Access Control Lists
Accessing the WAN Chapter 5
Version 4.0
2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
Access Control Lists Defined
For Cisco, an Access Control List (ACL) is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols.
- They are similar to if-then statements in programming, e.g. "If a packet with this IP address, 192.168.10.2, comes into this interface, Serial 0/0/0, then deny the packet."
- They are used to filter packets coming into a router in order to provide security.
Packet Filtering
- Packet filtering exists at Layer 3.
- It is the process in which the router examines the IP header of each packet to see if the IP address matches an ACL configured on the router.
- If there is a match, the packet is permitted or denied depending on how the ACL is configured.
Types Of Filtering
ACLs can be configured to use any of the following for packet filtering:
- Source IP address
- Destination IP address
- ICMP message type
The ACL can also extract upper-layer information and test it against its rules. Upper-layer information includes:
- TCP/UDP source port
- TCP/UDP destination port
The Three Ps of ACLs
Inbound vs Outbound ACLs
There are two types of ACLs:
- Inbound ACLs: incoming packets are processed before they're routed to the outbound interface.
- Outbound ACLs: incoming packets are routed to the outbound interface and then they're processed.
Also:
- ACL statements are processed one at a time, in order. As soon as there is a match, the ACL is acted upon.
- At the end of every ACL there is an implicit deny. If the packet doesn't match any of the criteria, it will automatically be discarded, unless you state otherwise.
Standard ACLs
- Standard ACLs filter packets based on source IP addresses only.
- Standard ACLs can be numbered from 1 to 99 and from 1300 to 1999.
- Each statement can be either a permit or a deny.
- Below is an example of a standard ACL; notice the use of wildcard masks with ACLs.
Extended ACLs
- Extended ACLs can be used to filter packets based on source and destination IP addresses, ports, and protocol type.
- Extended ACLs can be numbered from 100 to 199 and from 2000 to 2699.
- Below you see that we have to identify tcp or udp; we also include "any eq 80", which means that any packet being used for HTTP can pass through the router.
Questions!!!
- What three parameters can ACLs use to filter traffic?
- How do standard ACLs filter traffic?
- What happens if a packet does not match any of the defined ACL statements?
- What are the three Ps of ACLs?
ACL Placement
- Placement is important so that our filters are used as efficiently as possible.
- Standard ACLs are placed closest to the destination.
- If we want to stop Accounting from accessing the Human Resources server, we'd place the standard ACL on port E0 of the Lab_B router.
ACL Placement Example
- Where would we place the standard ACL if we wanted to deny all of the connected hosts from accessing the Internet?
- How would we configure it?
ACL Placement Solution
Extended ACL Placement
- Extended ACLs are placed closest to the source, preventing any bandwidth from being wasted.
- If we wanted to deny host 172.16.30.5 in Finance from using Telnet or FTP, we'd create the following ACL and place it on port E1.
ACL Best Practices
Removing ACLs
- Use the show access-list command to view your access lists.
- Use the no access-list command to remove access lists.
Document Your ACLs
Documenting your ACLs helps you to easily see what they were put in place to do.
The Any and Host Keywords
- The any keyword is the same as typing in 0.0.0.0 255.255.255.255, which means all IP addresses match.
- The host keyword is the same as typing in a wildcard mask of 0.0.0.0, which means the IP address has to match exactly.
Named ACLs
- Named ACLs can be used for either standard or extended ACLs.
- They are useful in keeping track of what an ACL does for you.
Named Access Lists
- Example 1 shows using remark to define what the access list is used for, so that you don't have to remember.
- Example 2 shows using the ip access-list extended TELNETTING command to create a named access list, as well as providing a remark.
Named Access List Example
Editing ACLs - Named Access-List
- With named access lists, you have the ability to add additional ACL statements after you have created your original ACL.
- In the example below, we are inserting an additional permit statement for a host that we had left out when we created the original ACL group.
Editing ACLs
- ACLs are reviewed sequentially.
- You cannot insert ACL statements from the command line: if you type in a statement with the same ACL number, it will be added on to the end of the ACL.
- To edit ACLs, copy and paste the ACL into a text editor like Notepad, add your new information, and then copy and paste it back to the command line to apply it.
Questions!!!
- Where should a standard access list be placed?
- Where should an extended access list be placed?
- Why would we use a named ACL?
- What is an advantage that a named ACL has over a standard or extended ACL?
Dynamic (Lock-and-Key) ACLs
- Dynamic ACLs are also known as lock-and-key ACLs.
- You apply an extended ACL to block traffic through the router.
- Users can only get access through the router if they Telnet into the router and are authenticated to access the network.
- The dynamic ACL is used in conjunction with an Authentication, Authorization, and Accounting (AAA) server or a TACACS+ server.
- It is useful if you need to allow a user through your firewall from the Internet.
Configuring Dynamic (Lock-and-Key) ACLs
1. Set a login name and password.
2. Configure the dynamic access list. This allows the user to Telnet to the router. The window will be opened for 15 minutes.
3. Place the access list.
4. Once authenticated with Telnet, the Telnet session closes and the user will be able to access the network. 5 minutes of inactivity will cause the window to close.
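The four steps above describe a temporary opening tied to one authenticated host and governed by two timers: the 15-minute window and the 5-minute inactivity limit. The Python below is an added model of that behaviour, not Cisco's implementation and not code from the chapter: a successful Telnet login opens an entry for the source address, packets from that address are permitted while both timers are satisfied, and everything else falls through to the blocking extended ACL. The credential dictionary is a constructed stand-in for the AAA/TACACS+ server, and the class and method names (`LockAndKeyAcl`, `telnet_login`, `check`) are assumptions made for this example.

```python
import hmac
from dataclasses import dataclass

ABSOLUTE_TIMEOUT_S = 15 * 60   # the window the slide says is opened on login
IDLE_TIMEOUT_S = 5 * 60        # inactivity after which the slide says the window closes


@dataclass
class TempEntry:
    """One temporary permit the dynamic ACL created for an authenticated host."""
    user: str
    opened_at: float
    last_seen: float


class LockAndKeyAcl:
    """Hypothetical stand-in for the dynamic entry of a lock-and-key ACL."""

    def __init__(self, credentials: dict):
        # Constructed stand-in for the AAA/TACACS+ server the slide mentions.
        self.credentials = credentials
        self.entries: dict[str, TempEntry] = {}   # authenticated source IP -> permit

    def telnet_login(self, user: str, password: str, src_ip: str, now: float) -> bool:
        """Step 4 of the slide: a successful Telnet login opens the window for the
        host the user connected from; the Telnet session itself is then closed."""
        expected = self.credentials.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return False
        self.entries[src_ip] = TempEntry(user, opened_at=now, last_seen=now)
        return True

    def check(self, src_ip: str, now: float) -> str:
        """Decision for a packet from src_ip on the interface the dynamic ACL guards.
        Anything not covered by a live temporary entry hits the blocking extended ACL."""
        entry = self.entries.get(src_ip)
        if entry is None:
            return "deny"
        expired = (now - entry.opened_at > ABSOLUTE_TIMEOUT_S
                   or now - entry.last_seen > IDLE_TIMEOUT_S)
        if expired:
            del self.entries[src_ip]
            return "deny"
        entry.last_seen = now          # traffic resets the inactivity timer
        return "permit"


if __name__ == "__main__":
    acl = LockAndKeyAcl({"alice": "example-password"})   # constructed credentials
    print(acl.check("203.0.113.10", 0))                  # not authenticated yet
    acl.telnet_login("alice", "example-password", "203.0.113.10", 0)
    print(acl.check("203.0.113.10", 60))                 # inside the window
    print(acl.check("203.0.113.10", 60 + 6 * 60))        # more than 5 minutes idle
```

Timestamps are passed in explicitly so the two timers can be exercised deterministically; note that only the host address the user authenticated from is opened, so a second host on the same network still hits the deny.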
Reflexive ACLs
- Used to allow IP traffic for sessions originated from within the trusted network to an untrusted network.
- Denies IP traffic that originates from outside of the trusted network.
- Can only be created as a named ACL.
Configuring Reflexive ACLs
1. Create the named ACL using the reflect command to allow the router to track any traffic generated from inside the network.
2. The evaluate command causes all incoming traffic to be reviewed to see if it was generated from inside the trusted network.
3. Apply both an inbound and an outbound ACL to the interface.
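Steps 1 to 3 describe a pair of lists: the outbound list's permit statement carries reflect, which records each inside-originated session, and the inbound list's evaluate statement admits only the return traffic of those sessions. The Python below is an added model of that exchange, not Cisco's implementation and not from the chapter: `outbound()` plays the reflect entry, `inbound()` plays the evaluate entry followed by the implicit deny, and the inside prefix, the timeout value and the class and method names are assumptions made for the example, not IOS defaults.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """The 5-tuple a reflexive entry is keyed on (constructed packet description)."""
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

    def mirrored(self) -> "Flow":
        """The return direction of this session: addresses and ports swapped."""
        return Flow(self.proto, self.dst, self.src, self.dport, self.sport)


class ReflexiveAcl:
    """Hypothetical stand-in for the reflect/evaluate pair on one interface."""

    def __init__(self, inside_prefix: str, timeout_s: float):
        self.inside = ipaddress.ip_network(inside_prefix)   # the trusted network (assumed)
        self.timeout = timeout_s                            # constructed idle timeout
        self.reflected: dict[Flow, float] = {}              # mirrored flow -> expiry time

    def outbound(self, f: Flow, now: float) -> str:
        """'permit ... reflect NAME' on the outbound list: only sessions that originate
        inside the trusted network are permitted, and each one is reflected."""
        if ipaddress.ip_address(f.src) not in self.inside:
            return "deny"
        self.reflected[f.mirrored()] = now + self.timeout
        return "permit"

    def inbound(self, f: Flow, now: float) -> str:
        """'evaluate NAME' on the inbound list, then the implicit deny."""
        expiry = self.reflected.get(f)
        if expiry is None:
            return "deny"            # no inside-originated session matches this traffic
        if now >= expiry:
            del self.reflected[f]
            return "deny"            # the mirrored entry has aged out
        self.reflected[f] = now + self.timeout   # traffic on the session refreshes the timer
        return "permit"


if __name__ == "__main__":
    acl = ReflexiveAcl("10.1.1.0/24", timeout_s=300)
    web = Flow("tcp", "10.1.1.5", "198.51.100.7", 51000, 80)
    print("inside host opens session:", acl.outbound(web, 0))
    print("server reply:             ", acl.inbound(web.mirrored(), 10))
    print("unsolicited inbound:      ", acl.inbound(Flow("tcp", "198.51.100.7", "10.1.1.5", 80, 22), 10))
```

Because entries are keyed on the full mirrored 5-tuple, a reply from the same server to a different client port, or from a different server, is still denied; only the session the inside host actually started is let back in.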
Time-Based ACLs
Time-based ACLs allow you to control when your network can be accessed.
Configuring Time-Based ACLs
1. Define the time range and provide a name for the ACL.
2. Apply the time range to the ACL.
3. Apply the ACL to the interface.
Questions!!!
- What is another name for a dynamic ACL? What is it used for?
- What is the purpose of a reflexive ACL?
- What is the purpose of a time-range ACL?
Troubleshooting ACL Errors
Why can't host 192.168.10.10 telnet to 192.168.30.12?
- Host 192.168.10.10 can't connect because the ACL was configured out of sequence (20 should be first).
Troubleshooting ACL Errors
The 192.168.10.0/24 network can't use TFTP because TFTP uses UDP, not TCP.
- Since the permit statement is permit tcp any any, there is an implicit deny for all UDP traffic.
Troubleshooting ACL Errors
The 192.168.10.0/24 network can telnet to the 192.168.30.0/24 network, but should not be able to do so.
- The ACL statement in line 10 was written incorrectly. It should have been access-list 10 deny tcp any any eq telnet.
Troubleshooting ACL Errors
Host 192.168.10.10 can use Telnet to connect to 192.168.30.12, but isn't supposed to be able to connect.
- The Telnet deny statement doesn't apply to 192.168.10.10.
Troubleshooting ACL Errors
Host 192.168.30.12 can use Telnet to connect to 192.168.10.10, but isn't supposed to be able to connect.
- The Telnet deny statement has been placed in the wrong direction.
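The matching rules stated earlier in the chapter (source-only standard ACLs, extended ACLs with protocol and port, wildcard masks, the any and host keywords, first match wins, implicit deny at the end) and the mistakes in the troubleshooting slides above can all be checked with a small evaluator. The Python below is an added example, not Cisco code and not from the chapter: it parses a subset of the numbered access-list syntax (permit/deny, ip/tcp/udp/icmp, any, host, address plus wildcard, eq port) and evaluates packets top to bottom. The ACL lines and packets are constructed to stand in for the slide images the page does not include, the port-name table is a subset assumed from IOS usage, and the function and constant names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the port keywords IOS accepts in place of numbers (assumed from IOS usage).
PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20, "www": 80, "tftp": 69,
              "smtp": 25, "domain": 53}

@dataclass(frozen=True)
class Packet:
    """Fields of a packet that the chapter's ACLs can test (constructed input)."""
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Entry:
    """One parsed access-list statement."""
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: tuple            # (address, wildcard mask)
    dst: tuple            # (address, wildcard mask); any/any for standard ACLs
    sport: Optional[int]
    dport: Optional[int]
    text: str             # the original line, reported when it matches

def _is_ipv4(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _parse_addr(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' (a single host in a standard ACL)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and _is_ipv4(t[i + 1]):
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1

def _parse_port(t, i):
    """Consume an optional 'eq PORT' (a number or one of the keywords above)."""
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N permit|deny ...' line; the number decides the ACL type."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported statement: {line}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard: source address only
        src, _ = _parse_addr(t, 3)
        return Entry(action, "ip", src, ("0.0.0.0", "255.255.255.255"), None, None, line)
    proto = t[3]                                          # extended: proto src [eq] dst [eq]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Entry(action, proto, src, dst, sport, dport, line)

def matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and wildcard_match(p.src, *e.src)
            and wildcard_match(p.dst, *e.dst)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport))

def evaluate(acl_lines, packet: Packet):
    """Walk the ACL top to bottom; the first match decides; no match is the implicit deny."""
    for entry in map(parse_entry, acl_lines):
        if matches(entry, packet):
            return entry.action, entry.text
    return "deny", "implicit deny"

# Constructed ACLs standing in for the slide images the page does not include.
WEB_ONLY_ACL = ["access-list 101 permit tcp any any eq 80"]                # Extended ACLs slide
FINANCE_ACL = ["access-list 110 deny tcp host 172.16.30.5 any eq telnet",  # placement slide
               "access-list 110 deny tcp host 172.16.30.5 any eq ftp",
               "access-list 110 permit ip any any"]
TCP_ONLY_ACL = ["access-list 101 permit tcp any any"]                      # TFTP troubleshooting
SHADOWED_ACL = ["access-list 120 permit ip any any",                       # "20 should be first"
                "access-list 120 deny tcp host 192.168.10.10 host 192.168.30.12 eq telnet"]
FIXED_ACL = list(reversed(SHADOWED_ACL))

if __name__ == "__main__":
    tftp = Packet("udp", "192.168.10.10", "192.168.30.12", 50000, 69)
    telnet = Packet("tcp", "192.168.10.10", "192.168.30.12", 50000, 23)
    print("TFTP through tcp-only ACL:", evaluate(TCP_ONLY_ACL, tftp))
    print("Telnet, deny shadowed:    ", evaluate(SHADOWED_ACL, telnet))
    print("Telnet, deny first:       ", evaluate(FIXED_ACL, telnet))
```

Two of the troubleshooting cases fall straight out of the evaluator: TFTP through TCP_ONLY_ACL never matches the tcp statement and ends at the implicit deny, and in SHADOWED_ACL the deny is never reached because the permit ip any any above it matches first, which is exactly why the statement order has to be fixed rather than a new statement appended.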