Exploration Accessing WAN Chapter5
Transcript of Exploration Accessing WAN Chapter5
7/30/2019 Exploration Accessing WAN Chapter5
1/36
2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Version 4.0
Access Control Lists
Accessing the WAN Chapter 5
Access Control Lists Defined
For Cisco, an Access Control List is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols
They are similar to if-then statements in programming
- e.g. If a packet with this IP address, 192.168.10.2, comes into this interface, serial 0/0/0, then deny the packet
They are used to filter packets coming into a router in order to provide security
Packet Filtering
Packet filtering exists at Layer 3
It is the process in which the router examines the IP header of each packet to see if the IP address matches an ACL configured on the router
If there is a match, then there will be an approve or deny depending on how the ACL is configured
Types Of Filtering
ACLs can be configured to use any of the following for packet filtering:
Source IP address
Destination IP address
ICMP message type
The ACL can also extract upper layer information and test it against its rules. Upper layer information includes:
TCP/UDP source port
TCP/UDP destination port
The Three Ps of ACLs
Inbound vs Outbound ACLs
There are two types of ACLs:
Inbound ACLs: Incoming packets are processed before they're routed to the outbound interface
Outbound ACLs: Incoming packets are routed to the outbound interface and then they're processed
Also, the statements in an ACL are processed one at a time, in order
As soon as a statement matches, its permit or deny is applied and the remaining statements are not checked
At the end of every ACL, there is an implicit deny
If the packet doesn't match any of the criteria, then it will automatically be discarded, unless you state otherwise
Standard ACLs
Standard ACLs filter packets based on source IP addresses only
Standard ACLs can be numbered from 1-99 and 1300-1999
They can be either a permit or deny
Below is an example of a standard ACL
- Notice the use of wildcard masks with ACLs
Extended ACLs
Extended ACLs can be used to filter packets based on source and destination IP addresses, ports, and protocol type
Extended ACLs can be numbered 100-199 and 2000-2699
Below you see that we have to identify tcp or udp
- also, we include the any eq 80 which means that any packet that is being used for http can pass through the router
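The evaluation rules the last few slides describe (statements walked top-down, first match wins, implicit deny at the end, wildcard masks, the any and host shorthands, and the tcp/udp protocol and eq port checks of an extended ACL), modelled in Python as an added example. This is not code from the Cisco deck: the ACL statements and packets are constructed for illustration, the standard/extended number ranges are the ones the deck gives, and the NAMED_PORTS table is a small assumed subset of the port names IOS accepts.

```python
# Added example, not code from the Cisco deck: a model of how a numbered IOS
# access list is evaluated. Statements are parsed from IOS syntax and walked
# top-down; the first match decides, and a packet that matches nothing hits
# the implicit deny. All ACL statements and packets below are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address

# Assumed subset of the port names IOS accepts after 'eq' (IANA numbers)
NAMED_PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
               "tftp": 69, "www": 80}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # ip, tcp, udp or icmp
    sport: int = 0
    dport: int = 0


def wildcard_match(addr, base, wildcard):
    """Wildcard mask bits: 0 = this address bit must match, 1 = don't care."""
    a = int(IPv4Address(addr))
    b = int(IPv4Address(base))
    keep = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & keep) == (b & keep)


def _parse_addr(tokens):
    """Consume one address spec; return (base, wildcard, remaining tokens)."""
    if tokens[0] == "any":                  # any == 0.0.0.0 255.255.255.255
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":                 # host X == X 0.0.0.0
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT'; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else NAMED_PORTS[p]), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' statement into a dict."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(line)
    number, action, rest = int(t[1]), t[2], t[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        # Standard ACL: source address only; a bare address means one host
        if rest[0] not in ("any", "host") and len(rest) == 1:
            rest = rest + ["0.0.0.0"]
        src, swc, _ = _parse_addr(rest)
        return dict(action=action, proto="ip", src=src, swc=swc, sport=None,
                    dst="0.0.0.0", dwc="255.255.255.255", dport=None)
    # Extended ACL: protocol, source [eq port], destination [eq port]
    proto, rest = rest[0], rest[1:]
    src, swc, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest)
    dst, dwc, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return dict(action=action, proto=proto, src=src, swc=swc, sport=sport,
                dst=dst, dwc=dwc, dport=dport)


def evaluate(acl_lines, pkt):
    """Return (action, matching statement); the implicit deny reports None."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not wildcard_match(pkt.src, ace["src"], ace["swc"]):
            continue
        if not wildcard_match(pkt.dst, ace["dst"], ace["dwc"]):
            continue
        if ace["sport"] is not None and ace["sport"] != pkt.sport:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"], line        # first match wins; stop here
    return "deny", None                    # implicit deny at the end


# Constructed sample lists in the deck's style (not the deck's own figures)
STANDARD_ACL = [
    "access-list 10 deny 192.168.10.0 0.0.0.255",
    "access-list 10 permit any",
]
EXTENDED_ACL = [
    "access-list 101 deny tcp host 172.16.30.5 any eq telnet",
    "access-list 101 permit tcp any any eq 80",
]


def demo():
    return {
        "std_deny": evaluate(STANDARD_ACL, Packet("192.168.10.7", "10.0.0.1")),
        "std_permit": evaluate(STANDARD_ACL, Packet("192.168.11.7", "10.0.0.1")),
        "telnet_deny": evaluate(EXTENDED_ACL, Packet("172.16.30.5", "192.168.30.12", "tcp", 40002, 23)),
        "http_permit": evaluate(EXTENDED_ACL, Packet("172.16.30.5", "192.168.30.12", "tcp", 40003, 80)),
        # UDP never matches a tcp statement, so TFTP falls to the implicit deny
        "tftp_implicit_deny": evaluate(EXTENDED_ACL, Packet("192.168.10.10", "192.168.30.12", "udp", 40004, 69)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last case is worth noticing when reading a list: a UDP packet is never compared against a statement that names tcp, so with only tcp statements present it reaches the implicit deny even though no statement mentions it.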
Questions!!!
What three parameters can ACLs use to filter traffic?
How do standard ACLs filter traffic?
What happens if a packet does not match any of the defined ACL statements?
What are the three Ps of ACLs?
ACL Placement
Placement is important so that our filters are used as efficiently as possible
Standard ACLs are placed closest to the destination
If we want to stop Accounting from accessing the Human Resources server, we'd place the Standard ACL on port E0 of the Lab_B router
ACL Placement Example
Where would we place the standard ACL if we wanted to deny all of the connected hosts from accessing the Internet? How would we configure it?
ACL Placement Solution
Extended ACL Placement
Extended ACLs are placed closest to the source, preventing any bandwidth from being wasted
If we wanted to stop the host computer 172.16.30.5 in Finance from using Telnet or FTP, we'd create the following ACL and place it on port E1
ACL Best Practices
Removing ACLs
Use the show access-list command to view your access lists
Use the no access-list command to remove access-lists
Document Your ACLs
Documenting your ACLs helps you to easily see what they were put in place to do
The Any and Host Keywords
The any keyword is the same thing as typing in 0.0.0.0 255.255.255.255, which means all IP addresses match
The host keyword is the same as typing in a wildcard mask of 0.0.0.0, which means that the IP address has to match exactly
Named ACLs
Named ACLs can be used for either standard or extended ACLs
They are useful in keeping track of what an ACL does for you
Named Access Lists
Example 1 shows using remark to define what the access-list is used for so that you don't have to remember
Example 2 shows using the ip access-list extended TELNETTING command to create a Named Access List as well as providing a remark
Named Access List Example
Editing ACLs - Named Access-List
With Named Access Lists, you have the ability to add additional statements after you have created your original ACL
In the example below, we are inserting an additional permit statement for a host that we had left out when we created the original ACL group
Questions!!!
Where should a standard access list be placed?
Where should an extended access list be placed?
Why would we use a Named ACL?
What is an advantage that a Named ACL has over a Standard or Extended ACL?
Dynamic (Lock-and-Key) ACLs
Dynamic ACLs are also known as lock-and-key ACLs
- You apply an Extended ACL to block traffic through the router
- Users can only get access through the router if they Telnet into the router and are authenticated to access the network
- The Dynamic ACL is used in conjunction with an Authentication, Authorization, and Accounting (AAA) server or a TACACS+ server
- It is useful if you need to allow a user through your firewall from the Internet
Configuring Dynamic (Lock-and-Key) ACLs
1. Set a login name and password
2. Configure the Dynamic Access List. This allows the user to Telnet to the router. The window will be opened for 15 minutes.
3. Place the Access List
4. Once authenticated with telnet, telnet closes and the user will be able to access the network. 5 minutes of inactivity will cause the window to close.
Reflexive ACLs
Used to allow IP traffic for sessions originated from within the trusted network to an untrusted network
Denies IP traffic that originates from outside of the trusted network
Can only be created as a Named ACL
Configuring Reflexive ACLs
1. Create the Named ACL using the reflect command so that the router tracks any traffic generated from inside the network
2. The evaluate statement causes all incoming traffic to be reviewed to see if it belongs to a session generated from inside the trusted network
3. Apply both an inbound and an outbound ACL to the interface
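Both the lock-and-key procedure (login, temporary window with a 15-minute limit and a 5-minute idle close) and the reflexive procedure (an outbound session reflected into a temporary inbound entry that the evaluate step consults) come down to temporary entries opened in front of a static deny. The Python below models that mechanism as an added example; it is not code from the Cisco deck. The 15-minute and 5-minute limits are the ones the deck states; the 300-second reflexive idle timeout, the credential store and the addresses are assumptions made for this example.

```python
# Added example, not code from the Cisco deck: a model of the temporary entries
# that lock-and-key (dynamic) and reflexive ACLs open in front of a static deny.
# The 15-minute absolute and 5-minute idle limits for lock-and-key are the ones
# the deck states; the 300 s reflexive idle timeout and the credentials are
# assumptions made for this example.
from dataclasses import dataclass
from typing import Optional

LOCK_AND_KEY_ABSOLUTE = 15 * 60    # window open at most 15 minutes (deck)
LOCK_AND_KEY_IDLE = 5 * 60         # closes after 5 minutes of inactivity (deck)
REFLEXIVE_IDLE = 300               # assumed idle timeout for mirrored entries


@dataclass
class TempEntry:
    created: float
    last_seen: float
    absolute: Optional[float]      # None = no absolute limit
    idle: Optional[float]          # None = no idle limit

    def active(self, now):
        if self.absolute is not None and now - self.created > self.absolute:
            return False
        if self.idle is not None and now - self.last_seen > self.idle:
            return False
        return True


class LockAndKey:
    """The static extended ACL denies inbound traffic; a successful Telnet
    login to the router opens a temporary entry for the authenticating host."""

    def __init__(self, credentials):
        self.credentials = credentials     # constructed user store (AAA stand-in)
        self.entries = {}                  # src_ip -> TempEntry

    def telnet_login(self, src_ip, user, password, now):
        if self.credentials.get(user) != password:
            return False                   # no entry opened, static deny stays
        self.entries[src_ip] = TempEntry(now, now, LOCK_AND_KEY_ABSOLUTE,
                                         LOCK_AND_KEY_IDLE)
        return True                        # Telnet closes; the window is open

    def permit_inbound(self, src_ip, now):
        entry = self.entries.get(src_ip)
        if entry is None or not entry.active(now):
            self.entries.pop(src_ip, None)
            return False                   # falls through to the static deny
        entry.last_seen = now              # activity resets the idle timer
        return True


class Reflexive:
    """Outbound sessions from the trusted side are reflected into a mirrored
    inbound entry; inbound traffic with no mirror is denied (the evaluate step)."""

    def __init__(self):
        self.entries = {}                  # (proto, src, sport, dst, dport) -> TempEntry

    def outbound(self, proto, src, sport, dst, dport, now):
        mirror = (proto, dst, dport, src, sport)   # swap the ends for the reply
        self.entries[mirror] = TempEntry(now, now, None, REFLEXIVE_IDLE)

    def evaluate_inbound(self, proto, src, sport, dst, dport, now):
        entry = self.entries.get((proto, src, sport, dst, dport))
        if entry is None or not entry.active(now):
            return False
        entry.last_seen = now
        return True


def demo():
    r = {}
    lk = LockAndKey({"alice": "s3cret"})               # constructed credentials
    host = "198.51.100.7"
    r["before_login"] = lk.permit_inbound(host, 0.0)
    r["bad_password"] = lk.telnet_login(host, "alice", "wrong", 0.0)
    r["login"] = lk.telnet_login(host, "alice", "s3cret", 0.0)
    r["after_login"] = lk.permit_inbound(host, 60.0)
    r["idle_expired"] = lk.permit_inbound(host, 60.0 + 6 * 60)          # 6 min idle
    lk.telnet_login(host, "alice", "s3cret", 1000.0)
    r["kept_alive"] = all(lk.permit_inbound(host, 1000.0 + 240 * i) for i in (1, 2, 3))
    r["absolute_expired"] = lk.permit_inbound(host, 1000.0 + 16 * 60)   # 16 min old
    rf = Reflexive()
    inside, outside = "10.1.1.5", "203.0.113.9"
    r["unsolicited_inbound"] = rf.evaluate_inbound("tcp", outside, 80, inside, 40000, 0.0)
    rf.outbound("tcp", inside, 40000, outside, 80, 0.0)
    r["reply_inbound"] = rf.evaluate_inbound("tcp", outside, 80, inside, 40000, 1.0)
    r["other_port_inbound"] = rf.evaluate_inbound("tcp", outside, 80, inside, 40001, 1.0)
    r["reply_after_timeout"] = rf.evaluate_inbound("tcp", outside, 80, inside, 40000, 302.0)
    return r
```

The kept_alive and absolute_expired cases show the difference between the two lock-and-key timers: steady traffic keeps resetting the 5-minute idle timer, but the 15-minute absolute limit still closes the window. The other_port_inbound case shows why a reflexive entry is a full mirrored 5-tuple rather than just the outside address.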
Time-Based ACLs
Time-Based ACLs allow you to control when your network can be accessed
Configuring Time-Based ACLs
1. Define the time range and provide a name for the ACL
2. Apply the time range to the ACL
3. Apply the ACL to the interface
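The three steps above, modelled in Python as an added example (not code from the Cisco deck): a named time range built from periodic entries, ACL statements that reference the range by name, and the effect on evaluation, which is that a statement whose range is inactive is skipped so the packet falls through to the implicit deny. Only the time gating is modelled; address matching is left out. The WORKHOURS range, the ACL and the half-open treatment of the window (start <= t < end) are assumptions made for this example.

```python
# Added example, not code from the Cisco deck: a model of an IOS time-range
# made of 'periodic' entries, referenced by name from ACL statements. A
# statement whose time range is not active is skipped as if it were absent,
# so outside the window the packet falls through to the implicit deny. Only
# the time gating is modelled here; address matching is left out. The
# WORKHOURS range and the ACL below are constructed for this example.
from datetime import datetime

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday",
             "friday", "saturday", "sunday"]            # datetime.weekday() order
DAY_SETS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_periodic(spec):
    """'periodic weekdays 8:00 to 17:00' -> (weekday set, start, end) in minutes."""
    t = spec.split()
    if t[0] != "periodic" or len(t) < 5 or t[-2] != "to":
        raise ValueError(spec)
    days = set()
    for word in t[1:-3]:
        days |= (DAY_SETS[word] if word in DAY_SETS else {DAY_NAMES.index(word)})
    return days, _minutes(t[-3]), _minutes(t[-1])


def time_range_active(periodics, when):
    """True if any periodic entry covers 'when' (window treated as start <= t < end)."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute < end
               for days, start, end in periodics)


# Step 1: define the time range and give it a name (constructed)
TIME_RANGES = {"WORKHOURS": [parse_periodic("periodic weekdays 8:00 to 17:00")]}

# Step 2: apply the time range to the ACL; entries are (action, range name or None)
ACL = [("permit", "WORKHOURS")]


def first_active_action(acl, when):
    """First statement whose time range is active decides; none -> implicit deny."""
    for action, range_name in acl:
        if range_name is None or time_range_active(TIME_RANGES[range_name], when):
            return action
    return "deny"


def demo():
    return {
        "tue_morning": first_active_action(ACL, datetime(2019, 7, 30, 10, 0)),  # Tuesday 10:00
        "tue_evening": first_active_action(ACL, datetime(2019, 7, 30, 18, 0)),  # Tuesday 18:00
        "saturday": first_active_action(ACL, datetime(2019, 8, 3, 10, 0)),      # Saturday 10:00
    }
```

The point to take from the evening and Saturday cases is that a time-based permit does not turn into a deny outside its window; it simply stops matching, and whatever follows it (here, only the implicit deny) decides.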
Questions!!!
What is another name for a Dynamic ACL?
What is it used for?
What is the purpose of a Reflexive ACL?
What is the purpose of a Time-Range ACL?
Troubleshooting ACL Errors
Why can't host 192.168.10.10 telnet to 192.168.30.12?
Host 192.168.10.10 can't connect because the ACL was configured out of sequence (20 should be first)
Troubleshooting ACL Errors
The 192.168.10.0/24 network can't use TFTP because TFTP uses UDP, not TCP
Since the permit statement is permit tcp any any, there is an implicit deny for all UDP traffic
Troubleshooting ACL Errors
The 192.168.10.0/24 network can telnet to the 192.168.30.0/24 network, but should not be able to do so
The ACL statement in line 10 was written incorrectly
It should have been access-list 10 deny tcp any any eq telnet
Troubleshooting ACL Errors
Host 192.168.10.10 can use Telnet to connect to 192.168.30.12, but isn't supposed to be able to connect
The Telnet deny statement doesn't apply to 192.168.10.10
Troubleshooting ACL Errors
Host 192.168.30.12 can use Telnet to connect to 192.168.10.10, but isn't supposed to be able to connect
The Telnet deny statement has been placed in the wrong direction