Access Control: Routers as Filters (diagram). One router with three interfaces: e0 toward network 172.16.3.0 (where the server sits), e1 toward network 172.16.4.0 (where host 172.16.4.13 sits), and s0 toward the non-172.16.0.0 outside world. This topology is reused in the examples that follow.
Access Control: Routers as Filters (second diagram). Networks 172.16.2.0, 172.16.3.0 and 172.16.4.0; interfaces e0, e1, s0 and s1; addresses 172.16.2.2, 172.16.3.1, 172.16.3.2, 172.16.4.2 and 172.16.4.3; two computers and a server.
A High Level View of ACLs
Standard (filters on source address only):
  interface Fa 0/0/0
   ip access-group 1 out
  access-list 1 deny 172.16.4.13 0.0.0.0
  access-list 1 permit any
Extended (filters on protocol, source, destination and port):
  interface Fa 0/0/0
   ip access-group 101 in
  access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq www
  access-list 101 permit ip any any
Standard Access Control Lists • ACLs are ordered lists of instructions applied to router interfaces. • Each statement describes the kind of packet that is to be permitted or denied. • The permit or deny test can be based on: • source address • destination address • port number (a standard ACL tests only the source address; the other two require an extended ACL). • ACLs are configured on router interfaces to control access to a network. • ACLs must be defined separately for each protocol: one for IP, another for IPX, another for AppleTalk, and so on. • ACLs are sometimes called packet filters.
Placing ACLs. Standard ACLs should be placed close to the destination: they match only on source address, so placing one near the source would cut that source off from everything, not just the destination you want to protect. Extended ACLs should be placed close to the source, so unwanted traffic is dropped before it consumes bandwidth across the network.
Firewalls. A firewall is a barrier placed between the internal network and the outside world to protect the internal network from intruders. A router filtering with ACLs is the simplest form of one.
ACL - Access Control Lists • Reasons to create ACLs: • limit network traffic, and hence improve network performance • control traffic flow: restrict which traffic is carried through the network • provide security • ACLs establish • which traffic is blocked • which traffic is not blocked
A More Detailed View of ACLs
ACL - Access Control Lists • Cisco IOS checks each packet for: • destination address • source address • protocol • port number • Each ACL statement is checked in sequential order (first to last); at the first match the statement's action is taken and no further statements are checked. • If no statement matches, the packet is discarded by default (the implicit deny at the end of every ACL). • Adding statements to the end of an existing numbered list is just a matter of entering the new statement. BUT entering "no access-list <number> ..." to remove a single statement deletes the entire numbered access list, not just that statement.
  access-list 1 deny 192.169.1.0 0.0.255.255
  access-list 1 deny 192.168.1.9 0.0.0.0
  access-list 1 deny 172.16.4.0 0.0.0.255
  access-list 1 permit any
ACL - Access Control Lists • When a packet enters a router interface, inbound checking happens first. The packet: • Is checked against the inbound ACL on that interface (if one exists), which permits or denies it. • If denied, the packet is dropped (before any routing-table lookup); otherwise • It is matched against the routing table and handed to the outbound interface. • Outbound checking then happens on the outbound interface: • 1) The packet is checked against the outbound ACL (if one exists). • 2) If denied, the packet is dropped. • 3) If permitted, the packet is sent out. • The outbound interface's ACL is a separate list from the inbound one.
ACL - Access Control Lists. ACL statements operate in a logical, sequential order. When a match is made the rest of the statements are not checked. If none of the ACL statements match, the implicit "deny any" at the end of the list applies.
  access-list 10 { permit | deny } { test conditions }
  access-list 10 { permit | deny } { test conditions }
  access-list 10 { permit | deny } { test conditions }
  access-list 10 { permit | deny } { test conditions }
  access-list 10 deny any   (implicit; never shown in the configuration)
Example:
  access-list 1 deny 192.169.1.0 0.0.255.255
  access-list 1 deny 192.168.1.9 0.0.0.0
  access-list 1 deny 172.16.4.0 0.0.0.255
  access-list 1 permit any
ACL - Access Control Lists • Two types of IP ACL: • standard: access-list number 1 - 99 • extended: access-list number 100 - 199 • Must be configured in global configuration mode: Router(config)# • Steps in creating ACLs: • 1) create the ACL (in global config mode) • 2) apply the ACL to an interface • ACLs are used to filter: • inbound traffic, or • outbound traffic
Where to place ACLs. Standard ACLs are placed as close as possible to the destination. Extended ACLs are placed as close as possible to the source.
Where to place ACLs • Configuring an access list: • Router(config)# access-list <ACL number> { permit | deny } { test conditions } • Router(config)# access-list 1 permit { test conditions } • Router(config)# access-list 50 deny { test conditions } • To delete all statements of an access list: • Router(config)# no access-list <ACL number> • Applying the access list at an interface: • Router(config)# interface E0 • Router(config-if)# { protocol } access-group <ACL number> [in | out] • out is the default if no direction is given: • Router(config-if)# ip access-group 1 • Router(config-if)# ip access-group 50 • Only one ACL can be applied per protocol, per interface, per direction; the second command above replaces the first on that interface. • To remove the ACL from the interface (this does not delete the list itself): • Router(config-if)# no ip access-group <ACL number> [in | out]
Wildcard mask. A wildcard mask is matched against an IP address. It is a 32-bit mask divided into 4 octets of 8 bits each. A 0 in the wildcard means "check this bit of the address under test" (it must match). A 1 in the wildcard means "ignore this bit". NOTE!!! Do NOT think subnet mask; the meaning is different. For a contiguous block the wildcard happens to be the bit-inverse of the subnet mask (a /24 is 0.0.0.255), but a wildcard need not be contiguous, so it can express matches a subnet mask cannot.
Abbreviations • To permit or deny any address: • Address 0.0.0.0, Wildcard 255.255.255.255 • Use the abbreviation any:
  Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
  Router(config)# access-list 1 permit any
  Router(config)# access-list 1 deny 0.0.0.0 255.255.255.255
  Router(config)# access-list 1 deny any
Abbreviations • To match all the bits of an IP address use host: • EX: address 172.30.16.29, wildcard 0.0.0.0
  Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
  Router(config)# access-list 1 permit host 172.30.16.29
Standard ACLs • Criteria: • block all traffic from a network • allow all traffic from a network • deny an entire protocol suite • Standard ACLs only check the source address. • Router(config)# access-list <ACL number> { deny | permit } source [source-wildcard] [log]
Standard ACLs. What does this statement accomplish? access-list 33 permit 172.16.0.0 0.0.255.255 log. Permits all traffic from source network 172.16.0.0/16 and logs matches to the console (first matching packet, then five-minute summaries).
Standard ACLs. What does this statement accomplish? access-list 44 deny 172.16.13.7 0.0.0.0 log. Denies traffic from host 172.16.13.7 and logs matches to the console.
Standard ACLs. What does this statement accomplish? access-list 55 deny 172.16.64.0 0.0.0.255. Denies all traffic from network 172.16.64.0/24.
Standard ACLs • The log keyword: • Prints a message to the console that includes the ACL number, whether the packet was permitted or denied, the source address, and the number of packets. • The message is generated for the first packet that matches, and then at five-minute intervals, with the number of packets permitted or denied in the prior five-minute interval. • Use log for debugging only; logged matches cost router CPU, so it is not to be left active on a production network.
Standard ACLs • Example of applying the access list: • Router(config-if)# ip access-group 33 in • Router(config-if)# ip access-group 44 out
Standard ACLs • To monitor IP access lists (in EXEC mode): • show access-lists: displays all access lists and their statements configured on the router (does not show which interface a list is applied to). • show access-lists <ACL number>: shows only the statements of access list <ACL number> (does not show the interface either). • show ip access-lists: shows only the IP access lists configured on the router. • show ip interface: shows which interfaces have access lists applied (the access-group setting per direction). • show running-config: shows the router's entire configuration.
Standard ACLs: one access list used by multiple interfaces (topology: e0 toward 172.16.3.0 and the server, e1 toward 172.16.4.0 and host 172.16.4.13, s0 toward non-172.16.0.0).
  R(config)# interface e0
  R(config-if)# ip access-group 1 out
  R(config)# interface e1
  R(config-if)# ip access-group 1 out
  R(config)# access-list 1 permit 172.16.0.0 0.0.255.255
What does it do? Allows only traffic from source network 172.16.0.0/16 to be forwarded out e0 and e1; non-172.16.0.0 traffic (for example anything arriving from s0) hits the implicit deny and is blocked.
Standard ACLs (same topology).
  R(config)# interface e0
  R(config-if)# ip access-group 1 out
  R(config)# access-list 1 deny 172.16.4.13 0.0.0.0
  R(config)# access-list 1 permit any
What does this do? Denies traffic from the specific host 172.16.4.13 and allows all other traffic out e0 to network 172.16.3.0.
Standard ACLs (same topology).
  interface e0
   ip access-group 1 out
  access-list 1 deny 172.16.4.0 0.0.0.255
  access-list 1 permit any
What does this do? Denies traffic from the whole subnet 172.16.4.0/24 and allows all other traffic out e0 to network 172.16.3.0.
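To make the wildcard, abbreviation and first-match rules from the slides above concrete, here is an added example (written for this page, not code from the slides or from Cisco) that models how IOS evaluates a numbered standard ACL. The ACL lines are the ones shown on the slides; the source addresses fed to it are constructed for the demonstration.

```python
"""Standard ACL evaluation: wildcard masks, first match wins, implicit deny.

Added example (not from the slides): a small Python model of how IOS
evaluates a numbered standard ACL.  ACL lines are taken from the slides;
the packet source addresses tested below are constructed sample input.
"""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Return True if addr matches base under an IOS wildcard mask.

    A 0 bit in the wildcard means "this bit must match"; a 1 bit means
    "ignore this bit".  That is the inverse of a subnet mask and, unlike
    a subnet mask, the wildcard need not be contiguous.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & keep) == (b & keep)


def parse_standard(line: str) -> dict:
    """Parse 'access-list N {permit|deny} source [wildcard] [log]'.

    Handles the 'any' and 'host' abbreviations; a missing wildcard
    defaults to 0.0.0.0 (an exact host match), as it does in IOS.
    """
    tokens = line.split()
    if tokens[0].lower() != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number = int(tokens[1])
    action = tokens[2].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    log = tokens[-1].lower() == "log"
    rest = tokens[3:-1] if log else tokens[3:]
    if rest[0].lower() == "any":
        base, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0].lower() == "host":
        base, wildcard = rest[1], "0.0.0.0"
    else:
        base = rest[0]
        wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
    return {"number": number, "action": action, "base": base,
            "wildcard": wildcard, "log": log}


def evaluate(acl_lines, src: str):
    """Return (action, matched_line) for a packet with source address src.

    Statements are tested top to bottom; the first match decides and
    nothing after it is examined.  No match at all is the implicit deny,
    reported here with matched_line = None.
    """
    for line in acl_lines:
        entry = parse_standard(line)
        if wildcard_match(src, entry["base"], entry["wildcard"]):
            return entry["action"], line
    return "deny", None   # implicit "deny any" at the end of every ACL


# ACL 1 exactly as written on the slides.
ACL_1 = [
    "access-list 1 deny 192.169.1.0 0.0.255.255",
    "access-list 1 deny 192.168.1.9 0.0.0.0",
    "access-list 1 deny 172.16.4.0 0.0.0.255",
    "access-list 1 permit any",
]

# ACL 33 from the "log" example: permits 172.16.0.0/16 and nothing else.
ACL_33 = ["access-list 33 permit 172.16.0.0 0.0.255.255 log"]

if __name__ == "__main__":
    # Constructed sample source addresses.
    for src in ("192.169.7.7", "192.168.1.9", "172.16.4.13", "10.0.0.1"):
        print(src, evaluate(ACL_1, src))
    # ACL 33 has no explicit "permit any", so this hits the implicit deny.
    print("10.1.1.1", evaluate(ACL_33, "10.1.1.1"))
    # Non-contiguous wildcard: 0.0.0.254 ignores every bit of the last
    # octet except the lowest, so "172.16.4.1 0.0.0.254" matches only
    # odd-numbered hosts.  No subnet mask can express that.
    print(wildcard_match("172.16.4.13", "172.16.4.1", "0.0.0.254"))
```

The first match returned for 192.169.7.7 is the 192.169.1.0 0.0.255.255 line even though the address is not in 192.169.1.0/24: the wildcard ignores the last two octets, so the statement really covers 192.169.0.0/16. That is exactly the kind of surprise the "do not think subnet mask" warning is about.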
Extended ACLs • Criteria: • checks both the packet's source and destination addresses • checks for a specific protocol • checks for specific port numbers • permits or denies applications: ping, telnet, FTP, etc. • ACL numbers range between 100 - 199 (for IP)
Extended ACLs • Well-known port numbers (decimal) and their transport protocol:
  Port  Application                           Transport
  20    FTP data                              TCP
  21    FTP control                           TCP
  23    Telnet                                TCP
  25    Simple Mail Transfer Protocol (SMTP)  TCP
  53    DNS                                   TCP, UDP
  69    TFTP                                  UDP
  80    HTTP                                  TCP
Extended ACLs • Router(config)# access-list <ACL number> { permit | deny } protocol source source-wildcard [operator operand] destination destination-wildcard [operator operand] [established] • ACL number: 100 - 199 • permit | deny: packet is allowed or blocked • protocol: ip, tcp, udp, icmp, gre or igrp • source, source-wildcard: source address and its wildcard mask • destination, destination-wildcard: destination address and its wildcard mask • operator: lt, gt, eq, neq (port operators; valid for tcp and udp) • operand: port number or name • established: matches TCP packets that belong to an existing connection, that is, packets with the ACK or RST bit set. This is only a flag check, not connection tracking, so a crafted packet with ACK set also passes it. • Example: access-list 101 permit tcp 172.16.4.0 0.0.0.255 any eq 25
Extended ACLs. Applying an extended ACL to an interface: Router(config-if)# ip access-group <ACL number> { in | out }
  Router(config)# interface E0
  Router(config-if)# ip access-group 101 in
Extended ACLs (topology: e0 toward 172.16.3.0 and the server, e1 toward 172.16.4.0 and host 172.16.4.13, s0 toward non-172.16.0.0).
  interface e0
   ip access-group 101      (no direction given, so out is assumed)
  access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
  access-list 101 permit ip any any
What does this do? Blocks FTP control connections (TCP port 21) from all hosts on 172.16.4.0/24 to any device on 172.16.3.0/24 and allows all other traffic out e0.
Extended ACLs (same topology).
  interface e0
   ip access-group 101      (no direction given, so out is assumed)
  access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
  access-list 101 permit ip any any
What does this do? Denies only telnet traffic (TCP port 23) from the 172.16.4.0/24 network to the 172.16.3.0/24 network, and permits all other traffic out e0 to any address.
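The extended ACL syntax and the two e0 examples above are modelled in the following added example (written for this page; not code from the slides or from Cisco). It parses extended ACL lines with protocol, source and destination wildcards, port operators and the established keyword, evaluates constructed packets against them first-match-first, and shows why established is only a flag check: the ACL 102 below and all packets are constructed for the demonstration.

```python
"""Extended ACL evaluation: protocol, addresses, port operator, established.

Added example (not from the slides): a Python model of how an extended
ACL is evaluated.  ACL 101 is the telnet example from the slides; ACL 102
and every packet below are constructed sample input.
"""
import ipaddress
from dataclasses import dataclass

# Port names IOS accepts in place of numbers (subset).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "tftp": 69, "www": 80}


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag
    rst: bool = False   # TCP RST flag


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: 0 bits must match, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & keep) == (b & keep)


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (base, wildcard, next_i)."""
    t = tokens[i].lower()
    if t == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def _take_port(tokens, i):
    """Consume an optional 'eq|neq|lt|gt <port>' at tokens[i]."""
    if i < len(tokens) and tokens[i].lower() in ("eq", "neq", "lt", "gt"):
        name = tokens[i + 1].lower()
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return (tokens[i].lower(), port), i + 2
    return None, i


def parse_extended(line):
    """Parse 'access-list N {permit|deny} proto src src-wc [op port]
    dst dst-wc [op port] [established]' into a dict."""
    tokens = line.split()
    number, action, proto = int(tokens[1]), tokens[2].lower(), tokens[3].lower()
    src, src_wc, i = _take_addr(tokens, 4)
    sport, i = _take_port(tokens, i)
    dst, dst_wc, i = _take_addr(tokens, i)
    dport, i = _take_port(tokens, i)
    established = i < len(tokens) and tokens[i].lower() == "established"
    return dict(number=number, action=action, proto=proto, src=src, src_wc=src_wc,
                sport=sport, dst=dst, dst_wc=dst_wc, dport=dport,
                established=established)


def _port_ok(cond, port):
    if cond is None:
        return True
    op, value = cond
    return {"eq": port == value, "neq": port != value,
            "lt": port < value, "gt": port > value}[op]


def matches(entry, pkt):
    """True if the packet satisfies every test in one ACL statement."""
    if entry["proto"] != "ip" and entry["proto"] != pkt.proto:
        return False
    if not wildcard_match(pkt.src, entry["src"], entry["src_wc"]):
        return False
    if not wildcard_match(pkt.dst, entry["dst"], entry["dst_wc"]):
        return False
    if not _port_ok(entry["sport"], pkt.sport) or not _port_ok(entry["dport"], pkt.dport):
        return False
    # 'established' only looks at TCP flags (ACK or RST set).  It keeps no
    # state table, so a forged packet with ACK set passes this test too.
    if entry["established"] and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
        return False
    return True


def evaluate(acl_lines, pkt):
    """First match wins; no match is the implicit deny (reported as None)."""
    for line in acl_lines:
        entry = parse_extended(line)
        if matches(entry, pkt):
            return entry["action"], line
    return "deny", None


# ACL 101 as on the slide: block telnet from 172.16.4.0/24 to 172.16.3.0/24.
ACL_101 = [
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23",
    "access-list 101 permit ip any any",
]

# Constructed: a "return traffic only" filter of the kind established is used for.
ACL_102 = ["access-list 102 permit tcp any 172.16.0.0 0.0.255.255 established"]

if __name__ == "__main__":
    telnet = Packet("tcp", "172.16.4.13", "172.16.3.1", sport=40000, dport=23)
    http = Packet("tcp", "172.16.4.13", "172.16.3.1", sport=40001, dport=80)
    print(evaluate(ACL_101, telnet), evaluate(ACL_101, http))
    syn = Packet("tcp", "203.0.113.5", "172.16.3.1", sport=5555, dport=22)
    forged = Packet("tcp", "203.0.113.5", "172.16.3.1", sport=5555, dport=22, ack=True)
    print(evaluate(ACL_102, syn), evaluate(ACL_102, forged))
```

The last line of the demonstration is the practitioner's caveat: the plain SYN from 203.0.113.5 is dropped by ACL 102, but the same packet with the ACK bit set is permitted, because established inspects flags rather than tracking connections. Treat it as a coarse filter, not as a stateful firewall.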
Extended/Standard ACL numbers for IP • NOTE: • Standard ACL numbers: 1-99; 1300-1999 • Extended ACL numbers: 100-199; 2000-2699
Standard/Extended ACL. With numbered ACLs you cannot insert a statement into the body of the access list; new statements go only at the end. To change anything else the access list must be deleted and rewritten. It is therefore prudent to write your access list in a text editor such as Notepad and then paste it into the router. (Named ACLs on later IOS releases accept sequence numbers, which do allow insertion.)
Configuring Named ACLs • NOTE: • A named ACL is identified by an alphanumeric string instead of an ACL number (1 - 199). • Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2. • Named ACLs can be either standard or extended. • You cannot configure the same name for multiple ACLs. • Use named ACLs when you want a name that intuitively identifies what the ACL does. • Use named ACLs when more than 99 standard or 100 extended ACLs have already been configured on a router for a given protocol.
Configuring Named ACLs. Router(config)# ip access-list { standard | extended } name, followed by { deny | permit } statements:
  ip access-list standard internetfilter
   deny 172.10.15.0 0.0.0.255
   permit 128.88.0.0 0.0.255.255
   permit 36.0.0.0 0.0.255.255
  ip access-list extended marketing-group
   permit tcp any 171.69.0.0 0.255.255.255 eq telnet
   deny udp any 171.69.0.0 0.255.255.255 lt 1024