
Accessing the WAN – Chapter 5 pdf



Limited preview; the full document is available only by downloading it.

DOCUMENT INFORMATION

Basic information

Format
Pages: 70
Size: 2.27 MB

Content

Access Control Lists (ACLs)
Accessing the WAN – Chapter 5
Cisco Thai Nguyen Networking Academy
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public (slide footer: ITE 1 Chapter 6)

Slide 2: Objectives
• In this chapter, you will learn to:
  – Explain how ACLs are used to secure a medium-size enterprise branch office network, including the concept of packet filtering, the purpose of ACLs, how ACLs are used to control access, and the types of Cisco ACLs.
  – Configure standard ACLs in a medium-size enterprise branch office network, including defining filtering criteria, configuring standard ACLs to filter traffic, and applying standard ACLs to router interfaces.
  – Configure extended ACLs in a medium-size enterprise branch office network, including configuring extended ACLs and named ACLs, configuring filters, verifying and monitoring ACLs, and troubleshooting extended ACL issues.
  – Describe complex ACLs in a medium-size enterprise branch office network, including configuring dynamic, reflexive, and timed ACLs, verifying and troubleshooting complex ACLs, and explaining relevant caveats.

Slide 3: Objectives
• These are examples of IP ACLs that can be configured in Cisco IOS Software:
  – Standard ACLs
  – Extended ACLs
  – Dynamic (lock and key) ACLs
  – IP-named ACLs
  – Reflexive ACLs
  – Time-based ACLs that use time ranges
  – Commented IP ACL entries
  – Context-based ACLs
  – Authentication proxy
  – Turbo ACLs
  – Distributed time-based ACLs
  http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

Slide 4: A TCP Conversation
• ACLs enable you to control traffic in and out of your network.
  – ACL control can be as simple as permitting or denying network hosts or addresses.
  – However, ACLs can also be configured to control network traffic based on the TCP port being used.
  – [Tony] Also UDP, ICMP, time, and ......
• To understand how an ACL works, let us look at the dialogue when you download a webpage.
  – The TCP data segment identifies the port matching the requested service. For example, HTTP is port 80, SMTP is port 25, and FTP is port 20 and port 21.
  – TCP packets are marked with flags:
    • a SYN starts (synchronizes) the session;
    • an ACK is an acknowledgment that an expected packet was received;
    • a FIN finishes the session;
    • a SYN/ACK acknowledges that the transfer is synchronized.

Slide 5: Packet Filtering
• Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria.
  – These rules are defined using ACLs.
  – An ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols.
• The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on:
  – Source IP address
  – Destination IP address
  – ICMP message type
  – TCP/UDP source port
  – TCP/UDP destination port
  – And ..........

Slide 6: Packet Filtering
Router(config)#access-list 101 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

Slide 7: Packet Filtering Example
• For example, you could say:
  – "Only permit web access to users from network A."
  – "Deny web access to users from network B, but permit them to have all other access."
• This is just a simple example. You can configure multiple rules to further permit or deny services to specific users. You can also filter packets at the port level using an extended ACL, which is covered in Section 3.

Slide 8: What is an ACL?
• By default, a router does not have any ACLs configured and therefore does not filter traffic.
  – Traffic that enters the router is routed according to the routing table.
• An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header.
  – As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet.
    • [Tony]: It stops when it finds a matching statement.
  – The ACL applies a permit or deny rule to determine the fate of the packet.
    • [Tony]: If the ACL cannot find a matching statement in the list, the default action is to deny the traffic.
  – ACLs can be configured to control access to a network or subnet.
    • [Tony]: It can control traffic into and out of the network, or subnet, or a single host.

Slide 9: What is an ACL?
• Here are some guidelines for using ACLs:
  – Use ACLs in firewall routers positioned between your internal network and an external network
    • such as the Internet.
  – Use ACLs on a router positioned between two parts of your network
    • to control traffic entering or exiting a specific part of your internal network.
  – Configure ACLs on border routers
    • routers situated at the edges of your networks.
    • This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
  – Configure ACLs for each network protocol configured on the border router interfaces.
    • You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.

Slide 10: ACL: The Three Ps
• ACL: The Three Ps:
  – One ACL per protocol - An ACL must be defined for each protocol enabled on the interface.
  – One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
  – One ACL per interface - ACLs control traffic for an interface, for example, Fast Ethernet 0/0.
• The router in the example has two interfaces configured for IP, AppleTalk and IPX.
  – This router could require 12 separate ACLs:
    • one ACL for each protocol,
    • times two for each direction,
    • times two for the number of ports.
    • 3 protocols x 2 directions x 2 interfaces = 12

[The preview ends here. What follows is a fragmentary excerpt of later slides, grouped by slide; elisions in the source are marked [...].]

Slide 33: ACL Wildcard Masks to Match IP Subnets
• Calculating wildcard masks can be difficult, but you can do it easily by subtracting the subnet mask from 255.255.255.255.
• Example 1: assume you wanted to permit access to all users in the 192.168.3.0 network
  – Because the subnet mask is 255.255.255.0, you could take the 255.255.255.255 and subtract from the subnet mask
  – The solution produces the wildcard mask 0.0.0.255
• Example 2: Now assume you wanted to permit network access for the 14 users in the subnet 192.168.3.32/28. The subnet mask for the IP subnet is 255.255.255.240,
  – take 255.255.255.255 and subtract the subnet mask 255.255.255.240
  – The solution this time produces the [...] 0.0.0.15
• Example 3: assume you wanted to match only networks 192.168.10.0 and 192.168.11.0
  – take 255.255.255.255 and subtract the subnet mask 255.255.254.0
  – The result is 0.0.1.255

Slide 34: Wildcard Bit Mask Keywords
• The keywords host and any help identify the most common uses of wildcard masking. [...]
• [...] Subnets
• In the first example the wildcard mask stipulates that every bit in the IP 192.168.1.1 must match exactly
  – The wildcard mask is 0.0.0.0
• In the second example, the wildcard mask stipulates that anything will match
  – The wildcard mask is 255.255.255.255
• In the third example, the wildcard mask stipulates that it will match any host within the 192.168.1.0/24 network
  – The wildcard mask is 0.0.0.255
• The [...] host option substitutes for the 0.0.0.0 mask. This mask states that all IP address bits must match, or only one host is matched.
• The any option substitutes for the IP address and 255.255.255.255 mask
  • This mask says to ignore the entire IP address or to accept any addresses
• Example for keyword any:
  – Instead of entering
    • R1(config)# access-list 1 permit 0.0.0.0 255.255.255.255,
  – you can use
    • R1(config)# [...]

Slide on matching a range of subnets with one wildcard mask (slide number not in the preview; the list is only partly shown)
  – R1(config)# [...] permit 192.168.19.0 0.0.0.255
  – R1(config)# access-list 10 permit 192.168.20.0 0.0.0.255
  – R1(config)# access-list 10 permit 192.168.21.0 0.0.0.255
  – R1(config)# access-list 10 permit 192.168.22.0 0.0.0.255
  – R1(config)# access-list 10 permit 192.168.23.0 0.0.0.255
  – R1(config)# access-list 10 permit 192.168.24.0 0.0.0.255
  – R1(config)# access-list 10 permit 192.168.25.0 0.0.0.255
  – R1(config)# access-list [...]
  – R1(config)# access-list 10 permit 192.168.26.0 0.0.0.255
  – R1(config)# access-list 10 permit 192.168.27.0 0.0.0.255
  – R1(config)# access-list 10 permit 192.168.28.0 0.0.0.255
  – R1(config)# access-list 10 permit 192.168.29.0 0.0.0.255
  – R1(config)# access-list 10 permit 192.168.30.0 0.0.0.255
  – R1(config)# access-list 10 permit 192.168.31.0 0.0.0.255
• You can see that configuring the following wildcard mask makes it far more efficient:
  – R1(config)# [...] 0.0.15.255

Slide 27: Standard ACL Logic
• (end of the preceding slide: [...] allowed)
• In the figure, packets that come in Fa0/0 are checked for their source addresses:
  – access-list 2 deny 192.168.10.1
  – access-list 2 permit 192.168.10.0 0.0.0.255
  – access-list 2 deny 192.168.0.0 0.0.255.255
  – access-list 2 permit 192.0.0.0 0.255.255.255
• If packets [...]

Slides on inbound and outbound ACL operation (fragmentary)
• [...] interface, the router checks the destination Layer 2 address.
• If the frame is accepted, the router checks for an ACL on the inbound interface.
• If an ACL exists, the packet is now tested against the statements in the list.
  – If the packet matches a statement, the packet is either accepted or rejected.
• If the packet is accepted in the interface, it is then checked against routing table entries to determine the [...]
• [...] checks whether the destination interface has an ACL.
  – If an ACL exists, the packet is tested against the statements in the list.
• If there is no ACL or the packet is accepted, the packet [...]
• [...] outbound interface, the router checks the routing table to see if the packet is routable.
  – If the packet is not routable, it is dropped.
• Next, the router checks to see whether the outbound interface is grouped to an ACL.
• If the outbound interface is not grouped to an ACL, the packet is sent directly to the outbound interface.
• If the outbound interface is grouped to an ACL, the packet is not sent out on the outbound [...]
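A worked example of the wildcard-mask arithmetic from slide 33 (255.255.255.255 minus the subnet mask) and the top-to-bottom, first-match, implicit-deny evaluation described on slides 8 and 27, with the "web access from network A / network B" policy of slide 7 written as an extended ACL. This is added example code, not part of the slides or of Cisco's software; it models Cisco IOS standard and extended numbered ACL semantics in Python. The addresses 192.168.1.0/24 for network A, 192.168.2.0/24 for network B and 198.51.100.10 as a web server are assumptions (the slide names none), and only the eq port operator is modelled.

```python
"""Wildcard masks and first-match ACL evaluation, modelling what the chapter
describes.  Added example, not Cisco's code: it reproduces Cisco IOS standard
and extended ACL semantics in plain Python so the slide examples can be
checked offline.  Only the 'eq' port operator is modelled."""
import ipaddress
from collections import namedtuple

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_subnet_mask(subnet_mask):
    """The slides' shortcut: 255.255.255.255 minus the subnet mask."""
    return str(ipaddress.IPv4Address(ALL_ONES - to_int(subnet_mask)))


def wildcard_from_prefix(prefix_len):
    """Same result from a /N length: the low 32-N bits are the 'ignore' bits."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(ipaddress.IPv4Address(ALL_ONES >> prefix_len))


def wildcard_matches(address, rule_address, wildcard):
    """Wildcard bit 0 = must match, 1 = ignore: compare only the 0 bits."""
    care = ALL_ONES ^ to_int(wildcard)
    return (to_int(address) & care) == (to_int(rule_address) & care)


# Header fields an ACL can test (dport None = no port, e.g. icmp).
Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))
# One access control entry (one ACL line); proto "ip" means any protocol.
Ace = namedtuple("Ace", "action proto src src_wc dst dst_wc dport")


def _take_address(tokens):
    """Consume 'any', 'host A', or 'A W'; a bare 'A' gets wildcard 0.0.0.0."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], "0.0.0.0", tokens[1:]


def parse_ace(line):
    """Parse 'access-list N permit|deny ...' for standard (1-99, source only)
    and extended (100-199, protocol + source + destination [eq port]) lists."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an ACL entry: {line!r}")
    number, action, rest = int(t[1]), t[2], t[3:]
    if 1 <= number <= 99:
        src, src_wc, _ = _take_address(rest)
        return Ace(action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255", None)
    if 100 <= number <= 199:
        src, src_wc, rest = _take_address(rest[1:])   # rest[0] is the protocol
        dst, dst_wc, rest = _take_address(rest)
        dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        return Ace(action, t[3], src, src_wc, dst, dst_wc, dport)
    raise ValueError(f"unsupported ACL number {number}")


def ace_matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and wildcard_matches(pkt.src, ace.src, ace.src_wc)
            and wildcard_matches(pkt.dst, ace.dst, ace.dst_wc)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate_acl(acl_lines, pkt):
    """Top to bottom, first match wins; no match falls to the implicit deny."""
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action, n          # verdict and the line that decided it
    return "deny", None                   # the implicit 'deny any' at the end


# Constructed sample: access-list 2 from the "Standard ACL Logic" slide.
ACL_2 = [
    "access-list 2 deny 192.168.10.1",
    "access-list 2 permit 192.168.10.0 0.0.0.255",
    "access-list 2 deny 192.168.0.0 0.0.255.255",
    "access-list 2 permit 192.0.0.0 0.255.255.255",
]

# Constructed extended ACL for the "Packet Filtering Example" slide, assuming
# network A = 192.168.1.0/24 and network B = 192.168.2.0/24 (the slide gives
# no addresses).  Order matters: B's web deny must precede B's permit-all.
ACL_101 = [
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
    "access-list 101 deny tcp 192.168.2.0 0.0.0.255 any eq 80",
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 any",
]

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.240", "255.255.254.0"):
        print(f"{mask} -> wildcard {wildcard_from_subnet_mask(mask)}")
    for src in ("192.168.10.1", "192.168.10.5", "192.168.99.9", "10.0.0.1"):
        print("acl 2:", src, evaluate_acl(ACL_2, Packet("ip", src, "0.0.0.0")))
    for src, port in (("192.168.1.7", 80), ("192.168.1.7", 22), ("192.168.2.7", 80), ("192.168.2.7", 22)):
        print("acl 101:", src, port, evaluate_acl(ACL_101, Packet("tcp", src, "198.51.100.10", port)))
```

Running the script prints the three wildcard masks from slide 33 (0.0.0.255, 0.0.0.15, 0.0.1.255) and the verdict plus deciding line for each packet. Two points the slides make are visible in the results: the host 192.168.10.1 is denied by line 1 of access-list 2 even though line 2 would permit its whole /24, because evaluation stops at the first match; and a packet from network A to port 22 matches nothing in access-list 101 and is dropped by the implicit deny, which is exactly what "only permit web access to users from network A" requires.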

Posted: 05/07/2014, 03:20
