ACL(Access Control Lists)
Standard , Extended and Named ACL
Objectives
In this lesson, you will learn:
Purpose of ACLs
Their application to an enterprise network
How ACLs are used to control access
Types of Cisco ACLs:
Standard ACL
Extended ACL
Named ACL
ACL (Access Control Lists)
An ACL is a router configuration script that controls whether a router permits or denies packets.
By default, a router does not have any ACLs configured and therefore does not filter traffic.
[Figure: example policies enforced by ACLs: allow email / deny Telnet, no video to S1, no access to S2 for S1, no FTP, no web]
Types of ACL
These are examples of IP ACLs that can be configured in Cisco IOS Software:
Standard ACLs
Extended ACLs
IP-named ACLs
and others
Where to apply ACL - Guidelines for using ACLs
Use ACLs in firewall routers positioned between an internal network and an external network.
Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
Configure ACLs on border routers, the routers situated at the edges of your networks, to act as a buffer from the outside network.
Testing Packets with ACLs
Configure ACL
Example: Permit traffic from a particular host, 192.5.5.10. Each statement gives the IP address followed by the wildcard mask:
Router(config)# access-list 1 permit 192.5.5.10 0.0.0.0
Router(config)# access-list 1 deny any
Wild card mask
A wildcard mask is written to tell the router which bits in the address to match and which bits to ignore.
A “0” bit means check this bit position. A “1” bit means ignore this bit position.
Note: Notice that this wildcard mask is a mirror image of the subnet mask for the address.
Apply the ACL to the appropriate router interface, in or out.
Example: Router(config-if)# ip access-group 1 in
Practice Wild card masks
Write a wildcard mask for all hosts in the 192.168.20.0 subnet
Write a wildcard mask for all hosts in 10.10.0.0
Write a wildcard mask for the host 192.168.1.100
Masking Practice
Write the network address and wildcard mask for the subnet 172.16.128.0 with a subnet mask of 255.255.128.0.
Answer: 172.16.128.0 0.0.127.255
Write the network address and wildcard mask for the subnet 10.0.8.0 with a subnet mask of 255.255.248.0.
Answer: 10.0.8.0 0.0.7.255
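A worked version of the masking practice, added here as an illustration and not part of the original slides: it derives wildcard masks from subnet masks, reproduces the router's bit-by-bit test, and checks the two answers above. For the practice questions that give no answer, prefix lengths of /24, /16 and /32 (a single host) are assumed.

```python
import ipaddress


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """The wildcard mask is the bitwise inverse of the subnet mask:
    a 0 bit means "check this bit", a 1 bit means "ignore this bit"."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same thing from a prefix length: /24 -> 0.0.0.255, /32 (one host) -> 0.0.0.0."""
    host_bits = 32 - prefix_len
    return str(ipaddress.IPv4Address((1 << host_bits) - 1))


def acl_network_entry(address: str, subnet_mask: str) -> str:
    """'<network address> <wildcard>' as it is typed in an access-list statement."""
    net = ipaddress.IPv4Network((address, subnet_mask), strict=False)
    return f"{net.network_address} {wildcard_from_subnet_mask(subnet_mask)}"


def wildcard_matches(packet_address: str, acl_address: str, wildcard: str) -> bool:
    """The router's test: every bit position where the wildcard is 0 must be equal,
    every position where it is 1 is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    pkt = int(ipaddress.IPv4Address(packet_address)) & care
    acl = int(ipaddress.IPv4Address(acl_address)) & care
    return pkt == acl


if __name__ == "__main__":
    # Masking practice from the slides.
    print(acl_network_entry("172.16.128.0", "255.255.128.0"))  # 172.16.128.0 0.0.127.255
    print(acl_network_entry("10.0.8.0", "255.255.248.0"))      # 10.0.8.0 0.0.7.255
    # Practice wildcard masks; the prefix lengths /24, /16 and /32 are assumed.
    for prefix in (24, 16, 32):
        print(f"/{prefix} -> {wildcard_from_prefix(prefix)}")
    # 172.16.200.7 lies inside 172.16.128.0 0.0.127.255, 172.16.127.255 does not.
    print(wildcard_matches("172.16.200.7", "172.16.128.0", "0.0.127.255"))    # True
    print(wildcard_matches("172.16.127.255", "172.16.128.0", "0.0.127.255"))  # False
```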
ACL Operation - Inbound ACLs
ACL statements operate in sequential order.
If a packet header and an ACL statement match, the rest of the statements in the list are skipped.
If a packet header does not match a statement, the packet is tested against the next statement in the list.
A final implied statement (the IMPLICIT DENY) covers all packets for which no condition tested true.
Placement of Standard ACL
R3(config)# access-list 99 deny 192.168.10.0 0.0.0.255
R3(config)# access-list 99 permit any
R3(config)# interface serial 0/0/1
R3(config-if)# ip access-group 99 in
Extended ACL
Extended ACLs
◦ Filter IP packets based on several attributes: protocol type, source IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports.
◦ Example: ACL 102 denies FTP and Telnet traffic originating from any address on 192.168.10.0/24 from leaving the network.
Placement of ACLs - Extended.
access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq ftp
access-list 102 permit ip any any
Apply the access list inbound on the Fa 0/1 interface of R1:
R1(config)# interface fa 0/1
R1(config-if)# ip access-group 102 in
What does the following ACL do?
access-list 1 permit any
access-list 1 deny host 10.1.1.1
access-list 1 deny any
access-list 1 deny host 10.1.1.1
access-list 1 deny 192.168.1.0 0.0.0.255
Commenting ACLs
Named ACL
Extended NACLs
Editing named ACLs
Example Network
Controlling inbound access
Deny all traffic from private IP addresses.
Allow all IP sessions already established, with the ACK bit set.
Deny anyone from entering your network from the outside with an internal address (spoofing your network) and log each packet occurrence.
Deny the infamous Donald Dick and Prosiak ports.
Deny the Deepthroat and Sockets des Troie ports.
Deny any SNMP requests from the outside. SNMP is a valuable tool to hackers for network discovery.
Permit packets that were not previously rejected to enter your network.
Example: Inbound access control list
[Figure: perimeter router with the ACL applied to inbound traffic; administrative PC on the inside]
1. access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
2. access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
3. access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
4. access-list 100 deny ip any host 127.0.0.1 log
5. access-list 100 permit tcp any <network IP address> <your network mask> established
6. access-list 100 deny ip <network IP address> <your network mask> any log
7. access-list 100 deny tcp any any eq 22222 log
8. access-list 100 deny tcp any any range 60000 60020 log
9. access-list 100 deny udp any any eq snmp log
10. access-list 100 permit ip any any
Explaining commands
Entry 5—“permit tcp any [your network IP address] [your network mask] established”—automatically allows all TCP sessions already established, with the ACK bit set. The purpose of this entry is to ensure that if your firewall allows a connection request to leave your network, the router doesn’t stop its return.
Entry 6—“deny ip [your network IP address] [your network mask] any log”—denies anyone from entering your network from the outside with an internal address (spoofing your network) and logs each packet occurrence. This is very important for good security.
Entry 7—“deny tcp any any eq 22222 log”—denies the infamous Donald Dick and Prosiak ports.
Entry 8—“deny tcp any any range 60000 60020 log”—denies the Deepthroat and Sockets des Troie ports.
Entry 9—“deny udp any any eq snmp log”—denies any SNMP requests from the outside. SNMP is a valuable tool to hackers for network discovery.
Entry 10—“permit ip any any”—permits packets that were not previously rejected to enter your network.
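An added simulation, not part of the original slides, of the sequential first-match test described in the ACL Operation section, run over the inbound ACL 100 above and over the "What does the following ACL do?" quiz list. The placeholder "<network IP address> <your network mask>" is replaced by the constructed network 203.0.113.0 0.0.0.255, the "established" keyword is modelled as matching only TCP segments with the ACK bit set, and "snmp" is UDP port 161.

```python
import ipaddress
from dataclasses import dataclass

def wc_match(addr, base, wildcard):
    """Wildcard test: bits where the wildcard is 0 must be equal, bits where it is 1 are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)
@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol, "tcp"/"udp" only that one
    src: str                     # source address and wildcard ("any" = 0.0.0.0 255.255.255.255)
    src_wc: str
    dst: str                     # destination address and wildcard
    dst_wc: str
    ports: tuple = ()            # destination ports matched by "eq"/"range"; empty = any port
    established: bool = False    # "established": match only TCP segments with the ACK bit set
    log: bool = False            # "log": the router logs every packet that hits this entry
ANY = ("0.0.0.0", "255.255.255.255")
INSIDE = ("203.0.113.0", "0.0.0.255")   # constructed stand-in for "<network IP address> <mask>"
def evaluate(acl, proto, src, dst, dport=0, ack=False):
    """Sequential first-match test. Returns (action, entry index, logged); index -1 is the implicit deny."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wc_match(src, e.src, e.src_wc) and wc_match(dst, e.dst, e.dst_wc)):
            continue
        if e.ports and dport not in e.ports:
            continue
        if e.established and not (proto == "tcp" and ack):
            continue
        return e.action, i, e.log        # first match wins; the remaining entries are skipped
    return "deny", -1, False             # implicit deny at the end of every ACL

# Inbound ACL 100 from the slides: private/loopback sources, established return traffic, our own
# addresses arriving from outside, the listed trojan ports, SNMP, then permit everything else.
ACL_100 = [
    Entry("deny", "ip", "10.0.0.0", "0.255.255.255", *ANY, log=True),
    Entry("deny", "ip", "172.16.0.0", "0.15.255.255", *ANY, log=True),
    Entry("deny", "ip", "192.168.0.0", "0.0.255.255", *ANY, log=True),
    Entry("deny", "ip", *ANY, "127.0.0.1", "0.0.0.0", log=True),
    Entry("permit", "tcp", *ANY, *INSIDE, established=True),
    Entry("deny", "ip", *INSIDE, *ANY, log=True),
    Entry("deny", "tcp", *ANY, *ANY, (22222,), log=True),
    Entry("deny", "tcp", *ANY, *ANY, tuple(range(60000, 60021)), log=True),
    Entry("deny", "udp", *ANY, *ANY, (161,), log=True),   # snmp = UDP 161
    Entry("permit", "ip", *ANY, *ANY),
]
# The quiz ACL 1: "permit any" comes first, so none of the deny lines below it is ever reached.
ACL_1 = [Entry("permit", "ip", *ANY, *ANY), Entry("deny", "ip", "10.1.1.1", "0.0.0.0", *ANY),
         Entry("deny", "ip", *ANY, *ANY), Entry("deny", "ip", "192.168.1.0", "0.0.0.255", *ANY)]
```

Note that a segment to port 22222 with the ACK bit set is permitted by entry 5 before entry 7 is ever consulted, which is the ordering property the sequential test makes visible.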
Monitoring and verifying ACLs
Task: Configure standard and extended ACLs