Exploration Accessing WAN Chapter5


Transcript of Exploration Accessing WAN Chapter5

  • 7/30/2019 Exploration Accessing WAN Chapter5

    1/36

    2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Version 4.0

    Access Control Lists

    Accessing the WAN Chapter 5

  • 2/36

    Access Control Lists Defined

    For Cisco, an Access Control List is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols

    They are similar to if-then statements in programming

    - e.g. If a packet with this IP address, 192.168.10.2, comes into this interface, serial 0/0/0, then deny the packet

    They are used to filter packets coming into a router in order to provide security

  • 3/36

    Packet Filtering

    Packet filtering exists at Layer 3. It is the process in which the router examines the IP header of each packet to see if the IP address matches an ACL configured on the router

    If there is a match, then the packet is permitted or denied depending on how the ACL is configured

  • 4/36

    Types Of Filtering

    ACLs can be configured to use any of the following for packet filtering:

    - Source IP address
    - Destination IP address
    - ICMP message type

    The ACL can also extract upper layer information and test it against its rules. Upper layer information includes:

    - TCP/UDP source port
    - TCP/UDP destination port

  • 5/36

    The Three Ps of ACLs

  • 6/36

    Inbound vs Outbound ACLs

    There are two types of ACLs:

    - Inbound ACLs: incoming packets are processed before they are routed to the outbound interface
    - Outbound ACLs: incoming packets are routed to the outbound interface and then they are processed

    Also, ACL statements are processed one at a time, in order

    As soon as a statement matches, its permit or deny is applied

    At the end of every ACL, there is an implicit deny

    If the packet doesn't match any of the criteria, then it will automatically be discarded, unless you state otherwise

  • 7/36

    Standard ACLs

    Standard ACLs filter packets based on source IP addresses only

    Standard ACLs can be numbered from 1 - 99 and 1300 - 1999

    Each statement can be either a permit or a deny

    Below is an example of a standard ACL

    - Notice the use of wildcard masks with ACLs

  • 8/36

    Extended ACLs

    Extended ACLs can be used to filter packets based on source and destination IP addresses, ports, and protocol type

    Extended ACLs can be numbered 100 - 199 and 2000 - 2699

    Below you see that we have to identify tcp or udp

    - also, we include "any eq 80", which means that any packet that is being used for HTTP can pass through the router

  • 9/36

    Questions!!!

    What three parameters can ACLs use to filter traffic?

    How do standard ACLs filter traffic?

    What happens if a packet does not match any of the defined ACL statements?

    What are the three Ps of ACLs?

  • 10/36

    ACL Placement

    Placement is important so that our filters are used as efficiently as possible

    Standard ACLs are placed closest to the destination

    If we want to stop Accounting from accessing the Human Resources server, we'd place the Standard ACL on port E0 of the Lab_B router

  • 11/36

    ACL Placement Example

    Where would we place the standard ACL if we wanted to deny all of the connected hosts from accessing the Internet? How would we configure it?

  • 12/36

    ACL Placement Solution

  • 13/36

    Extended ACL Placement

    Extended ACLs are placed closest to the source, preventing any bandwidth from being wasted

    If we wanted to stop host 172.16.30.5 in Finance from using Telnet or FTP, we'd create the following ACL and place it on port E1

  • 14/36

    ACL Best Practices

  • 15/36

    Removing ACLs

    Use the show access-list command to view your access lists

    Use the no access-list command to remove access-lists

  • 16/36

    Document Your ACLs

    Documenting your ACLs helps you to easily see what they were put in place to do

  • 17/36

    The Any and Host Keywords

    The any keyword is the same thing as typing in 0.0.0.0 255.255.255.255, which means all IP addresses match

    The host keyword is the same as typing in a wildcard mask of 0.0.0.0, which means that the IP address has to match exactly

  • 18/36

    Named ACLs

    Named ACLs can be used for either standard or extended ACLs

    They are useful in keeping track of what an ACL does for you

  • 19/36

    Named Access Lists

    Example 1 shows using remark to define what the access-list is used for, so that you don't have to remember

    Example 2 shows using the ip access-list extended TELNETTING command to create a Named Access List, as well as providing a remark

  • 20/36

    Named Access List Example

  • 21/36

    Editing ACLs - Named Access-List

    With Named Access Lists, you have the ability to add additional ACL statements after you have created your original ACL

    In the example below, we are inserting an additional permit statement for a host that we had left out when we created the original ACL group

  • 22/36

  • 23/36

    Questions!!!

    Where should a standard access list be placed? Where should an extended access list be placed?

    Why would we use a Named ACL?

    What is an advantage that a Named ACL has over a Standard or Extended ACL?

  • 24/36

    Dynamic (Lock-and-Key) ACLs

    Dynamic ACLs are also known as lock-and-key ACLs

    - You apply an Extended ACL to block traffic through the router

    - Users can only get access through the router if they Telnet into the router and are authenticated to access the network

    - The Dynamic ACL is used in conjunction with an Authentication, Authorization, and Accounting (AAA) server or a TACACS+ server

    - It is useful if you need to allow a user through your firewall from the Internet

  • 25/36

    Configuring Dynamic (Lock-and-Key) ACLs

    1. Set a login name and password

    2. Configure the Dynamic Access List. This allows the user to Telnet to the router. The window will be opened for 15 minutes.

    3. Place the Access List

    4. Once authenticated with Telnet, the Telnet session closes and the user will be able to access the network. 5 minutes of inactivity will cause the window to close.
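    The four steps above, as an added Python model of the resulting lock-and-key entry (not IOS code and not from the slide deck): the AAA/TACACS+ login is reduced to a boolean, the host address 172.16.30.5 is constructed, and the slide's 15-minute window and 5-minute inactivity limit become an absolute timer and an idle timer on the temporary entry.

```python
class LockAndKey:
    """Dynamic (lock-and-key) entry: the static extended ACL denies the host until a
    Telnet login is authenticated, then a temporary entry for that source address
    is permitted, bounded by an absolute timer and an idle timer."""

    def __init__(self, absolute=15 * 60, idle=5 * 60):   # the slide's 15 and 5 minutes
        self.absolute, self.idle = absolute, idle         # both in seconds
        self.entries = {}                                 # source IP -> [opened_at, last_seen]

    def authenticate(self, src, credentials_ok, now):
        """The Telnet login step; only a successful AAA/TACACS+ check opens the window."""
        if credentials_ok:
            self.entries[src] = [now, now]
        return credentials_ok

    def check(self, src, now):
        """Evaluate a packet from src: dynamic entry first, then the static deny."""
        entry = self.entries.get(src)
        if entry is None:
            return "deny"
        opened, last = entry
        if now - opened > self.absolute or now - last > self.idle:
            del self.entries[src]                         # window closed
            return "deny"
        entry[1] = now                                    # activity resets only the idle timer
        return "permit"

def lock_and_key_demo(host="172.16.30.5"):   # constructed host; returns the verdict sequence
    acl = LockAndKey()
    r = [acl.check(host, 0)]                              # deny: nobody has logged in
    acl.authenticate(host, False, 10)                     # failed login opens nothing
    r.append(acl.check(host, 11))                         # deny
    acl.authenticate(host, True, 20)                      # login ok: window opens at t=20
    r.append(acl.check(host, 21))                         # permit
    r.append(acl.check(host, 261))                        # permit: 4 min idle is under 5
    r.append(acl.check(host, 562))                        # deny: 301 s idle closes the window
    acl.authenticate(host, True, 1000)                    # log in again and stay active
    for t in range(1000, 1901, 60):
        acl.check(host, t)                                # a packet every minute
    r.append(acl.check(host, 1901))                       # deny: 15 min absolute limit reached
    return r
```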

  • 26/36

    Reflexive ACLs

    Used to allow IP traffic for sessions originated from within the trusted network to an untrusted network

    Denies IP traffic that originates from outside of the trusted network

    Can only be created as a Named ACL

  • 27/36

    Configuring Reflexive ACLs

    1. Create the Named ACL using the reflect command to allow the router to track any traffic generated from inside the network

    2. The evaluate command causes all incoming traffic to be reviewed to see if it was generated from inside the trusted network

    3. Apply both an inbound and an outbound ACL to the interface
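    The reflect/evaluate pair from the three steps above, as an added Python model (not IOS code and not from the slide deck): the outbound ACL records a mirrored entry for each session that originates inside, and the inbound ACL permits a packet only while it matches a live mirrored entry. The trusted network 192.168.10.0/24, the addresses and the 300-second idle timeout are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport")    # one direction of a session

class ReflexiveACL:
    """'reflect' on the outbound named ACL, 'evaluate' on the inbound one.
    A session leaving the trusted network creates a temporary mirrored entry;
    an inbound packet is permitted only while a matching entry is alive."""

    def __init__(self, trusted_net, idle_timeout=300):
        self.trusted_net = trusted_net          # ipaddress network of the inside
        self.idle_timeout = idle_timeout        # seconds; 300 assumed for this model
        self.mirrors = {}                       # reflected Flow -> time last seen

    def outbound(self, flow, now):
        """Outbound ACL: permit sessions that originate inside and reflect them."""
        if ipaddress.ip_address(flow.src) not in self.trusted_net:
            return "deny"
        mirror = Flow(flow.proto, flow.dst, flow.dport, flow.src, flow.sport)
        self.mirrors[mirror] = now              # create or refresh the reverse entry
        return "permit"

    def inbound(self, flow, now):
        """Inbound ACL: evaluate the reflected entries, then fall to the implicit deny."""
        last = self.mirrors.get(flow)
        if last is None or now - last > self.idle_timeout:
            self.mirrors.pop(flow, None)        # never reflected, or idle too long
            return "deny"
        self.mirrors[flow] = now                # return traffic keeps the entry alive
        return "permit"

INSIDE = ipaddress.ip_network("192.168.10.0/24")   # constructed trusted network

def reflexive_demo():
    """Verdicts for a web session out, its replies, an unsolicited inbound packet, and an idle reply."""
    acl = ReflexiveACL(INSIDE)
    out = Flow("tcp", "192.168.10.10", 40000, "203.0.113.5", 80)
    back = Flow("tcp", "203.0.113.5", 80, "192.168.10.10", 40000)
    unsolicited = Flow("tcp", "203.0.113.5", 40001, "192.168.10.10", 23)
    return (acl.inbound(back, 0),          # deny: nothing reflected yet
            acl.outbound(out, 1),          # permit: originated inside, entry created
            acl.inbound(back, 2),          # permit: matches the mirrored entry
            acl.inbound(unsolicited, 3),   # deny: no inside session asked for this
            acl.inbound(back, 400))        # deny: idle longer than 300 s, entry removed
```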

  • 28/36

    Time-Based ACLs

    Time-Based ACLs allow you to control when your network can be accessed

  • 29/36

    Configuring Time-Based ACLs

    1. Define the time range and provide a name for the ACL

    2. Apply the time range to the ACL

    3. Apply the ACL to the interface

  • 30/36

    Questions!!!

    What is another name for a Dynamic ACL?

    What is it used for?

    What is the purpose of a Reflexive ACL?

    What is the purpose of a Time-Range ACL?

  • 31/36

    Troubleshooting ACL Errors

    Why can't host 192.168.10.10 telnet to 192.168.30.12?

    Host 192.168.10.10 can't connect because the ACL was configured out of sequence (statement 20 should be first)

  • 32/36

    Troubleshooting ACL Errors

    The 192.168.10.0/24 network can't use TFTP because TFTP uses UDP, not TCP

    Since the permit statement is permit tcp any any, there is an implicit deny for all UDP traffic
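    The evaluation rules from the earlier slides (wildcard masks, the any and host keywords, top-down first match, the implicit deny) applied to the two troubleshooting cases above: statements out of sequence, and permit tcp any any silently dropping TFTP over UDP. This is an added Python model, not Cisco code or the deck's own listings; the access-list lines, list numbers and addresses are constructed.

```python
import ipaddress
PORTS = {"telnet": 23, "ftp": 21, "tftp": 69, "www": 80}   # IOS port names the parser accepts
_ip = lambda addr: int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = must match, bit 1 = don't care (the inverse of a subnet mask)."""
    return ((_ip(addr) ^ _ip(base)) & (~_ip(wildcard) & 0xFFFFFFFF)) == 0

def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    first = tokens.pop(0)
    if first == "any":
        return ("0.0.0.0", "255.255.255.255")          # any == 0.0.0.0 255.255.255.255
    if first == "host":
        return (tokens.pop(0), "0.0.0.0")              # host == wildcard 0.0.0.0
    return (first, tokens.pop(0) if tokens else "0.0.0.0")

def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines; the list number selects the syntax."""
    entries = []
    for line in lines:
        tok = line.split()
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if number <= 99 or 1300 <= number <= 1999:      # standard: source address only
            entries.append((action, "ip", _addr(rest), _addr(["any"]), None))
        else:                                            # extended: proto src dst [eq port]
            proto = rest.pop(0)
            src, dst = _addr(rest), _addr(rest)
            port = int(PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
            entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    """Top-down, first match wins; a packet that matches nothing hits the implicit deny."""
    for action, p, (sb, sw), (db, dw), port in entries:
        if p in ("ip", proto) and wildcard_match(src, sb, sw) \
                and wildcard_match(dst, db, dw) and port in (None, dport):
            return action
    return "deny"

# Constructed ACLs reproducing two troubleshooting slides (not the deck's own listings).
ACL_TCP_ONLY = parse_acl(["access-list 101 permit tcp any any"])
ACL_BAD_ORDER = parse_acl(["access-list 102 permit ip any any",
                           "access-list 102 deny tcp any any eq telnet"])
def troubleshoot():
    tftp = ("udp", "192.168.10.10", "192.168.30.12", 69)
    telnet = ("tcp", "192.168.10.10", "192.168.30.12", 23)
    return (evaluate(ACL_TCP_ONLY, *tftp),           # deny: UDP never matches 'permit tcp'
            evaluate(ACL_BAD_ORDER, *telnet),        # permit: 'permit ip any any' is hit first
            evaluate(ACL_BAD_ORDER[::-1], *telnet))  # deny: same statements, deny placed first
```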

  • 33/36

    Troubleshooting ACL Errors

    The 192.168.10.0/24 network can use Telnet to connect to the 192.168.30.0/24 network, but should not be able to do so

    The ACL statement in line 10 was written incorrectly

    It should have been access-list 10 deny tcp any any eq telnet

  • 34/36

    Troubleshooting ACL Errors

    Host 192.168.10.10 can use Telnet to connect to 192.168.30.12, but isn't supposed to be able to connect

    The Telnet deny statement doesn't apply to 192.168.10.10

  • 35/36

    Troubleshooting ACL Errors

    Host 192.168.30.12 can use Telnet to connect to 192.168.10.10, but isn't supposed to be able to connect

    The Telnet deny statement has been applied in the wrong direction

  • 36/36