| By Sheldon L | Published at 2020-05-25 | Updated at 2020-05-25 |
Access Lists:
Here’s a list of rules to live by when configuring ACLs from the Internet to your production network to mitigate security problems:
Corp(config)# access-list ?
<1-99> IP standard access list **
<100-199> IP extended access list **
<1000-1099> IPX SAP access list xx
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list xx
<1300-1999> IP standard access list (expanded range) **
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range) **
<2700-2799> MPLS access list
<300-399> DECnet access list xx
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list xx
<900-999> IPX extended access list xx
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
! Note: IPX and DECnet would no longer be used in any of today’s networks.
!
! Standard
Corp(config)# access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
Corp(config)#access-list 10 deny ?
Hostname or A.B.C.D Address to match
any Any source host
host A single host address
Corp(config)# access-list 10 deny host 172.16.30.2
Corp(config)# access-list 10 deny 172.16.10.0 0.0.0.255
(X) Lab_A:
S0/0/0 ------ Internet
F0/0 ---- [_] Sales 172.16.40.0/24
F0/1 ---- [_] Finace 172.16.50.0/24
F1/1 ---- [_] Marketing 172.16.60.0/24
Set the Sales Permitted to Internet, but Denied to Finace.
Corp(config)# access-list 10 ?
Lab_A(config)# access-list 10 deny 172.16.40.0 0.0.0.255
Lab_A(config)# access-list 10 permit any
! OR
Lab_A(config)# access-list 10 permit 0.0.0.0 255.255.255.255
Lab_A(config)# int fa0/1
Lab_A(config-if)# ip access-group 10 out
! Doing this completely stops traffic from 172.16.40.0 from getting out FastEthernet0/1.
! It has no effect on the hosts from the Sales LAN accessing the Marketing LAN and the Internet
! because traffic to those destinations doesn’t go through interface Fa0/1.
(X) Lab_B: E0 ---- [|] Human Resources server 192.168.10.222/27
|
(X) Lab_A:
E0 192.168.10.161/27 ---- [_] Human Resources
E1 192.168.10.129/27 ---- [_] Accouting
Put an ALC in Lab_B, apply to interface E0 of Lab_B as outbound list towards server
Lab_B(config)# access-list 10 deny 192.168.10.128 0.0.0.31
Lab_B(config)# access-list 10 permit any
Lab_B(config)# interface Ethernet 0
Lab_B(config-if)# ip access-group 10 out
Internet
(X) Router:
S0 ----------- Internet
E0 ---- [_] 172.16.144.17/19
E1 ---- [_] 172.16.50.173/20
E2 ---- [_] 172.16.198.94/18
E3 ---- [_] 172.16.92.10/21
Write an access list that will stop access from each of the four LANs.
Router(config)#access-list 1 deny 172.16.128.0 0.0.31.255
Router(config)#access-list 1 deny 172.16.48.0 0.0.15.255
Router(config)#access-list 1 deny 172.16.192.0 0.0.63.255
Router(config)#access-list 1 deny 172.16.88.0 0.0.7.255
! OR, with one line
Router(config)#access-list 1 deny 172.16.0.0 0.0.255.255
Router(config)#access-list 1 permit any
Router(config)#interface serial 0
Router(config-if)#ip access-group 1 out
access-class in command.Lab_A(config)# access-list 50 permit host 172.16.10.3
Lab_A(config)# line vty 0 4
Lab_A(config-line)# access-class 50 in
Corp(config)# access-list 110 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
remark Access list entry comment
Corp(config)# access-list 110 deny ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
Corp(config)# access-list 110 deny tcp ?
A.B.C.D Source address
any Any source host
host A single source host
Corp(config)# access-list 110 deny tcp any ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
Corp(config)# access-list 110 deny tcp any host 172.16.30.2 ?
ack Match on the ACK bit
dscp Match packets with given dscp value
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
fragments Check non-initial fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
urg Match on the URG bit
<cr>
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
! implicit deny by default the next line
! So we’ve got to follow up:
Corp(config)#access-list 110 permit ip any any
! OR
Corp(config)#access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Corp(config)# interface ?
Corp(config-if)#ip access-group 110 in
! OR
Corp(config-if)#ip access-group 110 out
(X) Lab_A:
S0/0/0 ------ Internet
F0/0 ---- [_] Sales 172.16.40.0/24
F0/1 ---- [_] Finace 172.16.50.0/24
F1/1 ---- [_] Marketing 172.16.60.0/24
Deny access to a host at 172.16.50.5 on the finance department LAN for both Telnet and FTP services
Lab_A# config t
Lab_A(config)# access-list 110 deny tcp any host 172.16.50.5 eq 21
Lab_A(config)# access-list 110 deny tcp any host 172.16.50.5 eq 23
Lab_A(config)# access-list 110 permit ip any any
Lab_A(config)# int fa0/1
Lab_A(config-if)# ip access-group 110 out
Internet
(X) Router:
S0 ----------- Internet
E0 ---- [_] 172.16.144.17/19
E1 ---- [_] 172.16.50.173/20
E2 ---- [_] 172.16.198.94/18
E3 ---- [_] 172.16.92.10/21
Prevent Telnet access to the networks attached to the E1 and E2 interfaces
Router(config)# access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23
Router(config)# access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23
Router(config)# access-list 110 permit ip any any
Router(config)# interface Ethernet 1
Router(config-if)# ip access-group 110 out
Router(config-if)# interface Ethernet 2
Router(config-if)# ip access-group 110 out
Branch Office
|
(X) Lab_A:
F0/0 ------------- [=] ---- [_] Host A 192.168.177.1, [_] Host B 192.168.177.2, [_] Host z 192.168.177.3
F0/1 ------------- [=] ---- [|] Finance 172.22.89.26, [|] DNS, [|] WEB
Allow HTTP access to the Finance server from source Host B only.
All other traffic will be permitted.
Lab_A# config t
Lab_A(config)# access-list 110 permit tcp host 192.168.177.2 host 172.22.89.26 eq 80
Lab_A(config)# access-list 110 deny tcp any host 172.22.89.26 eq 80
Lab_A(config)# access-list 110 permit ip any any
Lab_A(config)# interface fastethernet 0/1
Lab_A(config-if)# ip access-group 110 out
Lab_A# config t
Lab_A(config)# ip access-list ?
extended Extended Access List
log-update Control access list log updates
logging Control access list logging
resequence Resequence Access List
standard Standard Access List
Lab_A(config)#ip access-list standard ?
<1-99> Standard IP access-list number
<1300-1999> Standard IP access-list number (expanded range)
WORD Access-list name
Lab_A(config)#ip access-list standard BlockSales
Lab_A(config-std-nacl)# ?
Standard Access List configuration commands:
default Set a command to its defaults
deny Specify packets to reject
exit Exit from access-list configuration mode
no Negate a command or set its defaults
permit Specify packets to forward
Lab_A(config-std-nacl)# deny 172.16.40.0 0.0.0.255
Lab_A(config-std-nacl)# permit any
Lab_A(config-std-nac# exit
Lab_A# sh running-config | begin ip access
ip access-list standard BlockSales
deny 172.16.40.0 0.0.0.255
permit any
!
Lab_A(config)# int fa0/1
Lab_A(config-if)# ip access-group BlockSales out
Lab_A# config t
Lab_A(config)# ip access-list extended 110
Lab_A(config-ext-nacl)# permit tcp host 192.168.177.2 host 172.22.89.26 eq 80
Lab_A(config-ext-nacl)# deny tcp any host 172.22.89.26 eq 80
Lab_A(config-ext-nacl)# permit ip any any
Lab_A(config-ext-nacl)# int fa0/1
Lab_A(config-if)# ip access-group 110 out
R2#config t
R2(config)#access-list 110 remark Permit Bob from Sales Only To Finance
R2(config)#access-list 110 permit ip host 172.16.40.1 172.16.50.0 0.0.0.255
R2(config)#access-list 110 deny ip 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255
R2(config)#ip access-list extended No_Telnet
R2(config-ext-nacl)#remark Deny all of Sales from Telnetting to Marketing
R2(config-ext-nacl)#deny tcp 172.16.40.0 0.0.0.255 172.16.60.0 0.0.0.255 eq 23
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#do show run
[output cut]
!
ip access-list extended No_Telnet
remark Stop all of Sales from Telnetting to Marketing
deny tcp 172.16.40.0 0.0.0.255 172.16.60.0 0.0.0.255 eq telnet
permit ip any any
!
access-list 110 remark Permit Bob from Sales Only To Finance
access-list 110 permit ip host 172.16.40.1 172.16.50.0 0.0.0.255
access-list 110 deny ip 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255
acc