ACL (Access Control Lists): Standard, Extended and Named ACL

Objectives
• In this lesson, you will learn:
• Purpose of ACLs
• Its application to an enterprise network
• How ACLs are used to control access
• Types of Cisco ACLs:
• Standard ACL
• Extended ACL
• Named ACL
ACL (Access Control Lists)
• An ACL is a router configuration script that controls whether a router permits or denies packets.
• By default, a router does not have any ACLs configured and therefore does not filter traffic.

Types of ACL
• These are examples of IP ACLs that can be configured in Cisco IOS Software:
• Standard ACLs
• Extended ACLs
• IP-named ACLs
• And others

Guidelines for using ACLs
• Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
• Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
• Configure ACLs on border routers, the routers situated at the edges of your networks, to act as a buffer from the outside network.
ACL Operation - Inbound ACLs
• ACL statements are evaluated in sequential order, from the top of the list down.
• If a packet header matches an ACL statement, that statement's action is applied and the rest of the statements in the list are skipped.
• If a packet header does not match a statement, the packet is tested against the next statement in the list.
• A final implied statement (the IMPLICIT DENY) covers all packets for which no condition tested true, so a list with no permit statement blocks all traffic.

Placement of Standard ACL
    access-list 99 deny 192.168.10.0 0.0.0.255
    access-list 99 permit any
Extended ACL
• Extended ACLs filter IP packets based on several attributes:
• protocol type,
• source IP address and destination IP address,
• source TCP or UDP port and destination TCP or UDP port.
• In the figure, ACL 102 denies FTP and Telnet traffic originating from any address on 192.168.10.0/24 from leaving the network.

Placement of ACLs - Extended
    access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
    access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq ftp
    access-list 102 permit ip any any
(An extended ACL entry must name a protocol, so the final permit is written "permit ip any any".)
Apply the access list 'inbound' to the Fa 0/1 interface of R1.
Example Network: Controlling inbound access
• Deny all traffic from private IP addresses.
• Allow all IP sessions already established, i.e. with the ACK bit set.
• Deny anyone from entering your network from the outside with an internal address (spoofing your network) and log each packet occurrence.
• Deny the infamous Donald Dick and Prosiak ports.
• Deny the Deepthroat and Sockets des Troie ports.
• Deny any SNMP requests from the outside. SNMP is a valuable tool to hackers for network discovery.
• Permit packets that were not previously rejected to enter your network.

Example: Inbound access control list
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
    access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
    access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
    access-list 100 deny ip any host 127.0.0.1 log
    access-list 100 permit ip any [your network IP address] [your network mask] est
    access-list 100 deny ip [your network IP address] [your network mask] any log
    access-list 100 deny tcp any any eq 22222 log
    access-list 100 deny tcp any any range 60000 60020 log
    access-list 100 deny udp any any eq snmp log
    access-list 100 permit ip any any
Explaining commands
• Entry 5, "permit ip any [your network IP address] [your network mask] est", allows all IP sessions already established, i.e. TCP segments with the ACK bit set ("est" abbreviates the "established" keyword, which IOS accepts only on tcp entries, so in practice this line is entered with "tcp" in place of "ip"). The purpose of this entry is to ensure that if your firewall allows a connection request to leave your network, the router doesn't stop its return.
• Entry 6, "deny ip [your network IP address] [your network mask] any log", denies anyone from entering your network from the outside with an internal address (spoofing your network) and logs each packet occurrence. This is very important for good security.
• Entry 7, "deny tcp any any eq 22222 log", denies the infamous Donald Dick and Prosiak ports.
• Entry 8, "deny tcp any any range 60000 60020 log", denies the Deepthroat and Sockets des Troie ports.
• Entry 9, "deny udp any any eq snmp log", denies any SNMP requests from the outside. SNMP is a valuable tool to hackers for network discovery.
• Entry 10, "permit ip any any", permits packets that were not previously rejected to enter your network.
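The matching rules from the ACL Operation slide (top-down, first match wins, implicit deny) and the wildcard-mask semantics, applied to ACL 100, as an added Python simulator that is not part of the slides. It assumes 203.0.113.0 0.0.0.255 as a constructed stand-in for [your network IP address] [your network mask], and models "established" as IOS applies it: only TCP segments with ACK set match.

```python
import ipaddress

# Model of a numbered extended ACL entry (a constructed simulator, not IOS code).
def ace(action, proto, src, dst, ports=None, est=False):
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "ports": ports, "est": est}

def addr_matches(spec, addr):
    """Wildcard-mask match: 0 bits in the wildcard must match, 1 bits are ignored."""
    if spec == "any":
        return True
    base, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(base)) & care) == \
           (int(ipaddress.IPv4Address(addr)) & care)

def ace_matches(e, pkt):
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(e["src"], pkt["src"]) and addr_matches(e["dst"], pkt["dst"])):
        return False
    if e["ports"] and not (e["ports"][0] <= pkt.get("dport", -1) <= e["ports"][1]):
        return False
    # 'established' matches only TCP segments that carry ACK (or RST)
    if e["est"] and not (pkt["proto"] == "tcp" and pkt.get("ack", False)):
        return False
    return True

def evaluate(acl, pkt):
    """Entries are tested top-down; the first match decides, else implicit deny."""
    for n, e in enumerate(acl, start=1):
        if ace_matches(e, pkt):
            return e["action"], n
    return "deny", None        # the implicit deny at the end of every ACL

NET = "203.0.113.0 0.0.0.255"   # assumed stand-in for [your network IP address] [mask]
ACL_100 = [
    ace("deny", "ip", "10.0.0.0 0.255.255.255", "any"),
    ace("deny", "ip", "172.16.0.0 0.15.255.255", "any"),
    ace("deny", "ip", "192.168.0.0 0.0.255.255", "any"),
    ace("deny", "ip", "any", "127.0.0.1 0.0.0.0"),       # host 127.0.0.1
    ace("permit", "ip", "any", NET, est=True),
    ace("deny", "ip", NET, "any"),                       # anti-spoofing entry
    ace("deny", "tcp", "any", "any", ports=(22222, 22222)),
    ace("deny", "tcp", "any", "any", ports=(60000, 60020)),
    ace("deny", "udp", "any", "any", ports=(161, 161)),  # eq snmp
    ace("permit", "ip", "any", "any"),
]
```

Evaluating ACL_100[:9] (the list without its final permit) against ordinary traffic returns ("deny", None), which is the implicit deny in action.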