Access Control Lists (ACLs)
67
CCNA2 Routing Perrine modified by Brierley Page 1 03/15/22 Module 11 Access Control 172.16.3.0 172.16.4.0 Non-172.16.0.0 e0 e1 s0 172.16.4.13 server
-
Upload
senan-alkaaby -
Category
Documents
-
view
16 -
download
2
description
acl
Transcript of Access Control Lists (ACLs)
No Slide TitleHigh Level View
access-list 1 permit any
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq www
access-list 101 permit ip any any
High Level View
ACLs are instructions that are applied to a router interfaces.
The ACLs describe the kind of packets that are to be permitted or denied.
Permitted or Denial testing can be based on:
source address
destination address
port number
ACLs are configured on the router Interfaces to control access to a network.
ACLs must be defined separately for each protocol; Unique for IP, Unique for IPX; Unique for AppleTalk, etc.
Some times ACLs are called packet filters.
CCNA2 Routing
Placing ACLs
CCNA2 Routing
Module 11
A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.
Firewalls
provide traffic flow - limit traffic through the network
provide for security
ACL - Access Control Lists
DETAIL
destination address
source address
port number
Each ACL statement is checked in a sequential order (first to last) and when there is a match, no more statements are checked.
If the results are no matches, then the packet (by default) is discarded.
Adding addition ACL statements to the end of an existing list is just a matter of adding the new statement. BUT, if
deleting an existing ACL statement causes the entire access list to be deleted.
ACL - Access Control Lists
access-list 1 permit any
“IN” (inbound) checking is required. The packet:
Is checked against the ACL list (if one exists)
Here It can be interrogated to permit or deny.
If denied the packet is dropped else,
It is matched against the routing table and passed to an “OUT” (outbound interface)
ACL - Access Control Lists
1) Here It can be interrogated to permit or deny.
2) If denied the packet is dropped
3) If permitted then packet is allowed “OUT” (outbound).
The Outbound interface’s ACL is a different list from the inbound)
CCNA2 Routing
Module 11
ACL statements operate in a logical, sequential order. When a match is made the rest of the statements are not checked.
If none the ACL statements match, then there is an implicit deny any rule.
access-list 10 { permit | deny } { test conditions }
access-list 1 deny 192.169.1.0 0.0.255.255
access-list 1 deny 192.168.1.9 0.0.0.0
access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
access-list 10 deny any
ACL - Access Control Lists
standard - has access list value of 1- 99
extended - has access list value of 100 - 199
Must be configured in global configuration mode. Router (config) #
Steps in creating ACLs:
ACLs are used to filter:
inbound traffic, or
Where to place ACLs
Standard ACLs are place as close as possible to the destination.
Extended ACLs are place as close as possible to the source.
CCNA2 Routing
Router(config)# access-list 1 permit { test conditions }
Router(config)# access-list 50 deny { test conditions }
To delete all ACL statements of an access-list
Router(config)# no access-list <ACL number>
Applying the Access List:
Router(config-if)# ip access-group 1
Router(config-if)# ip access-group 50
To delete an ACL group statement (this will not delete the associated list):
Router(config)# no access-group <ACL number>
Where to place ACLs
Module 11
A wildcard is matched with an IP address or protocol address.
It is a 32 bit mask divided into 4 octet, each containing 8 bits.
A 0 in the wildcard means to check the bit in the IP you are testing.
A 1 in the wildcard means ignore the bit in the IP you are testing.
NOTE!!!
Do NOT think subnet mask – that is a totally different meaning not related to the WILDCARD
Wildcard
0.0.0.0 255.255.255.255
Address Wildcard
Router(config)# access-list 1 permit any
Router(config)# access-list 1 deny 0.0.0.0 255.255.255.255
Router(config)# access-list 1 deny any
CCNA2 Routing
To match all the bits of IP address use host:
EX: 172. 30.16. 29 0. 0. 0. 0
Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
Router(config)# access-list 1 permit host 172.30.16.29
Abbreviations
deny entire protocol suits
Router(config)# access-list <ACL number> { deny | permit } source [ source wildcard] [log]
CCNA2 Routing
Access-list 33 permit 172.16.0.0 0.0.255.255 log
Permits all traffic from 172.16.0.0 and sends messages to the console every time the access list is executed.
Standard ACLs
CCNA2 Routing
Access-list 44 deny 172.16.13.7 0.0.0.0 log
Denies traffic from host 172.16.13.7 and sends message to the console every time the access list is hit.
Standard ACLs
CCNA2 Routing
Denies all traffic from network 172.16.64.0
Standard ACLs
CCNA2 Routing
The log command:
Prints messages to the console which includes the ACL number, whether the packet was permitted or denied, the source address, and the number of packets.
The message is generated for the first packet that matches, and then at five-minute intervals, including the number of packets permitted or denied in the prior five-minute interval.
Log is used for debugging only not to be left active on live networks.
Standard ACLs
CCNA2 Routing
Standard ACLs
CCNA2 Routing
show access-list
Displays all access lists & their parameters configured on the router. (Does not show you which interface the list is set on.)
show access-list <ACL number>
Shows only the parameters for the access list <ACL number>. (Does not show you the interface the list is set on.)
show ip access-list
Shows only the IP access lists configured on the router
show ip interface
Shows which interfaces have access lists set (containing an access-group).
show running-config
Standard ACLs
CCNA2 Routing
R(config)# Interface e1
R(config)# access-list 1 permit 172.16.0.0 0.0.255.255
What does it do?
R(config)# Interface e1
R(config)# access-list 1 permit 172.16.0.0 0.0.255.255
Allows only traffic from source network 172.16.0.0 to be forwarded & and non-172.16.0.0 traffic is blocked.
Standard ACLs
172.16.3.0
172.16.4.0
Non-172.16.0.0
e0
e1
s0
172.16.4.13
server
R(config)# access-list 1 deny 172.16.4.13 0.0.0.0
R(config)# access-list 1 permit any
What does this do?
R(config)# access-list 1 deny 172.16.4.13 0.0.0.0
R(config)# access-list 1 permit any
Denies traffic from a specific device, 172.16.4.13 & allows all other traffic thru e0 to network 172.16.3.0.
Standard ACLs
access-list 1 permit any
What does this do?
access-list 1 permit any
Denies traffic from the subnet, 172.16.4.0 & allows all other traffic thru e0 to network 172.16.3.0.
Standard ACLs
check for specific protocol
permit or denied applications – pings, telnets, FTP, etc.
ACL values range between 100 – 199 (for IP)
Extended ACLs
CCNA2 Routing
20 FTP data [TCP]
23 Telnet [TCP]
53 DNS [TCP, UDP]
destination destination-mask operator operand {established}
ACL number
100 – 199
permit | deny
protocol
source -- Source address source-wildcard mask
destination -- Destination address destination-wildcard mask
Extended ACLs
destination destination-mask operator operand {established}
operator
established
Allows TCP traffic to pass if the packet uses an established connection ( for example, has ACK bits set ).
access-list 101 permit tcp 172.16.4.0 0.0.0.255 any eq 25
Extended ACLs
CCNA2 Routing
Router(config)# int E0
Extended ACLs
CCNA2 Routing
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 permit ip any any
What does this do?
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 permit ip any any
Blocks FTP traffic from all hosts on 172.16.4.0 to any device on 172.16.3.0 & allows all other traffic.
Extended ACLs
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
access-list 101 permit ip any any
What does this do?
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
access-list 101 permit ip any any
Denies only telnet traffic from 172.16.4.0 to 172.16.3.0 network, and permits all other traffic thru e0 to any address.
Extended ACLs
NOTE:
CCNA2 Routing
Module 11
Standard/Extended ACL
You can not add ACL statements into the body of the access-list (ONLY at the end of the list).
Otherwise the access list must be deleted first, and then rewritten.
Therefore it is prudent to write your access-list in text format using “notepad”, and then transfer it to your router.
CCNA2 Routing
NOTE:
A NAMED ACL is an alphanumeric string instead of the ACL number (1 - 199 )
NAMED ACLs are not compatible with Cisco IOS release prior to Release 11.2
Named ACLs can be used for either standard & extended
You cannot configure the same name for multiple ACLs.
use Name ACL when you want to intuitively identify ACLs
use Name ACL when you have more than 99 standard & 100 extended ACLs have been configured on a router for a given protocol
CCNA2 Routing
ip access-list standard internetfilter
CCNA2 Routing
Module 11
Named ACL
A named ACL will allow the deletion of statements, but will only allow for the statements to be inserted a the end of the list.
CCNA2 Routing
10101100.00010000.00000000.00000000
Incoming packet with address of 172.18.4.2. Will it be permitted?
Source : 10101100.00010010.00000100.00000010
10101100.00010000.00000000.00000000
Incoming packet with address of 172.18.4.2. Will it be permitted?
Source : 10101100.00010010.00000100.00000010
No! Hence the incoming packet will not be permitted.
CCNA2 Routing
10101100.00010000.00000000.00000000
Incoming packet with address of 172.16.4.2. Will it be permitted?
Source : 10101100.00010000.00000100.00000010
Yes! Hence the incoming packet will be permitted.
CCNA2 Routing
10101100.00010000.00000000.00000000
Incoming packet with address of 172.16.4.1. Will it be permitted?
Source : 10101100.00010000.00000100.00000001
10101100.00010000.xxxxxxxx. xxxxxxx1 Result
Incoming packet with address of 172.16.4.4. Will it be permitted?
Source : 10101100.00010000.00000100.00000100
10101100.00010000. xxxxxxxx. xxxxxxx0 Result
10101100.00010000.00000000.00000000
Incoming packet with address of 172.16.4.5. Will it be permitted?
Source : 10101100.00010000.00000100.00000101
10101100.00010000.xxxxxxxx. xxxxxxx1 Result
So the access list perform what operation? Permits 172.16.4.4, and denies 172.16.4.1 and 172.16.4.5
Permits all even addresses from the network 172.16.0.0
CCNA2 Routing
Permit/Deny BLOCKS of addresses
One can permit or deny a block of addresses. However, the blocks must be a power of 2! (Example, 2, 4, 8, 16, 32, 64, 128, etc.)
When you need to specify a range of addresses, you choose the closet block size for your needs.
You want to block access to part of network that is in the range from 198.16.99.0 through 198.16.99.7. This is a block size of 8. Hence:
198.16.99.0 0.0.0.7
Also in this case for a block of 8, the beginning address must either start at 0, 8, 16, etc.
CCNA2 Routing
Module 11
One has a subnet whose addresses range from 200.17.2.128 to 200.17.2.191. One wants to divide this network so the top half are permitted and the bottom half is denied to any other network. What is the access lists?
The block range is:
Permit/Deny BLOCKS of addresses
Denies a block of 64 address starting at 200.16.88.64
Permit/Deny BLOCKS of addresses
Virtual Terminal ACL
You can control access via the VTY ports controlling telnet sessions coming into the router.
You write the ACL as usual, but use access-class to apply it.
As an example:
Router(config t)# line vty 0 4
Router(config-line)# login
Router(config-line)# access-class 1 in
Note: only numbered access lists can be applied to VTY virtual lines!
CCNA2 Routing
Module 11
Established option
The ‘establish’ option in an access-list used only with TCP datagrams. There are cases when you want to stop host B from initiating a connection with a host A while permitting A to initiate connections with B.
establish
response
establish
A
B
Module 11
Allow host 172.16.3.13 with Internet connection, but don’t allow the internet to initialize any sessions.
172.16.3.0
172.16.4.0
e0
e1
172.16.3.13
INTERNET
Router(config)# access-list 101 permit tcp any 172.16.3.0 0.0.255.255 established
Established option
Router(config)# access-list 101 permit tcp any host 172.16.3.13 eq www established
Established option
Router(config)# access-list 101 permit tcp any 172.16.3.0 0.0.0.255 eq www established
Router(config)# access-list 101 permit icmp any any
Router(config)# access-list 101 permit udp any any eq 53
Note: established argument is limited to tcp which means UDP, ICMP and all other IP protocols will not match, and will be denied, unless specifically allowed. Hence
Established option
Extended ACL
Put the ACL as close as possible to the source
CCNA2 Routing
access-list 1 permit any
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq www
access-list 101 permit ip any any
High Level View
ACLs are instructions that are applied to a router interfaces.
The ACLs describe the kind of packets that are to be permitted or denied.
Permitted or Denial testing can be based on:
source address
destination address
port number
ACLs are configured on the router Interfaces to control access to a network.
ACLs must be defined separately for each protocol; Unique for IP, Unique for IPX; Unique for AppleTalk, etc.
Some times ACLs are called packet filters.
CCNA2 Routing
Placing ACLs
CCNA2 Routing
Module 11
A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.
Firewalls
provide traffic flow - limit traffic through the network
provide for security
ACL - Access Control Lists
DETAIL
destination address
source address
port number
Each ACL statement is checked in a sequential order (first to last) and when there is a match, no more statements are checked.
If the results are no matches, then the packet (by default) is discarded.
Adding addition ACL statements to the end of an existing list is just a matter of adding the new statement. BUT, if
deleting an existing ACL statement causes the entire access list to be deleted.
ACL - Access Control Lists
access-list 1 permit any
“IN” (inbound) checking is required. The packet:
Is checked against the ACL list (if one exists)
Here It can be interrogated to permit or deny.
If denied the packet is dropped else,
It is matched against the routing table and passed to an “OUT” (outbound interface)
ACL - Access Control Lists
1) Here It can be interrogated to permit or deny.
2) If denied the packet is dropped
3) If permitted then packet is allowed “OUT” (outbound).
The Outbound interface’s ACL is a different list from the inbound)
CCNA2 Routing
Module 11
ACL statements operate in a logical, sequential order. When a match is made the rest of the statements are not checked.
If none the ACL statements match, then there is an implicit deny any rule.
access-list 10 { permit | deny } { test conditions }
access-list 1 deny 192.169.1.0 0.0.255.255
access-list 1 deny 192.168.1.9 0.0.0.0
access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
access-list 10 deny any
ACL - Access Control Lists
standard - has access list value of 1- 99
extended - has access list value of 100 - 199
Must be configured in global configuration mode. Router (config) #
Steps in creating ACLs:
ACLs are used to filter:
inbound traffic, or
Where to place ACLs
Standard ACLs are place as close as possible to the destination.
Extended ACLs are place as close as possible to the source.
CCNA2 Routing
Router(config)# access-list 1 permit { test conditions }
Router(config)# access-list 50 deny { test conditions }
To delete all ACL statements of an access-list
Router(config)# no access-list <ACL number>
Applying the Access List:
Router(config-if)# ip access-group 1
Router(config-if)# ip access-group 50
To delete an ACL group statement (this will not delete the associated list):
Router(config)# no access-group <ACL number>
Where to place ACLs
Module 11
A wildcard is matched with an IP address or protocol address.
It is a 32 bit mask divided into 4 octet, each containing 8 bits.
A 0 in the wildcard means to check the bit in the IP you are testing.
A 1 in the wildcard means ignore the bit in the IP you are testing.
NOTE!!!
Do NOT think subnet mask – that is a totally different meaning not related to the WILDCARD
Wildcard
0.0.0.0 255.255.255.255
Address Wildcard
Router(config)# access-list 1 permit any
Router(config)# access-list 1 deny 0.0.0.0 255.255.255.255
Router(config)# access-list 1 deny any
CCNA2 Routing
To match all the bits of IP address use host:
EX: 172. 30.16. 29 0. 0. 0. 0
Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
Router(config)# access-list 1 permit host 172.30.16.29
Abbreviations
deny entire protocol suits
Router(config)# access-list <ACL number> { deny | permit } source [ source wildcard] [log]
CCNA2 Routing
Access-list 33 permit 172.16.0.0 0.0.255.255 log
Permits all traffic from 172.16.0.0 and sends messages to the console every time the access list is executed.
Standard ACLs
CCNA2 Routing
Access-list 44 deny 172.16.13.7 0.0.0.0 log
Denies traffic from host 172.16.13.7 and sends message to the console every time the access list is hit.
Standard ACLs
CCNA2 Routing
Denies all traffic from network 172.16.64.0
Standard ACLs
CCNA2 Routing
The log command:
Prints messages to the console which includes the ACL number, whether the packet was permitted or denied, the source address, and the number of packets.
The message is generated for the first packet that matches, and then at five-minute intervals, including the number of packets permitted or denied in the prior five-minute interval.
Log is used for debugging only not to be left active on live networks.
Standard ACLs
CCNA2 Routing
Standard ACLs
CCNA2 Routing
show access-list
Displays all access lists & their parameters configured on the router. (Does not show you which interface the list is set on.)
show access-list <ACL number>
Shows only the parameters for the access list <ACL number>. (Does not show you the interface the list is set on.)
show ip access-list
Shows only the IP access lists configured on the router
show ip interface
Shows which interfaces have access lists set (containing an access-group).
show running-config
Standard ACLs
CCNA2 Routing
R(config)# Interface e1
R(config)# access-list 1 permit 172.16.0.0 0.0.255.255
What does it do?
R(config)# Interface e1
R(config)# access-list 1 permit 172.16.0.0 0.0.255.255
Allows only traffic from source network 172.16.0.0 to be forwarded & and non-172.16.0.0 traffic is blocked.
Standard ACLs
172.16.3.0
172.16.4.0
Non-172.16.0.0
e0
e1
s0
172.16.4.13
server
R(config)# access-list 1 deny 172.16.4.13 0.0.0.0
R(config)# access-list 1 permit any
What does this do?
R(config)# access-list 1 deny 172.16.4.13 0.0.0.0
R(config)# access-list 1 permit any
Denies traffic from a specific device, 172.16.4.13 & allows all other traffic thru e0 to network 172.16.3.0.
Standard ACLs
access-list 1 permit any
What does this do?
access-list 1 permit any
Denies traffic from the subnet, 172.16.4.0 & allows all other traffic thru e0 to network 172.16.3.0.
Standard ACLs
check for specific protocol
permit or denied applications – pings, telnets, FTP, etc.
ACL values range between 100 – 199 (for IP)
Extended ACLs
CCNA2 Routing
20 FTP data [TCP]
23 Telnet [TCP]
53 DNS [TCP, UDP]
destination destination-mask operator operand {established}
ACL number
100 – 199
permit | deny
protocol
source -- Source address source-wildcard mask
destination -- Destination address destination-wildcard mask
Extended ACLs
destination destination-mask operator operand {established}
operator
established
Allows TCP traffic to pass if the packet uses an established connection ( for example, has ACK bits set ).
access-list 101 permit tcp 172.16.4.0 0.0.0.255 any eq 25
Extended ACLs
CCNA2 Routing
Router(config)# int E0
Extended ACLs
CCNA2 Routing
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 permit ip any any
What does this do?
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 permit ip any any
Blocks FTP traffic from all hosts on 172.16.4.0 to any device on 172.16.3.0 & allows all other traffic.
Extended ACLs
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
access-list 101 permit ip any any
What does this do?
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
access-list 101 permit ip any any
Denies only telnet traffic from 172.16.4.0 to 172.16.3.0 network, and permits all other traffic thru e0 to any address.
Extended ACLs
NOTE:
CCNA2 Routing
Module 11
Standard/Extended ACL
You can not add ACL statements into the body of the access-list (ONLY at the end of the list).
Otherwise the access list must be deleted first, and then rewritten.
Therefore it is prudent to write your access-list in text format using “notepad”, and then transfer it to your router.
CCNA2 Routing
NOTE:
A NAMED ACL is an alphanumeric string instead of the ACL number (1 - 199 )
NAMED ACLs are not compatible with Cisco IOS release prior to Release 11.2
Named ACLs can be used for either standard & extended
You cannot configure the same name for multiple ACLs.
use Name ACL when you want to intuitively identify ACLs
use Name ACL when you have more than 99 standard & 100 extended ACLs have been configured on a router for a given protocol
CCNA2 Routing
ip access-list standard internetfilter
CCNA2 Routing
Module 11
Named ACL
A named ACL will allow the deletion of statements, but will only allow for the statements to be inserted a the end of the list.
CCNA2 Routing
10101100.00010000.00000000.00000000
Incoming packet with address of 172.18.4.2. Will it be permitted?
Source : 10101100.00010010.00000100.00000010
10101100.00010000.00000000.00000000
Incoming packet with address of 172.18.4.2. Will it be permitted?
Source : 10101100.00010010.00000100.00000010
No! Hence the incoming packet will not be permitted.
CCNA2 Routing
10101100.00010000.00000000.00000000
Incoming packet with address of 172.16.4.2. Will it be permitted?
Source : 10101100.00010000.00000100.00000010
Yes! Hence the incoming packet will be permitted.
CCNA2 Routing
10101100.00010000.00000000.00000000
Incoming packet with address of 172.16.4.1. Will it be permitted?
Source : 10101100.00010000.00000100.00000001
10101100.00010000.xxxxxxxx. xxxxxxx1 Result
Incoming packet with address of 172.16.4.4. Will it be permitted?
Source : 10101100.00010000.00000100.00000100
10101100.00010000. xxxxxxxx. xxxxxxx0 Result
10101100.00010000.00000000.00000000
Incoming packet with address of 172.16.4.5. Will it be permitted?
Source : 10101100.00010000.00000100.00000101
10101100.00010000.xxxxxxxx. xxxxxxx1 Result
So the access list perform what operation? Permits 172.16.4.4, and denies 172.16.4.1 and 172.16.4.5
Permits all even addresses from the network 172.16.0.0
CCNA2 Routing
Permit/Deny BLOCKS of addresses
One can permit or deny a block of addresses. However, the blocks must be a power of 2! (Example, 2, 4, 8, 16, 32, 64, 128, etc.)
When you need to specify a range of addresses, you choose the closet block size for your needs.
You want to block access to part of network that is in the range from 198.16.99.0 through 198.16.99.7. This is a block size of 8. Hence:
198.16.99.0 0.0.0.7
Also in this case for a block of 8, the beginning address must either start at 0, 8, 16, etc.
CCNA2 Routing
Module 11
One has a subnet whose addresses range from 200.17.2.128 to 200.17.2.191. One wants to divide this network so the top half are permitted and the bottom half is denied to any other network. What is the access lists?
The block range is:
Permit/Deny BLOCKS of addresses
Denies a block of 64 address starting at 200.16.88.64
Permit/Deny BLOCKS of addresses
Virtual Terminal ACL
You can control access via the VTY ports controlling telnet sessions coming into the router.
You write the ACL as usual, but use access-class to apply it.
As an example:
Router(config t)# line vty 0 4
Router(config-line)# login
Router(config-line)# access-class 1 in
Note: only numbered access lists can be applied to VTY virtual lines!
CCNA2 Routing
Module 11
Established option
The ‘establish’ option in an access-list used only with TCP datagrams. There are cases when you want to stop host B from initiating a connection with a host A while permitting A to initiate connections with B.
establish
response
establish
A
B
Module 11
Allow host 172.16.3.13 with Internet connection, but don’t allow the internet to initialize any sessions.
172.16.3.0
172.16.4.0
e0
e1
172.16.3.13
INTERNET
Router(config)# access-list 101 permit tcp any 172.16.3.0 0.0.255.255 established
Established option
Router(config)# access-list 101 permit tcp any host 172.16.3.13 eq www established
Established option
Router(config)# access-list 101 permit tcp any 172.16.3.0 0.0.0.255 eq www established
Router(config)# access-list 101 permit icmp any any
Router(config)# access-list 101 permit udp any any eq 53
Note: established argument is limited to tcp which means UDP, ICMP and all other IP protocols will not match, and will be denied, unless specifically allowed. Hence
Established option
Extended ACL
Put the ACL as close as possible to the source
CCNA2 Routing
