CMCIS154 Chapt 05

Access control lists (ACLs) can be configured to permit or deny traffic based on source/destination addresses, protocols, and port numbers. Standard ACLs filter on the source address only, while extended ACLs can also filter on destination address, protocol, and port numbers. ACLs are evaluated sequentially, first match wins, with an implicit deny all at the end. Named ACLs allow editing of specific lines; dynamic (lock-and-key), reflexive and time-based ACLs extend this with conditional entries.

Uploaded by John Smith
Copyright: © Attribution Non-Commercial (BY-NC)

CMCSI 154 Chapter 5 ACL – Sequential list of permit or deny statements matched against IP addresses or upper-layer protocols, with an implied deny all at the end

Inbound – tested before the routing lookup / Outbound – tested after the routing lookup, before the packet is released to the interface
Port numbers: HTTP = 80, Telnet = 23, SMTP = 25, FTP = 21 (control) and 20 (data), DNS = 53
One ACL per protocol, per interface, per direction. / ACLs do not apply to packets generated by the router itself
Configuration: [1] create in global config (access-list n … for numbered, ip access-list … for named) [2] apply to the interface: ip access-group n [in|out]
Limited editing of numbered ACLs – no access-list n removes the whole list, so remove it and re-enter every line (lines cannot be inserted in the middle)
I. Standard – place close to the destination, matches the source address only (1-99) (1300-1999)
Router(config)# access-list (1-99) {permit|deny} source wildcard-mask
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 10 remark xx x xxxx x xxx
no access-list 10
II. Extended – place close to the source, matches protocol, IP source, destination and port numbers (100-199) (2000-2699)
Router(config)# access-list (100-199) {permit|deny} protocol source wildcard [eq port] destination wildcard [eq port] [established]
(the protocol comes before the addresses; an eq that follows the source tests the source port, an eq that follows the destination tests the destination port)
access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 102 deny ip any any
Wildcard masks – a 0 bit in the mask means check that bit, a 1 bit means ignore it
192.168.10.10 0.0.0.0 => host 192.168.10.10
0.0.0.0 255.255.255.255 => any
NAMED (standard or extended) – allows editing of specific lines; the command begins with ip access-list
Router(config)# ip access-list [standard | extended] NAME
Router(config-std-nacl | config-ext-nacl)# … various permit|deny lines …
Router(config-if)# ip access-group NAME [in|out]
Router(config)# ip access-list extended LISTNAME
Router(config-ext-nacl)# remark xx x xxx xxx
Router(config-ext-nacl)# deny tcp host 192.168.10.13 any eq telnet

To edit a line of a named access list, prefix the entry with its sequence number (an existing number is replaced, a new one is inserted in order):
Router(config-ext-nacl)# 15 deny tcp host 192.168.10.13 any eq telnet
Complex ACLs
[a] Dynamic (lock-and-key) – a user cannot pass through the router until authenticated by a Telnet login to the router
IP traffic only – depends on Telnet, authentication and an extended ACL; the ACL initially blocks the traffic, the successful Telnet login opens the dynamic entry
Example:
R1(config)# username Student password 0 cisco
R1(config)# access-list 101 permit tcp any host 10.2.2.2 eq telnet
R1(config)# access-list 101 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
R1(config)# int s0/0
R1(config-if)# ip access-group 101 in
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# autocommand access-enable host timeout 5
[b] Reflexive – allows outbound traffic and permits inbound traffic only in response to a session originated from inside the network (behind the router)
Better than established (which only checks the ACK/RST bits and therefore covers TCP only) because it works with UDP & ICMP and tracks the dynamic source port
Not applied to an interface directly but nested within an extended NAMED IP ACL: reflect on the outbound list creates the temporary entries, evaluate on the inbound list checks them
Example:
R2(config)# ip access-list extended OUTBOUNDFILTERS
R2(config-ext-nacl)# permit tcp 192.168.0.0 0.0.255.255 any reflect TCPTRAFFIC
R2(config-ext-nacl)# permit icmp 192.168.0.0 0.0.255.255 any reflect ICMPTRAFFIC
R2(config)# ip access-list extended INBOUNDFILTERS
R2(config-ext-nacl)# evaluate TCPTRAFFIC
R2(config-ext-nacl)# evaluate ICMPTRAFFIC
R2(config)# int s0/1
R2(config-if)# ip access-group INBOUNDFILTERS in
R2(config-if)# ip access-group OUTBOUNDFILTERS out
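The reflect/evaluate pair above, modelled as a small session table so the behaviour can be exercised (an added example, not the notes' or Cisco's code). The 192.168.0.0 0.0.255.255 wildcard and the OUTBOUNDFILTERS/INBOUNDFILTERS roles come from the example above and 300 s is the IOS default reflexive timeout; the session table, its swapped 5-tuple key, the inside/outside addresses and the treatment of ICMP as port 0 are this script's own assumptions.

```python
"""Toy model of a reflexive ACL: an outbound 'reflect' entry records the session,
the inbound 'evaluate' permits only the mirrored return traffic until it times out.
Added example; the session table, its key and the simplifications noted below are
this script's own, not IOS internals."""
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


@dataclass
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0   # 0 for icmp (simplification: IOS pairs echo with echo-reply)
    dport: int = 0


class ReflexiveFilter:
    """One 'permit <proto> <net> <wc> any reflect NAME' entry plus its 'evaluate NAME'.
    Reflected entries carry the 5-tuple with addresses and ports swapped."""

    def __init__(self, proto: str, net: str, wc: str, timeout: int = 300):
        self.proto, self.net, self.wc, self.timeout = proto, net, wc, timeout
        self.sessions = {}   # mirrored 5-tuple -> expiry time (inactivity timeout)

    def outbound(self, p: Packet, now: int) -> str:
        """OUTBOUNDFILTERS: permit matching traffic and record the return tuple."""
        if p.proto == self.proto and wildcard_match(p.src, self.net, self.wc):
            self.sessions[(p.proto, p.dst, p.dport, p.src, p.sport)] = now + self.timeout
            return "permit"
        return "deny"     # implicit deny at the end of the outbound list

    def inbound(self, p: Packet, now: int) -> str:
        """INBOUNDFILTERS: 'evaluate' permits only what an inside host asked for."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        exp = self.sessions.get(key)
        if exp is not None and now < exp:
            self.sessions[key] = now + self.timeout   # activity refreshes the entry
            return "permit"
        self.sessions.pop(key, None)                  # drop a stale entry
        return "deny"                                 # implicit deny of the inbound list


def run_cases():
    """Constructed traffic: inside client 192.168.10.10 talks to 10.1.1.1 and 8.8.8.8."""
    tcp = ReflexiveFilter("tcp", "192.168.0.0", "0.0.255.255", timeout=300)
    udp = ReflexiveFilter("udp", "192.168.0.0", "0.0.255.255", timeout=300)
    out = {}
    out["out_http"] = tcp.outbound(Packet("tcp", "192.168.10.10", "10.1.1.1", 40000, 80), now=0)
    out["reply"] = tcp.inbound(Packet("tcp", "10.1.1.1", "192.168.10.10", 80, 40000), now=10)
    out["wrong_port"] = tcp.inbound(Packet("tcp", "10.1.1.1", "192.168.10.10", 80, 40001), now=10)
    out["unsolicited"] = tcp.inbound(Packet("tcp", "10.9.9.9", "192.168.10.10", 40000, 23), now=10)
    out["stale"] = tcp.inbound(Packet("tcp", "10.1.1.1", "192.168.10.10", 80, 40000), now=311)
    # DNS over UDP: 'established' can never match this, a reflexive entry can
    udp.outbound(Packet("udp", "192.168.10.10", "8.8.8.8", 5000, 53), now=0)
    out["dns_reply"] = udp.inbound(Packet("udp", "8.8.8.8", "192.168.10.10", 53, 5000), now=1)
    out["outside_src"] = tcp.outbound(Packet("tcp", "172.16.1.1", "10.1.1.1", 1, 80), now=0)
    return out
```

The point to take from the model: an inbound segment is accepted only if its exact reversed 5-tuple was seen leaving, and the entry disappears after the inactivity timeout, which is what makes this work for UDP and dynamic source ports where established cannot.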
[c] Time-based – access based on time of day – name a time range and refer to it from the ACE with time-range
R1(config)# time-range EVERYOTHERDAY
R1(config-time-range)# periodic Monday Wednesday Friday 8:00 to 17:00
R1(config)# access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq telnet time-range EVERYOTHERDAY
R1(config)# int s0/0
R1(config-if)# ip access-group 101 out

VTY configuration – restricting Telnet/SSH access to the router itself with an ACL, applied with access-class in line configuration mode
Standard and extended ACLs applied with ip access-group filter packets passing through the router, not traffic destined to or originated by the router, so management access needs access-class on the vty lines
Although extended ACLs are the usual choice for protocol-level filtering, access-class works with a numbered standard ACL – only the source matters, because the destination is the router
access-class n {in [vrf-also] | out}
Example:
Router(config)# access-list 21 permit 192.168.10.0 0.0.0.255
Router(config)# line vty 0 4
Router(config-line)# login
Router(config-line)# password secret
Router(config-line)# access-class 21 in

Examples (port number and service name are interchangeable):
access-list 110 permit tcp 192.168.20.0 0.0.0.255 any eq 23
access-list 110 permit tcp 192.168.20.0 0.0.0.255 any eq telnet
access-list 110 permit tcp 192.168.20.0 0.0.0.255 any eq 21
access-list 110 permit tcp 192.168.20.0 0.0.0.255 any eq ftp
access-list 110 permit tcp 192.168.20.0 0.0.0.255 any eq 22
access-list 110 permit tcp 192.168.20.0 0.0.0.255 any eq ftp-data
access-list 120 permit tcp any 192.168.10.0 0.0.0.255 established
established – allows only TCP segments with the ACK or RST bit set, i.e. traffic returning for a session initiated from inside (a new connection from outside has neither bit set and is not matched)

Errors (read the list with show access-lists):
10 deny tcp 192.168.10.0 0.0.0.255 any
20 permit tcp 192.168.10.0 0.0.0.255 any eq telnet
30 permit ip any
Line 10 denies all TCP from 192.168.10.0/24, so line 20 is never evaluated (order matters: put the specific statement before the general one)

10 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
->20 deny tcp 192.168.10.0 0.0.0.255 host 10.100.100.1 eq smtp
30 permit tcp any any
No TFTP allowed because TFTP uses UDP, which line 30 (tcp only) does not match, so it falls to the implicit deny
30 should be permit ip any any

10 deny tcp any eq telnet any
->20 deny tcp 192.168.10.0 0.0.0.255 host 192.168.30.0 eq smtp
30 permit ip any any
Trying to deny telnet at the destination, but eq is positional: in line 10 eq telnet follows the source, so it tests the source port
Should be deny tcp any any eq telnet

10 deny tcp host 192.168.10.1 0.0.0.255 any eq telnet
20 deny tcp 192.168.1.0 0.0.0.255 host 10.100.100.1 eq smtp
30 permit ip any any
192.168.101.10 should not be able to telnet
No deny rule matches it, so line 30 lets it through (note: host takes no wildcard mask, so line 10 as written is not valid and would cover only 192.168.10.1)
?? see 5.4.5 ?? in/out – check the direction (in vs out) the ACL is applied in on the interface
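To make the rules used in the four cases above testable (sequential first match, implicit deny, wildcard masks, positional eq, established), here is a small evaluator that replays the first three Errors lists against constructed packets. It is an added example, not code from the notes or from Cisco: the Packet and Entry classes, parse_entry() and the 192.168.10.10 / 192.168.30.12 hosts and port numbers are this script's own assumptions, and the parser understands only the show access-lists line shape used on this page.

```python
"""Model of Cisco ACL evaluation: sequential first match, implicit deny, wildcard
masks, positional 'eq' and 'established'. Added example: Packet, Entry and
parse_entry() are this script's own reading of 'show access-lists' lines, not IOS."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORTS = {"telnet": 23, "smtp": 25, "ftp": 21, "ftp-data": 20, "www": 80, "tftp": 69}

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

@dataclass
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False     # TCP ACK or RST set: all that 'established' checks

@dataclass
class Entry:
    seq: int
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None  # 'eq' written after the source tests the SOURCE port
    dport: Optional[int] = None  # 'eq' written after the destination tests the DESTINATION port
    established: bool = False
    hits: int = 0                # the "(n matches)" counter of show access-lists

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (not self.established or (p.proto == "tcp" and p.ack_or_rst)))

def parse_entry(line: str) -> Entry:
    """'20 deny tcp 192.168.10.0 0.0.0.255 host 10.100.100.1 eq smtp' -> Entry"""
    t = line.split()
    seq, action, proto, t = int(t[0]), t[1], t[2], t[3:]
    addrs, ports = [], []
    for _ in range(2):                        # source spec, then destination spec
        x = t.pop(0)
        addrs.append(("0.0.0.0", "255.255.255.255") if x == "any"
                     else (t.pop(0), "0.0.0.0") if x == "host" else (x, t.pop(0)))
        if t and t[0] == "eq":                # 'eq' binds to the address just parsed
            _, p = t.pop(0), t.pop(0)
            ports.append(int(p) if p.isdigit() else PORTS[p])
        else:
            ports.append(None)
    return Entry(seq, action, proto, *addrs[0], *addrs[1], ports[0], ports[1],
                 established=bool(t) and t[0] == "established")

def evaluate(acl, p: Packet):
    """First matching entry wins; no match is the implicit deny (reported as seq None)."""
    for e in acl:
        if e.matches(p):
            e.hits += 1
            return e.action, e.seq
    return "deny", None

def run_cases():
    """Replay the 'Errors' ACLs from the notes against constructed packets."""
    def mk(*lines):
        return [parse_entry(l) for l in lines]
    telnet = Packet("tcp", "192.168.10.10", "192.168.30.12", 40000, 23)  # constructed
    tftp = Packet("udp", "192.168.10.10", "192.168.30.12", 40000, 69)    # constructed
    out = {}
    a1 = mk("10 deny tcp 192.168.10.0 0.0.0.255 any",
            "20 permit tcp 192.168.10.0 0.0.0.255 any eq telnet",
            "30 permit ip any any")
    out["shadowed"] = evaluate(a1, telnet)         # line 10 wins; line 20 is dead
    out["line20_hits"] = a1[1].hits
    a2 = mk("10 deny tcp 192.168.10.0 0.0.0.255 any eq telnet",
            "20 deny tcp 192.168.10.0 0.0.0.255 host 10.100.100.1 eq smtp",
            "30 permit tcp any any")
    out["tftp_tcp_only"] = evaluate(a2, tftp)      # UDP matches nothing: implicit deny
    a2[2] = parse_entry("30 permit ip any any")
    out["tftp_fixed"] = evaluate(a2, tftp)
    a3 = mk("10 deny tcp any eq telnet any",       # eq sits after the source
            "20 deny tcp 192.168.10.0 0.0.0.255 host 192.168.30.0 eq smtp",
            "30 permit ip any any")
    out["telnet_positional"] = evaluate(a3, telnet)
    a3[0] = parse_entry("10 deny tcp any any eq telnet")
    out["telnet_fixed"] = evaluate(a3, telnet)
    est = mk("10 permit tcp any 192.168.10.0 0.0.0.255 established")
    syn = Packet("tcp", "192.168.30.12", "192.168.10.10", 40000, 23)     # unsolicited
    reply = Packet("tcp", "192.168.30.12", "192.168.10.10", 23, 40000, ack_or_rst=True)
    out["est_new"], out["est_reply"] = evaluate(est, syn), evaluate(est, reply)
    out["est_udp"] = evaluate(est, Packet("udp", "8.8.8.8", "192.168.10.10", 53, 5000))
    return out
```

Each key of run_cases() corresponds to one of the mistakes above: "shadowed" shows line 10 matching and line 20 keeping a zero hit count, "tftp_tcp_only" shows the UDP datagram reaching the implicit deny until line 30 becomes permit ip any any, "telnet_positional" shows the misplaced eq telnet letting the session through until it is moved after the destination, and the est_* keys show that established passes only a TCP segment with ACK/RST set and never UDP.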
