Course 640-801 : CCNA

6.0 - IP Access Lists

[Author: CCNA640801@nym.hush.com]

Planning & Designing Objective 5 Develop an access list to meet user specifications Implementation & Operation Objective 16 Implement access lists Troubleshooting Objective 23 Troubleshoot an access list Technology Objective 31

Evaluate rules for packet control

Access-Lists can be used to control access both to and from network segments, can filter unwanted packets (e.g. routing updates, hackers, etc), and can be used to implement security policies. Specifically Access Control Lists (ACLs) are used to: Identify interesting traffic for DDR (dial-on-demand routing) Facilitate IP route filtering Provide high network availability An IP access-list is a filter that packets are compared with, categorized by, and then acted upon. Once the lists are created, they can be applied to either inbound or outbound traffic, on any interface. Once a list is applied, the router will analyze every packet crossing the interface in the specified direction and takes action accordingly. Processing rules Packets are always compared with each line of the ACL in sequential order (which incidentally is the order in which the statements were entered). a packet is compared with the lines of the ACL only until a match is made. Once a packet matches a line of the ACL, it is acted upon (PERMITted or DENYed), and then no further comparisons are made. If no match is found in the ACL, the packet is dropped (IMPLICIT DENY). This means if you don't explicitly allow the packet, then it will be discarded. There are two types of ACLs: Numbered and Named Standard and Extended Standard (ACLs) Standard IP ACLs can filter only on the source IP address inside an IP packet to filter the network Extended (ACLs) can filter on the source and destination IP address in the packet, the Protocol field in the Network-layer header (TCP, UDP, ICMP, etc), and port numbers in the Transport layer header.

Access lists can have the following applications: Inbound ACLs packets are processed through the ACL before being routed to the outbound interface. This is the most efficient form of ACL, as a packet that is dropped will not be looked-up in the routing table. If the packet is accepted it will then be processed before transmission. Outbound ACLs packets are routed to the outbound interface and then processed through the ACL, before being placed in the outbound queue. Processing Guidelines You can only have one ACL per protocol for each direction on each interface. An interface can have more than one ACL as long as there is only one per protocol. Access Lists are applied to the outbound direction if none is specified. The router cannot filter traffic that it originates itself. place the most restrictive statements at the top of the list. place the least restrictive statements at the bottom of the list. When a new test is added to the list, it is placed at the bottom of the list.
1/9

Course 640-801 : CCNA

6.0 - IP Access Lists

[Author: CCNA640801@nym.hush.com]

Its not possible to remove a single line from an ACL its best to copy the ACL to a text editor before trying to edit the list. Unless the list contains a PERMIT ANY command, all packets will be discarded if they do not meet any of the lists tests. Each ACL should have at least one PERMIT statement, otherwise nothing will pass through the interface. standard ACLs should be placed as close to the destination of the traffic to be compared extended ACLs should be placed as close to the source of the traffic to be compared if the direction is not specified in either the Access-Group or the Access-Class command, the default is assumed to be OUT

ACL Placement - Standard and Extended ACLs worked example # 1

Standard ACLs the goal is to prevent 192.168.3.1 from accessing 10.0.0.1 then it makes sense to place the list on Router A : E0 : Outbound. This is clearly as close to the destination as possible between the two points in question: So on RouterA the following commands would be entered RouterA(config)#access-list 1 deny 192.168.3.1 0.0.0.0 RouterA(config)#access-list 1 permit any any RouterA(config)#interface e0 RouterA(config-if)#ip access-group 1 out Extended ACLs the goal is to prevent 192.168.3.1 from accessing the web services 10.0.0.1 then it makes sense to place the list on Router C : E1 : Inbound. This is clearly as close to the source as possible between the two points in question So on RouterC the following commands would be entered RouterC(config)#access-list 100 deny RouterC(config)#access-list 100 permit RouterC(config)#interface e1 RouterC(config-if)#ip access-group 100 in TCP host TCP any 192.168.3.1 host 10.0.0.1 eq www any

2/9

Course 640-801 : CCNA

6.0 - IP Access Lists

[Author: CCNA640801@nym.hush.com]

Creating ACLs Access List ranges Range 1-99 & 100-199 & 800-899 900-999 1000-1099

1300-1999 2000-2699

List name IP standard access list IP extended access list IPX standard access list IPX extended access list SAP access list

There are two steps to creating ACLs first define the list and then apply it to the interface, OR - define the ACL and its parameters & then enable an interface to become part of the Access-List group Step1 router(config)#access-list [ # ] [ permit | deny ] [ source address ] [ wildcard mask ] [ log ] Step 2 router(config)#interface E0 router(config-if)#ip access-group router(config-line)#access-class

[#] [#]

[ in | out] [ in | out]

interface access control VTY access control

IN and OUT defined as traffic comes into the interface and as traffic leaves the interface respectively. Deleting ACLs router(config)#interface E0 router(config-if)#no access-list

10 permit

10.0.0.0

0.0.0.0

Wildcard masking allows you to specify an entire network or an individual host Wildcard masks tell the router which addressing bits must match in the address of the ACL statement i.e. the addresses we are interested in. Wildcards apply to subnet ranges and are easily calculated. They are more like an inverted subnet mask. 0.0.0.0 is also referred to as a host mask and means that the match must be exact to the ip address mentioned (default if no wildcard is not specified) 255.255.255.255 means the address can be anything in order to pass the comparison statement i.e. ANY) IP address 172.16.1.1 Wildcard mask 0.0.0.0 Matches Match host Matches exactly on address 172.16.1.1, and can be written as Permit host 172.16.1.1 Match a range Matches only on packets in the range Subtract the highest from the lowest 172.16.1.0 172.16.1.255 172.16.2.0 172.16.3.255 172.16.0.0 172.16.255.255 Match a subnet For any subnet, just subtract the SM from 255.255.255.255 255.255.255.255 255.255.255.0 = 0.0.0.255 255.255.255.255 255.255.128.0 = 0.0.127.255 255.255.255.255 255.255.255.224 = 0.0.0.31 255.255.255.255 255.255.255.192 = 0.0.0.63 255.255.255.255 Match all addresses Matches on any address, and can be written as Permit any
3/9

172.16.1.0 172.16.2.0 172.16.0.0

0.0.0.255 0.0.1.255 0.0.255.255

172.16.128.0 / 24 192.5.5.64 / 17 192.5.5.32 / 27 192.5.5.32 / 26 0.0.0.0

Course 640-801 : CCNA

6.0 - IP Access Lists

[Author: CCNA640801@nym.hush.com]

Standard Numbered ACLs Standard ACL - worked example # 1 permit traffic from address 200.23.34.0, and deny all other traffic (remember that an implicit DENY ANY exists at the end of the rules, and also note that a source mask of 0.0.0.255 means the first 3 octets must be exact, whilst the 255 suggests anything can be here). this effectively means that we only want traffic addressed from the 200.23.34.x network, whatever the final octet happens to be Router#config t Router(config)#access-list 1 permit 200.23.34.0 0.0.0.255 Apply the above created list to incoming interface E0 Router(config)#interface E0 Router(config-if)#ip access-group 1 in Router(config-if)#exit Router# Standard ACL - worked example # 2 Permit all packets originating from network 10.1.1.0 255.255.255.128, but deny all packets originating from network 10.1.1.128 255.255.255.128 We also want to deny all packets originating from network 15.1.1.0 except for packets from a single host of 15.1.1.5 Router#config t Router(config)#access-list 2 permit 10.1.1.0 0.0.0.127 Router(config)#access-list 2 deny 10.1.1.128 0.0.0.127 The final criteria is to permit all other traffic not previously mentioned. The procedure will be as follows Router(config)#access-list 2 permit 15.1.1.5 (0.0.0.0 by default as its not explicitly mentioned) Router(config)#access-list 2 deny 15.1.1.0 0.0.0.255 Router(config)#access-list 2 permit any Apply the above created list to incoming interface E0 Router(config)#interface E0 Router(config-if)#ip access-group 2 in Router(config-if)#exit Router# Standard ACL - worked example # 3 Permit all packets originating from network 3.2.4.0 and subnet mask 255.255.255.0 255.255.255.255 255.255.255.0 = 0.0.0.255 (this is the wildcard mask) and effectively means match exactly the first 3 octets, and permit anything for the final octet. Router#config t Router(config)#access-list 3 permit 3.2.4.0 0.0.0.255 Apply the above created list to incoming interface E0 Router(config)#interface E0 Router(config-if)#ip access-group 3 in Router(config-if)#^Z Router# Standard ACL - worked example # 4 Given 111.2.4.112 subnet mask 255.255.255.224, permit the defined range 255.255.255.255 - 255.255.255.224 = the Wildcard mask is 0.0.0.31 Router(config)#access-list 1 permit 112.2.4.112 0.0.0.31 Standard ACL - worked example # 5 Given 157. 89. 16.0 157. 89. 31.255, permit the defined range We subtract the smaller from the bigger number to give the wildcard mask i.e. 157. 89. 31.255 - 157. 89. 16. 0 = 0. 0. 15.255 Router(config)#access-list 1 permit 157.89.16.0 0.0.15.255 Standard ACL - worked example # 6 deny telnet from the subnet 195.17.2.0/24 Define the access list
4/9

Course 640-801 : CCNA

6.0 - IP Access Lists

[Author: CCNA640801@nym.hush.com]

Router(config)#access-list 12 deny 195.17.2.0 0.0.0.255 Router(config)#access-list 12 permit any Apply the access list Router(config)#int s0 Router(config-line)#ip access-group 12 in Router(config)#line vty 0 4 Router(config-line)#access-class 12 in

Extended Numbered ACLs These are much more flexible regarding matching than standard ACLs and can match on the following information: Source and destination IP address IP protocol TCP, UDP, ICMP, and so on Port information (WWW, DNS, FTP, TELNET, etc)

router(config)#access-list [ # ] [ permit | deny ] [ protocol ] [ source address ] [ wildcard mask ] [ destination address ] [ wildcard mask ] [ log ] IP protocol:

[ operator source port ] [ operator destination port ]

the type of protocol we want to match up (icmp | tcp | udp | igrp). To match on any IP protocol use the IP keyword for the protocol keyword for tcp and udp (and no other protocol) you can specify port numbers or names to match on a specific application (lt, gt, neq, eq, range) TCP port names TCP FTP TELNET SMTP DNS TFTP WWW SNMP RIP
5/9

operators:

Port Number 6 17 21 23 25 53 69 80 161 520

UDP port names

Course 640-801 : CCNA

6.0 - IP Access Lists

[Author: CCNA640801@nym.hush.com]

Extended ACL - worked example # 1 Router(config)#access-list 101 permit tcp any 172.16.0.0 0.0.255.255 log Any tcp session that comes from anywhere and is destined for 172.16.0.0/16 will be permitted and printed to the router console Router(config)#access-list 101 permit udp any host 172.16.1.1 eq dns log Allows dns traffic from any source thats destined for host 172.16.1.1 will be permitted and printed on the router console Router(config)#access-list 101 permit tcp 172.17.0.0 0.0.255.255 host 176.16.1.2 eq telnet log Allows telnet traffic from network 172.17.0.0/16 if the destination ip address is 176.16.1.2 and logs the output to the router console Router(config)#access-list 101 permit icmp any 176.16.0.0 0.0.255.255 echo-reply log Allows any replies to a ping back to network 176.16.0.0/16 and the match to be logged to the router console Router(config)#access-list 101 deny any any log The equivalent of an implicit deny but it is logged to the console screen Router(config)#interface E0 Router(config-if)#ip access-group 101 in Extended ACL - worked example # 2 Router(config)#access-list 102 permit tcp host 199.199.199.1. 200.200.200.1 eq dns DNS traffic from host 199.199.199.1 to be permitted to 200.200.200.1 Router(config)#access-list 102 permit udp any host 200.200.200.1 eq dns Permit dns traffic from anywhere to host 200.200.200.1 Router(config)#access-list 102 permit tcp any host 200.200.200.2 eq www Permit www traffic from any host to host 200.200.200.2 (effectively restricts web traffic to this one machine) Router(config)#access-list 102 permit icmp any 200.200.200.0 0.0.0.255 Permit any icmp messages from anywhere to be forwarded to the 200.200.200.0/24 network Router(config)#access-list 102 permit tcp any host 200.200.200.3 eq smtp Permit all smtp traffic destined for host 200.200.200.3 Router(config)#access-list 102 permit udp any any eq rip Permits all RIP traffic from anywhere to anywhere Router(config)#interface E0 Router(config-if)#ip access-group 102 in Extended ACL - worked example # 3 This is an extended access list that permits source packets matching the first three octets of the 131.107.30.0 address. Furthermore, the any keyword specifies that all destinations will be accepted Router(config)#access-list 104 permit tcp 131.107.30.0 0.0.0.255 any Extended ACL - worked example # 4 The subnet 10.0.1.0/24 that has the accounting servers on it. Add a statement to your existing access-list to prevent users from telnetting to those servers Router(config)#access-list 105 deny tcp any 10.0.1.0 0.0.0.255 eq telnet Extended ACL - worked example # 5 Restrict access on interface E1 = 207.87.81.173 Deny access to TELNET, FTP, SMTP - allow all other types of operations Router(config)#access-list 106 deny tcp any any eq 21 - ftp Router(config)#access-list 106 deny tcp any any eq 23 - telnet Router(config)#access-list 106 deny tcp any any eq 25 - smtp Router(config)#access-list 106 permit any Router(config)#interface E1 Router(config-if)#ip access-group 106 in Extended ACL - worked example # 6 This permits all source addressed tcp packets to reach 131.107.10.x Router(config)#access-list 106 permit tcp any 131.107.10.0 0.0.0.255 Extended ACL - worked example # 7 This denies all telnet traffic heading towards network 131.107.0.0 on our routers outbound interface
6/9

Course 640-801 : CCNA

6.0 - IP Access Lists

[Author: CCNA640801@nym.hush.com]

Router(config)#access-list 107 deny tcp any 131.107.0.0 0.0.255.255 eq telnet Router(config)#ip access-group 107 out Extended ACL - worked example # 8 to deny telnet access from Networks 192.168.11.0 and 192.168.21.0 Router(config)#access-list 108 deny tcp 192.168.11.0 0.0.0.255 any eq 23 Router(config)#access-list 108 deny tcp 192.168.21.0 0.0.0.255 any eq 23 Router(config)#access-list 108 permit any any Router(config)#interface s0 Router(config)#ip access-group 108 in For a given set of routers, deny telnet access to one of these routers Router(config)#access-list 108 deny tcp any Router(config)#access-list 108 permit ip any Router(config)#interface s0 Router(config)#ip access-group 108 in Extended ACL - worked example # 9

host any

<ip_int_s0>

eq

23

to prevent all traffic originating on the Paris LAN from entering the TestKing2 router TestKing2(config)#access-list 109 deny tcp 192.168.45.0 0.0.0.255 any TestKing2(config)#access-list 109 permit any any TestKing2(config)#interface S0 TestKing2(config-if)#ip access-group 109 in Extended ACL - worked example # 10

It has become necessary to prevent accounting department users on the TestKing1 router from accessing WWW services on the Human Resources server attached to interface E0 of the TestKing2 router. The following ACL has been created: On which interface and in which direction should this ACL be placed to prevent accounting users from accessing the network attached to the E0 interface of the TestKing2 router? Access to other networks should be unaffected The subnetwork address for accounting users in TestKing1 is 192.168.16.128. The aim is to prevent accounting
7/9

Course 640-801 : CCNA

6.0 - IP Access Lists

[Author: CCNA640801@nym.hush.com]

users from accessing Human Resources server in TestKing2. Since its an extended ACL, then its at the furthest point from the accounting users TestKing2 : E0 : Outbound E1 is entry point in TestKing1 for accessing Human resource server. So we have to place an ACL at interface E0 at Testking2 to prevent WWW traffic from Accounting users via TestKing1 getting to the Human Resources server. TestKing2(config)#access-list 110 deny tcp 192.168.16.128 0.0.0.31 eq WWW The second line in permits all other traffic entering interface E0 on TestKing2 TestKing2(config)#access-list 110 permit any TestKing2(config)#interface E0 TestKing2(config-if)#ip access-group 110 out

Named ACLs Starting with Cisco IOS 11.2 routers support both numbered and named ACLs. They allow more than 99 Standard and 100 Extended ACLs to be created. Syntax: router(config)#access-list

standard | extended

ACL_name

once entered the appropriate sub-configuration mode is entered and the ACL commands are entered: router(config-std-acl)# permit | deny {source address} {wildcard mask} router(config-ext-acl)# PERMIT | DENY {protocol} {source address and wildcard mask} {operator source_port} {destination address and wildcard mask} {operator destination_port} {LOG} then we activate the list: router(config)#interface type [modules_#] port_# router(config-if)#ip access-group {ACL_name} in | out

Named ACLs - worked example # 1 Same as extended ACL worked example #1 Router(config)#ip access-list extended do_not_enter Router(config-ext-acl)#permit tcp any 172.16.0.0 0.0.255.255 log Router(config-ext-acl)#permit udp any host 172.16.1.1 eq dns log Router(config-ext-acl)#permit tcp 172.17.0.0 0.0.255.255 host 176.16.1.2 eq telnet log Allows telnet traffic from network 172.17.0.0/16 if the destination ip address is 176.16.1.2 and logs the output to the router console Router(config-ext-acl)#permit icmp any 176.16.0.0 0.0.255.255 echo-reply log Router(config-ext-acl)#deny any any log Router(config)#interface E0 Router(config-if)#ip access-group do_not_enter in

ACL Verification Verify configuration and show all ACLs using Router(config)#show running-config To see which ACLs are acting on a particular interface, use the Router(config)#show interface [ # ] To see the placement and direction of IP ACLs, use the Router(config)#show ip interfaces [ # ]
8/9

Course 640-801 : CCNA

6.0 - IP Access Lists

[Author: CCNA640801@nym.hush.com]

To see statements in the ACLs use the following commands (also shows the # of matches against each ACL) Router(config)#show access-list [ # ] To show all IP ACLs and counters Router#show ip access-list To show IP ACL 100 Router#show ip access-list 100 To clear the counters use Router(config)#show access-list [ # ] Router(config)#clear access-list counter [ # ]

Network Address Translation (NAT) NAT is the process of swapping one address for another in the IP packet header; ideal for translating between unregistered and registered IP addresses the 3 types of NAT are: overload - another term for Port Address Translation (PAT). It has a many-to-one mapping dynamic static Three benefits of NAT: It eliminates readdressing overhead of hosts that require external access It conserves IP addresses through application port-level multiplexing It hides the internal network, providing a small level of network security

9/9