Configuring Cisco access control lists. Configuring, Applying, and Validating an Extended Named ACL


Theoretical part.

An access control list (ACL) is a sequential list of rules used to allow or deny the flow of packets in a network, based on the information contained in the list. Without an access list, all packets are allowed without restriction to all parts of the network. Access lists can be used to control the distribution of routing information and to learn about changes in routing tables and, most importantly, to enforce security. A security policy in particular includes protection from external attacks, access restrictions between departments of the organization, and distribution of network load.

An access list lets you use the router as a firewall, to deny or restrict access to the internal network from an external network, for example the Internet. A firewall is typically placed at the connection point between two networks.

Standard ACL

When using standard ACLs, the only criterion for deciding whether a packet is permitted or denied is the source IP address of that packet. The format of an access list element is as follows

Router(config)# access-list No. permit | deny source-address source-mask

where No. is an integer, the access list number; source-address is the address of the packet source; source-mask is a mask in inverse form applied to the address; permit allows the packet to pass and deny blocks it. The number No. determines which access list an element belongs to. The first access-list command with a given number specifies the first element of that list, the second command the second element, and so on. The router processes each access list it holds element by element from top to bottom: if the source address of the packet, taking the mask into account, satisfies the condition of an element, the router does not process further elements of the list. Therefore, to avoid unnecessary processing, elements defining more general conditions should be placed at the beginning of the list. Multiple access lists can be defined on one router. A standard list number must be in the range 1 – 99. The mask in the access list is specified in inverse form; for example, the mask 255.255.0.0 becomes 0.0.255.255.

Cisco routers assume that all addresses not explicitly listed in the access list are denied. That is, there is an invisible element at the end of every access list

Router(config)# access-list No. deny 0.0.0.0 255.255.255.255

So, if we want to allow only traffic from address 1.1.1.1 and deny all other traffic, it is enough to place one element in the access list

Router(config)# access-list 77 permit 1.1.1.1 0.0.0.0

Here we assume that we have organized an access list with number 77.

Let's consider using standard access lists for a range of addresses, for example the range 10.3.16.0 – 10.3.31.255. To obtain the inverse mask, subtract the lower address from the upper one, which gives 0.0.15.255. A list element for this range (a standard list, so the number is taken from the range 1 – 99) can then be specified with the command

Router(config)# access-list 10 permit 10.3.16.0 0.0.15.255

For an access list to start doing its job, it must be applied to an interface with the command

Router(config-if)# ip access-group access-list-number in | out

An access list can be applied either as an inbound (in) or as an outbound (out) list. With an inbound list, the router receives a packet on the interface and checks the packet's source address against the elements of the list: it routes the packet toward the destination interface if the packet matches a permit element, or discards it if it matches a deny element. With an outbound list, the router receives the packet, routes it to the destination interface, and only then checks the packet's source address against the elements of the list bound to that interface; it then either lets the packet leave the interface or discards it, according to the permit and deny elements of the list. Thus, the previously created list 77 is applied to the Ethernet 0 interface of the router as an inbound list with the commands

Router(config)# int Ethernet 0

Router(config-if)# ip access-group 77 in

The same list is applied to the router's Ethernet 0 interface as an outbound list with the command

Router(config-if)# ip access-group 77 out

Remove the list from the interface with the no form of the command

Router(config-if)# no ip access-group 77 out

Let's start creating more complex access lists. Consider the network in Figure 1. We allow all packets coming from network 10.1.1.0/25 (10.1.1.0 255.255.255.128) but deny all packets coming from network 10.1.1.128/25 (10.1.1.128 255.255.255.128). We also want to deny all packets originating from the 15.1.1.0/24 network (15.1.1.0 255.255.255.0), except packets from the single host 15.1.1.5. All other packets are allowed. Let's give the list number 2. The sequence of commands that accomplishes the task is as follows

Router(config)# access-list 2 deny 10.1.1.128 0.0.0.127

Router(config)# access-list 2 permit 15.1.1.5 0.0.0.0

Router(config)# access-list 2 deny 15.1.1.0 0.0.0.255

Router(config)# access-list 2 permit 0.0.0.0 255.255.255.255

Note the absence of a permit element for the network 10.1.1.0 255.255.255.128. Its role is played by the last element, access-list 2 permit 0.0.0.0 255.255.255.255.

Let's verify that the list fulfils the task.

1. Allow all packets originating from network 10.1.1.0 255.255.255.128.

The last line of the access list satisfies this criterion. There is no need to permit this network explicitly, since no line of the list matches it except the final permit 0.0.0.0 255.255.255.255.

2. Deny all packets originating from network 10.1.1.128 255.255.255.128.

The first line of the list fulfils this criterion. Note the form of the inverse mask 0.0.0.127 for this network: it says that the last seven bits of the fourth octet, which are used for host addressing within the subnet, are not taken into account. The network mask 255.255.255.128 likewise says that the last seven bits of the fourth octet address hosts on this network.

3. Deny all packets originating from the network 15.1.1.0 255.255.255.0, with the exception of packets from a single host with the address 15.1.1.5

Figure 9.1.

This requirement is satisfied by the second and third lines of our access list. Note that the list does not implement the requirement in the order in which it was stated. Remember that the access list is processed from top to bottom and that processing of a packet stops at the first match. The requirement first says that all packets originating from network 15.1.1.0 255.255.255.0 are denied, and only then that packets from 15.1.1.5 are allowed. If we swapped the second and third commands defining the list, the entire network 15.1.1.0 would be denied before host 15.1.1.5 was allowed; that is, the address 15.1.1.5 would be denied immediately by the more general criterion deny 15.1.1.0 0.0.0.255.

4. Allow all other packets

The last command permits all addresses that did not match the first three commands.

Thus, we have the following sequence of actions to implement an access list.

1. Define access criteria and restrictions.

2. Implement them using the access-list commands, creating an access list with a specific number.

3. Apply the list to a specific interface either as inbound or outbound.
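As an added example (not part of the lab manual), the following Python model reproduces the standard-ACL semantics described above on list 2: inverse masks, top-down first-match processing, the invisible final deny, and the effect of swapping the second and third elements. The host addresses other than A, C and D and all function names are assumptions.

```python
"""Model of Cisco standard-ACL semantics: inverse (wildcard) masks, top-down first
match and the invisible 'deny 0.0.0.0 255.255.255.255' at the end of every list.
Constructed example; the ACL text below is the lab's list 2, the host addresses
other than A, C and D are constructed."""
import ipaddress
from dataclasses import dataclass


def ip_to_int(address: str) -> int:
    return int(ipaddress.IPv4Address(address))


def wildcard_for_range(low: str, high: str) -> str:
    """Inverse mask for an aligned address range, computed as the manual does:
    subtract the lower address from the upper one (10.3.16.0 - 10.3.31.255 -> 0.0.15.255)."""
    return str(ipaddress.IPv4Address(ip_to_int(high) - ip_to_int(low)))


def matches(address: str, base: str, wildcard: str) -> bool:
    """A bit set in the wildcard is 'don't care'; every other bit must equal the base."""
    return ((ip_to_int(address) ^ ip_to_int(base)) & ~ip_to_int(wildcard)) == 0


@dataclass
class Entry:
    action: str      # 'permit' or 'deny'
    base: str        # source-address
    wildcard: str    # source-mask in inverse form


def parse_standard_acl(config_lines):
    """Parse 'access-list N permit|deny source [wildcard]' lines (a leading
    'Router(config)#' prompt is ignored) into {list_number: [Entry, ...]}."""
    acls = {}
    for line in config_lines:
        tokens = line.split()
        if tokens and tokens[0].endswith("#"):      # drop the CLI prompt
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not a standard ACL element: {line!r}")
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if not 1 <= number <= 99:
            raise ValueError(f"standard list number must be 1-99: {number}")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if rest[0] == "host":                       # 'host X' == 'X 0.0.0.0'
            base, wildcard = rest[1], "0.0.0.0"
        elif rest[0] == "any":                      # 'any' == '0.0.0.0 255.255.255.255'
            base, wildcard = "0.0.0.0", "255.255.255.255"
        else:                                       # mask is optional: omitted means exact host
            base = rest[0]
            wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
        acls.setdefault(number, []).append(Entry(action, base, wildcard))
    return acls


def evaluate(entries, source):
    """Top-down, first match wins. Returns (action, 1-based element index);
    index None means the invisible trailing deny caught the packet."""
    for index, entry in enumerate(entries, start=1):
        if matches(source, entry.base, entry.wildcard):
            return entry.action, index
    return "deny", None


# The lab's access list 2, exactly as typed on the router.
LIST_2 = [
    "Router(config)# access-list 2 deny 10.1.1.128 0.0.0.127",
    "Router(config)# access-list 2 permit 15.1.1.5 0.0.0.0",
    "Router(config)# access-list 2 deny 15.1.1.0 0.0.0.255",
    "Router(config)# access-list 2 permit 0.0.0.0 255.255.255.255",
]

# Source hosts: A, C and D are the manual's addresses; PC5 is a constructed
# representative of 15.1.1.0/24 other than C.
HOSTS = {"A": "1.1.1.2", "C": "15.1.1.5", "D": "10.1.1.133", "PC5": "15.1.1.7"}


def decisions(entries, hosts=HOSTS):
    """Decision of the list for traffic sourced by each host."""
    return {name: evaluate(entries, addr)[0] for name, addr in hosts.items()}


def swap_elements(entries, i, j):
    """Return a copy of the list with elements i and j (1-based) exchanged."""
    copy = list(entries)
    copy[i - 1], copy[j - 1] = copy[j - 1], copy[i - 1]
    return copy


if __name__ == "__main__":
    acl = parse_standard_acl(LIST_2)[2]
    print("range 10.3.16.0-10.3.31.255 ->", wildcard_for_range("10.3.16.0", "10.3.31.255"))
    print("list 2 as written:", decisions(acl))
    # Putting the general 'deny 15.1.1.0 0.0.0.255' before the specific permit
    # for host 15.1.1.5 makes the specific element unreachable.
    print("elements 2 and 3 swapped:", decisions(swap_elements(acl, 2, 3)))
```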

Let's focus on the last point. In general, a standard access list should be placed as close as possible to the destination rather than to the source of the packets, although there may be exceptions. Since a standard access list works only with source addresses, fine-grained configuration is not always possible, and care is needed to avoid unwanted restrictions. If the list is placed close to the source of the packets, it is very likely that access to devices for which no restriction was intended will also be blocked.

Let's specify the security policy for the network in Figure 1. Our goal is a policy for computer A (address 1.1.1.2, network 1.1.1.0/24) under which, of all devices on the local network 15.1.1.0/24 (which includes computer C, 15.1.1.5), only computer C itself may access computer A. We also want a policy that forbids remote access to computer A from any device on the local network 10.1.1.128/25 of computer D (10.1.1.133). All other traffic is allowed. In Figure 1, computer PC5 (15.1.1.5) plays the role of an arbitrary representative of the local network 15.1.1.0/24 other than computer C.

Placement is critical to implementing such a policy. Take the previously created list number 2. If we apply it as an outbound list on the serial interface of router 2, the task for computer A is accomplished, but traffic between the other local networks is restricted as well. We get a similar situation if we apply the list as an inbound list on the serial interface of router 1. If we apply the list as an outbound list on the Ethernet interface of router 1 that faces computer A, the task is accomplished without side effects.

Extended ACLs

With a standard ACL you can specify only the source address, and the mask is optional. In an extended ACL you must specify both the source and the destination address, each with a mask, and you can add protocol information for the source and destination: for TCP and UDP a port number, for ICMP a message type. As with standard ACLs, the log option logs matches.

General form of the command that creates an access list element

access-list access-list-number (permit | deny) protocol source source-wildcard [operator source-port] destination destination-wildcard [operator destination-port] [log]

where access-list-number is 100–199 or 2000–2699; protocol is one of ip, icmp, tcp, gre, udp, igrp, eigrp, igmp, ipinip, nos and ospf. For source-port or destination-port you can use the port number or its name: bgp, chargen, daytime, discard, domain, echo, finger, ftp, ftp-data, gopher, hostname, irc, klogin, kshell, lpd, nntp, pop2, pop3, smtp, sunrpc, syslog, tacacs-ds, talk, telnet, time, uucp, whois and www. operator is eq (equal), neq (not equal), gt (greater than), lt (less than) or range (two ports are given to define a range).

As with standard ACLs, an extended ACL must be bound to an interface, either for traffic entering the interface

Router(config-if)# ip access-group ACL-number in

or for traffic leaving the interface

Router(config-if)# ip access-group ACL-number out

where ACL-number is the list number.

Examples of extended ACL elements

Allow SMTP from everywhere to host

Router(config)# access-list 111 permit tcp any host 172.17.11.19 eq 25

Allow telnet from anywhere to host

Router(config)# access-list 111 permit tcp any host 172.17.11.19 eq 23

An extended ACL allows you to fine-tune access rights.

Named ACLs

Named ACLs are referred to by name rather than by number, which makes them clearer and easier to use. To create a named ACL there is a command

Router(config)# ip access-list extended ACL_name

Router(config-ext-nacl)# permit|deny IP_protocol source_IP_address wildcard_mask destination_IP_address wildcard_mask

To complete the creation of the list, issue the exit command.

The name of a named list is case sensitive. The entries of a named list are similar to those of a numbered list, but the creation process differs: the ip keyword precedes the main ACL statement and takes you into the configuration mode of that named list. In this mode each line starts with the keyword permit or deny; access-list is not typed at the beginning of each line.

Binding named ACLs to an interface is done with the command

Router(config)# interface type port_number

Router(config-if)# ip access-group ACL_name in|out

ACLs are processed from top to bottom, so the most frequently matched traffic should be handled at the top of the list. As soon as a packet being checked matches an element of the list, processing of that packet stops. Standard ACLs should be placed closer to the destination whose traffic needs to be filtered. Outbound extended ACLs should be placed as close as possible to the source of the packets being filtered, and inbound ACLs closer to the destination whose traffic is to be filtered.

Named ACLs can be edited in place. To do this, type the command that was used to create the list

Router(config)# ip access-list extended ACL_name

Use the vertical arrow keys to find the line of the list you want to change and edit it with the horizontal arrow keys, then press Enter. The new line is added to the end of the list; the old one is not removed. To remove it, enter no at the beginning of the line.

To edit a numbered ACL you must delete it and create it again, or edit the list offline and load it into the device.

Practical part.

1. Let's load the topology shown in Figure 2 into the simulator.

Figure 9.2.

Let's assign addresses to the interfaces (mask 255.255.255.240) according to the table. Don't forget to configure the clock rate (synchronization) on the DCE side of the serial connection.

Interface   Router2      Router1      Router4
Ethernet    24.17.2.2    24.17.2.1    -
Serial      -            24.17.2.17   24.17.2.18

Let's configure RIP routing

Router1(config)# router rip

Router1(config-router)# version 2

Router1(config-router)# network 24.0.0.0

Router2(config)# router rip

Router2(config-router)# version 2

Router2(config-router)# network 24.0.0.0

Router4(config)# router rip

Router4(config-router)# version 2

Router4(config-router)# network 24.0.0.0

Check the network with ping commands, in particular that you can ping the Ethernet0 interface (24.17.2.2) of Router 2 from Router 4

Router4# ping 24.17.2.2

Let's create a standard access list that will not allow router 2 to be pinged from router 4. To do this, we block the single address 24.17.2.18 of router 4 and allow the rest of the traffic. We create the list on router 2 with the commands

Router2(config)# access-list 1 deny 24.17.2.18 0.0.0.0

Router2(config)# access-list 1 permit 0.0.0.0 255.255.255.255

Router2(config)# interface FastEthernet0/0

Router2(config-if)# ip access-group 1 in

Let's check that the access list is running. To do this, let's look at the working configuration

Router2# show running-config

We can also see the list applied to an interface with the “show ip interface” command. Find the line “Inbound access list is 1” in the output.

Router2# show ip interface

The “show access-lists” command will show us the contents of the created access list.

Router2# show access-lists

Note that host 24.17.2.18 is equivalent to 24.17.2.18 0.0.0.0. Now, when trying to ping the Ethernet0 interface (24.17.2.2) of router 2 from router 4

Router4# ping 24.17.2.2

We get the string “UUUUU”, which means that the access list is working correctly.

2. Let's create and load the topology in Figure 3 into the simulator.

Figure 9.3.

Assign addresses to the interfaces (mask 255.255.255.0) according to the table

Router2 Router1 Router3 Router4
Ethernet 0 160.10.1.2 160.10.1.1 175.10.1.2 180.10.1.2
Ethernet 1 175.10.1.1 180.10.1.1

Let's configure OSPF routing

Router1(config)# router ospf 1

Router1(config-router)#

Router1(config-router)#

Router2(config)# router ospf 1

Router2(config-router)# network 160.10.1.0 0.0.0.255 area 0

Router3(config)# router ospf 1

Router3(config-router)# network 175.10.1.0 0.0.0.255 area 0

Router3(config-router)#

Router4(config)# router ospf 1

Router4(config-router)# network 180.10.1.0 0.0.0.255 area 0

To check, ping between the end points

router2#ping 180.10.1.2

router4#ping 160.10.1.2

Let's create a standard access list that filters traffic arriving on the Ethernet interface of router 1 (FastEthernet1/0 in the simulator): it allows traffic from the 175.10.1.0 subnet (router3) and blocks traffic from other devices.

router1(config)# access-list 1 permit 175.10.1.0 0.0.0.255

Check that it has been created

router1# show access-list

router1(config)# interface FastEthernet1/0

router1(config-if)# ip access-group 1 in

router1# show running-config

Check the connection between routers 3 and 2 and between routers 4 and 2.

router3# ping 160.10.1.2

router4# ping 160.10.1.2

There should be a connection between routers 3 and 2, but not between routers 4 and 2.

Let's change the access list so that traffic from the 180.10.1.0 subnet (router4) is allowed and traffic from other devices is blocked. The new rules are entered as list 2.

router1(config)# no access-list 2

router1(config)# access-list 2 permit 180.10.1.0 0.0.0.255

Check that it has changed

router1# show access-list

Attach the list as an input list to the same Ethernet interface; it replaces list 1 there

router1(config)# interface FastEthernet1/0

router1(config-if)# ip access-group 2 in

Check the binding with the command

router1# show running-config

Check the connection between routers 3 and 2 and between routers 4 and 2.

router3# ping 160.10.1.2

router4# ping 160.10.1.2

There should be a connection between routers 4 and 2, but not between routers 3 and 2.

3. Implement and verify the IP configuration for the network in Figure 1 and use OSPF to implement dynamic routing.

For router 1

router1(config)# router ospf 1

router1(config-router)#

router1(config-router)# network 1.1.1.0 0.0.0.255 area 0

router1(config-router)# network 10.1.1.0 0.0.0.127 area 0

For router 2

Router2(config)# router ospf 1

Router2(config-router)# network 10.1.1.128 0.0.0.127 area 0

Router2(config-router)# network 15.1.1.0 0.0.0.255 area 0

Router2(config-router)# network 2.2.2.0 0.0.0.255 area 0

Check the network functionality: every interface must be pingable from every device. Or, more simply, all computers A, B, C, D and PC5 must be able to ping each other.

Let's create an access list from the theoretical part

3.1 On router 1 create an access list

router1(config)# access-list 2 deny 10.1.1.128 0.0.0.127

router1(config)# access-list 2 permit host 15.1.1.5

router1(config)# access-list 2 deny 15.1.1.0 0.0.0.255

router1(config)# access-list 2 permit 0.0.0.0 255.255.255.255

and apply it to the Ethernet0 interface as an outbound list

router1(config)# interface FastEthernet0/0

router1(config-if)# ip access-group 2 out

Create a screenshot of the command execution result

router1# show access-list

From\To   A   B   C   E   D
A         +   +   +   -   -
B         +   +   +   +   +
C         +   +   +   +   +
E         -   +   +   +   +
D         -   +   +   +   +

Table 1 (E denotes PC5)

We see that the security policy from the theoretical part has been fully implemented.

3.2 Remove the ACL from interface e0 and apply it as input to interface s0

router1(config)# interface fa0/0

router1(config-if)# no ip access-group 2 out

router1(config-if)# int s2/0

router1(config-if)# ip access-group 2 in

We ping A, B, C, PC5 and D in pairs. The result should be the following access matrix

From\To   A   B   C   E   D
A         +   +   +   -   -
B         +   +   +   -   -
C         +   +   +   +   +
E         -   -   +   +   +
D         -   -   +   +   +

Table 2 (E denotes PC5)

We see that now traffic between networks 10.1.1.0/25 and 10.1.1.128/25 is prohibited. Traffic is also not possible between network 10.1.1.0/25 and network 15.1.1.0/24, with the exception of computer C with address 15.1.1.5.

4. We use the topology and configuration of point 1 of this laboratory work

Cancel the access configuration made in step 1

Router2(config)# no access-list 1 deny 24.17.2.18 0.0.0.0

Router2(config)# no access-list 1 permit 0.0.0.0 255.255.255.255

Let's remove the list from the Ethernet interface of router 2

Router2(config)# interface fa0/0

Router2(config-if)# no ip access-group 1 in

Let's allow telnet access to router1 on its two interfaces with the password router1

Router1(config)# line vty 0 4

Router1(config-line)# login

Router1(config-line)# password router1

Our EACLs will do a couple of different things. First, we allow Telnet to router1 only from the serial connection subnet 24.17.2.16/28 (mask 255.255.255.240)

router1(config)# access-list 101 permit tcp 24.17.2.16 0.0.0.15 any eq telnet log

The log option makes the router print a message whenever this access list element is triggered.

Let's allow all traffic from the Ethernet 0 subnet 24.17.2.0/28 (mask 255.255.255.240) on router1

router1(config)# access-list 102 permit ip 24.17.2.0 0.0.0.15 any

Let's check that the lists were created

router1# show access-list

Now let's apply the lists to the interfaces for incoming packets

router1(config)# interface Serial2/0

router1(config-if)# ip access-group 101 in

router1(config-if)# interface fa0/0

router1(config-if)# ip access-group 102 in

To check that EACLs are present on interfaces, use the command

router1# show running-config

router1# show ip interface

Let's check that the EACLs work. Connect to router4 and try (unsuccessfully) to ping the Serial2/0 interface of router1

router4# ping 24.17.2.17

EACL 101 blocked the ping, but it must allow Telnet

router4# telnet 24.17.2.17

Success. Enter the password router1. The router4# prompt changes to router1>. Pressing Ctrl-Shift-6 and then 6 returns us to router4. The log on router1 will show that EACL 101 was triggered

Let's look at the session number and kill the telnet connection

router4# show session

router4# disconnect 1

Let's connect to router2 and see whether we can ping the Serial0 interface of router4.

Router2# ping 24.17.2.18

Why did it fail? The packet starts at Router2, passes through Router1 (the log will show that EACL 102 was triggered on router1) and reaches Router4. Router4 builds the reply and sends it back to Router1: in the reply the source address becomes the destination address and the destination address becomes the source address. When this packet arrives on the Serial0 interface of router1 it is rejected, since its source address is the address of the Serial0 interface of router4 (24.17.2.18) and only TCP is allowed there.

Let's connect to router2 and see whether we can ping the Ethernet0 interface of router1.

router2# ping 24.17.2.1

Success. The same for Telnet

router2# telnet 24.17.2.1

The EACLs work. The log will show that EACL 102 was triggered on router1.

Note that the log also constantly shows RIP updates
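As an added example (not part of the lab manual), this Python model applies lists 101 and 102 from step 4 per interface and direction, to show why Telnet from router4 succeeds while a ping from router2 to router4 fails on the return path. The entry and packet structures and the function names are assumptions; the rule parameters are taken from the commands above.

```python
"""Extended-ACL filtering per interface and direction, modelling step 4 of the lab: list 101
(Telnet only) inbound on Serial2/0 and list 102 (all IP from the Ethernet subnet) inbound on
FastEthernet0/0 of router1. Constructed example; entries mirror the manual's commands."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(address, base, wildcard):
    """Wildcard bits set to 1 are ignored; all other bits must equal the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    return ((a ^ b) & ~w) == 0


@dataclass
class ExtEntry:
    action: str                      # permit | deny
    protocol: str                    # ip | tcp | udp | icmp ('ip' matches every protocol)
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    operator: Optional[str] = None   # eq | neq | gt | lt | range, on the destination port
    ports: tuple = ()
    log: bool = False


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None   # only tcp/udp carry a port


def port_matches(operator, ports, value):
    if operator is None:
        return True                  # the entry does not look at ports
    if value is None:
        return False                 # a port condition never matches a portless (ICMP) packet
    checks = {"eq": value == ports[0], "neq": value != ports[0], "gt": value > ports[0],
              "lt": value < ports[0], "range": ports[0] <= value <= ports[-1]}
    return checks[operator]


def entry_matches(entry, pkt):
    if entry.protocol != "ip" and entry.protocol != pkt.protocol:
        return False
    return (wildcard_match(pkt.src, entry.src, entry.src_wildcard)
            and wildcard_match(pkt.dst, entry.dst, entry.dst_wildcard)
            and port_matches(entry.operator, entry.ports, pkt.dst_port))


def evaluate(entries, pkt):
    """Top-down first match; implicit 'deny ip any any' at the end. Returns (action, entry|None)."""
    for entry in entries:
        if entry_matches(entry, pkt):
            return entry.action, entry
    return "deny", None


LOG = []   # messages that entries carrying the log keyword would produce


def passes(bindings, interface, direction, pkt):
    """bindings maps (interface, direction) to an entry list, like 'ip access-group' does."""
    entries = bindings.get((interface, direction))
    if entries is None:
        return True                  # no list bound in that direction: nothing is filtered
    action, entry = evaluate(entries, pkt)
    if entry is not None and entry.log:
        LOG.append(f"list {action} {pkt.protocol} {pkt.src} -> {pkt.dst} ({interface} {direction})")
    return action == "permit"


ANY = ("0.0.0.0", "255.255.255.255")
# access-list 101 permit tcp 24.17.2.16 0.0.0.15 any eq telnet log   (telnet = TCP port 23)
ACL_101 = [ExtEntry("permit", "tcp", "24.17.2.16", "0.0.0.15", *ANY, "eq", (23,), log=True)]
# access-list 102 permit ip 24.17.2.0 0.0.0.15 any
ACL_102 = [ExtEntry("permit", "ip", "24.17.2.0", "0.0.0.15", *ANY)]
ROUTER1 = {("Serial2/0", "in"): ACL_101, ("FastEthernet0/0", "in"): ACL_102}


def ping_router2_to_router4(bindings=ROUTER1):
    """Echo request enters fa0/0 (list 102 permits it); the echo reply comes back into
    Serial2/0, where list 101 allows only TCP port 23, so the reply is dropped."""
    request = Packet("icmp", "24.17.2.2", "24.17.2.18")
    reply = Packet("icmp", "24.17.2.18", "24.17.2.2")
    return (passes(bindings, "FastEthernet0/0", "in", request),
            passes(bindings, "Serial2/0", "in", reply))


def router4_to_router1(bindings=ROUTER1):
    """From router4, ping to the Serial2/0 address is dropped but Telnet to it is permitted."""
    ping = Packet("icmp", "24.17.2.18", "24.17.2.17")
    telnet = Packet("tcp", "24.17.2.18", "24.17.2.17", dst_port=23)
    return passes(bindings, "Serial2/0", "in", ping), passes(bindings, "Serial2/0", "in", telnet)
```

Calling ping_router2_to_router4() returns (True, False) and router4_to_router1() returns (False, True); afterwards LOG holds the single message that list 101 would log for the permitted Telnet.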

5. Named ACLs

Let's remove the EACL bindings from the interfaces of router1

router1(config)# interface Serial0

router1(config-if)# no ip access-group 101 in

router1(config-if)# interface Ethernet0

router1(config-if)# no ip access-group 102 in

and delete the EACLs on router1

router1(config)# no access-list 101

router1(config)# no access-list 102

Let's set the task to prohibit only pings from router4 to router2 throughout the network. The access list can be located on both router1 and router2. Although it is recommended to place the ACL closer to the source (to reduce traffic), in this example we will place a named list called deny_ping on router2.

router2(config)# ip access-list extended deny_ping

router2(config-ext-nacl)# deny icmp 24.17.2.18 0.0.0.0 24.17.2.2 0.0.0.0 log

router2(config-ext-nacl)# permit ip any any log

The first command specifies that we are creating a named extended access list called deny_ping. The second command specifies the prohibition of ICMP traffic with a source address strictly 24.17.2.18 and a destination address strictly 24.17.2.2. The third command allows the remaining IP traffic.

Let's check the creation of the list

router2# show access-list

Everything is correct, we see in the first line just another form of the command deny icmp 24.17.2.18 0.0.0.0 24.17.2.2 0.0.0.0 log.

Let's apply the list to the inbound traffic of the Ethernet0 interface on router2

Router2(config)# interface Ethernet0

Router2(config-if)# ip access-group deny_ping in

Let's connect to router4 and ping router2

router4# ping 24.17.2.2

Failure. Let's connect to router1 and ping router2

Router1# ping 24.17.2.2

Success. Let's connect to router2 and look at the two separate log messages: the first about the denied ping from router4 and the second about the permitted ping from router1

6. Let's consider more complex cases of extended access lists. Let's create the topology

Figure 9.4.

Use 1912 switches. Router1 is an 805 model, Router2 a 1605 model.

Assign IP addresses to routers

We configure RIP on Router1 and Router2

Router(config)# router rip

Router(config-router)# network 1.0.0.0

The interfaces of all devices must be pingable from all devices.

6.1. Network-to-network access list.

Let's create a list that allows traffic from the local network of computers PC4 and PC5 to the local network of computer PC1 and denies traffic from the local network of computers PC2 and PC3 to the local network of computer PC1. Since this traffic comes from router2 to router1, the access list should be placed on the Serial2/0 interface of router1 for incoming traffic

Router1(config)# access-list 100 permit ip 1.1.1.0 0.0.0.127 1.1.3.0 0.0.0.255 log

Router1(config)# access-list 100 permit ip 1.1.2.0 0.0.0.255 any log

The first command directly solves the problem; the second lets RIP updates through. Let's check the creation

Router1# show access-list

Let's apply the access list to the interface.

Router1(config)# interface Serial2/0

Router1(config-if)# ip access-group 100 in

To test the access list, try to ping PC1 from PC2, PC3, PC4 and PC5.

PC# Ping 1.1.3.2

For PC2 and PC3 there will be no pings. For PC4 and PC5 pings will work. The access list works. Look at the logs on router1

6.2. Host-to-host access list.

Let's create an access list on router2 that blocks access to PC5 only from PC2. Access attempts can be monitored with the logs on router2.

Router2(config)# access-list 101 deny ip 1.1.1.130 0.0.0.0 1.1.1.3 0.0.0.0 log

Router2(config)# access-list 101 permit ip any any

Let's check the creation

Router2# show access-list

Let's apply the access list to the FastEthernet interface of router2

Router2(config)# interface FastEthernet0/0

Router2(config-if)# ip access-group 101 in

Connect to PC2 and check that you cannot ping PC5

PC2# Ping 1.1.1.3

A log message appears on router2

Connect to PC3 and check that you can ping PC5.

PC3# Ping 1.1.1.3

A log message appears on router2

6.3. Host-network access list.

First, let's remove previous access lists from the Router1 and Router2 interfaces.

Router1(config)# interface Serial2/0

Router1(config-if)# no ip access-group 100 in

Router2(config)# interface FastEthernet0/0

Router2(config-if)# no ip access-group 101 in

Let's create an extended access list that blocks all traffic to PC1 from the local network of computers PC2 and PC3. Since we are blocking all traffic, we will use the IP protocol.

Router2(config)# access-list 102 deny ip 1.1.1.128 0.0.0.127 1.1.3.2 0.0.0.0 log

Router2(config)# access-list 102 permit ip any any

Let's check the creation

Router2# show access-list

Apply the list to outgoing traffic on the Serial2/0 interface of Router2

Router2(config)# interface Serial2/0

Router2(config-if)# ip access-group 102 out

To check the list, try to ping PC1 (1.1.3.2) from PC2 and PC3. The pings will not go through. For some reason the simulator does not produce a log on the Router2 console, but you can see the effect with the show access-lists command: after each unsuccessful ping the number of matched packets on the deny element increases.

Control questions

1. What is an ACL?

2. Which address is the criterion for allowing/denying a packet?

3. Where are ACLs used?

4. How to set an ACL element and what is an inverse mask?

5. How does the router handle ACL elements?

6. Which element is always implicit in an ACL?

7. How to apply an ACL to an interface and then cancel it?

8. What is the difference between an input ACL and an output ACL?

10. What three commands can you use to check the contents of an ACL and its binding to an interface?

11. What do extended ACLs filter?

12. What additional functionality do extended ACLs have over standard ACLs?

13. Is it possible to restrict traffic to a specific TCP/IP service using extended ACLs?

14. Describe the procedure for creating a named ACL.

15. How to edit a specific line in a numeric ACL?

16. How to edit a specific line in a named ACL?

17. What is the difference between the command formats for entering numeric and named ACL elements?


Related information.


Let's look at creating and using access lists using the example of connecting a small office to the Internet through a Cisco 881 router. The commands for configuring routers of other series (1841, 2800, 3825...) or layer 3 switches (3500, 4800 series...) are similar; differences can only be in the interface settings.

We have at our disposal:

Task: restrict connections passing through the router.

Access lists are not in themselves rules that restrict access; their lines only identify specific traffic. Their effect appears when a reference to the access list is given in the settings of some router function.

The logic of the device is that we first show the router the traffic we are interested in and then tell the router what to do with it. For example, in one case the access list specifies the address from which remote access to the router over SSH is possible, and in another it specifies the routes to be advertised by a dynamic routing protocol.

Restricting remote access to the router

An example access list used to limit remote access to the router console to certain IP addresses, in our case the address of the administrator's workstation.
Creating the access list ACL_REMOTE_ACCESS
R-DELTACONFIG(config)#
ip access-list standard ACL_REMOTE_ACCESS
permit host 192.168.0.100

We bind the access list so that remote management of the router is allowed only from the address 192.168.0.100
R-DELTACONFIG(config)#
line vty 0 4
access-class ACL_REMOTE_ACCESS in

Important!
Be careful and check everything before applying this. A mistake here can only be corrected by connecting to the router locally or by resetting it to factory settings.

Internet access restriction

To restrict access from the office local network to the Internet, you need an appropriate access list and its binding to one of the router interfaces.
Let’s say that users’ access to the Internet must be restricted as follows:

Create the access list ACL_INSIDE_IN and enter the access rules in sequence:
R-DELTACONFIG(config)#
ip access-list extended ACL_INSIDE_IN

access to DNS servers on the Internet
permit udp host 192.168.0.201 any eq 53
permit tcp host 192.168.0.201 any eq 53

access to proxy servers on the Internet
permit tcp host 192.168.0.202 any eq 80
permit tcp host 192.168.0.202 any eq 443

full access for the administrator
permit ip host 192.168.0.100 any
ping allowed for the entire local network
permit icmp 192.168.0.0 0.0.0.255 any
deny all other connections
deny ip any any log

Important!
Pay attention to how the rule for the ICMP protocol (ping) is written. In access lists on Cisco routers the subnet mask is written in inverse form: not 255.255.255.0 but 0.0.0.255.

Then we bind the access list to the internal interface Vlan 1 in the direction “into the router” (parameter in). The binding direction is always considered relative to the Cisco device. For convenience, the interface and traffic direction are indicated in the name of the access list itself: ACL_INSIDE_IN is the filter for traffic entering the internal interface.
R-DELTACONFIG(config)#
interface Vlan 1
ip access-group ACL_INSIDE_IN in

From this moment on, access to the outside is governed by the applied access list, provided that address translation (NAT) is configured correctly. How this is done is described in the article about setting up Internet access through a Cisco router.

Checking the operation of the access list

You can check that the access list is working by looking at the hit counters of its rules. After binding ACL_INSIDE_IN to interface Vlan 1, run ping from any workstation on the network to any Internet address (for example, www.yandex.ru), then execute show access-lists from privileged mode (the # sign after the device name). The output shows how many packets matched each line of the access list; lines without hits are printed without a counter, and only the two relevant lines are reproduced here:
sh access-lists
Extended IP access list ACL_INSIDE_IN

60 permit icmp 192.168.0.0 0.0.0.255 any (4 matches)
70 deny ip any any log
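To make the first-match behaviour and the hit counters concrete, here is an added Python example; it is not code from the original article (IOS has no scripting equivalent for this). It parses the ACL_INSIDE_IN entries exactly as configured above, evaluates constructed packets against them with wildcard matching, first match wins and the implicit deny at the end, keeps a per-line counter and renders the result in the style of show access-lists. The workstation address 192.168.0.55 and the outside addresses in the 203.0.113.0/24 documentation range are constructed for the example; the ACL itself is the one configured above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ACL_INSIDE_IN entries exactly as configured above (comment lines omitted).
ACL_INSIDE_IN = """
permit udp host 192.168.0.201 any eq 53
permit tcp host 192.168.0.201 any eq 53
permit tcp host 192.168.0.202 any eq 80
permit tcp host 192.168.0.202 any eq 443
permit ip host 192.168.0.100 any
permit icmp 192.168.0.0 0.0.0.255 any
deny ip any any log
"""

AddrSpec = Tuple[int, int]  # (base address, wildcard mask), both as 32-bit integers


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]
    log: bool
    text: str
    matches: int = 0


def _addr(tokens: List[str]) -> AddrSpec:
    """Consume one address specification: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text: str) -> List[Ace]:
    """Build the entry list; sequence numbers are assigned in steps of 10 as IOS does."""
    aces = []
    for i, line in enumerate(l.strip() for l in text.strip().splitlines()):
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, dst = _addr(rest), _addr(rest)
        dport = None
        if rest and rest[0] == "eq":  # only 'eq <port>' on the destination is needed here
            dport = int(rest[1])
            rest = rest[2:]
        aces.append(Ace((i + 1) * 10, action, proto, src, dst, dport, "log" in rest, line))
    return aces


def _wild_match(addr: int, spec: AddrSpec) -> bool:
    """A 1 bit in the wildcard is 'don't care'; only the 0 bits must be equal."""
    base, wild = spec
    return (addr ^ base) & (~wild & 0xFFFFFFFF) == 0


def evaluate(aces: List[Ace], src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """First match wins and increments that line's counter, like show access-lists.
    A packet matching nothing hits the implicit deny, which has no counter and is not logged."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_wild_match(s, ace.src) and _wild_match(d, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.matches += 1
        return ace.action
    return "deny"


def show_access_lists(aces: List[Ace], name: str) -> str:
    lines = [f"Extended IP access list {name}"]
    for ace in aces:
        suffix = f" ({ace.matches} matches)" if ace.matches else ""
        lines.append(f"    {ace.seq} {ace.text}{suffix}")
    return "\n".join(lines)


def demo():
    aces = parse_acl(ACL_INSIDE_IN)
    for _ in range(4):  # four pings from a workstation, as in the output above
        evaluate(aces, "192.168.0.55", "203.0.113.10", "icmp")
    verdicts = {
        "dns udp/53 from the DNS server": evaluate(aces, "192.168.0.201", "203.0.113.53", "udp", 53),
        "https from the proxy": evaluate(aces, "192.168.0.202", "203.0.113.10", "tcp", 443),
        "ssh from the proxy": evaluate(aces, "192.168.0.202", "203.0.113.10", "tcp", 22),
        "ssh from the administrator": evaluate(aces, "192.168.0.100", "203.0.113.10", "tcp", 22),
        "https from a workstation": evaluate(aces, "192.168.0.55", "203.0.113.10", "tcp", 443),
    }
    # A permit entered after 'deny ip any any log' is unreachable: the deny matches first.
    late = parse_acl(ACL_INSIDE_IN + "permit tcp host 192.168.0.203 any eq 22\n")
    verdicts["ssh from .203 via a permit placed after the deny"] = evaluate(
        late, "192.168.0.203", "203.0.113.10", "tcp", 22)
    return aces, late, verdicts


if __name__ == "__main__":
    aces, late, verdicts = demo()
    print(show_access_lists(aces, "ACL_INSIDE_IN"))
    for k, v in verdicts.items():
        print(f"{v:6} {k}")
```

Running demo() shows line 60 with 4 matches and the two denied connections counted on line 70, which is the shape of the show access-lists output above; the entry appended after the deny line never matches, which is exactly why new permits must be inserted before it.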

Important aspects of using access lists

  • An access list consists of lines (rules), each of which describes specific traffic.
  • An access list bound to an interface restricts the packets that may pass through that interface.
  • An access list is bound to an interface in one direction: inbound or outbound.
  • An access list may match only the source of a connection (standard, as in the example of restricting SSH access) or both source and destination (extended, as in the example of restricting Internet access above).
  • Only one access list can be bound to an interface in a given direction (per protocol). All the rules needed for that interface and direction must be placed in that single list.

Restricting access from the Internet

Create the access list ACL_OUTSIDE_IN for the external interface. It only allows the external interface to respond to ping and rejects all other incoming connections. The destination of the ICMP rule is the address of the router's external interface, shown here as a placeholder to be replaced with the real address.
R-DELTACONFIG(config)#
ip access-list extended ACL_OUTSIDE_IN
! permit ping to the router's external address
permit icmp any host <external-interface-address>
! deny and log all other connections
deny ip any any log

We bind the access list to the external interface.
R-DELTACONFIG(config)#
interface FastEthernet 4
ip access-group ACL_OUTSIDE_IN in

Important!
Any new rules that may later be needed for access from inside or outside must be added to the corresponding access list BEFORE the line
deny ip any any log
A permit line that ends up after the deny line has no effect on traffic at all, because the router processes the lines of an access list sequentially and stops at the first match.
A convenient way to change a named access list is to enter the list, add all the required permit lines, then delete the last line (deny ip any any log) and immediately add it back. With this simple rule the deny line is always at the very end and the rules stay in the order in which they were added, top to bottom. Removing the explicit deny does not open the interface even for a moment: the implicit deny at the end of every access list still applies, and all that is lost meanwhile is the logging of denied packets. Alternatively, prefix the new entry with a sequence number smaller than that of the deny line to insert it in place. Keep in mind that a deny ... log line facing a flood of unwanted packets generates (rate-limited) syslog messages and costs CPU on a busy interface.
For clarity, let’s allow access to the router from the outside over HTTP (TCP port 80); the placeholder again stands for the address of the external interface. Exposing the router's HTTP management interface to the whole Internet is shown here only to illustrate the ordering; in practice restrict the source to known addresses and prefer HTTPS.
R-DELTACONFIG(config)#
ip access-list extended ACL_OUTSIDE_IN
permit tcp any host <external-interface-address> eq 80
no deny ip any any log
deny ip any any log

Allowing return traffic

After ACL_OUTSIDE_IN is bound, all access from the local network to outside resources over any protocol except ping stops working. The reason is that filtering is now applied on both the internal (ACL_INSIDE_IN) and the external (ACL_OUTSIDE_IN) interface, and ACL_OUTSIDE_IN drops the reply packets of sessions opened from the LAN. Ping still works because, after NAT, the echo replies are addressed to the external interface, which the icmp rule permits.
So that the reply packets of requests from the local network are let through, we list the protocols to be tracked by the stateful inspection function (ip inspect, also known as CBAC):
R-DELTACONFIG(config)#
ip inspect name Internet http
ip inspect name Internet https
ip inspect name Internet dns
ip inspect name Internet icmp

We bind the inspection rule to the external interface in the outbound direction: sessions leaving through FastEthernet 4 are inspected, and temporary openings for their return packets are created ahead of ACL_OUTSIDE_IN.
R-DELTACONFIG(config)#
interface FastEthernet 4
ip inspect Internet out

The list of inspected services can be extended later. Note that CBAC (ip inspect) is the legacy IOS firewall; on current IOS releases the same task is done with the Zone-Based Policy Firewall, but the principle, inspecting outgoing sessions in order to admit their return traffic, is the same.

I hope that the article will help you better understand how access lists work. Unfortunately, this fairly simple topic is very difficult to describe in simple language. If you have any questions or any point remains unclear, please write to me at [email protected] or leave your question in the comments.

Let's create a named ACL and write rules for it:

ip access-list extended HTTP_ONLY – create the list.

permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www – allow HTTP (www = TCP port 80) from the 172.22.34.96/28 network to the server.

permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62 – allow ICMP from that network (PC2) to the server. Everything else, including FTP, is dropped by the implicit deny at the end of the list.

interface gigabitEthernet 0/1

ip access-group HTTP_ONLY in – apply the list to the interface, inbound.

To check the applied list, send an echo request from PC2 to the server (Figure 4.4). Next, an FTP connection from PC2 to the server is attempted and fails (Figure 4.4). Then open a web browser on PC2 and enter the server's IP address as the URL; the connection should succeed (Figure 4.5).

Figure 4.4 – Echo request and FTP connection to the server from PC2

Figure 4.5 – Connecting to the server via a web browser


5 Configuring extended ACLs. Scenario 2

In this scenario, devices in one LAN are allowed remote access to devices in another LAN via the Telnet protocol. Apart from ICMP, all other traffic between the networks is prohibited. The network diagram is shown in Figure 5.1.

Figure 5.1 – Network diagram

We configure an extended numbered ACL with the following commands:

access-list 199 permit tcp 10.101.117.32 0.0.0.15 10.101.117.0 0.0.0.31 eq telnet – Telnet traffic from the 10.101.117.32/28 network is allowed to devices in the 10.101.117.0/27 network.

access-list 199 permit icmp any any – ICMP traffic is allowed from any device in any direction.

All other traffic is prohibited by the implicit deny at the end of the list. Note that with a numbered ACL, no access-list 199 removes the entire list rather than a single entry.

interface gigabitethernet0/2

ip access-group 199 out – apply the list to the interface, outbound.

To test the extended list, first send ping requests from PC-B to all other IP addresses on the network (Figure 5.2). Next, echo requests are sent from PC-A to all other IP addresses on the network (Figure 5.3).

Figure 5.2 – Echo requests from PC-B

Figure 5.3 – Echo requests from PC-A


6 Configuring extended ACLs. Scenario 3

In this scenario, specific devices in the LAN are allowed access to several services on servers located on the Internet. The network used is shown in Figure 6.1.

Figure 6.1 – Network diagram

You must use a single named ACL to implement the following rules:

1 Deny access via HTTP and HTTPS from PC1 to Server1 and Server2. These servers are located inside the cloud; only their IP addresses are known.

2 Block FTP access from PC2 to Server1 and Server2.

3 Block ICMP from PC3 to Server1 and Server2.

The extended named ACL was configured with the following commands:

ip access-list extended ACL – create the list.

deny tcp host 172.31.1.101 host 64.101.255.254 eq www – deny access from PC1 to Server1, HTTP only.

deny tcp host 172.31.1.101 host 64.101.255.254 eq 443 – deny access from PC1 to Server1, HTTPS only.

deny tcp host 172.31.1.101 host 64.103.255.254 eq www – deny access from PC1 to Server2, HTTP only.

deny tcp host 172.31.1.101 host 64.103.255.254 eq 443 – deny access from PC1 to Server2, HTTPS only.

deny tcp host 172.31.1.102 host 64.101.255.254 eq ftp – deny access from PC2 to Server1, FTP (TCP port 21) only.

deny tcp host 172.31.1.102 host 64.103.255.254 eq ftp – deny access from PC2 to Server2, FTP only.

deny icmp host 172.31.1.103 host 64.101.255.254 – deny ICMP from PC3 to Server1.

deny icmp host 172.31.1.103 host 64.103.255.254 – deny ICMP from PC3 to Server2.

permit ip any any – allow all other IP traffic; without this line the implicit deny would block everything.

interface gigabitEthernet 0/0

ip access-group ACL in – apply the list to the LAN interface, inbound, i.e. as close to the source as possible.

The extended ACL is checked as follows: access to the websites on Server1 and Server2 over HTTP and HTTPS is tested from the web browser on PC1 (Figure 6.2), then FTP access to Server1 and Server2 from PC1 (Figure 6.3), then echo requests to Server1 and Server2 from PC1 (Figure 6.4). PC2 and PC3 are checked in the same way. Successful access to the websites from PC2 and PC3 is shown in Figure 6.5, unsuccessful FTP access from PC2 in Figure 6.6, and failed pings from PC3 in Figure 6.7.

Figure 6.2 – Checking access via HTTP and HTTPS

Figure 6.3 - FTP access to Server1 and Server2 from PC1

Figure 6.4 - Pings to Server1 and Server2 from PC1

Figure 6.5 - Successful access to websites on servers from PC2 and PC3

Figure 6.6 - Unsuccessful FTP access to servers from PC2

Figure 6.7 - Failed echo requests from PC3 to servers


7 Development of complex practical skills

This advanced task requires you to complete the addressing scheme, configure routing, and apply named access control lists. The diagram of the network used is shown in Figure 7.1.

Figure 7.1 – Network diagram

During the laboratory work, the following requirements were met:

1 Network 172.16.128.0/19 is divided into two equal subnets (/20 each) for use on the Branch router. The last usable address of the second subnet is assigned to interface GigabitEthernet 0/0, the last usable address of the first subnet to interface GigabitEthernet 0/1. The documented addressing is given in Table 1.

Table 1 – Addressing table

Device             Interface        IP address       Subnet mask       Default gateway
Branch             G0/0             172.16.159.254   255.255.240.0     Not applicable
Branch             G0/1             172.16.143.254   255.255.240.0     Not applicable
Branch             S0/0/0           192.168.0.2      255.255.255.252   Not applicable
HQ1                Network adapter  172.16.64.1      255.255.192.0     172.16.127.254
HQ2                Network adapter  172.16.0.2       255.255.192.0     172.16.63.254
HQServer.pka       Network adapter  172.16.0.1       255.255.192.0     172.16.63.254
B1                 Network adapter  172.16.144.1     255.255.240.0     172.16.159.254
B2                 Network adapter  172.16.128.2     255.255.240.0     172.16.143.254
BranchServer.pka   Network adapter  172.16.128.1     255.255.240.0     172.16.143.254

Addresses are assigned to the interfaces with the following commands on the Branch router:

interface gigabitEthernet0/0

ip address 172.16.159.254 255.255.240.0

interface gigabitEthernet0/1

ip address 172.16.143.254 255.255.240.0

2 B1 is configured with the appropriate addressing; the first usable address of the network it is connected to (172.16.144.1) was used. The setup is shown in Figure 7.2.

Figure 7.2 – Setting up addressing on B1

3 The Branch router was configured with Enhanced Interior Gateway Routing Protocol (EIGRP) according to the following criteria:

a) all three directly connected networks are advertised;

b) automatic summarization is disabled;

c) the LAN interfaces are configured as passive;

d) 172.16.128.0/19 is summarized on serial interface Serial 0/0/0 with administrative distance 5.

The setup was carried out with the following commands. The router eigrp 1 and no auto-summary lines implement criterion b and match the process number used by ip summary-address eigrp 1 below; the network statement for the serial link is 192.168.0.0 0.0.0.3, corresponding to the S0/0/0 address 192.168.0.2/30 in Table 1:

router eigrp 1

network 192.168.0.0 0.0.0.3

network 172.16.128.0 0.0.15.255

network 172.16.144.0 0.0.15.255

no auto-summary

passive-interface gigabitethernet0/0

passive-interface gigabitethernet0/1

interface serial0/0/0

ip summary-address eigrp 1 172.16.128.0 255.255.224.0 5

4 A default route was configured on the HQ router pointing out interface S0/0/1, and the static route was redistributed into EIGRP so that the Branch router learns it. The following commands were used:

ip route 0.0.0.0 0.0.0.0 serial0/0/1

router eigrp 1

redistribute static

5 The HQ LAN subnets (172.16.0.0/18 and 172.16.64.0/18) are summarized as 172.16.0.0/17 on serial interface Serial 0/0/0 with administrative distance 5 (5 is the default distance of the local Null0 summary route). Commands:

interface serial0/0/0

ip summary-address eigrp 1 172.16.0.0 255.255.128.0 5
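The subnetting in step 1 and the summarization in steps 3d and 5 can be checked mechanically rather than by hand. The following Python example is added here and is not part of the lab: it reproduces Table 1 as constructed data, splits the /19 as required, derives the interface addresses and the wildcard for the EIGRP network statements, computes the summary prefixes that the two ip summary-address commands advertise, and confirms that every host's default gateway lies inside the host's own subnet.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed from Table 1: device/interface -> (address, mask, default gateway or None)
TABLE_1: Dict[str, Tuple[str, str, Optional[str]]] = {
    "Branch G0/0": ("172.16.159.254", "255.255.240.0", None),
    "Branch G0/1": ("172.16.143.254", "255.255.240.0", None),
    "Branch S0/0/0": ("192.168.0.2", "255.255.255.252", None),
    "HQ1": ("172.16.64.1", "255.255.192.0", "172.16.127.254"),
    "HQ2": ("172.16.0.2", "255.255.192.0", "172.16.63.254"),
    "HQServer.pka": ("172.16.0.1", "255.255.192.0", "172.16.63.254"),
    "B1": ("172.16.144.1", "255.255.240.0", "172.16.159.254"),
    "B2": ("172.16.128.2", "255.255.240.0", "172.16.143.254"),
    "BranchServer.pka": ("172.16.128.1", "255.255.240.0", "172.16.143.254"),
}


def split_branch(block: str = "172.16.128.0/19") -> Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Step 1: split the branch block into two equal halves (/20 each)."""
    first, second = ipaddress.ip_network(block).subnets(prefixlen_diff=1)
    return first, second


def last_usable(net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """The address assigned to the router interfaces; net[-1] is the broadcast address."""
    return net[-2]


def wildcard(net: ipaddress.IPv4Network) -> str:
    """The wildcard (inverse mask) form used by the EIGRP network statements."""
    return str(net.hostmask)


def summary_for(prefixes: List[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix covering all the given networks: what ip summary-address advertises."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def gateway_errors(table=TABLE_1) -> List[str]:
    """Return the hosts whose default gateway is not inside their own subnet."""
    bad = []
    for name, (addr, mask, gw) in table.items():
        net = ipaddress.ip_interface(f"{addr}/{mask}").network
        if gw is not None and ipaddress.ip_address(gw) not in net:
            bad.append(name)
    return bad


if __name__ == "__main__":
    first, second = split_branch()
    print("G0/1:", last_usable(first), "G0/0:", last_usable(second))
    print("network", first.network_address, wildcard(first))
    print("Branch summary:", summary_for([str(first), str(second)]))
    print("HQ summary:", summary_for(["172.16.0.0/18", "172.16.64.0/18"]))
    print("gateway errors:", gateway_errors())
```

The two summaries come out as 172.16.128.0/19 (mask 255.255.224.0) and 172.16.0.0/17 (mask 255.255.128.0), the masks used in the two ip summary-address commands, and the gateway check returns an empty list for Table 1.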

6 A named access list HQServer was created to deny all computers connected to the GigabitEthernet 0/0 interface of the Branch router access to HQServer.pka. All other traffic is allowed. The list is configured on the Branch router and applied inbound on GigabitEthernet 0/0, i.e. as close to the source as an extended ACL should be. Commands:

ip access-list extended HQServer

deny ip any host 172.16.0.1

permit ip any any

interface gigabitethernet0/0

ip access-group HQServer in

7 A named access list BranchServer was created to deny all computers connected to the HQ router's GigabitEthernet 0/0 interface access to the HTTP and HTTPS services of BranchServer.pka. All other traffic is allowed. The list is configured on the HQ router and applied inbound on GigabitEthernet 0/0:

ip access-list extended BranchServer

deny tcp any host 172.16.128.1 eq 80

deny tcp any host 172.16.128.1 eq 443

permit ip any any

interface gigabitethernet0/0

ip access-group BranchServer in

For verification, echo requests were sent from B1 to HQServer.pka (unsuccessful, as expected, Figure 7.3). Web access to BranchServer.pka from HQ1 also fails (Figure 7.4).

Figure 7.3 - Echo request from B1 to HQServer.pka

Figure 7.4 - Web access to the BranchServer.pka server from HQ1


©2015-2019 site
All rights belong to their authors. This site does not claim authorship, but provides free use.
Page creation date: 2016-08-20

To filter packets, access control lists are configured on Cisco routers. An ACL is a set of filter rules that allow security to be tuned flexibly: the administrator chooses which incoming and outgoing traffic to pass or drop, using a large number of available criteria.

Now we will take a closer look at ACLs and learn how to configure them.

Introduction

So let's imagine that a small local network has been built and a Cisco router is used as the active equipment. A large amount of varied traffic passes through it, and the network engineer needs to filter it. This is where access control lists come in.

This is one of the main means of network security. The idea is to block or allow traffic to a specific network segment, or a specific type of traffic from a specific user.

ACLs are divided into standard and extended.

Key Features

  • Traffic can be filtered both on entry to and on exit from the selected interface
  • Traffic that must be allowed gets the permit action; traffic that must be discarded gets deny
  • If a packet matches none of the rules in the list, it is automatically denied (the implicit deny at the end of every ACL)

The figure below shows the packet filtering logic relative to the location of the ACL on the router.

Thus, when a packet arrives, the router compares its header fields with the rules of the ACL in order. At the first matching rule the configured action, permit or deny, is applied and processing stops. If no rule matches, the packet is dropped.

Standard ACLs

The configuration command on Cisco routers has the following syntax.

access-list list-number {deny | permit} source [source-wildcard] [log]

You can sequentially specify several rules for one ACL, indicating its number in the appropriate place.

note . Standard ACL numbering is available in the ranges 1-99 and 1300-1999.

Thus, the configuration procedure can be described as follows:

  1. Determining the location of the ACL - interface and data direction
  2. In global configuration mode, we specify rules using the access-list command. Use the help "?" to view the available options.
  3. In the interface configuration mode, we assign the corresponding list to it - ip access-group number (in | out)

Extended ACLs

This type of filtering checks traffic against a larger number of parameters: source and destination address, the IP protocol (ip, icmp, tcp, udp, ...), and TCP/UDP port numbers.

Settings

The general principle is unchanged. Define the interface and the traffic direction, then specify the list of filtering parameters. The list itself is created with the following commands (syntax as documented on cisco.com):

IP:   access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log]
ICMP: access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [log]
TCP:  access-list access-list-number {deny | permit} tcp source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
UDP:  access-list access-list-number {deny | permit} udp source source-wildcard [operator port] destination destination-wildcard [operator port] [log]


Conclusion

Cisco ACLs are a powerful tool for securing the network. Use them to filter your traffic, but remember how they behave: if the filtering parameters are specified incorrectly, the “correct” traffic may not reach its recipient.


Today I will tell you how to filter traffic on the network using access control lists. Let's look at how they work, what they are, and what they are intended for. Later I will show how they are configured in Cisco IOS and post an archive with laboratory work to consolidate your knowledge.

Introduction

ACL (Access Control List) is a set of text expressions that permit or deny something. Typically an ACL permits or denies IP packets, but it can also look inside an IP packet at the protocol type and the TCP and UDP ports. ACLs exist for various network protocols (IP, IPX, AppleTalk, and so on). Access lists are mostly discussed from the point of view of packet filtering: filtering is needed when you have equipment on the border between the Internet and your private network and want to drop unwanted traffic.
You place an ACL in the inbound direction and block the unwanted types of traffic.

Theory

The job of an ACL is to classify traffic: the traffic is first checked against the list, and then something is done with it depending on where the ACL is applied. ACLs are used in many places, for example:
  • On an interface: packet filtering
  • On the vty (Telnet/SSH) lines: restricting management access to the router
  • VPN: which traffic must be encrypted
  • QoS: which traffic should be processed with priority
  • NAT: which addresses to translate
To use ACLs for all of these you have to understand how they work, and we will start with packet filtering. For packet filtering, ACLs are applied on interfaces: the list is created separately and only then attached to the interface. As soon as it is attached, the router starts checking traffic. The router distinguishes incoming and outgoing traffic: traffic entering the router is incoming, traffic leaving it is outgoing, and an ACL is applied in the incoming or the outgoing direction accordingly.

A packet from your private network arrives at router interface fa0/1. The router checks whether an ACL is applied there; if so, the packet is processed according to the rules of the access list strictly in the order in which they are written. If the list permits the packet, the router forwards it towards the provider via interface fa0/0; if not, the packet is dropped. If there is no access list, the packet passes without restriction. Before sending the packet out, the router also checks interface fa0/0 for an outgoing ACL. The point is that an ACL can be attached to an interface as either incoming or outgoing. Suppose we have an ACL with a rule that forbids all Internet hosts from sending packets into our network.
Which interface should it be attached to? If we attach the ACL to fa0/1 as outgoing, it works, but it is not quite right: the router receives an echo request for some host on the private network, checks fa0/0 for an ACL, finds none, then checks fa0/1, finds the outgoing ACL there, and the packet is dropped without reaching the network, but only after the router has already routed it. If instead we attach the ACL to fa0/0 as incoming, the packet is dropped as soon as it arrives at the router. The second solution is the correct one, since it costs the router less processing. Extended ACLs should be placed as close to the source as possible, and standard ACLs as close to the destination as possible, so that packets are not carried across the network only to be dropped.

The ACL itself is a set of text expressions that say permit (allow) or deny (forbid), processed strictly in the order in which they are written. When a packet reaches the interface it is checked against the first condition; if it matches, processing stops and the packet is either forwarded or dropped.
If the first condition does not match, the second is checked, then the third, and so on until all conditions have been tried; if none matches, the packet is dropped. Remember: at the end of every list there is an implicit deny any (deny all traffic). Be very careful with these rules, because configuration errors here are very common.

ACLs are divided into two types:

  • Standard: can check only source addresses
  • Extended: can check source and destination addresses and, for IP, also the protocol type and TCP/UDP ports
Access lists are identified either by numbers or by names. ACLs also exist for different network protocols; we will work with IP. Numbered IP access lists are designated as follows:
  • Standard: 1 to 99 (and 1300 to 1999)
  • Extended: 100 to 199 (and 2000 to 2699)
Named ACLs are likewise standard or extended. Extended lists can check much more than standard ones, but they are slower, since the router has to look deeper into the packet than the source address field. Each entry of an access list gets a sequence number, by default in steps of ten (10, 20, 30, ...), which lets you delete a specific entry or insert one at a given position; this appeared in Cisco IOS 12.3, and before it you had to delete the whole ACL and recreate it. You cannot apply more than one access list per interface, per protocol, per direction: on a given interface only one IP access list, say number 10, can be applied in the incoming direction. Another rule: an ACL on an interface does not filter traffic generated by the router itself.
To match addresses, an ACL uses a wildcard mask, the inverse of the subnet mask: subtract the usual mask from 255.255.255.255.
255.255.255.255 - 255.255.255.0 = 0.0.0.255, so the subnet mask 255.255.255.0 corresponds to the wildcard mask 0.0.0.255. A 0 bit in the wildcard means the address bit must match; a 1 bit means it is ignored.
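As an added example (Python, not from the original article), the following functions implement the conversion just described and the matching rule that follows from it. They also show two things the subtraction rule alone does not: host and any are simply the wildcards 0.0.0.0 and 255.255.255.255, and IOS accepts non-contiguous wildcards, so a wildcard such as 0.0.254.255 matches every even-numbered /24 of a /16 in one entry, which is occasionally useful and occasionally an accident. The addresses used are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(mask: str) -> str:
    """255.255.255.255 minus the subnet mask, exactly the rule given in the text."""
    return _to_dotted(ALL_ONES - _to_int(mask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same thing from a /n prefix length: the low (32 - n) bits are 'don't care'."""
    return _to_dotted((1 << (32 - prefix_len)) - 1)


def mask_from_wildcard(wildcard: str) -> str:
    """The inverse conversion; only meaningful for a contiguous wildcard."""
    return _to_dotted(ALL_ONES - _to_int(wildcard))


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is 0...01...1, i.e. it corresponds to a real subnet mask.
    IOS accepts any bit pattern, so an arbitrary wildcard is legal but describes no subnet."""
    w = _to_int(wildcard)
    return (w + 1) & w == 0


def matches(addr: str, base: str, wildcard: str) -> bool:
    """ACE semantics: an address matches when it equals the base on every 0 bit of the wildcard.
    'host X' is X with wildcard 0.0.0.0; 'any' is 0.0.0.0 with wildcard 255.255.255.255."""
    care = ALL_ONES ^ _to_int(wildcard)
    return (_to_int(addr) ^ _to_int(base)) & care == 0


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"), wildcard_from_prefix(28), mask_from_wildcard("0.0.0.31"))
    # Non-contiguous wildcard: even third octets of 172.16.0.0/16 match, odd ones do not.
    print(is_contiguous("0.0.254.255"),
          matches("172.16.2.5", "172.16.0.0", "0.0.254.255"),
          matches("172.16.3.5", "172.16.0.0", "0.0.254.255"))
```

When reviewing an ACL, is_contiguous() is a quick way to flag entries whose wildcard was probably mistyped (for example 0.0.0.225 instead of 0.0.0.255), since a non-contiguous wildcard is almost never what the author intended.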
Types of ACLs
Dynamic ACL (lock-and-key)
Suppose a router is connected to a server and access to the server from the outside must be blocked, but a few people still need to reach it.
A dynamic access list is configured and applied in the inbound direction; a user who needs access first connects to the router by Telnet and authenticates, whereupon the dynamic ACL opens a path to the server for that user's address and the user can, say, log in to the server over HTTP. When the idle or absolute timeout configured for the dynamic entry expires, the opening closes and the user has to Telnet to the router again.
Reflexive ACL
Here the situation is a little different. When a host on the local network sends a TCP request to the Internet, there must be an opening for the TCP reply to come back, otherwise the connection cannot be established; yet a permanent opening could be used by an attacker to get into the network. A reflexive ACL works like this: inbound access is blocked completely (deny any), but a special ACL records the parameters of the sessions initiated from the local network and creates temporary entries that let their reply traffic through ahead of the deny any. Connections initiated from the Internet match no such entry and remain blocked, while replies to sessions opened from inside are admitted for the lifetime of the session.
Time-based ACL
A regular ACL with a time restriction: a schedule activates a particular access list entry. For example, we write an access list that denies HTTP access during the working day and apply it to the router interface: employees come to work and their HTTP access is denied; when the working day is over, HTTP access is opened,
and they can surf the Internet if they wish.

Settings

The ACLs themselves are created separately, that is, it is simply a list that is created in the global config, then it is assigned to the interface and only then does it start working. It is necessary to remember some points in order to properly configure access lists:
  • Processing is carried out strictly in the order in which the conditions are written
  • If the packet matches the condition, it is not processed further
  • At the end of each access list there is an implicit deny any (deny everything)
  • Extended ACLs should be placed as close to the source as possible, while standard ACLs should be placed as close to the recipient as possible.
  • You cannot place more than 1 access list per interface, per protocol, per direction
  • ACL does not affect traffic generated by the router itself
  • A WildCard mask is used to filter addresses
Standard access list
Router(config)# access-list <list number 1-99> {permit | deny | remark} {source source-wildcard | host source | any} [log]
  • permit: allow
  • deny: deny
  • remark: a comment in the access list
  • source source-wildcard: the network to allow or deny, with its wildcard mask
  • any: allow or deny everything
  • host: allow or deny a single host
  • log: log the packets that match this ACL entry
Extended access list
Router(config)# access-list <list number 100-199> {permit | deny | remark} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
  • protocol: the protocol to allow or deny (ip, icmp, tcp, udp, ospf, etc.)
  • source, destination: A.B.C.D with a wildcard mask, any (any host), or host A.B.C.D (a single host)
  • operator (TCP/UDP only):
    eq - only packets on this port
    gt - only packets with a higher port number
    lt - only packets with a lower port number
    neq - only packets not on this port number
    range - a range of ports
  • port: TCP or UDP port number; a well-known name (www, telnet, ftp, ...) may be used instead
  • established: allow TCP segments that belong to an already established TCP session (ACK or RST bit set); this checks flags only, keeps no state, and is not a substitute for a stateful firewall
  • log: log the packets that match this entry
Attaching to the interface
Router(config-if)# ip access-group <list number or ACL name> {in | out}
  • in: incoming direction
  • out: outgoing direction
Named access lists
Router(config)# ip access-list {standard | extended} {<ACL number> | <ACL name>}
Router(config-ext-nacl)# {default | deny | exit | no | permit | remark}
  • standard: standard ACL
  • extended: extended ACL
  • default: set a command to its default
Restricting access to the router
R(config)# line vty 0 4 - enter configuration mode for the virtual terminal lines.
R(config-line)# password <password>
R(config-line)# login
R(config-line)# access-class 21 in - set a login password and apply a standard access list (21, which must be defined beforehand with the permitted source addresses) to incoming connections on the lines.
Dynamic access lists

R3(config)# username Student password 0 cisco - create a user for the Telnet login.
R3(config)# access-list 101 permit tcp any host 10.2.2.2 eq telnet - allow any host to Telnet to the router (10.2.2.2) in order to authenticate.
R3(config)# access-list 101 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 - the dynamic entry: once activated it permits traffic from 192.168.10.0/24 to 192.168.30.0/24; 15 minutes is its absolute lifetime.
R3(config)# interface serial 0/0/1
R3(config-if)# ip access-group 101 in - apply ACL 101 to the interface in the incoming direction.
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# autocommand access-enable host timeout 5 - as soon as the user authenticates, the dynamic entry is activated for that user's host and the 192.168.30.0 network becomes reachable; after 5 minutes of inactivity the entry is removed.

Reflexive access lists

R2(config)# ip access-list extended OUTBOUNDFILTERS
R2(config-ext-nacl)# permit tcp 192.168.0.0 0.0.255.255 any reflect TCPTRAFFIC
R2(config-ext-nacl)# permit icmp 192.168.0.0 0.0.255.255 any reflect ICMPTRAFFIC - make the router record the sessions initiated from inside in the reflexive lists TCPTRAFFIC and ICMPTRAFFIC.
R2(config)# ip access-list extended INBOUNDFILTERS
R2(config-ext-nacl)# evaluate TCPTRAFFIC
R2(config-ext-nacl)# evaluate ICMPTRAFFIC - the inbound policy: incoming traffic is checked against the reflected entries, so only replies to sessions initiated from inside are admitted; everything else falls through to the implicit deny.
R2(config)# interface serial 0/1/0
R2(config-if)# ip access-group INBOUNDFILTERS in
R2(config-if)# ip access-group OUTBOUNDFILTERS out - apply the inbound and outbound ACLs to the interface.
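The following Python model is an added example (not from the article) of what the reflect/evaluate pair above does, and equally of the return-traffic problem that the first part of this page solves with ip inspect: an outbound packet from the inside prefix 192.168.0.0/16 records a mirrored flow entry, an inbound packet is admitted only if it matches an unexpired entry, and an idle timer (assumed here to be the IOS default reflexive timeout of 300 seconds) removes stale entries. The addresses, ports and timestamps in demo() are constructed; ICMP is simplified to a single identifier field in place of ports.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Pkt:
    """One packet as the ACL sees it. For ICMP, sport/dport carry the echo identifier
    (a constructed simplification; IOS keys ICMP entries on type and identifier, not ports)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveFilter:
    """Emulates the OUTBOUNDFILTERS/INBOUNDFILTERS pair above: an outbound
    'permit tcp|icmp <inside> any reflect NAME' records the mirrored flow, and the
    inbound 'evaluate NAME' permits only packets matching a recorded, unexpired flow."""

    def __init__(self, inside: str = "192.168.0.0/16", timeout: float = 300.0):
        self.inside = ipaddress.ip_network(inside)
        self.timeout = timeout
        self.reflected: Dict[Pkt, float] = {}  # mirrored flow -> time of last packet

    def outbound(self, p: Pkt, now: float) -> str:
        """ACL on the outside interface, direction out (OUTBOUNDFILTERS)."""
        if p.proto in ("tcp", "icmp") and ipaddress.ip_address(p.src) in self.inside:
            mirror = Pkt(p.proto, p.dst, p.dport, p.src, p.sport)  # reflect: swap the tuple
            self.reflected[mirror] = now
            return "permit"
        return "deny"  # implicit deny ip any any

    def inbound(self, p: Pkt, now: float) -> str:
        """ACL on the outside interface, direction in (INBOUNDFILTERS)."""
        self._expire(now)
        if p in self.reflected:  # evaluate NAME
            self.reflected[p] = now  # traffic on the session refreshes the idle timer
            return "permit"
        return "deny"  # anything not part of an inside-initiated session stays blocked

    def _expire(self, now: float) -> None:
        # IOS also removes a TCP entry shortly after seeing FIN/RST; that is not modelled here.
        self.reflected = {f: t for f, t in self.reflected.items() if now - t < self.timeout}


def demo() -> Dict[str, str]:
    fw = ReflexiveFilter()
    client, server, attacker = "192.168.10.5", "203.0.113.10", "198.51.100.7"  # constructed
    r = {}
    r["syn out"] = fw.outbound(Pkt("tcp", client, 51000, server, 443), now=0.0)
    r["syn-ack back"] = fw.inbound(Pkt("tcp", server, 443, client, 51000), now=0.1)
    r["unsolicited ssh"] = fw.inbound(Pkt("tcp", attacker, 40000, client, 22), now=0.2)
    r["spoofed source, wrong port"] = fw.inbound(Pkt("tcp", server, 443, client, 51001), now=0.3)
    r["echo reply without request"] = fw.inbound(Pkt("icmp", server, 7, client, 7), now=0.4)
    fw.outbound(Pkt("icmp", client, 7, server, 7), now=1.0)
    r["echo reply after request"] = fw.inbound(Pkt("icmp", server, 7, client, 7), now=1.5)
    r["tcp data after idle timeout"] = fw.inbound(Pkt("tcp", server, 443, client, 51000), now=301.1)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:6} {name}")
```

The model makes the security property explicit: nothing from the Internet is admitted unless an inside host asked for it first, and even then only for the exact mirrored 5-tuple and only while the session is alive. ip inspect (CBAC) achieves the same for the protocols it understands, with protocol awareness on top (for example tracking FTP data connections).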
Time-based access lists

R1(config)# time-range EVERYOTHERDAY
R1(config-time-range)# periodic Monday Wednesday Friday 8:00 to 17:00 - create a time range with the days of the week and the hours.
R1(config)# access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq telnet time-range EVERYOTHERDAY - attach the time range to the ACL entry; outside that range the entry is inactive.
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 101 out - apply the ACL to the interface.

Troubleshooting
R# show access-lists (ACL number | name) - show one access list.
R# show access-lists - show all access lists on the router.
Example
Router# show access-lists
Extended IP access list nick
    permit ip host 172.16.1.1 host 10.0.0.5
    deny ip any any (16 match(es))
Standard IP access list nick5
    permit 172.16.0.0 0.0.255.255

We see two ACLs, an extended one called nick and a standard one called nick5. The first list allows host 172.16.1.1 to reach host 10.0.0.5 over IP (that is, every protocol carried over IP is allowed); all other traffic is denied by the deny ip any any entry. Next to that entry the output shows (16 match(es)): 16 packets have matched it.
The second ACL allows traffic from any source in the 172.16.0.0/16 network.

Practice
I collected the Packet Tracer laboratory works from Chapter 5 of the CCNA 4 course on ACLs. If you wish to consolidate your knowledge in practice, please -

2024 gtavrl.ru.