
12.3(4)T	This feature was introduced.
12.2(25)S	This feature was integrated into Cisco IOS Release 12.2(25)S.

Feature History for ACL Support for the Filtering IP Options Feature

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

•Restrictions for the ACL Support for Filtering IP Options Feature

•Information About ACL Support for Filtering IP Options

•How to Configure the ACL Support for Filtering IP Options Feature

•ACL Support for Filtering IP Options: Example

•Where to Go Next

•Additional References

•Command Reference

Restrictions for the ACL Support for Filtering IP Options Feature

Resource Reservation Protocol (RSVP) Multiprotocol Label Switching terminal equipment (MPLS TE), Internet Group Management Protocol Version 2 (IGMPV2), and other protocols that use IP Options packets may not function in drop or ignore mode if this feature is configured.

On most Cisco routers, a packet with IP Options is not switched in hardware, but requires control plane software processing (primarily because there is a need to process the options and rewrite the IP header), so all IP packets with IP Options will be filtered and switched in software. Also, it must be noted that Turbo ACLs do not support ACLs with entries that filter using the option keyword and such ACLs will not get Turbo compiled. This option keyword restriction will not affect any other ACLs on the router. In general, not using Turbo ACLs in such cases is not considered a performance issue because the Cisco IOS software allows for faster ACL processing starting from Cisco IOS Release 12.3(2)T.

The ACL Support for Filtering IP Options feature can be used only with named, extended ACLs.

---

Note To effectively eliminate all packets that contain IP Options, we recommend that the global ip options drop command be used.

---

Information About ACL Support for Filtering IP Options

Before you configure the ACL Support for Filtering IP Options feature, you should understand the following concepts:

•IP Options

•Benefits of Using the ACL Support for Filtering IP Options Feature

IP Options

The internet protocol uses four key mechanisms in providing its service: Type of Service, Time to Live, Options, and Header Checksum.

The Options, commonly referred to as IP Options, provide for control functions that are required in some situations but unnecessary for the most common communications. IP Options include provisions for time stamps, security, and special routing.

IP Options may or may not appear in datagrams. They must be implemented by all IP modules (host and gateways). What is optional is their transmission in any particular datagram, not their implementation. In some environments the security option may be required in all datagrams.

The option field is variable in length. There may be zero or more options. IP Options can have one of two formats:

•Format 1: A single octet of option-type.

•Format 2: An option-type octet, an option-length octet, and the actual option-data octets.

The option-length octet counts the option-type octet and the option-length octet and the option-data octets.

The option-type octet is viewed as having three fields: a 1-bit copied flag, a 2-bit option class, and a 5-bit option number. These fields form an 8-bit value for the option type field. IP Options are commonly referred to by their 8-bit value.

For a complete list and description of IP Options, refer to the RFC 791 at the following URL:

http://www.faqs.org/rfcs/rfc791.html.

Benefits of Using the ACL Support for Filtering IP Options Feature

•Filtering of packets that contain IP Options from the network and relieving of downstream routers and hosts of the load from options packets.

•Load minimization to the Route Processor (RP) for packets with IP Options that require RP processing on distributed systems. Previously, the packets were always routed to or processed by the RP CPU. Filtering the packets prevents them from impacting the RP.

How to Configure the ACL Support for Filtering IP Options Feature

This section contains the following procedures:

•Configuring Access Lists to Filter Packets That Contain IP Options

Configuring Access Lists to Filter Packets That Contain IP Options

The following task configures access lists to filter packets that contain IP Options and verifies that the access lists have been configured correctly.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip access-list {standard | extended} access-list-name

4. [sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

5. [sequence-number] deny protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

6. Repeat Step 4 or Step 5 as necessary, adding statements by option value where you planned. Use the no sequence-number form of this command to delete an entry.

7. end

8. show ip access-lists access-list-name

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	ip access-list {standard | extended} access-list-name Example: Router(config)# ip access-list extended mylist1	Specifies the IP access list by name and enters named access list configuration mode. Note The ACL Support for Filtering IP Options feature works only with named, extended ACLs.
Step 4	[sequence-number] deny protocol source source-wildcard destination destination-wildcard [option option-value][precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments] Example: Router(config-ext-nacl)# deny ip any any option traceroute	Specifies a deny statement in named IP access list mode. •This access list happens to use a deny statement first, but a permit statement could appear first, depending on the order of statements you need. •Use the option keyword option-value argument to filter packets that contain a particular IP Option. In this instance any packet that contains the traceroute IP Option will be filtered out. •Use the no sequence-number form of this command to delete an entry.
Step 5	[sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments] Example: Router(config-ext-nacl)# permit ip any any option security	(Optional) Specifies a permit statement in named IP access list mode. •This access list happens to use a permit statement first, but a deny statement could appear first, depending on the order of statements you need. •Use the option keyword option-value argument to filter packets that contain a particular IP Option. In this instance any packet that contains the security IP Option will be permitted. •Use the no sequence-number form of this command to delete an entry.
Step 6	Repeat Step 4 or Step 5 as necessary, adding statements by sequence number where you planned. Use the no sequence-number form of this command to delete an entry.	Allows you to revise the access list.
Step 7	end Example: Router(config-std-nacl)# end	(Optional) Exits the configuration mode and returns to privileged EXEC mode.
Step 8	show ip access-lists access-list-name Example: Router# show ip access-lists mylist1	(Optional) Displays the contents of the IP access list. •Review the output to verify that the access list includes the new entry.

ACL Support for Filtering IP Options: Example

This section contains the following configuration example:

•Configuring the Access List to Filter Packets That Contain IP Options: Example

Configuring the Access List to Filter Packets That Contain IP Options: Example

The following example shows an extended access list named mylist2 that contains access list entries (ACEs) that are configured to permit TCP packets only if they contain the IP Options that are specified in the ACEs:

Router> enable

Router# configure terminal

Router(config)# ip access-list extended mylist2

Router(config-ext-nacl)# 10 permit ip any any option eool

Router(config-ext-nacl)# 20 permit ip any any option record-route

Router(config-ext-nacl)# 30 permit ip any any option zsu

Router(config-ext-nacl)# 40 permit ip any any option mtup

The show access-list command has been entered to show how many packets were matched and therefore permitted:

Router# show ip access-list mylist2

Extended IP access list test

10 permit ip any any option eool (1 match)

20 permit ip any any option record-route (1 match)

30 permit ip any any option zsu (1 match)

40 permit ip any any option mtup (1 match)

Where to Go Next

You may also want to the enter the no ip options command that is documented in the IP Options Selective Drop feature in Cisco IOS Release 12.3(4)T.

Additional References

The following sections provide references related to the ACL Support for Filtering IP Options feature.

Related Documents

Related Topic	Document Title
Configuring IP access lists	"Configuring IP Services" chapter in the Cisco IOS IP Configuration Guide
IP access list commands	"IP Addressing and Services Commands" chapter in the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3 T
Configuring the router to drop or ignore packets containing IP Options	IP Options Selective Drop feature module for Cisco IOS Release 12.3(4)T

Standards

Standards	Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.	—

MIBs

MIBs	MIBs Link
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.	To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFCs	Title
RFC 791	Internet Protocol

Technical Assistance

Description	Link
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.	http://www.cisco.com/public/support/tac/home.shtml

Command Reference

This section documents the following modified commands only.

•deny (IP)

•permit (IP)

deny (IP)

To set conditions in a named IP access list that will deny packets, use the deny command in access list configuration mode. To remove a deny condition from an access list, use the no form of this command.

[sequence-number] deny source [source-wildcard]

[sequence-number] deny protocol source source-wildcard destination destination-wildcard [option option-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

no sequence-number

no deny source [source-wildcard]

no deny protocol source source-wildcard destination destination-wildcard

Internet Control Message Protocol (ICMP)

[sequence-number] deny icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Internet Group Management Protocol (IGMP)

[sequence-number] deny igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Transmission Control Protocol (TCP)

[sequence-number] deny tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

User Datagram Protocol (UDP)

[sequence-number] deny udp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Syntax Description

sequence-number	(Optional) Sequence number assigned to the deny statement, causing the system to insert the statement in that numbered position in the access list.
source	Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source: •Use a 32-bit quantity in four-part dotted-decimal format. •Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. •Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
source-wildcard	Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard: •Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions you want to ignore. •Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. •Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
protocol	Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers described later.
destination	Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: •Use a 32-bit quantity in four-part dotted-decimal format. •Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. •Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
destination-wildcard	Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: •Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions you want to ignore. •Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. •Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
option option-name	(Optional) Packets can be filtered by IP Options, as specified by a number from 0 to 255, or by the corresponding IP Option name, as listed in the section "Usage Guidelines."
precedence precedence	(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name.
tos tos	(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines" of the access-list (IP extended) command.
log	(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information. The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list. If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not Cisco Express Forwarding (CEF) switched. They are fast switched. Logging disables CEF.
time-range time-range-name	(Optional) Name of the time range that applies to this deny statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.
fragments	(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.
icmp-type	(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code	(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message	(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.
igmp-type	(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.
operator	(Optional) Compares source or destination ports. Operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard arguments, it must match the source port. If the operator is positioned after the destination and destination-wildcard arguments, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.
port	(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines" of the access-list (IP extended) command. TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP.
established	(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bit set. The nonmatching case is that of the initial TCP datagram to form a connection. Note The established keyword can be used only with the old command-line interface (CLI) format. To use the new CLI format you must use the match-any and match-all keywords followed by the + or - keywords and flag-name argument.
match-any match-all	(Optional) For the TCP protocol only: A match occurs if the TCP datagram has certain TCP flags set or not set. You use the match-any keyword to allow a match to occur if any of the specified TCP flags are present or you can use the match-all keyword to allow a match to occur only if all of the specified TCP flags are present. You must follow the match-any and match-all keywords with the + or - keyword and the flag-name argument to match on one or more TCP flags.
+ - flag-name	(Optional) For the TCP protocol only: The + keyword allows IP packets if their TCP headers contains the TCP flags that are specified by the flag-name argument. The - keyword filters out IP packets that do not contain the TCP flags specified by the flag-name argument. You must follow the + and - keywords with the flag-name argument. TCP flag names can be used only when filtering TCP. Flag names for the TCP flags are as follows: urg, ack, psh, rst, syn, and fin.

Defaults

There are no specific conditions under which a packet is denied passing the named access list.

Command Modes

Access list configuration

Command History

Release	Modification
11.2	This command was introduced.
12.0(1)T	The time-range time-range-name keyword and argument were added.
12.0(11) 12.1(2)	The fragments keyword was added.
12.2(13)T	The igrp keyword was removed because the IGRP protocol is no longer available in Cisco IOS software.
12.2(14)S	The sequence-number argument was added.
12.2(15)T	The sequence-number argument was integrated into Release 12.2(15)T and the igrp keyword was removed.
12.3(4)T	The option option-name keyword and argument were added. The match-any, match-all, + and - keywords and flag-name argument was added.
12.2(25)S	This command was integrated into Cisco IOS Release 12.2(25)S.

Usage Guidelines

Use this command following the ip access-list command to specify conditions under which a packet cannot pass the named access list.

The time-range keyword allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this deny statement is in effect.

Access List Filtering of IP Options

Access control lists can be used to filter packets with IP Options, to prevent routers from being saturated with spurious packets containing IP Options. To see a complete table of all IP Options, including ones currently not in use, refer to the latest Internet Assigned Numbers Authority (IANA) information that is available from its URL: www.iana.org.

Cisco IOS software allows you to filter packets on whether they contain one or more of the legitimate IP Options by entering either the IP Option value or the corresponding name for the ip-value argument as shown in Table 1:

Table 1 IP Option Values and Names

.

IP Option Value or Name	Description
0 to 255	IP Options values
add-ext	Match packets with Address Extension Option (147)
any-options	Match packets with any IP Option
com-security	Match packets with Commercial Security Option (134)
dps	Match packets with Dynamic Packet State Option (151)
encode	Match packets with Encode Option (15)
eool	Match packets with End of Options (0)
ext-ip	Match packets with Extended IP Options (145)
ext-security	Match packets with Extended Security Option (133)
finn	Match packets with Experimental Flow control Option (205)
imitd	Match packets with IMI Traffic Descriptor Option (144)
lsr	Match packets with Loose Source Route Option (131)
mtup	Match packets with MTU Probe Option (11)
mtur	Match packets with MTU Reply Option (12)
no-op	Match packets with the No Operation Option (1)
nsapa	Match packets with the NSAP Addresses option (150)
record-route	Match packets with Router Alert Option (7)
router-alert	Match packets with Router Alert Option (148)
sdb	Match packets with Selective Directed Broadcast Option (149)
security	Match packets with Base Security Option (130)
ssr	Match packets with Strict Source Routing Option (137)
Stream-id	Match packets with Stream ID Option (136)
timestamp	Match packets with Time Stamp Option (68)
traceroute	Match packets with Trace Route Option (82)
ump	Match packets with Upstream Multicast Packet Option (152)
visa	Match packets with Experimental Access Control Option (142)
zsu	Match packets with Experimental Measurement Option (10)

Filtering IP Packets Based on TCP Flags

The ACEs that comprise an access list can be configured to detect and drop unauthorized TCP packets by allowing only the packets that have very specific group of TCP flags set or not set. Users can select any desired combination of TCP flags on which to filter TCP packets. Users can configure ACEs in order to allow matching on a flag set and on a flag not set. Use the + and - keywords with a flag name to specify that a match is made based on whether a TCP header flag has been set. Use the match-any and match-all keywords to allow the packet if any or all, respectively, of the flags specified by the + or - keyword and flag-name argument have been set or not set.

Access List Processing of Fragments

The behavior of access list entries regarding the use or lack of the fragments keyword can be summarized as follows:

If the Access-List Entry Has...	Then...
...no fragments keyword (the default behavior), and assuming all of the access-list entry information matches,	For an access list entry containing only Layer 3 information: •The entry is applied to nonfragmented packets, initial fragments, and noninitial fragments. For an access list entry containing Layer 3 and Layer 4 information: •The entry is applied to nonfragmented packets and initial fragments. –If the entry is a permit statement, the packet or fragment is permitted. –If the entry is a deny statement, the packet or fragment is denied. •The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access list entry can be applied. If the Layer 3 portion of the access list entry matches, and –If the entry is a permit statement, the noninitial fragment is permitted. –If the entry is a deny statement, the next access list entry is processed. Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.
...the fragments keyword, and assuming all of the access list entry information matches,	Note The access list entry is applied only to noninitial fragments. The fragments keyword cannot be configured for an access list entry that contains any Layer 4 information.

Be aware that you should not add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword. The packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.

Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.

---

Note The fragments keyword cannot solve all cases involving access lists and IP fragments.

---

Fragments and Policy Routing

Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.

By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.

Examples

The following example sets a deny condition for a standard access list named Internetfilter:

ip access-list standard Internetfilter

 deny 192.5.34.0  0.0.0.255

 permit 172.16.0.0  0.0.255.255

 permit 10.0.0.0  0.255.255.255

! (Note: all other access implicitly denied)

The following example denies HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m.:

time-range no-http

 periodic weekdays 8:00 to 18:00

!

ip access-list extended strict

 deny tcp any any eq http time-range no-http

!

interface ethernet 0

 ip access-group strict in

The following example adds an entry with the sequence number 25 to extended IP access list 150:

Router(config)# ip access-list extended 150

Router(config-std-nacl)# 25 deny ip host 172.16.3.3 host 192.168.5.34

The following example removes the entry with the sequence number 25 from the standard access list example shown above:

Router(config-std-nacl)# no 25

The following example sets a deny condition for a standard access list named filter2. The ACE specifies that a packet cannot pass the named access list if it contains the Strict Source Routing IP Option, which is represented by the IP Option value ssr.

Router(config)# ip access-list extended filter2

Router(config-ext-nacl)# deny ip any any option ssr

The following example sets a deny condition for an extended access list named kmdfilter1. The ACE specifies that a packet cannot pass the named access list if the RST and FIN TCP flags have been set for that packet:

Router(config)# ip access-list extended kmdfilter1

Router(config-std-nacl)# deny tcp any any match-any +rst +fin

Related Commands

Command	Description
absolute	Specifies an absolute time when a time range is in effect.
access-list (IP extended)	Defines an extended IP access list.
access-list (IP extended)	Defines a standard IP access list.
ip access-group	Controls access to an interface.
ip access-list	Defines an IP access list by name.
ip access-list log-update	Sets the threshold number of packets that cause a logging message.
ip access-list resequence	Applies sequence numbers to the access list entries in an access list.
ip options	Drops or ignores IP Options packets that are sent to the router.
match ip address	Distributes any routes that have a destination network number address that is permitted by a standard or extended access list, or performs policy routing on packets.
periodic	Specifies a recurring (weekly) time range for functions that support the time-range feature.
permit (IP)	Sets conditions under which a packet passes a named IP access list.
remark	Writes a helpful comment (remark) for an entry in a named IP access list.
show ip access-list	Displays the contents of all current IP access lists.
time-range	Specifies when an access list or other feature is in effect.

permit (IP)

To set conditions to allow a packet to pass a named IP access list, use the permit command in access list configuration mode. To remove a permit condition from an access list, use the no form of this command.

[sequence-number] permit source [source-wildcard]

[sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

no sequence-number

no permit source [source-wildcard]

no permit protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Internet Control Message Protocol (ICMP)

[sequence-number] permit icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Internet Group Management Protocol (IGMP)

[sequence-number] permit igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Transmission Control Protocol (TCP)

[sequence-number] permit tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

User Datagram Protocol UDP)

[sequence-number] permit udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Syntax Description

sequence-number	(Optional) Sequence number assigned to the permit statement, causing the system to insert the statement in that numbered position in the access list.
source	Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source: •Use a 32-bit quantity in four-part dotted-decimal format. •Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. •Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
source-wildcard	(Optional) Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard: •Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions you want to ignore. •Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. •Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
protocol	Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers described later.
destination	Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: •Use a 32-bit quantity in four-part dotted-decimal format. •Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. •Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
destination-wildcard	Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: •Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions you want to ignore. •Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. •Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
option option-value	(Optional) Packets can be filtered by IP Options, as specified by a number from 0 to 255, or by the corresponding IP Option name, as listed in the section "Usage Guidelines."
precedence precedence	(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name.
tos tos	(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines" of the access-list (IP extended) command.
log	(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information. The logging facility may drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list. If you enable Cisco Express Forwarding (CEF) and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.
time-range time-range-name	(Optional) Name of the time range that applies to this permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.
fragments	(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.
icmp-type	(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code	(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message	(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.
igmp-type	(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.
operator	(Optional) Compares source or destination ports. Operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard arguments, it must match the source port. If the operator is positioned after the destination and destination-wildcard arguments, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.
port	(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names