Ex4 Chapter 5 - ACLs

- ACL Detailed info http://sclabs.blogspot.com/2012/09/ccna-security-chapter-4-implementing.html
- ACLs on Cisco.com
- Configuring Commonly Used IP ACLs @ cisco.com

ACL – Access Control List
ACLs are a Layer 3 / 4 defense mechanism.  ACLs are applied on routers and other Layer 3 devices.

inbound ['ɪnbaund] - going inward, incoming (прибывающий)
outbound ['autbaund] - outward bound; headed away (отправляемый)
By default, a router does not have any ACLs configured and therefore does not filter traffic.
At the end of every access list is an implied "deny all" traffic criteria statement.
Therefore, if a packet does not match any of the ACL entries, it is automatically blocked.
The implied "deny all traffic" is the default behavior of ACLs and cannot be changed.

ACLs are applied:
1.  Per interface - ACLs control traffic for an interface, for example, Fast Ethernet 0/0
2.  Per direction - Two separate ACLs must be created to control inbound and outbound traffic.
3.  Per routed protocol - an ACL must be defined for each protocol enabled on the interface

Two general types of ACLs:
1.  Standard (San Diego) [1-99, 1300, 1999]- allow you to permit or deny traffic ONLY from source IP addresses (no destination or port based filtering)
2.  Extended (España) [100-199, 2000-2699] - allow you to filter traffic based on protocol, source, destination, and port.

Two implementation methods:
1.  Numbered (cannot delete without deleting all ACLs)
2.  Named (can delete individual ACLs)

Note: When writing ACLs they are written top down, therefore adding ACLs later result in new ACLs being applied to the bottom of the list.

Applying ACLs based on type:
1.  Standard ACLs should be applied as close to the destination as possible (San Diego)
2.  Extended ACLs should be applied as close to the source as possible (España)

ACL Identification
1-99  Standart IP (source only)
100-199  Extended IP (source, destination, port, protocol)
1300-1999  Standart IP (source only) expanded range
2000-26999 Extended IP (source, destination, port, protocol) expanded range
600-999 Appletalk, Ethernet address, IPX
ACL Configuration
access-list [access-list-number] [deny|permit|remark] [source-ip-address] [wildcard mask (optional)] [log (optional)]

ex: R1(config)#access-list 10 permit
The remark keyword is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters.
The log keyword - (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at:
 - Wildcard mask bit 0 - Match (permit) the corresponding bit value in the address
 - Wildcard mask bit 1 - Ignore the corresponding bit value in the address

ex: wildcard mask (host) - match any
R1(config)#access-list 1 permit
R1(config)#access-list 1 permit host

     wildcard mask (any) - every bit in the IP  must match exactly
R1(config)#access-list 1 permit
R1(config)#access-list 1 permit any

Calculating wildcard masks can be difficult, but you can do it easily by subtracting the subnet mask from

wildcard mask :
The last 3 bits of a given IP address will be ignored.

The first 29 bits of a given IP address will be checked.

access-list [access-list-number] [deny|permit] [protocol: ip, tcp, udp, icmp,…] [source-ip-address] [wildcard mask] [destination-ip-address] [wildcard mask] [eq, neq, gt, lt (optional)] [port] [established - tcp only]
After you have created the actual access list you need to apply it to an interface by direction.
Establised - It will permit any TCP traffic that originated from network to return inbound on the S0/0/0 interface (Internet).


 int s0/0 
ip access-group Students out
[pro] access-group [name/num of ACL] [in|out]
Apply ACL:
- on interface : ip access-group [ACL number|name] [in|out]
- on vty: access-class [ACL number|name] [in|out]

Special Words and Situations
•  any =
•  host = [host IP address]
•  implicit deny any or deny any any on the end of all ACLs
•  access-list [access-list-number] remark [remark]
•  ip access-list [standard | extended] [name of ACL]
•  logical port comparisons can be {eq, neq, gt, lt}

Optional L4 Source/Destination port [eq|lt|gt|neq] number where:

eq is equal to the port number.

lt is less than the port number.

gt is greater the port number.

neq is not equal to the port number.

number is the destination port number.
Enter a number from 1 to 65535.

ICMP recomendations
Allow ICMP types on Inbound
Type 0 — Echo Reply - Allows users to ping external hosts.
Type 3 Unreachable (have multiple codes) - Unreachable messages are generated for packets that are administratively denied by an ACL.
Type 4 — Source Quench (Deprecated) - Requests the sender to decrease the traffic rate of messages.
Allow ICMP types on Out
Type 8 — Echo (Echo request) - Allows users to ping external hosts.
Type 12 — Parameter problem - Informs the host of packet header problems.
Type 3 (destination unreachable), code 4 (fragmentation needed but don't-fragment bit set) Packet too big - Required for packet maximum transmission unit (MTU) discovery.
Type 4 — Source quench - Throttles down traffic when necessary.
As a rule, block all other ICMP message types outbound.

Named ACL:
R1(config)# ip acces-list [standard|extended] name
Dynamic ACLs
Dynamic ACLs have the following security benefits over standard and static extended ACLs:
•  Use of a challenge mechanism to authenticate individual users.
•  Simplified management in large internetworks.
•  In many cases, reduction of the amount of router processing that is required for ACLs.
•  Reduction of the opportunity for network break-ins by network hackers.
•  Creation of dynamic user access through a firewall, without compromising other configured security restrictions.

Reflexive ACLs
Permit session start only from inside (blocking from outside)

•  Can only be used in named IP ACLs.
•  Better than using the established command
•  Work with UDP and ICMP also (established does not)

Config: any reflect TCPTRAFFIC

Time Based ACLs
Time based ACLs are out of the scope of this course but they do exist.  You can specify the time of day a specific network has access to resources.

show access-list vs show ip access-list
Can anyone tell me if there is a difference between show access-lists vs show ip access-lists? I tried running both commands in PacketTracer and they gave both the same results.
 - There may be more than just IPv4 access-lists on the router.   If so, the command show access-lists would show them all, including IPX or other types that may exist.

On that same router, the command show ip access-lists would only show the IP access-lists, and not the IPX or other types.
 - To see the IPv6 ACLs, we would use "show ipv6 access-list"

R1#show access-list
MPLS access list 2700
    10 permit any 399  any any
IPX sap access list 1000
    permit FFFFFFFF 0
Extended IP access list 100
    10 permit ip
IPv6 access list MY-IPV6-List
    permit ipv6 2001:12::/64 any sequence 10

R1#show ip access-list
Extended IP access list 100
    10 permit ip

R1#show ipv6 access-list
IPv6 access list MY-IPV6-List
    permit ipv6 2001:12::/64 any sequence 10

R1#show ipx access-list
IPX sap access list 1000
    permit FFFFFFFF 0

No comments :

Post a Comment