Monday, 22 May 2017

CISCO – IP ACCESS CONTROL LISTS (ACL):

This document describes how IP access control lists (ACLs) filter network traffic. One of the simplest ways of controlling the traffic into and out of a Cisco device is an access list (ACL). This article discusses the basic concepts of how ACLs work and shows how a basic ACL is configured.

REQUIREMENTS:


There are no specific prerequisites for this document. The concepts discussed are present in Cisco IOS® Software Release 8.3 or later; where a feature needs a later release, this is noted under that access list feature.

INTRODUCTION:


Cisco IOS Software has a filtering capability to permit or deny specific traffic from entering or leaving the corporate network. These filters are called access control lists (ACLs).

An access control list may also be used for purposes other than filtering IP traffic, such as defining the traffic to Network Address Translate (NAT) or encrypt, or filtering non-IP protocols such as AppleTalk or IPX.

An ACL is also used to filter traffic on a router or switch interface according to given filtering criteria. Based on the conditions supplied by the ACL, a packet is allowed or blocked from further movement. Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces: the router examines each packet and forwards or drops it based on the criteria you specified in the access list.

The ACL criteria can include the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information.

When used to control traffic, it is recommended that ACLs in general be applied to the interface closest to the segment where the traffic originates.

WHY YOU SHOULD CONFIGURE ACCESS LISTS: There are many reasons to configure access lists.

  • You can use access lists to restrict the contents of routing updates, or to provide traffic flow control.
  • One of the most important reasons to configure access lists is to provide security for your network.

NOTE: Access lists of some protocols must be identified by a name, and a number must identify access lists of other protocols. Either a name or a number can identify some protocols. When a number is used to identify an access list, the number must be within the specific range of numbers that is valid for the protocol.

    Cisco ACLs are available for several types of routed protocols; however, we will be discussing only ACLs pertaining to the TCP/IP protocol suite. PROTOCOLS WITH ACCESS LISTS SPECIFIED BY NAMES:

  • Apollo Domain
  • IP
  • IPX
  • ISO CLNS
  • NetBIOS IPX
  • Source-route bridging NetBIOS

    There are several different types of ACL, defined either by the ACL number or by the syntax used to define the ACL when using named ACLs.

    TWO COMMONLY USED TYPES OF ACL:

  • STANDARD ACCESS LISTS: can only control traffic based on the source IP address. Numbers 1 to 99 identify standard lists.

  • EXTENDED ACCESS LISTS: more powerful; they can identify traffic based on source IP, source port, destination IP and destination port. Numbers 100 to 199 identify extended lists.

    HOWEVER, MANY OTHER RANGES ARE ALSO POSSIBLE:
  • STANDARD IP ACL: 1 to 99 and 1300 to 1999. A standard access list matches on IP source address only.
  • EXTENDED IP ACL: 100 to 199 and 2000 to 2699. An extended IP access list can define the source and destination IP address of traffic, along with source and destination port numbers, and can match TCP, UDP, ICMP, IP, AHP, EIGRP, IGRP, ESP, IGMP, OSPF and PIM traffic.

    You can specify an ACL for a number of different protocols. This example shows the output on a Cisco IOS device when you enter access-list followed by a question mark:

    Router(config)#access-list ?

    <1-99>         IP standard access list
    <100-199>      IP extended access list
    <200-299>      Protocol type-code access list
    <300-399>      DECnet access list
    <600-699>      Appletalk access list
    <700-799>      48-bit MAC address access list
    <800-899>      IPX standard access list
    <900-999>      IPX extended access list
    <1000-1099>    IPX SAP access list
    <1100-1199>    Extended 48-bit MAC address access list
    <1200-1299>    IPX summary address access list


    WHEN TO CONFIGURE ACCESS LISTS:

    Access lists should be used in "firewall" routers, which are often positioned between your internal network and an external network such as the Internet. You can also use access lists on a router positioned between two parts of your network, to control traffic entering or exiting a specific part of your internal network.

    To provide the security benefits of access lists, you should at a minimum configure access lists on border routers, that is, routers situated at the edges of your networks.

    This provides a basic buffer from the outside network, or from a less controlled area of your own network into a more sensitive area of your network.

    On these routers, you should configure access lists for each network protocol configured on the router interfaces. You can configure access lists so that inbound traffic, outbound traffic, or both are filtered on an interface.

    HOW TO WRITE AN ACCESS LIST:

    The walkthrough below uses the PIX/ASA form of the access-list command, in which addresses are written with a normal subnet mask (255.255.255.255 for a single host) and the list is bound to an interface with access-group. IOS routers use wildcard masks and ip access-group instead, as shown in the later sections.

    1) Every ACL command starts with "access-list".

    Command thus far: "access-list"

    2) Every ACL must have a group name, to group the list together. We'll use "Prem".

    Command thus far: "access-list Prem"

    3) Every ACL command must specify whether to permit or deny. For this example, we'll use "deny".

    Command thus far: "access-list Prem deny"

    4) Every ACL must specify what protocol to filter by: IP, TCP, UDP, etc. We'll use "ip" for this.

    Command thus far: "access-list Prem deny ip"

    5) Every ACL must specify what addresses to apply the filter to. Remember that the first address listed is ALWAYS the SOURCE address. Now let's also assume our network admin hates Google and is paranoid, so he wants to block all access he thinks Google is trying to make to his system.

    Command thus far: "access-list Prem deny ip 64.233.167.147 255.255.255.255"

    NOTE: You use 255.255.255.255 to specify that we are dealing with one host.

    You can also use the following form to shorten the ACL further:

    Command thus far: "access-list Prem deny ip host 64.233.167.147"

    NOTE: This method reduces the characters used and makes the command easier to read, as you are blocking that one host.

    6) Every ACL must also specify the hosts the source is trying to reach. We'll assume we have multiple networks inside our network, 193.100.1.0 and 193.100.4.0.

    Command thus far: "access-list Prem deny ip host 64.233.167.147 193.100.0.0 255.255.0.0"

    NOTE: This will effectively block Google from making a connection to both networks, and to all networks between and after them within that /16. To shorten that up, you can use the following to block Google from making connections to ALL or ANY networks inside.

    Completed ACL command: "access-list Prem deny ip host 64.233.167.147 any"

    NOTE: As you notice, this reduced the characters dramatically, and effectively blocks the Google host from connecting to ANY node or network on any interface connected to the PIX.

    7) Now, if you wanted to filter by port number, say port 80: as every paranoid network admin knows, when Google reaches out to hack you it will only do so on port 7485, and using TCP of course. Here is what it would look like.

    Completed ACL command: "access-list Prem deny tcp host 64.233.167.147 any eq 7485"

    NOTE: As you notice, we added "eq" to the equation. This keyword tells the PIX that the next modifier is the port to filter on.

    8) And then of course, you must bind the access-list to an interface.

    Command: "access-group Prem in interface outside"

    NOTE: This command binds access-list Prem to all traffic coming into the outside interface. The command will always be the same, except for the access-list name and the interface; the list is always applied into an interface.

    This specific example showed how to make an ACL which filters traffic coming from the "outside". The same approach can be applied to any interface, as long as you remember that the first address is the "source" and the second is the "destination". So for an ACL covering the "inside" interface, you must specify the internal host or network first, before the public IP or network.

    WHEN REFERRING TO A ROUTER'S INBOUND / OUTBOUND INTERFACES, THESE TERMS HAVE THE FOLLOWING MEANINGS:

  • OUT -> Traffic that has already been through the router and is leaving the interface. The source would be where it's been (on the other side of the router) and the destination is where it's going.
  • IN -> Traffic that is arriving on the interface and will go through the router. The source would be where it's been and the destination is where it's going (on the other side of the router).

    The "in" ACL has a source on a segment of the interface to which it is applied and a destination off any other interface.

    The "out" ACL has a source on a segment of any interface other than the one to which it is applied and a destination off the interface to which it is applied.

    After the ACL is defined, it must be applied to an interface (inbound or outbound); the syntax for applying an ACL to a router interface is given in the section APPLYING AN ACL TO A ROUTER INTERFACE below. The router evaluates it as follows:

    IF THE ACL IS INBOUND: Cisco IOS Software checks the ACL's criteria statements for a match when the router receives a packet. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.

    IF THE ACL IS OUTBOUND: the software checks the ACL's criteria statements for a match after receiving and routing a packet to the outbound interface. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

    RELATED COMMANDS AND DESCRIPTIONS

    access-class -> Restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list.

    access-list (IP standard) -> Defines a standard IP access list.

    clear access-template -> Clears a temporary access list entry from a dynamic access list manually.

    distribute-list in (IP) -> Filters networks received in updates.

    distribute-list out (IP) -> Suppresses networks from being advertised in updates.

    ip access-group -> Controls access to an interface.

    ip access-list -> Defines an IP access list by name.

    ip accounting -> Enables IP accounting on an interface.

    logging console -> Limits messages logged to the console based on severity.

    To apply a standard ACL such as access-list 10 (defined in the section A STANDARD ACCESS LIST below) to an interface, use the following commands:

    Router(config)#interface serial 0

    Router(config-if)#ip access-group 10 out

    show access-lists -> Displays the contents of current IP and rate-limit access lists.

    show ip access-list -> Displays the contents of all current IP access lists.

    show running-config access-list -> Displays the current running access-list configuration.

    CREATING AND EDITING ACCESS LIST STATEMENTS ON A TFTP SERVER:

    Because the order of access list criteria statements is important, and because you cannot reorder or delete criteria statements on your router, Cisco recommends that you create all access list statements on a TFTP server and then download the entire access list to your router.

    To use a TFTP server, create the access list statements using any text editor, and save the access list in ASCII format to a TFTP server that is accessible by your router. Then, from your router, use the copy tftp running-config file_id command to copy the access list to your router. Finally, perform the copy running-config startup-config command to save the access list to your router's NVRAM.

    Then, if you ever want to make changes to an access list, you can make them to the text file on the TFTP server and copy the edited file to your router as before.

    NOTE: The first command of an edited access list file should delete the previous access list (for example, type a no access-list command at the beginning of the file). If you do not first delete the previous version of the access list, when you copy the edited file to your router you will merely be appending additional criteria statements to the end of the existing access list.

    A STANDARD ACCESS LIST:

    A standard access list (SAL) only allows you to permit or deny traffic from specific source IP addresses. The destination of the packet and the ports involved do not matter. The most common numbers used for standard IP ACLs are 1 to 99 and 1300 to 1999.

    HERE IS AN EXAMPLE:

    access-list 10 permit 192.168.3.0 0.0.0.255

    This list allows traffic from all addresses in the range 192.168.3.0 to 192.168.3.255.

    You can see how the last entry looks similar to a subnet mask, but Cisco ACLs use inverse (wildcard) masks: a 0 bit in the wildcard must match, a 1 bit is "don't care". Also realize that by default there is an implicit deny added to the end of every access list. If you entered the command:

    show access-list 10

    THE OUTPUT WOULD BE:

    access-list 10 permit 192.168.3.0 0.0.0.255
    access-list 10 deny any

    Standard IP access control lists use the source IP address for matching operations.

    THE FOLLOWING IS AN EXAMPLE OF USING A STANDARD ACL TO BLOCK ALL TRAFFIC EXCEPT THAT FROM SOURCE 10.1.1.X:

    Router(config)#access-list 1 permit 10.1.1.0 0.0.0.255

    Router(config)#access-list 1 deny any

    The second step is to apply the access list on the correct interface. As the access list being configured is a standard access list, it is best applied as close to the destination as possible.

    Router(config)#interface f0/1

    Router(config-if)#ip access-group 1 out

    DELETING AN ACCESS LIST (CLEAR / REMOVE ANY PREVIOUSLY DEFINED ACCESS LIST):

    Router(config)#no access-list 1

    It is also good practice to precede any access list configuration with the no access-list access-list-number command to clear out any previously defined entries.

    NOTE: This removes the whole list. If you try to remove a single entry from a numbered ACL in global configuration mode, you risk losing the complete ACL. Alternatively, copy the ACL into a notepad, remove the lines you want to, and then add the ACL back onto the router.

    EXAMPLE 2 FOR STANDARD ACCESS LISTS:

    What do I do when too much traffic is being denied?

    If too much traffic is being denied, study the logic of your list or try defining and applying an additional, broader list. The show ip access-lists command provides a packet count showing which ACL entry is being hit.

    Using the log keyword at the end of the individual ACL entries shows the ACL number and whether the packet was permitted or denied, in addition to port-specific information.

    DENY SOURCE ADDRESSES FROM THE RESERVED ADDRESS SPACE DEFINED IN RFC 1918 (AND THE 127.0.0.0/8 LOOPBACK RANGE):

    Router(config)#access-list 9 deny 127.0.0.0 0.255.255.255 log
    Router(config)#access-list 9 deny 10.0.0.0 0.255.255.255 log
    Router(config)#access-list 9 deny 172.16.0.0 0.15.255.255 log
    Router(config)#access-list 9 deny 192.168.0.0 0.0.255.255 log
    Router(config)#access-list 9 permit any

    APPLY ACCESS-LIST 9 TO THE INCOMING INTERNET INTERFACE, SERIAL 0/0:

    Router(config)#int s0/0
    Router(config-if)#ip address 161.71.73.33 255.255.255.248
    Router(config-if)#ip access-group 9 in
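    The standard lists above (access-list 10, access-list 1 and the anti-spoofing access-list 9) all rely on the same mechanics: wildcard masks, first-match order, the implicit deny and the per-entry counters that show ip access-lists reports. The following Python model is an added example, not Cisco code or the article's; the Ace and StandardAcl names and the printed log line are the example's own simplification of what the router does.

```python
"""Standard (source-only) ACL evaluation with IOS wildcard masks.
Added example, not from the article: it models first-match evaluation, the
implicit 'deny any', the log keyword and the per-entry hit counters that
'show ip access-lists' reports."""
import ipaddress
from dataclasses import dataclass, field

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard (inverse mask): a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def wildcard_from_mask(mask: str) -> str:
    """Subnet mask -> wildcard, e.g. 255.255.255.0 -> 0.0.0.255."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(~m & 0xFFFFFFFF))

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    source: str                 # base address
    wildcard: str = "0.0.0.0"   # 0.0.0.0 = single host, 255.255.255.255 = any
    log: bool = False           # the 'log' keyword at the end of the entry
    hits: int = 0               # packet count shown by 'show ip access-lists'

@dataclass
class StandardAcl:
    number: int
    aces: list = field(default_factory=list)

    def add(self, action, source, wildcard="0.0.0.0", log=False):
        self.aces.append(Ace(action, source, wildcard, log))

    def evaluate(self, src_ip: str) -> str:
        """Entries are checked in order; the first match decides.
        A packet matching nothing hits the implicit deny at the end."""
        for ace in self.aces:
            if wildcard_match(src_ip, ace.source, ace.wildcard):
                ace.hits += 1
                if ace.log:   # simplified stand-in for the router's log message
                    print(f"list {self.number} {ace.action} {src_ip} (log)")
                return ace.action
        return "deny"

    def show(self) -> list:
        """Rows in the spirit of 'show ip access-lists': entry text plus match count."""
        return [(f"{a.action} {a.source} {a.wildcard}", a.hits) for a in self.aces]

def anti_spoof_acl() -> StandardAcl:
    """access-list 9 from the text: drop RFC 1918 and loopback sources, permit the rest."""
    acl = StandardAcl(9)
    acl.add("deny", "127.0.0.0", "0.255.255.255", log=True)
    acl.add("deny", "10.0.0.0", "0.255.255.255", log=True)
    acl.add("deny", "172.16.0.0", "0.15.255.255", log=True)
    acl.add("deny", "192.168.0.0", "0.0.255.255", log=True)
    acl.add("permit", "0.0.0.0", "255.255.255.255")        # 'permit any'
    return acl

def acl_10() -> StandardAcl:
    """access-list 10 permit 192.168.3.0 0.0.0.255, and nothing else: implicit deny."""
    acl = StandardAcl(10)
    acl.add("permit", "192.168.3.0", "0.0.0.255")
    return acl

if __name__ == "__main__":
    acl9 = anti_spoof_acl()
    for src in ("10.8.8.8", "172.31.255.1", "172.32.0.1", "198.51.100.7"):  # constructed sources
        print(src, acl9.evaluate(src))
    print(acl9.show())
```

    Note how 172.31.255.1 is denied but 172.32.0.1 is permitted: the wildcard 0.15.255.255 cares about the top four bits of the second octet, which is exactly the 172.16.0.0/12 block.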

    EXTENDED IP ACCESS CONTROL LISTS:

    Extended IP ACLs allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port.

    Extended ACLs were introduced in Cisco IOS Software Release 8.3. Extended ACLs control traffic by comparing the source and destination addresses of the IP packets to the addresses configured in the ACL. The command syntax format of extended ACLs is given below (lines are wrapped here for spacing considerations).

    They also allow granular control by specifying conditions for different types of protocols such as ICMP, TCP, UDP, etc. within the ACL statements. The additional number range 2000 to 2699 for extended ACLs was introduced in Cisco IOS Software Release 12.0.1.

    An extended access list is an ordered list of statements that can deny or permit packets based on source and destination IP address, port numbers and upper-layer protocols.

    A standard access list can deny or permit packets by source address only, and permits or denies the entire TCP/IP protocol suite. "Extended" therefore means greater functionality and flexibility.

    An extended access list is a good example of "packet filtering", where the flow of data packets can be controlled in your network. It can filter based on source and destination, specific IP protocol and port number.

    The most common numbers used for extended IP ACLs are 100 to 199 and 2000 to 2699.

    THE FOLLOWING COMMAND DEFINES AN EXTENDED IP ACL NUMBER AND ITS ACCESS CONDITIONS:

    access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [operator [operand]] [precedence precedence] [tos tos] [established] [log | log-input]

    NOTE: You can use the abbreviation host for a specific source and for a specific destination without having to include the source wildcard or the destination wildcard. The log-input parameter includes the interface on which the packet arrived and is the recommended logging parameter.

    THE FOLLOWING IS THE COMMAND SYNTAX FORMAT OF EXTENDED ACLs.

    IP

    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name]

    ICMP

    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name]

    TCP

    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name]

    UDP

    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name]

    DEFINE AN EXTENDED IP ACCESS LIST:

    To define an extended IP access list, use the extended version of the access-list global configuration command. To remove the access list, use the no form of this command.

    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

    DELETING AN EXTENDED ACCESS LIST ENTRY:

    This section shows how to remove a single access control entry (ACE) on a PIX/ASA. If the deleted entry is the only entry in the list, then the list and its name are deleted.

    hostname(config)# no access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]

    Or, to remove a whole numbered list:

    no access-list access-list-number

    MONITORING EXTENDED ACCESS LISTS

    show access-list -> Displays the access list entries by number.

    show running-config access-list -> Displays the current running access-list configuration.

    HOW TO CREATE EXTENDED IP ACCESS LISTS:

    Access-list 110, applied to traffic leaving the office (outgoing):

    access-list 110 permit tcp 92.128.2.0 0.0.0.255 any eq 80

    ACL 110 permits TCP traffic originating from any address on the 92.128.2.0 network. The 'any' statement means that the traffic is allowed to have any destination address, with the limitation of going to port 80. The value 0.0.0.0 255.255.255.255 can be specified as 'any'. Everything else leaving the interface is dropped by the implicit deny.

    APPLYING AN ACL TO A ROUTER INTERFACE:

    After the ACL is defined, it must be applied to the interface (inbound or outbound). The syntax for applying an ACL to a router interface is given below:

    interface <interface>
    ip access-group {number | name} {in | out}

    An access list may be specified by a name or a number. "in" applies the ACL to the inbound traffic, and "out" applies the ACL to the outbound traffic.

    TO APPLY THE ACL ONTO AN INTERFACE:

    ciscorouter(config)# int fa0/0

    ciscorouter(config-if)# ip access-group 110 out

    The above applies the extended ACL 110 to the traffic exiting the interface. Remember the "per protocol, per interface, per direction" rule when applying ACLs to interfaces: only one ACL per protocol, per interface, per direction.

    EXAMPLES FOR EXTENDED ACCESS LISTS (PIX/ASA SYNTAX)

    The following access list allows all hosts (on the interface to which you apply the access list) to go through the Adaptive Security Appliance:

    hostname(config)# access-list ACL_IN extended permit ip any any

    The following sample access list prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27 network. All other addresses are permitted. (Note that the ASA form takes a normal subnet mask, not an IOS wildcard.)

    hostname(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224

    hostname(config)# access-list ACL_IN extended permit ip any any

    If you want to restrict access to selected hosts only, then enter a limited permit ACE. By default, all other traffic is denied unless explicitly permitted.

    hostname(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224

    The following access list restricts all hosts (on the interface to which you apply the access list) from accessing a website at address 209.165.201.29. All other traffic is allowed.

    hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www

    hostname(config)# access-list ACL_IN extended permit ip any any

    The following access list, which uses object groups, restricts several hosts on the inside network from accessing several web servers. All other traffic is allowed.

    hostname(config)# access-list ACL_IN extended deny tcp object-group denied object-group web eq www

    hostname(config)# access-list ACL_IN extended permit ip any any

    hostname(config)# access-group ACL_IN in interface inside

    The following example temporarily disables an access list that permits traffic from one group of network objects (A) to another group of network objects (B):

    hostname(config)# access-list 104 permit ip object-group A object-group B inactive

    To implement a time-based access list, use the time-range command to define specific times of the day and week. Then use the access-list extended command to bind the time range to an access list. The following example binds an access list named "Sales" to a time range named "New_York_Minute":

    hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host 209.165.201.1 time-range New_York_Minute

    EXAMPLE 2 FOR EXTENDED ACCESS LISTS

    ...network, and deny access to a host at 172.16.30.5 on the Finance department LAN for both Telnet and FTP services. All other services on this and all other hosts are acceptable for the Sales and Marketing departments to access.

    THE FOLLOWING ACCESS LIST SHOULD BE CREATED:

    Lab_A#config t
    Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 21
    Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 23
    Lab_A(config)#access-list 110 permit ip any any

    The access-list 110 tells the router you are creating an extended IP access list. The tcp is the protocol field in the network layer header. If the list doesn't say tcp here, you cannot filter by port numbers 21 and 23 as shown in the example. (These are FTP and Telnet, and they both use TCP for connection-oriented services.) The any keyword is the source, which means any IP address, and the host is the destination IP address.

    NOTE: Remember that instead of using the host 172.16.30.5 command when we created the extended access list, we could have entered 172.16.30.5 0.0.0.0 and there would be no difference in the result, other than the router would change the command to host 172.16.30.5 in the running-config.
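    The following Python parser and evaluator is an added example (not Cisco code, nor the article's) covering the IOS extended syntax used on this page: the Finance-LAN access-list 110 just above, the single-line outgoing access-list 110 from HOW TO CREATE EXTENDED IP ACCESS LISTS, and the step-by-step walkthrough's idea of source, destination and eq port. It assumes only host/any/wildcard addresses and an optional eq port; trailing options such as log or established are not parsed, and the PIX-style netmask form from the walkthrough is not handled.

```python
"""Parse IOS extended access-list commands and evaluate packets against them.
Added example, not Cisco's or the article's code. It handles only the syntax used on
this page: host / any / 'A.B.C.D wildcard' addresses, an optional 'eq <port>' after
either address, first-match order and the implicit deny; trailing options such as
log or established are ignored."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the IOS TCP/UDP port keywords; numeric ports are accepted too.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _parse_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' -> ((base, wildcard), next i)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _parse_port(t, i):
    """Consume an optional 'eq <port>' -> (port or None, next i)."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

@dataclass
class Ace:
    action: str              # permit | deny
    protocol: str            # ip | tcp | udp | icmp ...
    src: tuple               # (base, wildcard)
    src_port: Optional[int]
    dst: tuple
    dst_port: Optional[int]

def parse_ace(line):
    """'access-list 110 deny tcp any host 172.16.30.5 eq 21' -> (110, Ace)."""
    t = line.strip().lower().split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list command: {line}")
    number, action, proto = int(t[1]), t[2], t[3]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)      # tokens after this (log, ...) are ignored
    return number, Ace(action, proto, src, sport, dst, dport)

def parse_acl(lines):
    """Parse the entries of one ACL, keeping the order in which they were entered."""
    return [parse_ace(line)[1] for line in lines]

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First matching entry decides; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != proto:
            continue
        if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
            continue
        if ace.src_port is not None and ace.src_port != sport:
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action
    return "deny"

# Constructed copies of the two extended lists discussed on this page.
FINANCE_ACL_110 = parse_acl([
    "access-list 110 deny tcp any host 172.16.30.5 eq 21",
    "access-list 110 deny tcp any host 172.16.30.5 eq 23",
    "access-list 110 permit ip any any",
])
OFFICE_OUT_ACL_110 = parse_acl(["access-list 110 permit tcp 92.128.2.0 0.0.0.255 any eq 80"])
```

    A UDP datagram to 172.16.30.5 port 21 is permitted by the Finance list because only the tcp entries deny it, while on the office list anything but TCP port 80 from 92.128.2.0/24 falls through to the implicit deny.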

    ALSO KNOW HOW TO PROTECT THE TELNET/SSH VTY LINES OF CISCO DEVICES

    There are usually 5 VTY lines on Cisco routers (vty 0 to 4). An attacker can perform a denial of service attack by opening several simultaneous Telnet or SSH connections to the router, thus occupying all available lines and preventing legitimate administrators from managing the device.

    To protect from this kind of attack, we can configure and apply an ACL on lines 0 to 3 allowing the general network management address range, and then configure a more restrictive ACL for the last VTY line 4, which allows only a specific management station to connect.

    CONFIGURATION EXAMPLE:

    Allow access from the general network management range (assume the management network is 10.10.10.0/24):

    Router(config)# access-list 110 permit tcp 10.10.10.0 0.0.0.255 any eq 22

    Allow access from a single management station:

    Router(config)# access-list 111 permit tcp host 10.10.10.10 any eq 22

    Router(config)# line vty 0 3
    Router(config-line)# access-class 110 in
    Router(config-line)# line vty 4
    Router(config-line)# access-class 111 in

    CONCLUSION:

    The goal of this article is to give an easy way to understand IP standard and IP extended access control lists (ACLs). Hopefully, this article can be used as a basic help!

    This article was written by: Premakumar Thevathasan. CCNA, CCNP, CCIP, MCSE, MCSA, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.