Access control lists (ACL) on Cisco


In this article we will talk about access lists (access lists, ACL, NACL, access control list: all of these terms are synonyms, so don’t let the variety confuse you). For brevity, the rest of the article uses the term ACL.

This article covers the general principles of creating ACLs, applying ACLs to interfaces, and the commands for viewing ACLs. The creation of the specific ACL types is described in the articles “” and “”. In any case, I recommend starting with this article so that the terminology is clear.

So, ACL (access control list) is, strictly speaking, a mechanism for selecting some part from the entire traffic flow, according to specified criteria. For example, a lot of packets pass through the router, and this ACL selects from the set only those packets that come from the 192.168.1.0/24 subnet:

access-list 1 permit 192.168.1.0 0.0.0.255

What to do next with this traffic is still unknown. For example, traffic that falls under an ACL can be wrapped in a VPN tunnel, or subject to address translation (NAT). The CCNA course discusses two ways to use ACLs: the main one is traffic filtering, the second is the use of ACLs when configuring NAT. The following is important: it doesn’t matter where and for what purposes we use ACLs, the rules for writing ACLs do not change. In addition, if we just created an ACL, then it does not affect anything yet. An ACL is just a few non-working lines in the config until we apply it, for example, to an interface to filter traffic.

Access lists, or access control lists (ACL), come in several types on Cisco routers and switches. Access lists are used to filter traffic or to define classes of traffic to which policies are applied. An access list is a set of condition-action lines; each line is called an access control entry (ACE). The condition may be that the packet belongs to a specific protocol or matches a set of parameters. The action is either permit or deny. The following rules apply to access lists:

  • The created access list has no effect until it is applied to a specific interface.
  • The access list is applied on the interface in a specific direction - for outgoing or incoming traffic (inbound/outbound).
  • Only one access list per protocol (ip) and direction (in/out) can be applied to an interface.
  • The access list is checked line by line until the first match is found. The remaining lines are ignored.
  • At the end of any IP access list there is an implicit deny rule. A packet that does not match any condition in the list is discarded in accordance with the implicit deny rule.
  • It is recommended to indicate more specific rules at the beginning of the access list, and more general ones at the end.
  • New lines are appended to the end of the list by default.
  • A single line can be deleted from a named access list; other ACLs can only be deleted entirely.
  • The access list must have at least one permit, otherwise it will block all traffic.
  • An interface that is assigned a non-existent access list does not filter traffic.
  • IP Extended Access-lists are applied as close as possible to the source of the traffic.

According to the method of creation, access lists are divided into standard, extended, and named. It is most convenient to work with named ones.

Standard Access-list

Filters only by source IP address. Must have a number in the range 1-99. Example:

access-list 10 deny host 172.16.30.2 – deny this source IP
access-list 10 permit any – allow everything else

Extended Access-list

Filters by source and destination addresses, using layer 3 and 4 protocols. Must have a number in the range 100-199. Example:

access-list 110 deny tcp any host 172.16.30.2 eq 22 – deny TCP from anyone to the host on port 22
access-list 110 deny ip 192.168.160.0 0.0.31.255 any – deny IP from the network matched by the wildcard mask to anywhere
access-list 110 permit ip any any – allow everything else

Application to Interface

conf t – enter configuration mode
int fa 0/0 – enter interface FastEthernet0/0
ip access-group 110 in – apply ACL 110 to inbound traffic
ip access-group 120 out – apply ACL 120 to outbound traffic

Application to telnet access lines

conf t – enter configuration mode
line vty 0 4 – enter vty lines 0 to 4
access-class 10 in – apply ACL 10 to inbound connections

Named extended Access-list

Filters by source and destination addresses, using layer 3 and 4 protocols. Must have a name. It is possible to delete individual lines. Example:

ip access-list extended INET – create a list named INET
deny tcp any host 172.16.30.2 eq 22 – deny TCP from anyone to the host on port 22
deny ip 192.168.160.0 0.0.31.255 any – deny IP from the network matched by the wildcard mask to anywhere
permit ip any any – allow everything else

Access list lines are numbered in increments of 10 by default. The list can be resequenced with a different step. A line can be added with an explicit number; it is placed at the position given by that number.

View the extended access list:

Router# sh access-list INET
Extended IP access list INET
    10 deny tcp any host 172.16.30.2 eq 22 (150 matches)
    20 deny ip 192.168.160.0 0.0.31.255 any (4 matches)
    30 permit ip any any (1556 matches)

As you can see, the lines are numbered in increments of 10. You can insert a new line at an arbitrary position in the list by giving its number:

Router(config)# ip access-list extended INET
Router(config-ext-nacl)# 5 permit ip host 10.10.10.10 any
Router(config-ext-nacl)# 223 deny ip host 1.1.1.1 any
Router(config-ext-nacl)# end
Router# sh access-list INET
Extended IP access list INET
    5 permit ip host 10.10.10.10 any
    10 deny tcp any host 172.16.30.2 eq 22 (150 matches)
    20 deny ip 192.168.160.0 0.0.31.255 any (4 matches)
    30 permit ip any any (1556 matches)
    223 deny ip host 1.1.1.1 any

You can delete a single line from the list by its number, or by repeating the whole line with the prefix “no”. For example:

Router(config)# ip access-list extended INET
Router(config-ext-nacl)# no permit ip host 10.10.10.10 any

Router(config-ext-nacl)# no 223

You can completely remove an access list by specifying the appropriate command and “no”:

Router(config)# no ip access-list extended INET
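To make the matching rules above concrete, here is an added Python model (not code from the article or from Cisco IOS) of wildcard-mask matching, first-match evaluation, the implicit deny, and sequence-number insertion and deletion, exercised on the INET list shown above; the ACE, Packet and NamedACL names are this example's own.

```python
# Added example, not code from the article: a small model of the IOS ACL
# semantics described above (wildcard masks, first match wins, implicit
# deny at the end, sequence numbers in named ACLs), exercised on the INET
# list and the "5 permit ip host 10.10.10.10 any" insertion shown above.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")     # keyword "any"

def host(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")                 # keyword "host X"

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class ACE:
    seq: Optional[int]
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every IP protocol
    src: Tuple[str, str]             # (address, wildcard mask)
    dst: Tuple[str, str]
    dst_port: Optional[int] = None   # "eq <port>" on the destination
    matches: int = 0                 # the "(N matches)" counter of show access-list

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None

class NamedACL:
    def __init__(self, name: str):
        self.name = name
        self.entries: List[ACE] = []

    def add(self, ace: ACE) -> None:
        # No sequence number: append in steps of 10. With one: place it there.
        if ace.seq is None:
            ace.seq = self.entries[-1].seq + 10 if self.entries else 10
        self.entries.append(ace)
        self.entries.sort(key=lambda e: e.seq)

    def remove(self, seq: int) -> None:
        self.entries = [e for e in self.entries if e.seq != seq]

    def evaluate(self, pkt: Packet) -> str:
        """First matching ACE decides; no match at all -> implicit deny."""
        for e in self.entries:
            if e.proto != "ip" and e.proto != pkt.proto: continue
            if not wildcard_match(pkt.src, *e.src): continue
            if not wildcard_match(pkt.dst, *e.dst): continue
            if e.dst_port is not None and e.dst_port != pkt.dst_port: continue
            e.matches += 1
            return e.action
        return "deny"

def build_inet() -> NamedACL:
    """The INET list from the article, then the out-of-order insertion."""
    acl = NamedACL("INET")
    acl.add(ACE(None, "deny", "tcp", ANY, host("172.16.30.2"), 22))          # 10
    acl.add(ACE(None, "deny", "ip", ("192.168.160.0", "0.0.31.255"), ANY))   # 20
    acl.add(ACE(None, "permit", "ip", ANY, ANY))                             # 30
    acl.add(ACE(5, "permit", "ip", host("10.10.10.10"), ANY))                # 5
    return acl
```

Because sequence 5 sits before the deny on line 10, SSH from 10.10.10.10 to 172.16.30.2 is permitted until that line is removed, which is exactly why the order of lines matters.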

Advanced ACE Options


Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information.


Vlan-ACL (VACL)

A VLAN map (VACL) is applied to all packets bridged within the VLAN, whereas a router ACL applies only to routed packets. For a packet that enters VLAN 10 and is routed to VLAN 20, the checks are applied in this order:

1. VLAN map for the input VLAN 10

2. Inbound router ACL on interface VLAN 10

3. Routing from VLAN 10 to VLAN 20

4. Outbound router ACL on interface VLAN 20

5. VLAN map for the output VLAN 20

ip access-list extended WIFIHOSTEL
 permit ip 10.12.0.0 0.0.255.255 host 212.192.64.2
 permit ip host 212.192.64.2 10.12.0.0 0.0.255.255
 deny ip any any
!
vlan access-map WIFIHOSTEL 10
 match ip address WIFIHOSTEL
 action forward
!
vlan filter WIFIHOSTEL vlan-list 534

Access lists allow you to create traffic control rules that will govern internetwork communication in both local and corporate networks.

There are sixteen types of access lists, but the two most commonly used are standard (numbers 1 to 99) and extended (numbers 100 to 199 or 2000 to 2699). The difference between them is that extended lists can filter packets not only by IP address but also by various other parameters.

Standard lists check only the source IP address, i.e. they look for a match on the sender's address alone. Extended lists match on both source and destination addresses and can additionally filter traffic by port and protocol.

The behaviour of an access list depends directly on the order of its lines, where each line contains one traffic processing rule. The rules are searched from first to last, but the search stops as soon as the first match is found, i.e. a rule that the incoming packet falls under. The remaining rules are then ignored. If the packet does not fall under any rule, the default rule applies:

access-list list_number deny any

which prohibits all traffic on the interface of the network device to which this list was applied.

To start using an access list, you need to complete the following three steps:

1 – create a list;

2 – fill the list with traffic processing rules;

3 – apply the access list to a device interface, in the inbound or outbound direction of that interface.

Stage one - creating an access list:

Standard list:

Switch3(config)# ip access-list standard 10

(standard access list number 10 is created; in this case it is created on the switch)

Extended list:

Router1(config)# ip access-list extended 100

(an extended access list is created under number 100, in this case it is created on the router).

Stage two – entering rules into the access list:

Each rule in the access list will contain three important elements:

1 - a number (or name) that identifies the list when it is referenced elsewhere in the configuration of the router or Layer 3 switch;

2 - the instruction deny (prohibit) or permit (allow);

3 - a packet identifier, given in one of three forms:

Network address (for example 192.168.2.0 0.0.0.255), where a wildcard mask is given instead of the subnet mask;

Host address (host 192.168.2.1);

Any IP address ( any).

Example of standard access list #10:

access-list 10 deny host 11.0.0.5

access-list 10 deny 12.0.0.0 0.255.255.255

access-list 10 permit any

In this list:

All traffic from the host with IP address 11.0.0.5 is denied (a standard list matches on the source address);

All traffic from network 12.0.0.0/8 is denied (the rule specifies not the subnet mask but its wildcard counterpart);

All other traffic is allowed.

In extended access lists, the permit or deny keyword must be followed by a protocol parameter (IP, TCP, UDP or ICMP), which states whether all IP packets are checked or only packets with an ICMP, TCP or UDP header. If TCP or UDP port numbers are to be checked, the TCP or UDP protocol must be specified (FTP and web services use TCP).

When creating extended lists, you can enable filtering by protocol and port in the access rules. To specify ports in an access rule, the designations in Table 10.1 are used.

Table 10.1 – port designations for access rules.

Common applications and their standard port numbers are shown in Table 10.2, with the columns: port number, protocol, application, and keyword in the access-list command (for example, FTP server management).

Example of extended access list #111:

! Deny traffic on port 80 (www traffic)

Access lists are used in a number of cases and are a mechanism for specifying conditions that the router checks before performing any action. The router checks each packet and, based on the criteria given in the ACL, decides what to do with it: forward or discard. Typical criteria are the source and destination addresses of the packet and the protocol type. Each criterion in the access list is written on a separate line. An access list as a whole is the collection of criterion lines that share the same number (or name). The order of the criteria in the list is significant: the packet is checked against the criteria of the list one after another, in the order in which they were entered. A packet that matches none of the entered criteria is rejected. For each protocol, only one access list can be assigned per interface and direction. As an example, the table of default ACL behaviours is given below:

No ACL – by default, when an endpoint is created, all traffic to it is allowed.

Permit – when one or more "permit" ranges are added, all other ranges are denied by default. Only packets from the permitted IP address ranges can reach the virtual machine endpoint.

Deny – when one or more "deny" ranges are added, all other traffic ranges are allowed by default.

Combination of permit and deny – "permit" and "deny" rules can be combined to specify a nested allowed or denied range of IP addresses.

Let's look at two examples of standard lists:

access-list 1 permit host 10.0.0.10 – allow traffic from host 10.0.0.10.

access-list 2 deny 10.0.1.0 0.0.0.255 – deny packets from the 10.0.1.0/24 subnet.

Practical work 9-1. Creating a Standard Access List

There are several types of access lists: standard, extended, dynamic and others. In standard ACLs, it is possible to specify only the IP address of the source of packets to deny or allow them.


Fig. 9.2.

Let's build this topology and configure it. Configure PC0 and PC1 yourself.

Configuring R0

We configure interface 0/0 of the 1841 router with the address 192.168.0.1 and enable it with the following commands:

Router>en
Router#conf t
Router(config)#int fa0/0
Router(config-if)#ip addr 192.168.0.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#exit

We configure the second interface of the router (port 0/1) with the address 10.0.0.1 and also enable it:

Router(config)#int fa0/1
Router(config-if)#ip addr 10.0.0.1 255.255.255.0
Router(config-if)#no shut

Server setup

The server settings are shown in Fig. 9.3.


Fig. 9.3.

Network diagnostics

Checking connectivity between PCs in different networks (Fig. 9.4).


Fig. 9.4.

Let's start solving the problem

We will create deny and permit rules using standard access lists (ACLs). As long as no access list is applied to the interface, everything is allowed (permit). But as soon as you apply a list, the “everything that is not allowed is prohibited” mechanism immediately takes effect. Therefore, there is no need to deny anything explicitly: we state what is allowed, and “deny the rest” is implied automatically. According to the task, we need to pass packets from host 192.168.0.12 to the server through R0 (Fig. 9.5).


Fig. 9.5.

We apply this rule to the interface in the appropriate direction (PC1 is on the Fa0/0 side), see Fig. 9.6. This setting means that the access list (rule number 1) operates on interface fa0/0 in the inbound direction, i.e. on traffic coming from PC1.


Fig. 9.6.

Note

Inbound traffic (in) is traffic that arrives at the interface from outside. Outbound traffic (out) is traffic sent from the interface to the outside. An access list can be applied to inbound traffic, in which case unwanted packets never get into the router and, accordingly, no further into the network, or to outbound traffic, in which case the packets arrive at the router, are processed by it, reach the target interface and are only filtered there. As a rule, lists are applied to inbound traffic (in).

Let's create a named ACL list and write rules for it:

ip access-list extended HTTP_ONLY – create the list.

permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www – allow www traffic.

permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62 – allow ICMP traffic from PC2 to the Server.

interface gigabitEthernet 0/1

ip access-group HTTP_ONLY in – apply the list to the interface.

To check the operation of the applied list, we send an echo request from PC2 to the Server (Figure 4.4). Next, an FTP connection from PC2 to the Server fails (Figure 4.4). Then open the web browser on PC2 and enter the Server's IP address as the URL; the connection should succeed (Figure 4.5).

Figure 4.4 – Echo request and FTP connection to the server from PC2

Figure 4.5 – Connecting to the server via a web browser


5 Configuring extended ACLs. Scenario 2

In this scenario, devices in one LAN are allowed remote access to devices in another LAN via the Telnet protocol. With the exception of ICMP, all traffic from other networks is denied. The network diagram is shown in Figure 5.1.

Figure 5.1 – Network diagram

We configure an extended numbered ACL with the following commands:

access-list 199 permit tcp 10.101.117.32 0.0.0.15 10.101.117.0 0.0.0.31 eq telnet – Telnet traffic from network 10.101.117.32/28 is allowed to devices on network 10.100.117.0/27.

access-list 199 permit icmp any any – ICMP traffic is allowed from any device in any direction.

All other traffic is denied by default.

interface gigabitethernet0/2

ip access-group 199 out – apply the list to the interface.

To test the operation of the extended list, you first need to send ping requests from the PCB computer to all other IP addresses on the network (Figure 5.2). Next, echo requests are sent from the PCA computer to all other IP addresses on the network (Figure 5.3).

Figure 5.2 – Echo request from PCB

Figure 5.3 – Echo request from PCA


6 Configuring extended ACLs. Scenario 3

In this scenario, specific devices in the LAN are allowed access to several services on servers located on the Internet. The network used is shown in Figure 6.1.

Figure 6.1 – Network diagram

You must use a single named ACL to implement the following rules:

1 Deny access via the HTTP and HTTPS protocols from PC1 to Server1 and Server2. These servers are located inside the cloud; only their IP addresses are known.

2 Block FTP access from PC2 to Server1 and Server2.

3 Block ICMP access from PC3 to Server1 and Server2.

The extended named ACL was configured using the following commands:

ip access-list extended ACL – create the list.

deny tcp host 172.31.1.101 host 64.101.255.254 eq www – rule that denies access from PC1 to Server1, for HTTP only.

deny tcp host 172.31.1.101 host 64.101.255.254 eq 443 – rule that denies access from PC1 to Server1, for HTTPS only.

deny tcp host 172.31.1.101 host 64.103.255.254 eq www – rule that denies access from PC1 to Server2, for HTTP only.

deny tcp host 172.31.1.101 host 64.103.255.254 eq 443 – rule that denies access from PC1 to Server2, for HTTPS only.

deny tcp host 172.31.1.102 host 64.101.255.254 eq ftp – rule that denies access from PC2 to Server1, for FTP only.

deny tcp host 172.31.1.102 host 64.103.255.254 eq ftp – rule that denies access from PC2 to Server2, for FTP only.

deny icmp host 172.31.1.103 host 64.101.255.254 – rule that denies ICMP access from PC3 to Server1.

deny icmp host 172.31.1.103 host 64.103.255.254 – rule that denies ICMP access from PC3 to Server2.

permit ip any any – allows all other IP traffic.

interface gigabitEthernet 0/0

ip access-group ACL in – apply the ACL to the corresponding interface and direction.

The extended ACL is checked as follows: access to the websites on Server1 and Server2 via HTTP and HTTPS from the web browser on PC1 (Figure 6.2), FTP access to Server1 and Server2 from PC1 (Figure 6.3), and echo requests to Server1 and Server2 from PC1 (Figure 6.4). PC2 and PC3 are checked in the same way. Successful access to the websites on the servers from PC2 and PC3 is shown in Figure 6.5. Unsuccessful FTP access to the servers from PC2 is shown in Figure 6.6. Failed pings from PC3 to the servers are shown in Figure 6.7.

Figure 6.2 – Checking access via HTTP and HTTPS

Figure 6.3 - FTP access to Server1 and Server2 from PC1

Figure 6.4 - Pings to Server1 and Server2 from PC1

Figure 6.5 - Successful access to websites on servers from PC2 and PC3

Figure 6.6 - Unsuccessful FTP access to servers from PC2

Figure 6.7 - Failed echo requests from PC3 to servers


7 Development of complex practical skills

This advanced task requires you to complete the addressing scheme, configure routing, and apply named access control lists. The diagram of the network used is shown in Figure 7.1.

Figure 7.1 – Network diagram

During the laboratory work the following requirements were met:

1 Network 172.16.128.0/19 is divided into two equal subnets for use on the Branch router. The last usable address of the second subnet is assigned to interface GigabitEthernet 0/0. The last usable address of the first subnet is assigned to interface GigabitEthernet 0/1. The documented addressing is given in Table 1.

Table 1 – Addressing table (continuation)

Device            Interface        IP address      Subnet mask      Default gateway
Branch            G0/0             172.16.159.254  255.255.240.0    Not available
Branch            G0/1             172.16.143.254  255.255.240.0    Not available
Branch            S0/0/0           192.168.0.2     255.255.255.252  Not available
HQ1               Network adapter  172.16.64.1     255.255.192.0    172.16.127.254
HQ2               Network adapter  172.16.0.2      255.255.192.0    172.16.63.254
HQServer.pka      Network adapter  172.16.0.1      255.255.192.0    172.16.63.254
B1                Network adapter  172.16.144.1    255.255.240.0    172.16.159.254
B2                Network adapter  172.16.128.2    255.255.240.0    172.16.143.254
BranchServer.pka  Network adapter  172.16.128.1    255.255.240.0    172.16.143.254

Addresses are assigned to the interfaces with the following commands on the Branch router:

interface gigabitEthernet0/0

ip address 172.16.159.254 255.255.240.0

interface gigabitEthernet0/1

ip address 172.16.143.254 255.255.240.0

2 B1 has the appropriate addressing configured; the first free address of the network to which it is connected was used. The setup is shown in Figure 7.2.

Figure 7.2 – Setting up addressing on B1

3 The Branch router has been configured with the Enhanced Interior Gateway Routing Protocol (EIGRP) according to the following criteria:

a) all three connected networks are advertised;

b) automatic summarization is disabled;

c) the appropriate interfaces are configured as passive;

d) 172.16.128.0/19 is summarized on serial interface Serial 0/0/0 with administrative distance 5.

The setup was carried out with the following commands (the serial link is 192.168.0.0/30 according to Table 1):

router eigrp 1

network 192.168.0.0 0.0.0.3

network 172.16.128.0 0.0.15.255

network 172.16.144.0 0.0.15.255

no auto-summary

passive-interface gigabitethernet0/0

passive-interface gigabitethernet0/1

interface serial0/0/0

ip summary-address eigrp 1 172.16.128.0 255.255.224.0 5

4 A default route has been configured on the HQ router, sending traffic out interface S0/0/1. The route has been redistributed to the Branch router. The following commands were used:

ip route 0.0.0.0 0.0.0.0 serial0/0/1

router eigrp 1

redistribute static

5 The HQ LAN subnets are summarized on serial interface Serial 0/0/0 with administrative distance 5. Commands:

interface serial0/0/0

ip summary-address eigrp 1 172.16.0.0 255.255.128.0 5

6 A named access list, HQServer, was created to deny all computers connected to the GigabitEthernet 0/0 interface of the Branch router access to HQServer.pka. All other traffic is allowed. The access list is configured on the appropriate router and assigned to the appropriate interface in the appropriate direction. The following commands are used:

ip access-list extended HQServer

deny ip any host 172.16.0.1

permit ip any any

interface gigabitethernet0/0

ip access-group HQServer in

7 A named access list, BranchServer, was created to deny all computers connected to the GigabitEthernet 0/0 interface of the HQ router access to the HTTP and HTTPS services of BranchServer. All other traffic is allowed. The access list is configured on the appropriate router and assigned to the appropriate interface in the appropriate direction.

ip access-list extended BranchServer

deny tcp any host 172.16.128.1 eq 80

deny tcp any host 172.16.128.1 eq 443

permit ip any any

interface gigabitethernet0/0

ip access-group BranchServer in

For verification, echo requests were sent from B1 to HQServer.pka (unsuccessful, Figure 7.3). Web access to the BranchServer.pka server from HQ1 is also unsuccessful (Figure 7.4).

Figure 7.3 - Echo request from B1 to HQServer.pka

Figure 7.4 - Web access to the BranchServer.pka server from HQ1


Page creation date: 2016-08-20
