Chapter 12
The following output displays a good example of the many access-list number ranges that you can use to filter traffic on your network. The IOS version delimits the protocols you can specify access for: Corp(config)#access-list ? <___> IP ___ access list <___> IP extended access list <___> IP standard access list (expanded range) <___> IP extended access list (expanded range)
1-99, 100-199, 1300-1999, 2000-2699
You create a standard IP access list by using the access-list numbers ___ or in the expanded range of ___ because the type of ACL is generally differentiated using a number.
1-99, 1300-1999
We're going to take a look at the commands we have in our arsenal, but first, you need to know that you must use the extended access-list range from ___. The 2000-2699 range is also available for extended IP access lists.
100 to 199
If you used a block size of 16, the wildcard would be ___
15.
Corp(config)#access-list 10 deny host ? Here's an example of how a /24 subnet is specified with a wildcard mask:
172.16.30.0 0.0.0.255
Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 21 Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 23 Lab_A(config)#access-list 110 permit ip any any Remember that instead of the host 172.16.50.5 command when we created the extended access list, we could have entered
172.16.50.5 0.0.0.0. There would be no difference in the result other than the router would change the command to host 172.16.50.5 in the running-config.
Let's say that you want to block access to the part of the network that ranges from 172.16.8.0 through 172.16.15.0. Your network number would be ___, and the wildcard would be ___
172.16.8.0, 0.0.7.255
Let's say that you want to block access to the part of the network that ranges from 172.16.8.0 through 172.16.15.0. To do that, you would go with a block size of
8,
___ is essentially a list of conditions that categorize packets, and they really come in handy when you need to exercise control over network traffic.
An access list
Write an access list wildcard command that begins at network 172.16.32.0 and goes up a block size of 16 to 172.16.47.255.
Corp(config)#access-list 10 deny 172.16.32.0 0.0.15.255
Write an access list wildcard command that starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.255.
Corp(config)#access-list 10 deny 172.16.64.0 0.0.63.255
Write an access list wildcard command that begins at network 192.168.160.0 and goes up a block size of 32 to 192.168.191.255.
Corp(config)#access-list 10 deny 192.168.160.0 0.0.31.255
Here's a list of rules to live by when configuring ACLs from the Internet to your production network to mitigate security problems:
Deny any source addresses from your internal networks, local host addresses (127.0.0.0/8), reserved private addresses, addresses in the IP multicast address range (224.0.0.0/4).
What are extended access lists?
Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the Protocol field in the Network layer header, and the port number at the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic.
Here's a list of the many security threats you can mitigate with ACLs:
IP address spoofing, inbound; IP address spoofing, outbound; denial of service (DoS) TCP SYN attacks, blocking external attacks; DoS TCP SYN attacks, using TCP Intercept; DoS smurf attacks; denying/filtering ICMP messages, inbound; denying/filtering ICMP messages, outbound; denying/filtering traceroute.
Lab_A(config)#access-list 10 permit any It's very important to remember that the any command is the same thing as saying the following using wildcard masking:
Lab_A(config)#access-list 10 permit 0.0.0.0 255.255.255.255
Can you have multiple access lists applied on the same interface in the same direction for the same protocol?
Naw.
Lab_A(config)#access-list 110 permit tcp host 192.168.177.2 host 172.22.89.26 eq 80 Lab_A(config)#access-list 110 deny tcp any host 172.22.89.26 eq 80 Lab_A(config)#access-list 110 permit ip any any What does this command say?
Permit 192.168.etc HTTP access to 172.22.etc. But since all other traffic must be allowed, we must detail who cannot HTTP to 172.22.etc, so the second test statement is there to deny anyone else from using HTTP on 172.22.etc. Finally, now that Host B can HTTP to the Finance server and everyone else can't, we'll permit all other traffic with our third test statement.
Command used to display all ACLs and their parameters
Router#show access-list
Command used to display only specific ACL parameters
Router#show access-list 110
Command used to display only IP ACLs
Router#show ip access-list
Command used to show which interfaces have ACLs on them
Router#show ip int
Command used to show ACLs and the specific interfaces that have them
Router#show run
I've specified a standard access list, then added the name, BlockSales. I definitely could've used a number for a standard access list, but instead, I chose to use a nice, clear descriptive name. And notice that after entering the name, I hit Enter and the router prompt changed to
Router(config-std-nacl)# This confirms that I'm now in named access list configuration mode and that I'm entering the named access list
If you want to filter by Application layer protocol, you have to choose the appropriate layer 4 transport protocol after the permit or deny statement. For example, to filter Telnet or FTP, choose ___ since both Telnet and FTP use ___ at the Transport layer. Selecting IP wouldn't allow you to specify a particular application protocol later and only filter based on source and destination addresses.
TCP
Router(config)#access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23 Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23 Router(config)#access-list 110 permit ip any any Router(config)#interface Ethernet 1 Router(config-if)#ip access-group 110 out Router(config-if)#interface Ethernet 2 Router(config-if)#ip access-group 110 out Here are the key factors to understand from this list: You must verify that the protocol field matches the upper-layer process or application, which in this case, is
TCP port 23 (Telnet). The protocol parameter must be TCP since Telnet uses TCP. If it were TFTP instead, then the protocol parameter would have to be UDP because TFTP uses UDP at the Transport layer.
Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 21 Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 23 Lab_A(config)#access-list 110 permit ip any any The tcp is the protocol field in the Network layer header. If the list doesn't say tcp here, you cannot filter by ___ as shown in the example.
TCP port numbers 21 and 23
What are named access lists?
Technically there really are only two since named access lists are either standard or extended and not actually a distinct type. I'm just distinguishing them because they're created and referred to differently than standard and extended access lists are, but they're still functionally the same.
___ can be global (real) Internet addresses or private addresses, depending on how you configure your firewall, but this is typically where you'll find the HTTP, DNS, email, and other Internet-type corporate servers.
The demilitarized zone (DMZ)
Remember the standard and extended IP access-list number ranges.
The number ranges you can use to configure a standard IP access list are 1-99 and 1300-1999. The number ranges for an extended IP access list are 100-199 and 2000-2699.
What are standard access lists?
These ACLs use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don't distinguish between any of the many types of IP traffic such as Web, Telnet, UDP, and so on.
Try to figure out this next line: Corp(config)#access-list 10 deny 172.16.16.0 0.0.3.255
This configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would then be 172.16.16.0 through 172.16.19.255, and by the way, the Cisco objectives seem to really like this one!
What about this next one? Corp(config)#access-list 10 deny 172.16.16.0 0.0.7.255
This example reveals an access list starting at 172.16.16.0 going up a block size of 8 to 172.16.23.255.
Corp(config)#access-list 10 deny 172.16.30.5 0.0.0.255 What does the 255 mean?
To specify that an octet can be any value, use the value 255.
Corp(config)#access-list 110 permit ip any any The IP in this line is important because it will permit the IP stack. If TCP was used instead of IP in this line, then ___, etc. would all be denied.
UDP
What's the difference between an inbound and an outbound access list?
When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied won't be routed because they're discarded before the routing process is invoked. When an access list is applied to outbound packets on an interface, packets are routed to the outbound interface and then processed through the access list before being queued.
Should You Secure Your VTY Lines on a Router? You're monitoring your network and notice that someone has telnetted into your core router by using the show users command. You use the disconnect command and they're disconnected from the router, but you notice that they're right back in there a few minutes later. You consider putting an ACL on the router interfaces, but you don't want to add latency on each interface since your router is already pushing a lot of packets. At this point, you think about putting an access list on the VTY lines themselves, but not having done this before, you're not sure if this is a safe alternative to putting an ACL on each interface. Would placing an ACL on the VTY lines be a good idea for this network?
Yes—absolutely! And the access-class command covered in this chapter is the way to do it. Why? Because it doesn't use an access list that just sits on an interface looking at every packet, resulting in unnecessary overhead and latency.
Can you remove one line from an access list?
You can't remove one line from an access list. If you try to do this, you will remove the entire list. This is why it's best to copy the access list to a text editor before trying to edit the list.
Can you remove one line from a named access list?
You can't remove one line from an access list. If you try to do this, you will remove the entire list. This is why it's best to copy the access list to a text editor before trying to edit the list. The only exception is when you're using named access lists. You can edit, add, or delete a single line from a named access list.
In Appendix C, "Disabling and Configuring Network Services," I'll show you how to mitigate most security-oriented network threats. Make sure you don't skip this appendix because it is chock full of great security information, and the information it contains is part of the Cisco exam objectives as well!
___
Applying a standard IP access list won't allow users to get to one network service but not another because
a standard ACL won't allow you to make decisions based on both source and destination addresses.
___ give network managers a huge amount of control over traffic flow throughout the enterprise. With access lists, we can gather basic statistics on packet flow and security policies can be implemented. These dynamic tools also enable us to protect sensitive devices from the dangers of unauthorized access.
access lists
You see this a lot—typically, in medium to large enterprise networks—the various strategies for security are based on some mix of internal and perimeter routers plus firewall devices. Internal routers provide additional security by screening traffic to various parts of the protected corporate network, and they achieve this using
access lists.
To get this going for both standard and extended ACLs, just use the ___ global configuration command.
access-list access-list number remark remark
Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 21 Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 23 Lab_A(config)#access-list 110 permit ip any any This ACL says that
all IP traffic will be permitted from any host except FTP and Telnet to host 172.16.50.5 from any source.
Trying to stop users from telnetting or trying to SSH to a router is really challenging because
any active interface on a router is fair game for VTY/SSH access.
Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 21 Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 23 Lab_A(config)#access-list 110 permit ip any any The any command is the source, which means
any source IP address
Once you create an access list, it's not really going to do anything until you
apply it to an interface.
Wildcards are used with access lists to specify an individual host, a network, or a specific range of a network or networks. The ___ you learned about earlier used to specify a range of addresses are key to understanding wildcards.
block sizes
Anytime a new entry is added to the access list, it will be placed at the ___ of the list, which is why I highly recommend using a text editor for access lists.
bottom
This means every list should have at least one permit statement or it will
deny all traffic.
Corp(config)#access-list 10 deny host ? Hostname or A.B.C.D Host address Corp(config)#access-list 10 deny host 172.16.30.2 This tells the list to
deny any packets from host 172.16.30.2.
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log This line says to
deny any source host trying to telnet to destination host 172.16.30.2. Keep in mind that the next line is an implicit deny by default. If you apply this access list to an interface, you might as well just shut the interface down because by default, there's an implicit deny all at the end of every access list.
Place IP standard access lists as close to the ___ as possible.
destination
Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 21 Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 23 Lab_A(config)#access-list 110 permit ip any any The host is the
destination IP address.
You've got to specify which ___ of traffic you want the access list applied to.
direction
Creating an extended IP ACL that limits access to every IP address on the router may sound like a solution, but if you did that, you'd have to apply it inbound on
every interface, which really wouldn't scale well if you happen to have dozens, even hundreds, of interfaces, now would it? And think of all the latency dragging down your network as a result of each and every router checking every packet just in case the packet was trying to access your VTY lines—horrible!
Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 21 Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 23 Lab_A(config)#access-list 110 permit ip any any The access-list 110 tells the router we're creating an ___ IP ACL.
extended
An ___ is just what we need to effectively allow users access to a physical LAN while denying them access to specific hosts—even specific services on those hosts!
extended ACL
Router(config)#access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23 Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23 Router(config)#access-list 110 permit ip any any Router(config)#interface Ethernet 1 Router(config-if)#ip access-group 110 out Router(config-if)#interface Ethernet 2 Router(config-if)#ip access-group 110 out Here are the key factors to understand from this list: First, you need to verify that the number range is correct for the type of access list you are creating. In this example, it's ___, so the range must be ___
extended, 100-199.
Since extended access lists can filter on very specific addresses and protocols, you don't want your traffic to traverse the entire network just to be denied. By placing this list as close to the source address as possible, you can
filter traffic before it uses up precious bandwidth.
One of the most common and easiest-to-understand uses of access lists is to
filter unwanted packets when implementing security policies. For example, you can set them up to make very specific decisions about regulating traffic patterns so that they'll allow only certain hosts to access web resources on the Internet while restricting others.
There is an implicit "deny" at the end of each access list—this means that
if a packet doesn't match the condition on any of the lines in the access list, the packet will be discarded.
Corp(config)#access-list 10 deny host ? Hostname or A.B.C.D Host address Corp(config)#access-list 10 deny host 172.16.30.2 The default parameter is host. In other words,
if you type access-list 10 deny 172.16.30.2, the router assumes you mean host 172.16.30.2 and that's exactly how it will show in your running-config.
But where named ACLs really shine is that they allow us to
insert, delete, or edit a single line.
You can assign only one access list per ___ per ___ per ___.
interface, protocol, direction
Although ACLs can help with a DDoS, you really need an ___ and ___ to help prevent these common attacks. Cisco sells the Adaptive Security Appliance (ASA), which has IDS/IPS modules, but lots of other companies sell IDS/IPS products too.
intrusion detection system (IDS) and intrusion prevention system (IPS)
Notice that I started by typing ___, not access-list. Doing this allows me to enter a named access list.
ip access-list
Router(config)#access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23 Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23 Router(config)#access-list 110 permit ip any any Router(config)#interface Ethernet 1 Router(config-if)#ip access-group 110 out Router(config-if)#interface Ethernet 2 Router(config-if)#ip access-group 110 out Here are the key factors to understand from this list: The test statement permit ip any any is important to have there at the end of the list because
it means to enable all packets other than Telnet packets destined for the LANs connected to Ethernet 1 and Ethernet 2.
The log command is used to
log messages every time the access list entry is hit
To specify a host, the address would look like this: Corp(config)#access-list 10 deny 172.16.30.5 0.0.0.0 Whenever a zero is present, it indicates that octet in the address must ___ the corresponding reference octet exactly.
match
To our collective relief, ___ allow us to use names for creating and applying either standard or extended access lists.
named access lists
Any access list applied to an interface without access-list test statements present will ___
not filter traffic.
Based on the ___ used when the access list is created, the router knows which type of syntax to expect as the list is entered.
number
Access-list statements are basically ___ that packets are compared against, categorized by, and acted upon accordingly.
packet filters
A handy way to make managing ACLs easier is to copy the access list to a text editor, edit the list, then
paste the new list back into the router
Unless your access list ends with a ___ command, all packets will be discarded if they do not meet any of the list's tests.
permit any
Even though you have the option of placing your remarks either before or after a ___ or ___ statement, I totally recommend that you choose to position them consistently so you don't get confused about which remark is relevant to a specific permit or deny statement.
permit or deny
Once you've chosen the access-list number, you need to decide whether you're creating a ___ or ___ statement.
permit or deny
Corp(config)#access-list 10 deny ? Hostname or A.B.C.D Address to match any Any source host host A single host address The next step is more detailed because there are three options available in it: 1. The first option is the any parameter, which is used to
permit or deny any source host or network.
Second, notice that even though I entered actual numbers for TCP ports in access list 110, the show command gives us the ___rather than TCP ports for serious clarity.
protocol names
The ___ keyword is really important because it arms you with the ability to include comments—___—regarding the entries you've made in both your IP standard and extended ACLs. ___ are very cool because they efficiently increase your ability to examine and understand your ACLs to superhero level!
remarks
Lab_A#show access-list Standard IP access list 10 10 deny 172.16.40.0, wildcard bits 0.0.0.255 20 permit any Standard IP access list BlockSales 10 deny 172.16.40.0, wildcard bits 0.0.0.255 20 permit any Extended IP access list 110 10 deny tcp any host 172.16.30.5 eq ftp 20 deny tcp any host 172.16.30.5 eq telnet 30 permit ip any any 40 permit tcp host 192.168.177.2 host 172.22.89.26 eq www 50 deny tcp any host 172.22.89.26 eq www The best part is those numbers on the left side: 10, 20, 30, etc. Those are called ___, and they allow us to edit our named ACL.
sequence numbers
The packet is always compared with each line of the access list in ___ order—it will always start with the first line of the access list, move on to line 2, then line 3, and so on.
sequential
By using numbers 1-99 or 1300-1999, you're telling the router that you want to create a standard IP access list, so the router will expect syntax specifying only the ___ IP address in the test lines.
source
Place IP extended access lists as close to the ___ as possible.
source
It's generally a bad idea to allow any external IP packets that contain the ___ of any internal hosts into a private network.
source address
Organize your access lists so that the more ___ tests are at the top.
specific
Corp(config)#access-list 10 deny ? Hostname or A.B.C.D Address to match any Any source host host A single host address The next step is more detailed because there are three options available in it: 3. The last option is to use the host command to
specify a specific host only.
Corp(config)#access-list 10 deny ? Hostname or A.B.C.D Address to match any Any source host host A single host address The next step is more detailed because there are three options available in it: 2. The second choice is to use an IP address to
specify either a single host or a range of them.
I'm guessing that named ACLs don't seem all that exciting or different to you, do they? Maybe not in this configuration, except that I don't need to
start every line with access-list 110, which is nice.
Router(config)#access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23 Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23 Router(config)#access-list 110 permit ip any any Router(config)#interface Ethernet 1 Router(config-if)#ip access-group 110 out Router(config-if)#interface Ethernet 2 Router(config-if)#ip access-group 110 out Here are the key factors to understand from this list: Verify that the destination port number matches the application you're filtering for. In this case, port 23 matches Telnet, which is correct, but know that you can also type ___ at the end of the line instead of 23.
telnet
When you put the access-class in command on the VTY lines, only packets trying to
telnet into the router will be checked and compared, providing easy-to-configure yet solid security for your router!
Lab_A(config)#access-list 50 permit host 172.16.10.3 Lab_A(config)#line vty 0 4 Lab_A(config-line)#access-class 50 in Because of the implied deny any at the end of the list, the ACL stops any host from ___
telnetting into the router except the host 172.16.10.3, regardless of the individual IP address on the router being used as a target.
Employ a standard IP access list to control access to the VTY lines themselves to stop users from
telnetting or trying to SSH to a router.
The packet is compared with lines of the access list only until a match is made. Once it matches the condition on a line of the access list, ___
the packet is acted upon and no further comparisons take place.
Access lists are designed to filter traffic going through the router. They will not filter traffic that has originated from
the router.
Employ a standard IP access list to control access to the VTY lines themselves to stop users from telnetting or trying to SSH to a router. Why does this work so well? Because
when you apply an access list to the VTY lines, you don't need to specify the protocol since access to the VTY already implies terminal access via the Telnet or SSH protocols. You also don't need to specify a destination address because it really doesn't matter which interface address the user used as a target for the Telnet session. All you really need control of is where the user is coming from, which is betrayed by their source IP address.
Corp(config)#access-list 10 deny host 172.16.30.2 To specify any range of hosts, you must use ___ in the access list.
wildcard masking
This is the reason we don't really want to use standard access lists in our networks. You can't put a standard access list close to the source host or network because
you can only filter based on source address and all destinations would be affected as a result.