Module 1
Access Control List
Content
Describe TCP and its function
Describe TCP synchronization and flow control
Identify port numbers
Describe the differences between standard and extended ACLs
Explain the rules for placement of ACLs
Create and apply named ACLs
Describe the function of firewalls
Use ACLs to restrict virtual terminal access
Using ACLs to Secure Networks
A TCP Conversation
ACLs enable you to control traffic into and out of your network. This control can
be as simple as permitting or denying network hosts or addresses. However,
ACLs can also be configured to control network traffic based on the TCP/UDP
ports being used.
Registered TCP ports:
1863 - MSN Messenger
8008 - Alternate HTTP
8080 - Alternate HTTP
Well-known TCP ports:
20, 21 - FTP
23 - Telnet
25 - SMTP
80 - HTTP
110 - POP3
194 - Internet Relay Chat (IRC)
443 - HTTPS
Registered UDP ports:
1812 - RADIUS Authentication Protocol
2000 - Cisco SCCP (VoIP)
5004 - RTP (Voice and Video Transport Protocol)
5060 - SIP (VoIP)
Well-known UDP ports:
69 - TFTP
520 - RIP
Registered TCP/UDP common ports:
1433 - MS SQL
2948 - WAP (MMS)
Well-known TCP/UDP common ports:
53 - DNS
161 - SNMP
531 - AOL Instant Messenger, IRC
Packet Filtering
A packet-filtering router tests each packet against rules based on:
Source IP address
Destination IP address
ICMP message type
TCP/UDP source port
TCP/UDP destination port
A router acts as a packet filter when it forwards or discards packets according to filtering rules.
When a packet arrives at the packet-filtering router, the router extracts certain information from the packet header and decides, according to the filter rules, whether the packet can pass through or must be discarded.
Packet filtering works at the network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of the TCP/IP model.
For this scenario, the packet filter looks at each packet as follows:
If the packet is a TCP SYN from network A using port 80, it is allowed to pass. All other access from those users is denied.
If the packet is a TCP SYN from network B using port 80, it is blocked. However, all other access from network B is permitted.
What are ACLs? (1)
ACLs are lists of instructions you apply to a router's interface. These lists tell the router what kinds of packets to accept and what kinds of packets to deny.
What are ACLs? (2)
How ACLs work
An ACL is a group of statements that define whether packets are accepted or rejected coming into an interface or leaving an interface.
ACL statements operate in sequential, logical order.
If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked.
If none of the ACL statements match, the packet is dropped by an implicit "deny any" statement that sits at the end of every list by default. It does not appear in the configuration.
When first learning how to create ACLs, it is a good idea to add an explicit deny at the end of the ACL to reinforce that this implicit deny is always present.
ACL Operation
Inbound ACLs
Incoming packets are processed before they are routed to the outbound interface.
An inbound ACL is efficient because it saves the overhead of a routing lookup if the packet is discarded.
If the packet is permitted by the tests, it is then processed for routing.
Outbound ACLs
Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
Routing and ACL Processes in a Router
Types of Cisco ACLs
Numbering and Naming ACLs
Numbered ACL: You assign a number based on which protocol you want filtered:
(1 to 99) and (1300 to 1999): Standard IP ACL
(100 to 199) and (2000 to 2699): Extended IP ACL
Named ACL: You assign a name by providing the name of the ACL:
Names can contain alphanumeric characters.
It is suggested that the name be written in CAPITAL LETTERS.
Names cannot contain spaces or punctuation and must begin with a letter.
You can add or delete entries within the ACL.
Starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL.
Creating ACLs
Step 1: Create an ACL definition
Step 2: Apply the ACL to an interface
Creating numbered ACLs: details
Work from global configuration mode.
Specify an ACL number.
Carefully select and logically order the ACL statements.
Permitted IP protocols must be specified; all other protocols should be denied.
Select which protocols to check; any other protocols are not checked.
Apply the ACL to an interface.
Specifying an ACL number
The ACL number must be within the range specified for the protocol.
Modifying a numbered ACL involves deleting the entire list and creating a new one.
Remove a numbered ACL:
Router(config)#no access-list list-number
ACL configuration task: Step 1
ACL configuration task: Step 2
Wildcard mask bits
A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits.
A wildcard mask bit 0 means "check the corresponding bit value".
A wildcard mask bit 1 means "do not check (ignore) the corresponding bit value".
Wildcard mask bits
0 = check, we want this bit to match
1 = don't check, this bit can be any value and does not need to match
Test condition:
172.30.16.0     10101100 . 00011110 . 00010000 . 00000000
0.0.15.255      00000000 . 00000000 . 00001111 . 11111111
-----------------------------------------------------------
Matching packets will look like this:
172.30.16.0     10101100 . 00011110 . 00010000 . 00000000
172.30.16.1     10101100 . 00011110 . 00010000 . 00000001
172.30.17.0     10101100 . 00011110 . 00010001 . 00000000
172.30.30.255   10101100 . 00011110 . 00011110 . 11111111
... (through)
172.30.31.254   10101100 . 00011110 . 00011111 . 11111110
172.30.31.255   10101100 . 00011110 . 00011111 . 11111111
Wildcard & Subnet mask
Wildcard masks operate differently from IP subnet masks.
Subnet mask: The zeros and ones determine the network (or subnet) and host portions of the corresponding IP address.
Wildcard mask: The zeros and ones determine whether the corresponding bits in an IP address should be checked or ignored for ACL purposes.
There is a relationship! The wildcard mask is the bitwise NOT of the subnet mask.
Network 172.16.32.0, subnet mask 255.255.240.0:
RouterB(config)#access-list 10 permit 172.16.32.0 0.0.15.255
  Subnet Mask:     255 . 255 . 240 .   0
+ Wildcard Mask:     0 .   0 .  15 . 255
  ---------------------------------------
                   255 . 255 . 255 . 255
So, we can calculate the wildcard mask by subtracting the subnet mask from 255.255.255.255:
                   255 . 255 . 255 . 255
- Subnet Mask:     255 . 255 . 240 .   0
  ---------------------------------------
  Wildcard Mask:     0 .   0 .  15 . 255
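As an added worked example (not part of the original module, and not Cisco code), the following Python carries the wildcard arithmetic above through in code: it derives a wildcard mask from a subnet mask by the slide's subtraction, tests whether an address matches an address/wildcard pair bit by bit, and reports the range of addresses an entry covers. All function names are this example's own.

```python
import ipaddress

def to_int(dotted):
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    """32-bit integer back to dotted decimal."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def to_binary(dotted):
    """Render the four octets in binary, in the layout the slides use."""
    return " . ".join(f"{int(octet):08b}" for octet in dotted.split("."))

def wildcard_from_subnet_mask(subnet_mask):
    """The slide's arithmetic: 255.255.255.255 minus the subnet mask,
    which is the same as inverting every bit of the mask."""
    return to_dotted(0xFFFFFFFF - to_int(subnet_mask))

def matches(address, acl_address, wildcard):
    """An address matches an ACL entry when it agrees with acl_address on every
    bit where the wildcard is 0. Bits under a wildcard 1 are ignored."""
    check_bits = 0xFFFFFFFF ^ to_int(wildcard)     # 1 where the bit must be compared
    return (to_int(address) & check_bits) == (to_int(acl_address) & check_bits)

def match_range(acl_address, wildcard):
    """Lowest and highest address an entry matches. Every address in between
    matches only when the wildcard's 1-bits are contiguous (the usual case)."""
    base = to_int(acl_address) & (0xFFFFFFFF ^ to_int(wildcard))
    return to_dotted(base), to_dotted(base | to_int(wildcard))

def any_spec():
    """What the IOS keyword 'any' expands to."""
    return ("0.0.0.0", "255.255.255.255")

def host_spec(address):
    """What the IOS keyword 'host A.B.C.D' expands to."""
    return (address, "0.0.0.0")

if __name__ == "__main__":
    # Worked example from the slides: subnet mask 255.255.240.0 -> wildcard 0.0.15.255
    print(wildcard_from_subnet_mask("255.255.240.0"))
    # Range covered by the entry 172.30.16.0 0.0.15.255 -> 172.30.16.0 .. 172.30.31.255
    print(match_range("172.30.16.0", "0.0.15.255"))
    for candidate in ("172.30.16.1", "172.30.31.255", "172.30.32.0"):
        print(candidate, to_binary(candidate), matches(candidate, "172.30.16.0", "0.0.15.255"))
```

Note that IOS does not require the wildcard's 1-bits to be contiguous, so `matches` deliberately works bit by bit rather than as a prefix-length comparison; `match_range` reports the first and last matching address in either case.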
Practice
RouterB(config)#access-list 10 permit ________ _________
Permit the following networks (network / subnet mask given; fill in the address / wildcard mask):
A. 172.16.0.0 255.255.0.0
B. 172.16.1.0 255.255.255.0
C. 192.168.1.0 255.255.255.0
D. 172.16.16.0 255.255.240.0 (hmmm . . .?)
E. 172.16.128.0 255.255.192.0 (hmmm . . .?)
Permit the following hosts (fill in the address / wildcard mask):
A. 172.16.10.100
B. 192.168.1.100
C. All hosts
Wildcard mask bits: the any and host options
Wildcard any: the keyword any stands for the address/wildcard pair 0.0.0.0 255.255.255.255 (every bit ignored, so every address matches).
Wildcard host: the keyword host followed by an address stands for that address with wildcard 0.0.0.0 (every bit checked, so only that one address matches).
Standard ACLs
Overview
Use a standard ACL when you want to:
block all traffic from a network,
allow all traffic from a network,
permit or deny an entire protocol suite.
Standard ACLs only check the source address of packets that could be routed.
The result is either a permit or a deny of the entire protocol suite, based on the network, subnet, and host addresses.
Standard ACL commands
Router(config)#access-list access-list-number {deny | permit} source [source-wildcard] [log]
Router(config)#no access-list access-list-number
Router(config-if)#ip access-group access-list-number {in | out}
Access list number: (1 to 99) and (1300 to 1999)
Verify:
Router# show access-lists
Standard ACL statements
Standard ACL Examples
Requirements:
Do not allow traffic from outside to access network 172.16.3.0.
Node 172.16.4.13 can only access the Internet.
Network 172.16.4.0 (except 172.16.4.13) cannot access the Internet.
Extended ACLs
Overview
Extended ACLs provide a greater range of control than standard ACLs.
They check both the source and destination addresses of packets.
They can also check for specific protocols, port numbers, and other parameters.
Extended ACL commands
Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [operator port] [established]
Router(config)#no access-list access-list-number
Router(config-if)#ip access-group access-list-number {in | out}
Access list number: (100 to 199) and (2000 to 2699)
Verify:
Router# show access-lists
Extended Access Lists
Extended ACL statements
Extended ACL: TCP/UDP protocol
Create ACL
Router(config)# access-list access-list-number {permit | deny} {tcp | udp} source source-wildcard destination destination-wildcard [operator port] [established]
Apply ACL
Router(config-if)# ip access-group access-list-number {in | out}
Reserved port numbers
Extended ACL: ICMP protocol
Router(config)# access-list access-list-number {permit | deny} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message]
Router(config-if)# ip access-group access-list-number {in | out}
Extended ACL examples
1. Prevent telnet and ftp access from the Internet to 172.16.3.100 and 172.16.4.13.
2. Prevent all hosts except 172.16.4.13 on network 172.16.4.0 from accessing cisco.netacad.net.
3. Prevent all hosts on network 172.16.4.0 from accessing the www.astalavista.com web site. All other hosts on the network can go anywhere.
4. Prevent all hosts, except 172.16.3.100, on network 172.16.3.0 from accessing 172.16.4.13 using telnet and ftp.
5. Allow all hosts on the local network, as well as the Internet, to access the company's web site on server 172.16.4.13. Block all other types of access to this server.
Restricting telnet access with ACLs
Restricting virtual terminal access
The purpose of restricted vty access is increased network security.
Access to a vty is accomplished using the Telnet protocol to make a nonphysical connection to the router.
As a result, there is only one type of vty access list. Identical restrictions should be placed on all vty lines, as it is not possible to control which line a user will connect on.
Standard and extended access lists apply to packets traveling through a router.
ACLs do not block packets that originate within the router.
An outbound Telnet extended access list does not prevent router-initiated Telnet sessions, by default.
Named ACLs
Overview
A named ACL uses a name string to identify standard and extended IP ACLs instead of the numeric (1 to 199) representation.
Named ACLs allow individual entries to be removed from a specific ACL.
Considerations:
Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
You cannot use the same name for multiple ACLs. In addition, ACLs of different types cannot have the same name.
Named ACL commands
Create ACLs
Router(config)# ip access-list {standard | extended} name
Router(config-{std|ext}-nacl)# deny {source [source-wildcard] | any}
Router(config-{std|ext}-nacl)# permit {source [source-wildcard] | any}
Apply ACLs
Router(config-if)# ip access-group name {in | out}
Verify:
Router# show access-lists
Named ACL example
ADVANCED ACLs
Switch-Port ACLs
Time-based ACLs
Remarks ACLs
Switch Port ACLs
Overview
Switch port ACLs are MAC ACLs.
They can only be applied to layer 2 interfaces on switches, in the inbound direction, and only as named ACLs.
Sw1#conf t
Sw1(config)#mac access-list extended yournameACL
Sw1(config-ext-macl)#{deny | permit} source destination
(source/destination: any | host H.H.H | H.H.H)
Sw1(config-ext-macl)#exit
Sw1(config)#int f0/5
Sw1(config-if)#mac access-group yournameACL in
Time-based ACLs
Overview
Time-based ACLs work like extended ACLs do, but their type of access control is entirely time oriented.
The time period is based upon the router's clock.
Router#conf t
Router(config)#time-range no-chat
Router(config-time-range)#periodic weekdays start to end
Router(config-time-range)#exit
Router(config)#ip access-list extended Chat-time
Router(config-ext-nacl)#deny tcp any any eq chat time-range no-chat
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#exit
Router(config)#int fa0/0
Router(config-if)#ip access-group Chat-time in
Router(config-if)#exit
Remarks in ACLs
Remarks allow you to include comments (remarks) about the entries in both IP standard and extended ACLs, numbered or named.
R2#config t
R2(config)#access-list 110 remark Permit Bob from Sales Only To Finance
R2(config)#access-list 110 permit ip host 172.16.10.1 172.16.20.0 0.0.0.255
R2(config)#access-list 110 deny ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255
R2(config)#ip access-list extended No_Telnet
R2(config-ext-nacl)#remark Deny all of Sales from Telnetting to Marketing
R2(config-ext-nacl)#deny tcp 172.16.30.0 0.0.0.255 172.16.40.0 0.0.0.255 eq 23
R2(config-ext-nacl)#permit ip any any
Placing ACLs
Source 10.0.0.0/8, destination 172.16.0.0/16
Rules
Place extended ACLs as close to the source of the traffic to be denied as possible.
Place standard ACLs as close to the destination as possible.
Placing ACLs: Extended Example
Policy: deny telnet, deny ftp, permit any
Source 10.0.0.0/8 (Router A LAN), destination 172.16.0.0/16 (Router D LAN)
The policy is to deny telnet and FTP from the Router A LAN to the Router D LAN. All other traffic must be permitted.
Several approaches can accomplish this policy.
The recommended approach uses an extended ACL specifying both source and destination addresses.
Placing ACLs: Extended Example (continued)
Policy: deny telnet, deny ftp, permit any
Source 10.0.0.0/8, destination 172.16.0.0/16
Router A
interface fastethernet 0/1
 ip access-group 101 in
access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq telnet
access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq ftp
access-list 101 permit ip any any
Place this extended ACL in Router A.
Then, packets do not cross Router A's Ethernet, do not cross the serial interfaces of Routers B and C, and do not enter Router D.
Traffic with different source and destination addresses will still be permitted.
Placing ACLs: Standard Example
Policy: deny 10.0.0.0, permit any
Source 10.0.0.0/8, destination 172.16.0.0/16
Router D
interface fastethernet 0/0
 ip access-group 10 in
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any
Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.
If a standard ACL is put too close to the source, it will not only deny the intended traffic, but all other traffic from that source to all other networks.
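To make the sequential, first-match, implicit-deny behaviour described earlier in this module concrete, and to show why the two placement examples above behave differently, here is an added example (not part of the original module, and not Cisco's code) that parses the numbered ACL lines exactly as written on the slides and evaluates sample packets against them. It is a deliberately reduced model of IOS: it understands standard ACLs and extended `ip`/`tcp`/`udp`/`icmp` entries with an optional `eq <port>`, ignores `log`, and does not implement `established`, source ports or port ranges. The port-keyword table, class names and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IOS port keywords accepted in place of numbers (subset of the module's port table)
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}

def ip_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(address, acl_address, wildcard):
    """Compare only the bits where the wildcard mask is 0."""
    check_bits = 0xFFFFFFFF ^ ip_int(wildcard)
    return (ip_int(address) & check_bits) == (ip_int(acl_address) & check_bits)

@dataclass
class Packet:
    protocol: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    protocol: Optional[str]            # None for a standard ACL (any IP protocol)
    src: Tuple[str, str]               # (address, wildcard)
    dst: Optional[Tuple[str, str]]     # None for a standard ACL
    dport: Optional[int]               # set by a trailing 'eq <port>'

def parse_address(tokens, wildcard_required):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the front of tokens."""
    token = tokens.pop(0)
    if token == "any":
        return ("0.0.0.0", "255.255.255.255")
    if token == "host":
        return (tokens.pop(0), "0.0.0.0")
    if wildcard_required or (tokens and tokens[0] != "log"):
        return (token, tokens.pop(0))
    return (token, "0.0.0.0")          # standard ACL: no wildcard means exactly this host

def parse_entry(line):
    """Parse one 'access-list N ...' line; a remark line yields None."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action == "remark":
        return None
    if 1 <= number <= 99 or 1300 <= number <= 1999:    # standard: source only
        return Entry(action, None, parse_address(rest, False), None, None)
    protocol = rest.pop(0)                             # extended: protocol, source, destination
    src, dst = parse_address(rest, True), parse_address(rest, True)
    dport = None
    if len(rest) >= 2 and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Entry(action, protocol, src, dst, dport)

def parse_acl(lines):
    return [e for e in map(parse_entry, lines) if e is not None]

def evaluate(acl, packet):
    """Top-down, first match wins. Returns (action, index of the matching entry);
    index None means the packet fell through to the implicit 'deny any'."""
    for index, entry in enumerate(acl):
        if entry.protocol not in (None, "ip") and entry.protocol != packet.protocol:
            continue
        if not wildcard_match(packet.src, *entry.src):
            continue
        if entry.dst is not None and not wildcard_match(packet.dst, *entry.dst):
            continue
        if entry.dport is not None and entry.dport != packet.dport:
            continue
        return entry.action, index
    return "deny", None

# The two ACLs from the placement slides above
ACL_101 = parse_acl([
    "access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq telnet",
    "access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq ftp",
    "access-list 101 permit ip any any",
])
ACL_10 = parse_acl([
    "access-list 10 deny 10.0.0.0 0.255.255.255",
    "access-list 10 permit any",
])

if __name__ == "__main__":
    # Constructed sample packets from the 10.0.0.0/8 LAN behind Router A
    samples = {
        "telnet to Router D LAN": Packet("tcp", "10.1.1.1", "172.16.5.5", 23),
        "http to Router D LAN": Packet("tcp", "10.1.1.1", "172.16.5.5", 80),
        "telnet to another network": Packet("tcp", "10.1.1.1", "192.168.1.1", 23),
    }
    for name, pkt in samples.items():
        # ACL 10 placed near the source would block the third packet too
        print(f"{name}: ACL 101 -> {evaluate(ACL_101, pkt)}, ACL 10 -> {evaluate(ACL_10, pkt)}")
```

Running the sample shows the placement rule in action: ACL 101 denies only telnet and FTP bound for 172.16.0.0/16 and permits the same source talking to any other network, whereas ACL 10 denies every packet from 10.0.0.0/8 regardless of destination, which is exactly why a standard ACL must sit near the destination and an extended ACL can sit near the source.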
Verify ACLs
The show ip interface command displays IP interface information and indicates whether any ACLs are set.
The show access-lists command displays the contents of all ACLs.
By entering the ACL name or number as an option for this command, you can see a specific list.
Firewall
A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.
In most circumstances, intruders come from the global Internet and the thousands of remote networks that it interconnects.
Typically, a network firewall consists of several different machines that work together to prevent unwanted and illegal access.
Using ACLs in firewall routers
ACLs should be used in firewall routers.
The firewall router provides a point of isolation so that the rest of the internal network structure is not affected.
You can also use ACLs on a router positioned between two parts of the network to control traffic.
To provide the security benefits of ACLs, you should, at a minimum, configure ACLs on border routers.
Firewall Examples
ISPs use ACLs to deny RFC 1918 addresses into their networks, as these are non-routable Internet addresses.
IP packets coming into your network should never have a source address that belongs to your network. (This should be applied on all network entrance routers.)
There are several other simple access lists which should be added to network entrance routers.
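As an added example (not part of the original module, and not Cisco's code), the following Python turns the two firewall rules above into the extended ACL lines a network entrance router would carry: one deny per RFC 1918 block, one deny per prefix of your own address space (so packets arriving from outside cannot claim an inside source), and a final permit. The ACL number 120, the interface name and the prefix 203.0.113.0/24 (a documentation range standing in for "our" public prefix) are constructed values; the function names are this example's own.

```python
import ipaddress

# RFC 1918 private blocks: never a legitimate source on a packet arriving from the Internet
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def wildcard(network):
    """IOS wildcard mask for a prefix: the inverted subnet mask (ipaddress calls it the hostmask)."""
    return str(network.hostmask)

def ingress_filter(acl_number, own_prefixes):
    """Build the ACL lines for a network entrance router: drop packets whose source
    claims to be RFC 1918 space or our own address space, then permit the rest.
    Any further 'simple access lists' would be inserted before the final permit."""
    lines = [f"access-list {acl_number} remark Drop RFC 1918 and spoofed internal sources"]
    for net in RFC1918:
        lines.append(f"access-list {acl_number} deny ip {net.network_address} {wildcard(net)} any")
    for prefix in own_prefixes:
        net = ipaddress.ip_network(prefix)
        if any(net.subnet_of(private) for private in RFC1918):
            continue            # an RFC 1918 internal prefix is already covered above
        lines.append(f"access-list {acl_number} deny ip {net.network_address} {wildcard(net)} any")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines

def apply_inbound(interface, acl_number):
    """The filter belongs on the outside-facing interface, inbound, so spoofed
    packets are discarded before the router spends a routing lookup on them."""
    return [f"interface {interface}", f" ip access-group {acl_number} in"]

if __name__ == "__main__":
    # Constructed: our public prefix plus an internal RFC 1918 prefix that is already covered
    for line in ingress_filter(120, ["203.0.113.0/24", "192.168.50.0/24"]) + apply_inbound("serial 0/0", 120):
        print(line)
```

The wildcard masks come from `hostmask`, which is the bitwise NOT of the subnet mask exactly as the wildcard slides earlier in this module derive it, so 172.16.0.0/12 becomes `172.16.0.0 0.15.255.255`.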
Good luck with this module !