Extended Access Control Lists

Extended ACLs Can Filter on One or Many Data Fields
Extended ACLs – Creating an Extended Access List
As with standard lists, the access-list command is used to create each condition
of the list – using one condition per line. The syntax for each line in the list is:
access-list access-list-number {permit | deny} {protocol | protocol keyword} {source | any} [source-wildcard] [source port] {destination | any} [destination-wildcard] [destination port] [options]
Example:
Lab-X#config t
Lab-X(config)#Access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq www
Lab-X(config)#Access-list 101 deny tcp any any eq ftp
Lab-X(config)#Access-list 101 permit ip any any
Lab-X(config)#interface Fastethernet 0/0
Lab-X(config-if)#ip access-group 101 out
The access-list-number range for IP extended access lists is 100 to 199.
The protocol entry defines the protocol to be filtered, such as IP, TCP, UDP, or
ICMP for example. Because IP headers transport TCP, UDP, and ICMP, it is
important to specify the protocol or you could end up inadvertently filtering
more than you want to.
Extended ACLs – TCP Relational Operators
The access-list TCP protocol option supports both source and destination ports. Each can be given either as a port number or as a mnemonic (acronym), and is preceded by one of the relational operator keywords shown in the following output:
Lab-X(config)#access-list 101 deny tcp any ?
  A.B.C.D  Destination address.
  any      Any destination host.
  eq       Match only packets on a given port number.
  gt       Match only packets with a greater port number.
  host     A single destination host.
  lt       Match only packets with a lower port number.
  neq      Match only packets not on a given port number.
  range    Match only packets in the range of port numbers.
Extended ACLs – Protocol Identifiers
After choosing a relational operator, specify a mnemonic (or acronym) or
port number, such as the following code output for the TCP port names:
Lab-X(config)#access-list 101 deny tcp any eq ?
  <0-65535>  Port number
  bgp        Border Gateway Protocol (179)
  chargen    Character generator (19)
  cmd        Remote commands (rcmd, 514)
  daytime    Daytime (13)
  discard    Discard (9)
  domain     Domain Name Service (53)
  echo       Echo (7)
  exec       Exec (rsh, 512)
  finger     Finger (79)
  ftp        File Transfer Protocol (21)
  --Some output omitted--
  uucp       Unix-to-Unix Copy Program (540)
  whois      Nicname (43)
  www        World Wide Web (HTTP, 80)
UDP and TCP Port Numbers
Extended ACLs – TCP Example
The first statement could have used the mnemonic “telnet” in place of 23
with exactly the same result. The one advantage to using the mnemonic
is that it is more intuitive to anyone having to support the device.
Lab-X#config t
Lab-X(config)#access-list 101 deny tcp 192.168.5.0 0.0.0.255 any eq 23
Lab-X(config)#access-list 101 permit ip any any
Lab-X(config)#interface fastethernet 0/1
Lab-X(config-if)#ip access-group 101 in
If you want to block network 192.168.5.0 from being able to surf the Web
while still allowing other services such as FTP, use this code:
Lab-X#config t
Lab-X(config)#access-list 106 deny tcp 192.168.5.0 0.0.0.255 any eq www
Lab-X(config)#access-list 106 permit ip any any
Lab-X(config)#interface ethernet 0
Lab-X(config-if)#ip access-group 106 in
Extended ACLs – Blocking RIP Routing Updates
One example of using ACLs with UDP packets would be to block RIP
routing updates from passing out a particular interface using an ACL
such as the following:
Lab-X#config t
Lab-X(config)#access-list 150 deny udp any any eq rip
Lab-X(config)#access-list 150 permit ip any any
Lab-X(config)#int e0
Lab-X(config-if)#ip access-group 150 out
Important Concept for Extended ACLs
Both ACLs below end with an implicit deny of all other IP traffic, not just all other TCP traffic. A common mistake is to assume that because only TCP was specified in the main statement(s), the final permit any statement need only refer to TCP (ACL 102 below).
The unplanned result is that all ICMP and UDP traffic entering the interface is blocked, because nothing in ACL 102 permits it (ACL 102 below).
ACL 101's permit ip any any statement allows all other traffic.
Lab-X#config t
Lab-X(config)#Access-list 101 deny tcp any 192.168.1.25 eq ftp
Lab-X(config)#Access-list 101 permit IP any any
Lab-X(config)#Access-list 102 deny tcp 10.0.0.0 0.255.255.255 192.168.1.1 eq ftp
Lab-X(config)#Access-list 102 permit TCP any any
Lab-X(config)#interface Fastethernet 0/0
Lab-X(config-if)#ip access-group 101 out
Lab-X(config-if)#ip access-group 102 in
Extended Access List Processing
Named ACLs – Basics
Cisco IOS supports named access lists in addition to the traditional numbered designations. Naming a list makes it easier to recognize and can make it easier to debug.
Another advantage is that individual entries can be deleted from a specific ACL instead of erasing the entire list.
A couple of things to consider when implementing named ACLs:
1. Names, like numbers, must be unique on each router.
2. Named ACLs do not work with IOS releases prior to 11.2.
The first step is to create the ACL using the following syntax:
Router(config)#ip access-list {standard | extended} name
Example:
Lab-X(config)#ip access-list extended BlockInternet
Named ACLs – Example
Lab-X#conf t
Lab-X(config)#ip access-list ?    (to see the options)
  extended    Extended Access List
  log-update  Control access list log updates
  logging     Control access list logging
  standard    Standard Access List
Lab-X(config)#ip access-list standard ProtectLAN
Lab-X(config-std-nacl)#deny 192.168.20.0 0.0.0.255
Lab-X(config-std-nacl)#deny 192.168.30.0 0.0.0.255
Lab-X(config-std-nacl)#permit any
Lab-X(config-std-nacl)#exit
Lab-X(config)#ip access-list extended FilterOutside
Lab-X(config-ext-nacl)#permit tcp any 192.168.5.0 0.0.0.255 established
Lab-X(config-ext-nacl)#deny icmp any 192.168.5.0 0.0.0.255
Lab-X(config-ext-nacl)#permit ip any any
Lab-X(config-ext-nacl)#^Z
Lab-X#
Named ACLs are applied to interfaces the same as other ACLs.
ACL Placement
Standard ACLs must be placed close to the destination: they filter on source address only, so placing one near the source would cut that source off from every destination, not just the one you intend.
Extended ACLs should be placed close to the source, so that traffic which will be denied anyway is dropped before it crosses the network.
ACLs and Firewall Routers
Border routers are charged with providing network security from
potential attacks from outside the network. The figure shows the
simplest situation where the border router becomes the clear
demarcation between the network and the rest of the world.
Typically intruders come from the global Internet and the
thousands of networks connected to it.
Another type of firewall implementation uses two or more routers
to provide the security. The border router, A, is ultimately
responsible for securing the LAN(s).
The firewall router, F, is responsible for protecting both the shared
servers and the internal networks from attack from outside. In an
optimal solution, this would be a specialty device like Cisco’s PIX
box, which combines hardware and software to secure the
connection. Whether a specialty device or a router with the firewall
feature set, ACLs will be a part of the solution.
Verifying ACLs
Lab-X#show ip interface
Ethernet0 is up, line protocol is up
Internet address is 192.168.5.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is 50
Inbound access list is 70
Proxy ARP is enabled
The show ip interface command will tell whether an inbound or
outbound access list has been applied to an interface. Rows 9 and 10
above contain the information. The rest of the lines do not pertain to
ACLs, so they have been omitted.
The show access-lists Command
Lab-X#show access-lists
Standard IP access list 50
    deny   192.168.1.10 log
    permit any
Standard IP access list 75
    deny   192.168.17.123
    deny   192.168.1.10
    permit any
Lab-X#
The show access-lists command will display all access lists on the
router but does not show whether or where they are applied.
Another command, show ip access-lists, would include only IP access
lists. Both commands enable you to specify an ACL number or name
after the command to display just that ACL.
The show run Command
Lab-X#show run
hostname Lab-X
!
! (output abbreviated)
!
access-list 50 deny   192.168.1.10 log
access-list 50 permit any
access-list 75 deny   192.168.17.123
access-list 75 deny   192.168.1.10
access-list 75 permit any
!
One way to see your access lists and how they are applied is to use the
show run command to see the active configuration. The above lines
show the output of a show run command with some of the unrelated
lines removed.
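Because show access-lists shows what each list contains but not where it is applied, and show ip interface shows what is applied but not what it contains, verifying a router means joining the two outputs. The following Python script is an added example, not from the slides or from Cisco: it parses constructed copies of both outputs (the Ethernet0 block and lists 50 and 75 follow the slide; the FastEthernet0/1 block and the FilterOutside list are added) and reports interfaces with no ACL in a direction, ACLs that are applied but never defined (IOS passes all packets when the referenced list does not exist), and ACLs that are defined but not applied anywhere. The function names parse_interfaces, parse_access_lists and audit are the example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed 'show ip interface' output; the Ethernet0 block copies the slide
# (note it references inbound list 70), FastEthernet0/1 is added with no ACLs.
SHOW_IP_INTERFACE = """\
Ethernet0 is up, line protocol is up
  Internet address is 192.168.5.1/24
  Broadcast address is 255.255.255.255
  Outgoing access list is 50
  Inbound  access list is 70
  Proxy ARP is enabled
FastEthernet0/1 is up, line protocol is up
  Internet address is 10.10.10.1/24
  Outgoing access list is not set
  Inbound  access list is not set
"""

# Constructed 'show access-lists' output; lists 50 and 75 follow the slide.
SHOW_ACCESS_LISTS = """\
Standard IP access list 50
    deny   192.168.1.10 log
    permit any
Standard IP access list 75
    deny   192.168.17.123
    deny   192.168.1.10
    permit any
Extended IP access list FilterOutside
    permit tcp any 192.168.5.0 0.0.0.255 established
    deny icmp any 192.168.5.0 0.0.0.255
    permit ip any any
"""

IFACE_RE = re.compile(r"^(\S+) is (up|down|administratively down)")
ACLREF_RE = re.compile(r"^\s*(Outgoing|Inbound)\s+access list is (.+?)\s*$")
ACLDEF_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)")

def parse_interfaces(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {interface: {'in': acl_or_None, 'out': acl_or_None}} from show ip interface."""
    result: Dict[str, Dict[str, Optional[str]]] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"in": None, "out": None}
            continue
        m = ACLREF_RE.match(line)
        if m and current:
            direction = "out" if m.group(1) == "Outgoing" else "in"
            value = m.group(2)
            result[current][direction] = None if value == "not set" else value
    return result

def parse_access_lists(text: str) -> Dict[str, List[str]]:
    """Return {acl_number_or_name: [normalized entry lines]} from show access-lists."""
    result: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = ACLDEF_RE.match(line)
        if m:
            current = m.group(2)
            result[current] = []
        elif current and line.strip():
            result[current].append(" ".join(line.split()))
    return result

def audit(interfaces: Dict[str, Dict[str, Optional[str]]],
          acls: Dict[str, List[str]]) -> List[str]:
    """Cross-check applied lists against defined lists and return human-readable findings."""
    findings: List[str] = []
    applied = set()
    for name, dirs in interfaces.items():
        for direction, acl in dirs.items():
            if acl is None:
                findings.append(f"{name}: no {direction}bound ACL applied")
                continue
            applied.add(acl)
            if acl not in acls:
                findings.append(f"{name}: {direction}bound ACL {acl} is applied but not "
                                f"defined (IOS passes all packets for a nonexistent list)")
    for acl in acls:
        if acl not in applied:
            findings.append(f"ACL {acl} is defined but not applied to any interface")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_interfaces(SHOW_IP_INTERFACE),
                         parse_access_lists(SHOW_ACCESS_LISTS)):
        print(finding)
```

Feed the script the real output of the two commands (captured from the router) in place of the constructed strings and the same three checks apply; the slide's own sample already trips the first one, since Ethernet0 applies inbound list 70 while only lists 50 and 75 exist.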
Verifying Named ACLs
Lab-X#show run
!
(output edited and omitted)
ip access-list standard ProtectLAN
 deny   192.168.20.0 0.0.0.255
 deny   192.168.30.0 0.0.0.255
 permit any
!
ip access-list extended FilterOutside
 permit tcp any 192.168.5.0 0.0.0.255 established
 deny   icmp any 192.168.5.0 0.0.0.255
 permit ip any any
!
Lab-X#show access-list
Standard IP access list ProtectLAN
    deny   192.168.20.0, wildcard bits 0.0.0.255
    deny   192.168.30.0, wildcard bits 0.0.0.255
    permit any
Extended IP access list FilterOutside
    permit tcp any 192.168.5.0 0.0.0.255 established
    deny icmp any 192.168.5.0 0.0.0.255
    permit ip any any
Lab-X#