Thursday 14 March 2013

IOS ACL - Part 1 Extended ACL, Reflexive ACL and Dynamic ACL

1. Basic ACL
Standard ACLs
Standard ACLs control traffic by the comparison of the source address of the IP packets to the addresses configured in the ACL.

access-list access-list-number {permit|deny} {host|source source-wildcard|any}
 access-list-number can be anything from 1 to 99
After the ACL is defined, it must be applied to the interface (inbound or outbound).

interface interface-name
ip access-group access-list-number {in|out}
Extended ACLs
Extended ACLs control traffic by the comparison of the source and destination addresses of the IP packets to the addresses configured in the ACL.

IP

access-list access-list-number
     [dynamic dynamic-name [timeout minutes]]
     {deny|permit} protocol source source-wildcard
     destination destination-wildcard [precedence precedence]
     [tos tos] [log|log-input] [time-range time-range-name]
ICMP

access-list access-list-number
     [dynamic dynamic-name [timeout minutes]]
     {deny|permit} icmp source source-wildcard
     destination destination-wildcard
     [icmp-type [icmp-code] |icmp-message]
     [precedence precedence] [tos tos] [log|log-input]
     [time-range time-range-name]
TCP

access-list access-list-number
     [dynamic dynamic-name [timeout minutes]]
     {deny|permit} tcp source source-wildcard [operator [port]]
     destination destination-wildcard [operator [port]]
     [established] [precedence precedence] [tos tos]
     [log|log-input] [time-range time-range-name]
UDP

access-list access-list-number
     [dynamic dynamic-name [timeout minutes]]
     {deny|permit} udp source source-wildcard [operator [port]]
     destination destination-wildcard [operator [port]]
     [precedence precedence] [tos tos] [log|log-input]
     [time-range time-range-name]
 access-list-number can be 100 to 199

Named ACLs
 IP named ACLs allow standard and extended ACLs to be given names instead of numbers.
ip access-list {extended|standard} name

2. Reflexive ACL

Reflexive access lists contain only temporary entries; these entries are automatically created when a new IP session begins (for example, the reflexive ACL is triggered by an outbound packet), and the entries are removed when the session ends. Reflexive access lists are not themselves applied directly to an interface, but are "nested" within an extended named IP access list that is applied to the interface.

Restrictions on Using Reflexive Access Lists
Reflexive access lists do not work with some applications that use port numbers that change during a session. For example, if the port numbers for a return packet are different from the originating packet, the return packet will be denied, even if the packet is actually part of the same session.

The TCP application of FTP is an example of an application with changing port numbers. With reflexive access lists, if you start an FTP request from within your network, the request will not complete. Instead, you must use Passive FTP when originating requests from within your network.
ip access-list extended nameA
   permit protocol any any reflect nameB [timeout seconds]
ip access-list extended nameC
   evaluate nameB
interface interface-name
  ip access-group nameA out
  ip access-group nameC in
3. Dynamic ACL

Dynamic ACL is dependent on Telnet, authentication (local or remote), and extended ACLs.
Dynamic ACL configuration starts with the application of an extended ACL to block traffic through the router. Users that want to traverse the router are blocked by the extended ACL until they Telnet to the router and are authenticated. The Telnet connection then drops and a single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a particular time period; idle and absolute timeouts are possible.

access-list access-list-number dynamic name {permit|deny} [protocol]
{source source-wildcard|any} {destination destination-wildcard|any}
[precedence precedence][tos tos][established] [log|log-input]
[operator destination-port|destination port]
4. Scenario 

A. Basic ACL

Requirements inside to outside
-permit outside DNS
-permit www access
-permit https access
-permit FTP access (active mode)
-permit ping and traceroute

Requirements outside to inside
-permit www access to server 10.1.1.2
-protect for fragmented packets

Note: FTP is an exclusively TCP-based service. A typical FTP session uses two channels: a command (or control) channel on port 21 and a data channel. The port used for the data channel differs depending on the data transfer mode. In Active mode the data channel port is 20. In Passive mode the data channel port is a random port >1023. In Active mode a user connects from a random port on the file transfer client to port 21 on the server and sends the PORT command, specifying which client-side port the server should connect to. This port will be used later for the data channel and is different from the port used in this step for the command channel. In Passive mode the client still initiates the command channel connection to the server, but instead of sending the PORT command it sends the PASV command, which is a request for a server port to connect to for data transmission. When the FTP server replies, it indicates which port number it has opened for the ensuing data transfer.

ip access-list extended TRAFFIC-IN
 deny   ip any any fragments
 permit tcp any any established
 permit udp any eq domain any
 permit udp any eq ntp any
 permit tcp any eq ftp-data any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 permit tcp any host 10.1.1.2 eq www
 deny   ip any any log
ip access-list extended TRAFFIC-OUT
 permit udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any eq ntp any
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit icmp any any echo
 permit udp any any range 33434 33464
 permit tcp host 10.1.1.2 eq www any
 deny   ip any any log

interface FastEthernet2/0
 ip address 172.20.1.2 255.255.255.0
 ip access-group TRAFFIC-IN in
 ip access-group TRAFFIC-OUT out
Verification
R1#show ip access-lists
Extended IP access list TRAFFIC-IN
    5 deny ip any any fragments
    10 permit tcp any any established (5859 matches)
    20 permit udp any eq domain any (213 matches)
    50 permit tcp any eq ftp-data any (1 match)
    60 permit icmp any any echo-reply (17 matches)
    70 permit icmp any any time-exceeded (325 matches)
    80 permit icmp any any port-unreachable (43 matches)
    90 permit tcp any host 10.1.1.2 eq www (1 match)
    9999 deny ip any any log (53 matches)
Extended IP access list TRAFFIC-OUT
    10 permit udp any any eq domain (213 matches)
    20 permit tcp any any eq www (3228 matches)
    30 permit tcp any any eq 443 (1032 matches)
    50 permit tcp any any eq ftp (43 matches)
    60 permit tcp any any eq ftp-data (3 matches)
    70 permit icmp any any echo (17 matches)
    80 permit udp any any range 33434 33464
    90 permit tcp host 10.1.1.2 eq www any (6 matches)
    9999 deny ip any any log (56 matches)
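To make the first-match semantics of the extended ACL syntax in section 1 and of the TRAFFIC-IN list above concrete, here is an added example; it is not the blog post's own code. It parses the page's TRAFFIC-IN entries in their IOS syntax and evaluates constructed sample packets against them (the 203.0.113.0/24 "outside" addresses, the client ports, and the Packet, parse_acl and evaluate names are the example's own). It also shows why the `deny ip any any fragments` line sits first: under the IOS rule for non-initial fragments, an entry that carries Layer 4 qualifiers such as `established` or a port permits a fragment that matches its addresses but never denies one, so without that guard line the fragment falls into the `established` entry.

```python
"""Added example, not the blog post's code: a minimal evaluator for the subset of
IOS extended-ACL syntax used in TRAFFIC-IN above, showing first-match ordering, the
implicit deny, and what the 'fragments' and 'established' keywords really match."""
import ipaddress
from dataclasses import dataclass
from types import SimpleNamespace
from typing import Optional
PORT_NAMES = {"domain": 53, "ntp": 123, "ftp": 21, "ftp-data": 20, "www": 80}  # IOS keywords used here
ICMP_MESSAGES = {"echo", "echo-reply", "time-exceeded", "port-unreachable"}
TRAFFIC_IN = """
deny   ip any any fragments
permit tcp any any established
permit udp any eq domain any
permit udp any eq ntp any
permit tcp any eq ftp-data any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any port-unreachable
permit tcp any host 10.1.1.2 eq www
deny   ip any any log
"""  # the page's TRAFFIC-IN list, copied as configured

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False           # ACK or RST bit set: what 'established' tests
    fragment: bool = False      # non-initial fragment, so no L4 header present
    icmp: Optional[str] = None  # ICMP message name, e.g. "echo-reply"

def _port(tok): return PORT_NAMES.get(tok) or int(tok)

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A wildcard' (contiguous wildcard masks only)."""
    if tok[i] == "any": return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host": return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tok[i + 1]))        # wildcard -> netmask
    return ipaddress.ip_network((tok[i], str(ipaddress.ip_address(mask))), strict=False), i + 2

def _ports(tok, i):
    """Parse an optional 'eq port' or 'range lo hi' operator into an inclusive (lo, hi)."""
    if i < len(tok) and tok[i] == "eq": return (_port(tok[i + 1]),) * 2, i + 2
    if i < len(tok) and tok[i] == "range": return (_port(tok[i + 1]), _port(tok[i + 2])), i + 3
    return None, i

def parse_ace(line):
    tok = line.split()
    src, i = _addr(tok, 2)
    sports, i = _ports(tok, i)
    dst, i = _addr(tok, i)
    dports, i = _ports(tok, i)
    opts = tok[i:]
    return SimpleNamespace(permit=tok[0] == "permit", proto=tok[1], src=src, sports=sports,
                           dst=dst, dports=dports, established="established" in opts,
                           fragments="fragments" in opts, text=" ".join(tok),
                           icmp=next((o for o in opts if o in ICMP_MESSAGES), None))

def parse_acl(text): return [parse_ace(l) for l in text.strip().splitlines()]

def matches(ace, pkt):
    """Verdict if this entry decides the packet, else None (fall through to the next)."""
    if ace.proto != "ip" and ace.proto != pkt.proto: return None
    if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
        return None
    if ace.fragments: return ace.permit if pkt.fragment else None   # non-initial fragments only
    if pkt.fragment and (ace.sports or ace.dports or ace.established or ace.icmp):
        # IOS rule: a non-initial fragment has no L4 header, so an entry with L4 qualifiers
        # permits it (assumed match) but never denies it; a deny just falls through
        return True if ace.permit else None
    if ace.sports and not ace.sports[0] <= pkt.sport <= ace.sports[1]: return None
    if ace.dports and not ace.dports[0] <= pkt.dport <= ace.dports[1]: return None
    if ace.established and not pkt.ack: return None
    if ace.icmp and ace.icmp != pkt.icmp: return None
    return ace.permit

def evaluate(acl, pkt):
    """First match wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        verdict = matches(ace, pkt)
        if verdict is not None: return verdict, ace.text
    return False, "implicit deny"

ACL = parse_acl(TRAFFIC_IN)
SAMPLES = {  # constructed inbound packets; 203.0.113.0/24 stands in for "outside"
    "web to server":   Packet("tcp", "203.0.113.5", "10.1.1.2", 51000, 80),
    "ssh to server":   Packet("tcp", "203.0.113.5", "10.1.1.2", 51001, 22),
    "https reply":     Packet("tcp", "173.194.34.79", "10.1.1.2", 443, 36798, ack=True),
    "active ftp data": Packet("tcp", "203.0.113.7", "10.1.1.2", 20, 40000),
    "inbound ping":    Packet("icmp", "203.0.113.5", "10.1.1.2", icmp="echo"),
    "tcp fragment":    Packet("tcp", "203.0.113.5", "10.1.1.2", fragment=True),
}

def verdicts(acl=ACL): return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}

def fragment_without_guard():
    """Same fragment, but with the 'deny ip any any fragments' line removed."""
    return evaluate(ACL[1:], SAMPLES["tcp fragment"])
```

Calling verdicts() returns, for each sample, the verdict and the entry that decided it: the web request hits the `eq www` line, the HTTPS reply the `established` line, the active-mode data connection from server port 20 the `ftp-data` line, and the SSH attempt and the inbound echo fall to the final `deny ip any any log`. fragment_without_guard() returns the permit from `permit tcp any any established` for the same non-initial fragment that the full list denies, which is the "protect for fragmented packets" requirement. The wildcard branch of _addr handles contiguous masks only, which is all the page's lists use.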
B. Reflexive ACL
Requirements
-permit all traffic (TCP,UDP,ICMP) from inside to outside

Note: for this task, remove all previously configured ACLs.
ip access-list extended TRAFFIC-OUT
 permit tcp any any reflect MIRROR
 permit udp any any reflect MIRROR
 permit icmp any any reflect MIRROR
 deny   ip any any log
ip access-list extended TRAFFIC-IN
 evaluate MIRROR
 deny   ip any any log

interface FastEthernet2/0
 ip address 172.20.1.2 255.255.255.0
 ip access-group TRAFFIC-IN in
 ip access-group TRAFFIC-OUT out
Verification
R1#show ip access-lists                
Reflexive IP access list MIRROR
     permit tcp host 173.194.34.79 eq 443 host 10.1.1.2 eq 36798 (45 matches) (time left 269)
     permit udp host 8.8.8.8 eq domain host 10.1.1.2 eq 56413 (2 matches) (time left 179)
     permit tcp host 173.194.41.79 eq 443 host 10.1.1.2 eq 32899 (24 matches) (time left 268)
     permit udp host 8.8.8.8 eq domain host 10.1.1.2 eq 50338 (2 matches) (time left 178)
     permit udp host 8.8.8.8 eq domain host 10.1.1.2 eq 34574 (2 matches) (time left 178)
     permit udp host 8.8.8.8 eq domain host 10.1.1.2 eq 42713 (2 matches) (time left 178)
     permit udp host 8.8.8.8 eq domain host 10.1.1.2 eq 38732 (2 matches) (time left 178)
     permit tcp host 173.194.39.184 eq 443 host 10.1.1.2 eq 45214 (336 matches) (time left 269)
     permit udp host 8.8.8.8 eq domain host 10.1.1.2 eq 58391 (2 matches) (time left 176)
     permit tcp host 173.194.39.145 eq 443 host 10.1.1.2 eq 33936 (24 matches) (time left 266)
     permit udp host 8.8.8.8 eq domain host 10.1.1.2 eq 41884 (2 matches) (time left 176)
     permit udp host 8.8.8.8 eq domain host 10.1.1.2 eq 48723 (2 matches) (time left 171)
     permit udp host 8.8.8.8 eq domain host 10.1.1.2 eq 35283 (2 matches) (time left 171)
     permit icmp host 8.8.8.8 host 10.1.1.2  (1037 matches) (time left 299)
Extended IP access list TRAFFIC-IN
    10 evaluate MIRROR
    9999 deny ip any any log (29 matches)
Extended IP access list TRAFFIC-OUT
    10 permit tcp any any reflect MIRROR (215 matches)
    20 permit udp any any reflect MIRROR (38 matches)
    30 permit icmp any any reflect MIRROR (545 matches)
    40 deny ip any any log
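The MIRROR output above shows each temporary entry as the exact reverse of an outbound flow (server address and port as source, the inside host and its ephemeral port as destination) with a countdown. The following added example, which is not the blog post's code, models that behaviour: the `reflect` line creates the mirror entry, `evaluate` admits only an exact match while the entry is unexpired, and matching traffic refreshes the timer. It then replays the FTP restriction from section 2: in active mode the server opens the data channel toward the port named in PORT, no outbound packet ever created a mirror for it, so the connection is denied; in passive mode the client opens both channels and both get entries. The addresses 203.0.113.9 and 8.8.4.4, the port numbers, the times and the Flow/ReflexiveAcl names are constructed for the example.

```python
"""Added example, not the blog post's code: a model of how a reflexive ACL creates
and ages its temporary mirror entries, and why active FTP fails through one while
passive FTP succeeds. Addresses, ports and times are constructed sample values."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirror(self):
        """The return direction: source and destination (and their ports) swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class ReflexiveAcl:
    """Models 'permit <proto> any any reflect NAME [timeout s]' on the outbound ACL
    together with 'evaluate NAME' on the inbound ACL (default timeout 300 s)."""
    def __init__(self, timeout=300):
        self.timeout = timeout
        self.entries = {}          # mirror Flow -> absolute expiry time

    def outbound(self, flow, now):
        """An outbound packet matching the 'reflect' line creates the mirror entry."""
        mirror = flow.mirror()
        self.entries[mirror] = now + self.timeout
        return mirror

    def inbound(self, flow, now):
        """'evaluate': permit only if an unexpired mirror entry matches exactly."""
        self.entries = {f: t for f, t in self.entries.items() if t > now}   # age out
        if flow not in self.entries:
            return False
        self.entries[flow] = now + self.timeout     # traffic resets the inactivity timer
        return True

    def show(self, now):
        """Roughly the 'show ip access-lists' rendering of the temporary entries."""
        return [f"permit {f.proto} host {f.src} eq {f.sport} host {f.dst} eq {f.dport} "
                f"(time left {t - now})" for f, t in self.entries.items() if t > now]

INSIDE, SERVER, DNS = "10.1.1.2", "203.0.113.9", "8.8.8.8"   # constructed addresses

def dns_lifecycle():
    """Query out; reply in while the entry lives; a spoofed reply; the real reply too late."""
    acl = ReflexiveAcl()
    query = Flow("udp", INSIDE, 50338, DNS, 53)
    mirror = acl.outbound(query, now=0)
    reply = query.mirror()
    spoof = Flow("udp", "8.8.4.4", 53, INSIDE, 50338)      # different source: no entry for it
    return mirror, acl.inbound(reply, now=5), acl.inbound(spoof, now=6), acl.inbound(reply, now=400)

def active_ftp():
    """Client opens the control channel; the server then opens the data channel."""
    acl = ReflexiveAcl()
    acl.outbound(Flow("tcp", INSIDE, 40001, SERVER, 21), now=0)
    # client sent 'PORT ...' naming 40002; server connects from ftp-data (20) to it
    return acl.inbound(Flow("tcp", SERVER, 20, INSIDE, 40002), now=1)

def passive_ftp():
    """Client opens both channels, so both get mirror entries."""
    acl = ReflexiveAcl()
    acl.outbound(Flow("tcp", INSIDE, 40001, SERVER, 21), now=0)
    data = Flow("tcp", INSIDE, 40003, SERVER, 50000)       # server's PASV reply named 50000
    acl.outbound(data, now=1)
    return acl.inbound(data.mirror(), now=2)
```

dns_lifecycle() returns the mirror entry `udp 8.8.8.8:53 -> 10.1.1.2:50338`, a permitted reply, a denied reply from a different resolver address, and a denied reply after the timer ran out; active_ftp() returns False and passive_ftp() True, which is the reason the restriction in section 2 tells you to use passive mode. The model does not implement the early removal of TCP entries on FIN/RST that IOS performs; only the inactivity timer is represented.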
C. Dynamic ACL
Requirements
-permit ping traffic from outside (authenticated IP) to the inside
aaa new-model
aaa authentication login CONSOLE none
aaa authorization exec default local
username CISCO autocommand access-enable host timeout 10
username CISCO password 0 test_ping
ip access-list extended TRAFFIC-IN
 evaluate MIRROR
 permit tcp any host 172.20.1.2 eq telnet
 dynamic PING_ACCESS permit icmp any any
 deny   ip any any log
Verification
Extended IP access list TRAFFIC-IN
    10 evaluate MIRROR
    15 permit tcp any host 172.20.1.2 eq telnet (342 matches)
    20 Dynamic PING_ACCESS permit icmp any any
       permit icmp host 192.168.223.129 any (4 matches) (time left 595)
       permit icmp host 172.20.1.1 any (5 matches) (time left 315)

    9999 deny ip any any log (57 matches)
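The two temporary entries in the output above are scoped to `host 192.168.223.129` and `host 172.20.1.1` because the autocommand uses `access-enable host`; without the `host` keyword the entry installed after one login would be `permit icmp any any` and would open the path for every outside address until it timed out. The following added example, which is not the blog post's code, models that lifecycle from section 3: the `timeout` of `access-enable` is the idle timer refreshed by matching traffic, and the optional `timeout` on the `dynamic` line is the absolute lifetime. The DynamicAcl and TempEntry names, the address 198.51.100.9 and the times (in minutes) are constructed for the example.

```python
"""Added example, not the blog post's code: a model of the lock-and-key (dynamic ACL)
entry lifecycle, showing what the 'host' keyword of access-enable changes and how the
idle timeout (access-enable) and the absolute timeout (dynamic ... timeout) interact.
Times are in minutes; addresses are constructed sample values."""
from dataclasses import dataclass

@dataclass
class TempEntry:
    source: str      # "any", or the authenticating host when 'host' was given
    created: int
    last_hit: int

class DynamicAcl:
    """'dynamic NAME [timeout absolute] permit icmp any any' combined with
    'username ... autocommand access-enable [host] [timeout idle]'."""
    def __init__(self, idle=10, absolute=None, host_keyword=True):
        self.idle, self.absolute, self.host_keyword = idle, absolute, host_keyword
        self.entries = []

    def telnet_authenticated(self, client_ip, now):
        """After a successful Telnet login the autocommand installs the temporary entry."""
        src = client_ip if self.host_keyword else "any"
        self.entries.append(TempEntry(src, created=now, last_hit=now))

    def _alive(self, e, now):
        if now - e.last_hit > self.idle:                 # no matching traffic for too long
            return False
        return self.absolute is None or now - e.created <= self.absolute

    def permits(self, src_ip, now):
        """Does ICMP from src_ip pass the dynamic entry at time 'now'?"""
        self.entries = [e for e in self.entries if self._alive(e, now)]
        for e in self.entries:
            if e.source in ("any", src_ip):
                e.last_hit = now                          # matching traffic refreshes the idle timer
                return True
        return False

def host_keyword_matters():
    """One login from 172.20.1.1; does an unrelated outside host get through as well?"""
    results = {}
    for host_kw in (True, False):
        acl = DynamicAcl(idle=10, host_keyword=host_kw)
        acl.telnet_authenticated("172.20.1.1", now=0)
        results[host_kw] = (acl.permits("172.20.1.1", 1), acl.permits("198.51.100.9", 1))
    return results

def timeouts():
    """Idle 10, absolute 30: steady pings keep the entry alive only until minute 30;
    with an idle timer alone, a gap longer than 10 minutes removes it."""
    acl = DynamicAcl(idle=10, absolute=30)
    acl.telnet_authenticated("172.20.1.1", now=0)
    steady = [acl.permits("172.20.1.1", t) for t in (5, 14, 23, 29, 35)]
    idle_only = DynamicAcl(idle=10)
    idle_only.telnet_authenticated("172.20.1.1", now=0)
    return steady, idle_only.permits("172.20.1.1", 9), idle_only.permits("172.20.1.1", 20)
```

host_keyword_matters() returns {True: (True, False), False: (True, True)}: with `host`, only the address that authenticated is permitted; without it, the single login opens the entry for everyone. timeouts() shows the absolute limit cutting off a host that keeps the entry busy, and the idle limit removing an entry that went quiet.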