ACLs - Access Control Lists
What are the four interface options for ACLs?
1. Have no ACL applied 2. An inbound ACL only 3. An outbound ACL only 4. ACLs in both directions.
You make the following ACL by entering access-list 100 deny tcp any any eq 23. Now, what do you enter to apply it to interface fa1/0 and make it outbound?
1. interface fa1/0 2. ip access-group 100 out
ACEs are automatically numbered in increments of _______.
10. This leaves room so you can insert other ACEs into the ACL.
You need to inject an ACE into an ACL (110), so you've entered ip access-list extended 110. You need to insert it between 10 and 20 that already exist, so you are going to use 15 as the ACE. You need to deny 10.10.10.11 being able to telnet to 10.10.50.10, over tcp. What command do you enter?
15 deny tcp host 10.10.10.11 host 10.10.50.10 eq telnet
Modern versions of Windows use source port numbers equal or greater to what number? Older versions of windows was 1024.
49151
Aside from ACLs being used as a security feature, what other use do they serve?
ACLs are also used for software policies when traffic has to be indentified e.g. QoS policy or NAT policy.
You can have both an inbound and an outbound ACL on the same interface, using either 2 inbound or 2 outbound ACLs.
False. You can have both inbound and an outbound ACL on the same interface, but not 2 inbound or outbound ACLs.
ACLs cannot be applied in the inbound and outbound direction
False. ACLs can be applied in the inbound or outbound direction.
An Access Control List security policy is not a packet filter.
False. An Access Control List security policy is a packet filter.
An ACL is read by the router from bottom to top.
False. It's read from top to bottom.
When you configure an ACL, you do not want to secure it as close to the source as possible.
False. When you create an ACL, you want to secure it to the source as close as possible so the traffic isn't going over any part of the network that it doesn't need to.
You can have multiple ACLs per interface and direction.
False. You can only have 1 ACL per interface, per direction.
ACLs do not apply to traffic that comes from the router itself.
If there are hosts left of R1 off F0/0 and you make an ACL on R1's F1/0 going out the other side that deny's telnet traffic to R2 (on R1's right), R1 will still be able telnet. The reason is because ACLs do not apply to traffic that comes from the router itself.
Remove ACL 100 IN on interface fa1/0
Interface fa1/0 no ip access-group 100 in Note: this ACL still exist, it's just not applied to interface fa1/0
What is this ACL doing? Is it standard or extended? access-list 1 deny 10.10.10.10 0.0.0.0 access-list 1 permit 10.10.10.0 0.0.0.255
It's denying 10.10.10.10 but allowing everything else.
What ACL command uses IP access-list?
Named ACL. A number ACL access list command uses access-list ### Instead of using numbers, can use a name.
Can ACLs be applied aside from an interface level with the Access-Group command?
No.
Do Stateful Firewalls and Packet Filters both maintain a connection table?
No. Only stateful firewalls do. Packet filters (ACLs) do not maintain a connection table like a stateful firewall.
Do Packet Filters track the state of two way connections going through the router?
No. They affect traffic in one direction only and do not track the state of the two way connections going through the router.
What action is different between these two ACE's? 1. access-list 100 permit tcp 10.10.10.10 0.0.0.0 2. access-list 100 permit tcp host 10.10.10.10
Nothing
What action is different between these two ACE's? 1. access-list 100 permit tcp 0.0.0.0 255.255.255.255 2. access-list 100 permit tcp any
Nothing. They do the same thing.
Access Control Lists are made up of Access Control Entries which are a series of _________ or _________ rules.
Permit or Deny
What command shows you all your ACLs and their contents?
Show access list
What is the difference between a standard ACL and an Extended ACL?
Standard ACLs reference the source address only. Range 1-99, 1300-1999 Extended ACLs check based on the protocol, source address, destination address and port number. Range 100-199, 2000-2699
What are the three types of ACLS?
Standard, Extended and Named
What kind of ACL is this: 99 ?
Standard. Standard ACL range is 1-99, 1300-1999 Extended ACL range is 100-199, 2000-2699
What is a stateful firewall?
Stateful firewalls maintain a connection table which tracks the two-way 'state' of traffic passing through the firewall. Maintains a state table that allows the firewall to compare current packets to previous ones to determine if the traffic is legitimate. These are often slower but more secure than packet filtering firewalls
What does the established keyword do in this command? access-list 100 permit tcp any eq 80 10.10.10.0 0.0.0.255 established
The established keyword in an ACL only checks for the 'Ack' flag in return traffic. This does not make the router a stateful firewall and it still does not keep a connection table. It's not looking for a matching connection, like a connection table does on a stateful firewall. This can easily be spoofed by an attacker because anyone can create an "ack" packet back to organization.
If the following ACL is applied, what is the effect? access-list 1 permit 10.10.10.0 0.0.0.255
There is an implicit 'deny any any' rule at the bottom of ACLs. If an ACL is applied, all traffic is denied except what is explicitly allowed. Traffic from 10.10.10.0/24 will be permitted, everything else is denied.
What do the following ACLs do? access-list 1 permit 10.10.10.0 0.0.0.255 access-list 1 deny any log
This is an explicit deny all entry at the bottom. Logs any illegal traffic that doesn't pertain to 10.10.10.0 /24
What will happen to 10.10.10.10 with these ACE's? 1. access-list 1 deny 10.10.10.10 2. access-list 1 permit 10.10.10.0 0.0.0.255
This will deny 10.10.10.10 but permit the rest of the 10.10.10.0/24 subnet ACLs work from top down, so the first will take precedence.
What will happen to 10.10.10.10 with these ACE's? 1. access-list 1 permit 10.10.10.0 0.0.0.255 2. access-list 1 deny host 10.10.10.10
This will permit all of the 10.10.10.0/24 subnet including 10.10.10.10 The most specific ACLs need to be at the top and the least specific at the bottom.
An Access Control List is made up of multiple Access Control Entries.
True
As soon as a rule matches the packet, the permit or deny action is applied and the ACL is not processed any further.
True
If a packet matches a rule, it stops process the ACL.
True
You can have a maximum of one ACL per interface per direction.
True
Is return traffic permited by default on a stateful firewall?
Yes
With packet filtering, if you have an ACL applied on the way out only, will return traffic be allowed back in?
Yes. All traffic is allowed when an ACL is not applied. If you have ACLs applied in both directions, you will need explicit entries to allow both the outbound and the return traffic because the router doesn't have a connection table to track this connection. You will need an explicit ACL for outbound and inbound traffic.
If a Stateful Firewall has "deny all traffic from outside to inside", but a client on the inside sends traffic to a server on the outside, and the server on the outside responds back to the computer client inside, will this be permitted?
Yes. It is permitted because it is valid return traffic for a connection in the connection table. This overrides the "Deny all traffic from outside to inside" rule.
Can you configure a router as a stateful firewall with an IOS feature set?
Yes. Once enabled, it does make your router act as a stateful firewall.
You have ACL beginning with access-list 1 deny 10.10.10.0 0.0.0.255. What would you need to enter to explicityly permit all other traffic?
access-list 1 permit any
What command creates an ACE entry for ACL 100 to deny 10.10.10.0 /24 to 10.10.50.0 /24 network?
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.50.0
What command creates an ACE entry to ACL 100 to block tcp from 10.10.10.0 /24 to 10.10.50.0 /24 on port 80?
access-list 100 deny tcp 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255 eq 80
Using ACL 100, create an ACE that denies tcp on host 10.10.10.10 to the 10.10.20.0 /24 network using http and log this.
access-list 100 deny tcp host 10.10.10.10 10.10.20.0 0.0.0.255 eq www log
You need to create an ACL (it's extended so use 100) that permits 10.0.1.10 to telnet to 10.0.0.2. Additionally, you need another ACE in the ACL that denies 10.0.1.0 /24 to 10.0.0.2 over telnet. You want to also allow all over traffic. Apply this ACL to interface fa1/0 going iN What commands do you enter?
access-list 100 permit tcp host 10.0.1.10 host 10.0.0.2 eq telnet access-list 100 deny tcp 10.0.1.0 0.0.0.255 host 10.0.0.2 eq telnet access-list 100 permit ip any any interface fa1/0 ip access-group 100 in The order is important because if you put the second ACE first, it would deny any 10.0.1.x addresses. And ensuring access-list 100 permit ip any any is in place because it will allow all other traffic because of the implicit deny any any at the bottom.
What three ACL actions are there?
deny, permit and remark
You need to inject an ACE into ACL 110, what command do you enter to do this first? You are in Global Configuration mode.
ip access-list extended 110
Created a named extended ACL called F1/0_IN
ip access-list extended F1/0_in
You have a named ACL that is extended called F1/0_IN, you are in config-ext-nacl for this ACL. Configure the ACL so that 10.0.1.10 can connect to 10.0.0.2 over telnet. Deny all other 10.0.1.0 /24 from accessing 10.0.0.2 over telnet. Deny anything else besides 10.0.1.0 /24 from accessing 10.0.0.2 via telnet. You need to allow 10.0.1.11 to be able to ping 10.0.0.2 and deny for everyone else on 10.0.1.0 /24 You want to allow all other traffic. Apply this ACL to fa1/0
permit tcp host 10.0.1.10 host 10.0.0.2 eq telnet deny tcp 10.0.1.0 0.0.0.255 host 10.0.0.2 eq telnet deny tcp any host 10.0.0.2 eq telnet permit icmp host 10.0.1.11 host 10.0.0.2 echo deny icmp 10.0.1.0 0.0.0.255 host 10.0.0.2 echo permit ip any any ip access-group F1/0_in in
What command shows you Access List 100 info?
show access-list 100