Tuesday, September 20, 2016

IP ACCESS CONTROL LIST SECURITY



Notes:

ACLs are configured in global configuration mode.

Up to 2 ACLs are permitted per interface: one affecting incoming traffic (in - inbound direction) and
another affecting outgoing traffic (out - outbound direction).

ACLs use wildcard masks.

ACLs run from TOP to BOTTOM and stop on the first match.

One of these 2 lines is always the last line of any ACL (every ACL ends with an implicit deny, so without it all remaining traffic is dropped):

permit any as the last line of your standard ACLs.

permit ip any any as the last line of your extended ACLs.



Access List Numbers

Standard ACLs - 1 - 99 and 1300 - 1999

  Match on source IP address only.

Extended ACLs - 100 - 199 and 2000 - 2699

  Match on source and destination IP.

  A line can match on source and destination IP, source port, destination port and
  protocol type.




Keywords:

  any  = 0.0.0.0 255.255.255.255 (all addresses)

  host 192.16.10.1 = 192.16.10.1 0.0.0.0 (only that specific host)

  



Write your ACLs in Notepad and cut and paste them into the router.

The remark command can be used either before or after a permit or deny statement.

R1(config)# access-list 100 permit tcp 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255 eq 80 established

The established keyword works only for TCP.


Creating Named ACLs

Named ACLs can be standard or extended ACLs.

No numeric range.

Sequence numbers start at 10 and increment by 10 for each line.

Sequence numbers are changed on a router reload to reflect the increment of 10.

Sequence numbers in the ACL: 10, 20, 25, 30...

After the router reloads:

Sequence numbers: 10, 20, 30, 40 (automatically changed in the ACL after the router reloads).

Sequence numbers cannot be seen in show running-config or show startup-config.

Sequence numbers are used to allow easier editing of your ACLs.

The sequence number argument was added in Cisco IOS Software 12.2(14)S and integrated into Cisco IOS Software Release 12.2(15)T.

When restricting access through Telnet, use the access-class command rather than the access-group command.

Applying the ACL to line vty 0 4 covers all 5 vty virtual terminal lines.





Wildcard Masks

A wildcard mask identifies which address bits must match for the permit or deny argument in an ACL statement to apply.

0 - means exact match (the bit must match)

1 - means ignore (the bit is not checked)

Example 1:

    192.16.0.0      0.0.255.255

    192.16 - exact match, because the wildcard mask octets are 0 (exact match)

    0.0    - wildcard 255.255 (all bits 1 - ignore - any)

    192.16.0.0 0.0.255.255 matches 192.16.0.0 - 192.16.255.255

Example 2:

    192.168.8.0   0.0.7.255

    matches 192.168.8.0 - 192.168.15.255
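Wildcard matching as an added example (Python; not code from the notes). It does the bit-wise comparison the two examples above describe, computes the address range a contiguous wildcard covers, and converts a /n prefix into the "address wildcard" pair an ACL line takes. Because the match is bit-wise it also handles non-contiguous wildcards (for example 0.0.254.255, which matches even-numbered third octets); the range helper assumes a contiguous wildcard. Function names are my own.

```python
"""Cisco-style wildcard mask matching (added example, not from the notes)."""
import ipaddress
from typing import Tuple

ALL_ONES = 0xFFFFFFFF


def wildcard_matches(address: str, base: str, wildcard: str) -> bool:
    """True if every bit that is 0 in the wildcard mask is identical in address and base.

    Wildcard bit 0 = exact match, wildcard bit 1 = ignore (as in the notes)."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ALL_ONES ^ w            # the bits we must compare
    return (a & care) == (b & care)


def wildcard_range(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address matched by base/wildcard; assumes a contiguous wildcard."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    low = b & (ALL_ONES ^ w)       # clear the ignored bits
    high = low | w                 # set the ignored bits
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def prefix_to_wildcard(cidr: str) -> Tuple[str, str]:
    """Convert 172.16.10.0/24 into the 'address wildcard' form an ACL line takes."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


if __name__ == "__main__":
    print(wildcard_range("192.168.8.0", "0.0.7.255"))          # example 2 above
    print(wildcard_matches("192.168.12.77", "192.168.8.0", "0.0.7.255"))
    print(prefix_to_wildcard("172.16.10.0/24"))
```

The keywords any and host are just the two extremes of this: any is wildcard 255.255.255.255 (no bit compared), host is wildcard 0.0.0.0 (every bit compared).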







Standard ACLs (match on source IP address only), e.g. permit host 172.16.10.1 or allow 172.16.10.0/24.

Example 1:

access-list 10 permit 172.16.0.0 0.0.255.255

  access-list  - ACL command
  10           - standard ACL number
  permit       - allow packets
  172.16.0.0   - source IP
  0.0.255.255  - wildcard mask

Example 2:

access-list 10 deny 172.16.1.1 0.0.0.0

or

access-list 10 deny host 172.16.1.1

  access-list  - ACL command
  10           - standard ACL number
  deny         - packets are dropped or discarded
  172.16.1.1   - specific host IP
  0.0.0.0      - wildcard mask (exact match); the host keyword means the same as wildcard 0.0.0.0

Example 3:

access-list 10 permit any

  access-list  - ACL command
  10           - standard ACL number
  permit       - allow packets
  any          - all IP addresses

Standard Access-List Configuration:

R1(config)# access-list 10 deny 172.16.1.1 0.0.0.0
R1(config)# access-list 10 permit 172.16.1.10 0.0.0.255
R1(config)# interface fastethernet 0/0
R1(config-if)# ip access-group 10 in





Verifying ACLs

R1# show ip interface
    (ACLs applied to that interface)

R1# show access-lists
    (all contents of all ACLs on the router)

R1# show access-list access-list-number
    (the contents of the ACL with the number specified)

R1# show access-list name
    (the contents of the ACL with the name specified)

R1# show run
    (displays all ACLs and interface assignments)

Removing ACLs:

R1(config)# no access-list 10
    (removes all ACL statements numbered 10)



Extended ACLs - 100 - 199 and 2000 - 2699 (match on source and destination IP, source port, destination port and protocol type)

R1(config)# access-list 110 permit tcp 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255 eq 80

  110           - extended ACL number
  tcp           - protocol
  172.16.0.0    - source IP
  0.0.255.255   - wildcard mask
  192.168.100.0 - destination IP
  0.0.0.255     - wildcard mask
  eq            - equal to
  80            - port 80, indicating HTTP traffic

   


R1(config)# access-list 110 deny tcp any 192.168.100.7 0.0.0.0 eq 23
    (denies TCP port 23, Telnet, from any source to host 192.168.100.7)

Prevent traffic destined for the web:

R1(config)# access-list 100 remark prevent-traffic-web
R1(config)# access-list 100 deny tcp any any eq 80        (or eq www)
R1(config)# access-list 100 permit ip any any
R1(config)# interface fastethernet 0
R1(config-if)# ip access-group 100 out
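The standard and extended ACL examples above all follow the same rule from the notes: top to bottom, stop on the first match, implicit deny if nothing matches. The following added example (Python; not code from the notes, and not how IOS implements it) parses the numbered-ACL syntax used on this page, decides standard versus extended from the list number, and evaluates a packet (a plain dict) against the list, including the established keyword, which only matches TCP segments that already carry ACK or RST. The sample lists and packets are constructed; helper names are mine.

```python
"""Top-down, first-match ACL evaluation with wildcard masks, the implicit deny
and the TCP 'established' keyword. Added example, not from the notes."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "telnet": 23, "smtp": 25, "domain": 53, "ftp": 21}
ALL = 0xFFFFFFFF  # wildcard 255.255.255.255, i.e. 'any'

@dataclass
class Ace:
    action: str                   # 'permit' or 'deny'
    proto: str                    # 'ip', 'tcp', 'udp', 'icmp' (standard ACLs: 'ip')
    src: int
    src_wc: int
    dst: int = 0                  # standard ACLs: destination is 'any'
    dst_wc: int = ALL
    sport: Optional[int] = None   # only the 'eq' operator is modelled
    dport: Optional[int] = None
    established: bool = False

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _addr_spec(t: List[str], i: int) -> Tuple[int, int, int]:
    """Consume 'any', 'host A', 'A W' or a bare 'A' (standard-ACL shorthand for host A)."""
    if t[i] == "any":
        return 0, ALL, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    if i + 1 < len(t) and t[i + 1].count(".") == 3:
        return _ip(t[i]), _ip(t[i + 1]), i + 2
    return _ip(t[i]), 0, i + 1

def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <number|name>'."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_ace(line: str, kind: str = "extended") -> Optional[Ace]:
    """Parse 'access-list N ...' (kind taken from N) or a named-ACL entry; None for remarks."""
    t = line.lower().split()
    if t[0] == "access-list":
        n = int(t[1])
        kind = "standard" if 1 <= n <= 99 or 1300 <= n <= 1999 else "extended"
        t = t[2:]
    if t[0] == "remark":
        return None
    if kind == "standard":                      # standard ACL: source address only
        src, src_wc, _ = _addr_spec(t, 1)
        return Ace(t[0], "ip", src, src_wc)
    src, src_wc, i = _addr_spec(t, 2)
    sport, i = _port(t, i)
    dst, dst_wc, i = _addr_spec(t, i)
    dport, i = _port(t, i)
    return Ace(t[0], t[1], src, src_wc, dst, dst_wc, sport, dport, "established" in t[i:])

def _wc_match(addr: int, base: int, wc: int) -> bool:
    """Wildcard bit 0: address bit must equal the base; wildcard bit 1: ignored."""
    care = ALL ^ wc
    return addr & care == base & care

def ace_matches(ace: Ace, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if not _wc_match(_ip(pkt["src"]), ace.src, ace.src_wc):
        return False
    if not _wc_match(_ip(pkt["dst"]), ace.dst, ace.dst_wc):
        return False
    if ace.sport is not None and pkt.get("sport") != ace.sport:
        return False
    if ace.dport is not None and pkt.get("dport") != ace.dport:
        return False
    # 'established' matches only TCP segments with ACK or RST set (replies), never a new SYN
    if ace.established and not (pkt["proto"] == "tcp" and (pkt.get("ack") or pkt.get("rst"))):
        return False
    return True

def evaluate(acl: List[str], pkt: dict, kind: str = "extended") -> Tuple[str, str]:
    """Walk the list top to bottom and stop on the first match; implicit deny otherwise."""
    for line in acl:
        ace = parse_ace(line, kind)
        if ace is not None and ace_matches(ace, pkt):
            return ace.action, line
    return "deny", "implicit deny at end of list"

# Constructed sample lists in the syntax shown in the notes.
STANDARD_10 = ["access-list 10 deny 172.16.1.1 0.0.0.0",
               "access-list 10 permit 172.16.1.10 0.0.0.255"]
EXTENDED_100 = ["access-list 100 remark prevent-traffic-web",
                "access-list 100 deny tcp any any eq www",
                "access-list 100 permit ip any any"]
EXTENDED_110 = ["access-list 110 permit tcp 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255 eq 80 established"]
```

Running evaluate(STANDARD_10, ...) for source 172.16.1.1 returns the deny line, for 172.16.1.55 the permit line, and for 172.16.2.5 the implicit deny, which is why the order of the two statements matters: swapping them would let the host through. With EXTENDED_110, a web request from 172.16.0.0/16 that is a new connection (no ACK) is dropped by the implicit deny, while a reply segment is permitted.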




  

Creating Named ACLs

R1(config)# ip access-list extended serveraccess

  ip access-list    extended                  serveraccess
  (ACL command)     (extended or standard)    (name of the ACL)

R1(config-ext-nacl)# permit tcp any host 132.100.101.99 eq smtp
R1(config-ext-nacl)# permit udp any host 131.108.101.99 eq domain
R1(config-ext-nacl)# deny tcp any any log
R1(config-ext-nacl)# exit
R1(config)# interface fastethernet 0/0
R1(config-if)# ip access-group serveraccess out




Sequence Numbers in Named ACLs

R1(config)# ip access-list extended serveraccess2
R1(config-ext-nacl)# 10 permit tcp any host 132.100.101.99 eq smtp
R1(config-ext-nacl)# 20 permit udp any host 131.108.101.99 eq domain
R1(config-ext-nacl)# 30 deny tcp any any log
R1(config-ext-nacl)# exit
R1(config)# interface fastethernet 0/0
R1(config-if)# ip access-group serveraccess2 out

Adding a new line to an existing ACL:

R1(config)# ip access-list extended serveraccess2
R1(config-ext-nacl)# 25 permit tcp any host 192.100.101.99 eq ftp
R1(config-ext-nacl)# exit

The lines used sequence numbers 10, 20 and 30. If you need to add another line to this ACL, you can add it between 20 and 30 by giving it sequence number 25.



  

Removing specific lines in named ACLs using sequence numbers

R1(config)# ip access-list extended serveraccess2
R1(config-ext-nacl)# no 20
R1(config-ext-nacl)# exit

R1# show access-lists
R1# show access-lists <name>
R1# show ip access-list
R1# show ip access-list <name>
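The sequence-number behaviour described in the last two sections (numbers 10, 20, 30 by default, insert at 25, remove one line with "no 20", and renumbering to 10, 20, 30, 40 after a reload) is small enough to model. The following added example (Python; not code from the notes and not IOS's implementation) does exactly that with a dict keyed by sequence number; the entries are the constructed serveraccess2 lines from above and the class and method names are mine.

```python
"""Named-ACL editing by sequence number: insert between lines, delete one line,
and the renumbering the notes describe after a reload. Added example, not from the notes."""
from typing import Dict, List, Optional


class NamedAcl:
    def __init__(self, name: str, kind: str = "extended"):
        self.name, self.kind = name, kind
        self.entries: Dict[int, str] = {}      # sequence number -> entry text

    def add(self, entry: str, seq: Optional[int] = None) -> int:
        """Add an entry. Without an explicit number it gets highest+10 (first entry: 10)."""
        if seq is None:
            seq = max(self.entries, default=0) + 10
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already in use")
        self.entries[seq] = entry
        return seq

    def remove(self, seq: int) -> str:
        """'no <seq>' removes exactly one entry and leaves the others untouched."""
        return self.entries.pop(seq)

    def renumber(self, start: int = 10, step: int = 10) -> None:
        """What a reload does: order is kept, numbers become 10, 20, 30, ..."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: e for i, e in enumerate(ordered)}

    def sequences(self) -> List[int]:
        return sorted(self.entries)

    def show(self) -> List[str]:
        """Lines roughly in the shape 'show access-lists' prints them (numbers visible)."""
        head = f"{self.kind.capitalize()} IP access list {self.name}"
        return [head] + [f"    {s} {self.entries[s]}" for s in sorted(self.entries)]


if __name__ == "__main__":
    acl = NamedAcl("serveraccess2")
    acl.add("permit tcp any host 132.100.101.99 eq smtp")            # 10
    acl.add("permit udp any host 131.108.101.99 eq domain")          # 20
    acl.add("deny tcp any any log")                                  # 30
    acl.add("permit tcp any host 192.100.101.99 eq ftp", seq=25)     # slot between 20 and 30
    print("\n".join(acl.show()))
    acl.renumber()                                                   # after reload: 10 20 30 40
    print("\n".join(acl.show()))
```

After renumber() the ftp line that was 25 becomes 30 and the log line becomes 40, so a "no 30" typed after a reload removes a different entry than it would have before. Check show access-lists for the current numbers before deleting by sequence number.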

  

Including comments about entries in ACLs

R1(config)# access-list 10 remark only suresh has access
R1(config)# access-list 10 permit host 172.16.100.199


Restricting Virtual Terminal Access:

R1(config)# access-list 2 permit host 10.2.1.2
R1(config)# access-list 2 permit 172.16.20.0 0.0.0.255
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# access-class 2 in










What are Object Groups in ASA and how are they used?

Object grouping allows objects such as IP hosts, networks, protocols, ports and ICMP types to be collected into object groups. Once an object group is configured, you can use it with an access list or conduit in order to reference all objects within that group. This reduces the configuration size.

You cannot rename an object group. You need to delete it and apply it again with the changes.

Once the access list is created with the object group, it must be applied to the interface with the access-group command.

How will you troubleshoot object groups?

show running-config object-group - shows the currently defined object groups

show access-list <number> - shows each access list entry expanded for the objects defined in the group

clear object-group <grp-type> - when entered without the grp-type parameter, the command clears all defined object groups (the entire object-group configuration), so when entering clear object-group, specifying grp-type is a must.
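What "reduces the configuration size" means in practice: one access list entry that references object groups stands for every combination of the groups' members, and the expanded entries are what the ASA lists when the access list is displayed. The following added example (Python; not code from the notes and not ASA code) expands such an entry; the group names and members are constructed.

```python
"""Object-group expansion: one ACE referencing groups = product of the members.
Added example, not from the notes; groups and names are constructed."""
from itertools import product
from typing import Dict, List

# Constructed object groups, keyed 'type NAME' as in 'object-group network WEB-SERVERS'.
OBJECT_GROUPS: Dict[str, List[str]] = {
    "network BRANCH-NETS": ["10.1.0.0 255.255.0.0", "10.2.0.0 255.255.0.0"],
    "network WEB-SERVERS": ["host 192.0.2.10", "host 192.0.2.11", "192.0.2.32 255.255.255.240"],
    "service WEB-PORTS": ["eq 80", "eq 443"],
}


def expand(action: str, proto: str, src_group: str, dst_group: str, svc_group: str) -> List[str]:
    """Expand one 'action proto object-group SRC object-group DST object-group SVC' entry
    into the individual entries it stands for (every source x destination x port)."""
    srcs = OBJECT_GROUPS["network " + src_group]
    dsts = OBJECT_GROUPS["network " + dst_group]
    ports = OBJECT_GROUPS["service " + svc_group]
    return [f"{action} {proto} {s} {d} {p}" for s, d, p in product(srcs, dsts, ports)]


def saving(src_group: str, dst_group: str, svc_group: str) -> int:
    """How many expanded entries one configured line replaces."""
    return len(expand("permit", "tcp", src_group, dst_group, svc_group))


if __name__ == "__main__":
    for ace in expand("permit", "tcp", "BRANCH-NETS", "WEB-SERVERS", "WEB-PORTS"):
        print(ace)
    print(saving("BRANCH-NETS", "WEB-SERVERS", "WEB-PORTS"), "entries from one line")
```

Changing a member of a group changes every expanded entry at once, which is the maintenance benefit; it is also why the expanded view from show access-list is the one to read when checking what a group-based line really permits.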
