ACL (Access Control Lists)

Standard, Extended and Named ACL

In this lesson, you will learn:
◦ The purpose of ACLs
   Their application to an enterprise network
◦ How ACLs are used to control access
◦ The types of Cisco ACLs:
   Standard ACL
   Extended ACL
   Named ACL

An ACL is a router configuration script that controls whether a router permits or denies packets. By default, a router does not have any ACLs configured and therefore does not filter traffic.


These are examples of IP ACLs that can be configured in Cisco IOS Software:
◦ Standard ACLs
◦ Extended ACLs
◦ IP-named ACLs
◦ And others

Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.

Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.

Configure ACLs on border routers, the routers situated at the edges of your networks, to act as a buffer from the outside network.

ACL statements operate in sequential order:
◦ If a packet header and an ACL statement match, the rest of the statements in the list are skipped.
◦ If a packet header does not match a statement, the packet is tested against the next statement in the list.
◦ A final implied statement (the implicit deny) covers all packets for which no condition tested true.

Example standard ACL:
# access-list 99 deny 192.168.10.0 0.0.0.255
# access-list 99 permit any

Extended ACLs
◦ Extended ACLs filter IP packets based on several attributes:
   protocol type,
   source IP address,
   destination IP address,
   source TCP or UDP ports,
   destination TCP or UDP ports.
◦ In the figure, ACL 102 denies FTP and Telnet traffic originating from any address on the 192.168.10.0/24 network from leaving the network:
access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq ftp
! an extended ACL entry needs a protocol keyword; "permit any" alone is standard-ACL syntax
access-list 102 permit ip any any
Apply the access list inbound on the Fa0/1 interface of R1.
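The first-match walk described above, run against the standard ACL 99 and the extended ACL 102 from these slides, as an added Python example (it is not part of the original lesson, and IOS exposes no such API). The Packet class, the parse_entry and evaluate functions and the outside address 203.0.113.5 are this example's own assumptions. It accepts the address forms any, host and address/wildcard, the eq and range port operators, and the established keyword, so it also covers the entries of ACL 100 later in the transcript:

```python
# Added example (not from the slides): simulate how IOS walks a numbered ACL top-down,
# stops at the first matching statement, and applies the implicit deny otherwise.
# Packet, Entry, parse_entry and evaluate are this example's own design, not an IOS API.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80, "snmp": 161}
ANY = (0, 0xFFFFFFFF)  # network 0.0.0.0 with wildcard 255.255.255.255

@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # ACK (or RST) flag set: what 'established' looks for

@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: Tuple[int, int]              # (network, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    sport: Optional[Tuple[int, int]] = None   # inclusive port range, None = any port
    dport: Optional[Tuple[int, int]] = None
    established: bool = False
    text: str = ""                    # the original line, for reporting

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [W.W.W.W]' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    net = int(ipaddress.IPv4Address(tok))
    # a bare address with no wildcard (standard-ACL shorthand) means wildcard 0.0.0.0
    wild = int(ipaddress.IPv4Address(tokens.pop(0))) if tokens and tokens[0][0].isdigit() else 0
    return (net, wild)

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _ports(tokens):
    """Consume an optional 'eq P' or 'range P Q' operator; None when absent."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = _port(tokens.pop(0))
        return (p, p)
    if tokens and tokens[0] == "range":
        tokens.pop(0)
        return (_port(tokens.pop(0)), _port(tokens.pop(0)))
    return None

def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' line of a numbered standard or extended ACL."""
    tokens = line.lower().split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if number <= 99 or 1300 <= number <= 1999:      # standard ACL: source address only
        return Entry(action, "ip", _addr(rest), ANY, text=line)
    proto = rest.pop(0)
    src, sport = _addr(rest), _ports(rest)
    dst, dport = _addr(rest), _ports(rest)
    established = any(t.startswith("est") for t in rest)   # 'established' or its abbreviation
    return Entry(action, proto, src, dst, sport, dport, established, line)

def _addr_match(addr, spec):
    net, wild = spec
    mask = ~wild & 0xFFFFFFFF   # wildcard bits that are 0 must match exactly
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)

def _port_match(port, spec):
    return spec is None or spec[0] <= port <= spec[1]

def matches(entry, pkt):
    return (entry.proto in ("ip", pkt.proto)
            and _addr_match(pkt.src, entry.src) and _addr_match(pkt.dst, entry.dst)
            and _port_match(pkt.sport, entry.sport) and _port_match(pkt.dport, entry.dport)
            and (not entry.established or pkt.ack))

def evaluate(acl, pkt):
    """First match wins; a packet that matches no statement hits the implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action, entry.text
    return "deny", "implicit deny"

ACL_99 = [parse_entry(l) for l in (
    "access-list 99 deny 192.168.10.0 0.0.0.255",
    "access-list 99 permit any",
)]
ACL_102 = [parse_entry(l) for l in (
    "access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq telnet",
    "access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq ftp",
    "access-list 102 permit ip any any",
)]

if __name__ == "__main__":
    # 203.0.113.5 is a constructed outside address
    print(evaluate(ACL_99, Packet("ip", "192.168.10.7", "203.0.113.5")))
    print(evaluate(ACL_102, Packet("tcp", "192.168.10.7", "203.0.113.5", 40000, 23)))
    print(evaluate(ACL_102, Packet("tcp", "192.168.10.7", "203.0.113.5", 40000, 80)))
```

Two details worth noticing when you run it: a UDP packet to port 23 is permitted by ACL 102, because the deny entries are written for tcp only, and an ACL consisting solely of deny entries drops everything, since the implicit deny is what catches whatever no statement matched.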

Example: extended ACL 100

 1. access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
 2. access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
 3. access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
 4. access-list 100 deny ip any host 127.0.0.1 log
 5. access-list 100 permit tcp any [your network IP address] [your network mask] established
 6. access-list 100 deny ip [your network IP address] [your network mask] any log
 7. access-list 100 deny tcp any any eq 22222 log
 8. access-list 100 deny tcp any any range 60000 60020 log
 9. access-list 100 deny udp any any eq snmp log
10. access-list 100 permit ip any any

◦ Entries 1 to 4: deny all traffic from private IP addresses, and traffic addressed to the loopback address 127.0.0.1.
◦ Entry 5: allow all IP sessions already established, that is, with the ACK bit turned on. (The slide writes this entry as "permit ip ... est"; IOS accepts the established keyword only on tcp entries, so it is shown as tcp above.)
◦ Entry 6: deny anyone from entering your network from the outside with an internal address (spoofing your network) and log each packet occurrence.
◦ Entry 7: deny the infamous Donald Dick and Prosiak ports.
◦ Entry 8: deny the Deepthroat and Sockets des Troie ports.
◦ Entry 9: deny any SNMP requests from the outside. SNMP is a valuable tool to hackers for network discovery.
◦ Entry 10: permit packets that were not previously rejected to enter your network.

Entry 5, "permit tcp any [your network IP address] [your network mask] established", automatically allows all IP sessions already established with the ACK bit turned on. The purpose of this entry is to ensure that if your firewall allows a connection request to leave your network, the router doesn't stop its return. (The slide abbreviates the keyword as "est" and writes the protocol as "ip"; IOS accepts established only on tcp entries.)

Entry 6, "deny ip [your network IP address] [your network mask] any log", denies anyone from entering your network from the outside with an internal address (spoofing your network) and logs each packet occurrence. This is very important for good security. Note that, because the list is tested in order, a spoofed packet that also carries the ACK bit is matched by entry 5 before it reaches this entry.

Entry 7, "deny tcp any any eq 22222 log", denies the infamous Donald Dick and Prosiak ports.

Entry 8, "deny tcp any any range 60000 60020 log", denies the Deepthroat and Sockets des Troie ports.

Entry 9, "deny udp any any eq snmp log", denies any SNMP requests from the outside. SNMP is a valuable tool to hackers for network discovery.

Entry 10, "permit ip any any", permits packets that were not previously rejected to enter your network.
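Because most entries of ACL 100 carry the log keyword, a router running it emits a syslog message for each match, and reading those messages is how a defender actually uses this ACL. The following Python is an added example, not part of the original notes: it parses such messages and reports which entry is firing and from which sources. The log lines are constructed in the style of IOS %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGNP messages, and 198.51.100.0/24 is assumed to stand in for "[your network]":

```python
# Added example (not from the original notes): parse the syslog lines produced by the
# "log" keyword on ACL 100 and summarise which entry is firing and from where.
# SAMPLE_LOG is constructed in the style of IOS %SEC-6-IPACCESSLOG* messages;
# INTERNAL_NET is an assumed value for "[your network IP address] [your network mask]".
import ipaddress
import re
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("198.51.100.0/24")          # assumed [your network]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches both the TCP/UDP form "tcp A(port) -> B(port)" and the no-port form "1 A -> B".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \(\d+/\d+\))?, (?P<count>\d+) packets?"
)

SAMPLE_LOG = """\
*Mar  1 00:12:31.115: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.7(51022) -> 198.51.100.10(22222), 1 packet
*Mar  1 00:12:35.902: %SEC-6-IPACCESSLOGP: list 100 denied udp 203.0.113.9(4021) -> 198.51.100.10(161), 3 packets
*Mar  1 00:12:40.004: %SEC-6-IPACCESSLOGNP: list 100 denied 1 198.51.100.25 -> 198.51.100.10, 1 packet
*Mar  1 00:12:44.310: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.9.8.7(3300) -> 198.51.100.10(80), 1 packet
*Mar  1 00:12:50.777: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.7(51023) -> 198.51.100.10(60005), 1 packet
"""

def parse_log(text):
    """Turn ACL log lines into event dicts; lines that are not ACL logs are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "acl": d["acl"], "action": d["action"], "proto": d["proto"],
            "src": ipaddress.ip_address(d["src"]), "dst": ipaddress.ip_address(d["dst"]),
            "sport": int(d["sport"]) if d["sport"] else None,
            "dport": int(d["dport"]) if d["dport"] else None,
            "count": int(d["count"]),
        })
    return events

def classify(ev):
    """Map a denied event onto the entry of ACL 100 that would have matched it (same order)."""
    if any(ev["src"] in n for n in PRIVATE_NETS):
        return "entries 1-3: private source address"
    if ev["dst"] == ipaddress.ip_address("127.0.0.1"):
        return "entry 4: loopback destination"
    if ev["src"] in INTERNAL_NET:
        return "entry 6: spoofed internal source"
    if ev["proto"] == "tcp" and ev["dport"] == 22222:
        return "entry 7: Donald Dick / Prosiak port"
    if ev["proto"] == "tcp" and ev["dport"] is not None and 60000 <= ev["dport"] <= 60020:
        return "entry 8: Deepthroat / Sockets des Troie ports"
    if ev["proto"] == "udp" and ev["dport"] == 161:
        return "entry 9: SNMP from outside"
    return "other"

def summarize(text):
    """Count denied packets per matching entry and per source address."""
    by_entry, by_src = Counter(), Counter()
    for ev in parse_log(text):
        if ev["action"] != "denied":
            continue
        by_entry[classify(ev)] += ev["count"]
        by_src[str(ev["src"])] += ev["count"]
    return by_entry, by_src

if __name__ == "__main__":
    by_entry, by_src = summarize(SAMPLE_LOG)
    for reason, n in by_entry.most_common():
        print(f"{n:4d}  {reason}")
    for src, n in by_src.most_common():
        print(f"{n:4d}  from {src}")
```

Note that IOS rate-limits these messages and reports a packet count per interval rather than one line per packet, which is why the parser sums the trailing "N packets" field instead of counting lines; the spoofed-source line (entry 6) is the one that deserves an alert rather than a counter.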