Difference between revisions of "Access-list Cisco IOS"

From Teknologisk videncenter
m (CBAC - Context Based Access Control)
m (Extended IP access lists)
 
(12 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Cisco Access-list acl
+
Cisco Access-list acl for IPv4 for [[IPv6]] See [[Access-list IPv6 Cisco IOS]]
  
 
= Placement of Access-lists =
 
= Placement of Access-lists =
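Review bot: the new first line, `Cisco Access-list acl for IPv4 for [[IPv6]] See [[Access-list IPv6 Cisco IOS]]`, runs two statements together with no punctuation and reads as "for IPv4 for IPv6"; suggest `Cisco access-lists (ACL) for IPv4. For [[IPv6]] see [[Access-list IPv6 Cisco IOS]].`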
Line 7: Line 7:
 
Standard IP Access lists are access lists from 1 to 99 and from 1300 to 1999. Standard access list only checks the source IP address.
 
Standard IP Access lists are access lists from 1 to 99 and from 1300 to 1999. Standard access list only checks the source IP address.
 
Example:
 
Example:
<pre>
+
<source lang=cli>
 
interface fastethernet0/0  
 
interface fastethernet0/0  
 
  ip address 10.1.1.1 255.255.255.0  
 
  ip address 10.1.1.1 255.255.255.0  
Line 13: Line 13:
 
!
 
!
 
access-list 1 permit 10.1.1.0 0.0.0.255  
 
access-list 1 permit 10.1.1.0 0.0.0.255  
</pre>
+
</source>
  
 
= Extended IP access lists =
 
= Extended IP access lists =
Extended IP Access lists are access lists from 101 to 199 and 2000 to 2699. Extende access list can check source and destination IP address and protocol specific information. (IP, TCP, UDP, ICMP)
+
Extended IP Access lists are access lists from 100 to 199 and 2000 to 2699. Extende access list can check source and destination IP address and protocol specific information. (IP, TCP, UDP, ICMP)
 
Example:
 
Example:
<pre>
+
<source lang=cli>
 
interface Ethernet0/1  
 
interface Ethernet0/1  
 
  ip address 172.16.1.2 255.255.255.0  
 
  ip address 172.16.1.2 255.255.255.0  
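Review bot: the range correction from "101 to 199" to "100 to 199" is right (100 is a valid extended ACL number), but the typo "Extende access list" on the same changed line is carried over unchanged; fix it to "Extended access lists" while this line is being edited anyway.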
Line 25: Line 25:
 
access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo  
 
access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo  
 
access-list 101 permit ip any 10.1.1.0 0.0.0.255
 
access-list 101 permit ip any 10.1.1.0 0.0.0.255
</pre>
+
</source>
 +
<!-- Error in this see [[Understand_the_order_of_operations_for_Cisco_IOS#outside-to-inside]]
 
== Example extended access-list ==
 
== Example extended access-list ==
 
Users are on our internal private networks
 
Users are on our internal private networks
Line 34: Line 35:
  
 
The internal computer 192.168.201.1 are the public WEB-server which users on the Internet are allowed to surf. The server uses www (port 80) and secure HTTP (port 443). We also open for UDP port 53 to contact DNS-servers  
 
The internal computer 192.168.201.1 are the public WEB-server which users on the Internet are allowed to surf. The server uses www (port 80) and secure HTTP (port 443). We also open for UDP port 53 to contact DNS-servers  
<pre>
+
<source lang=cli>
 
interface FastEthernet0/1
 
interface FastEthernet0/1
 
  description Outside: Internet connection to ISP
 
  description Outside: Internet connection to ISP
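Review bot: the `<!-- Error in this see [[Understand_the_order_of_operations_for_Cisco_IOS#outside-to-inside]]` opener hides the whole "Example extended access-list" section (ACL 138) instead of fixing it, and the comment does not say what the error is. Either state the problem in one sentence inside the comment or delete the section; commented-out wiki text still ships in the page source and will confuse the next editor. Note also that the closing `-->` is not in this hunk but only arrives in the next one, so the two changes must land together or the rest of the page is swallowed by the comment.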
Line 49: Line 50:
 
access-list 138 permit tcp any host 192.168.201.1 eq www
 
access-list 138 permit tcp any host 192.168.201.1 eq www
 
access-list 138 permit tcp any host 192.168.201.1 eq 443
 
access-list 138 permit tcp any host 192.168.201.1 eq 443
</pre>
+
</source>
 +
-->
  
 
= IP named access lists =
 
= IP named access lists =
 
IP named access lists you can give standard and extended access lists names instead of numbers.
 
IP named access lists you can give standard and extended access lists names instead of numbers.
 
Example:
 
Example:
<pre>
+
<source lang=cli>
 
interface Ethernet0/0  
 
interface Ethernet0/0  
 
  ip address 10.1.1.1 255.255.255.0  
 
  ip address 10.1.1.1 255.255.255.0  
Line 61: Line 63:
 
ip access-list extended TELNET-IN  
 
ip access-list extended TELNET-IN  
 
permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet  
 
permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet  
</pre>
+
</source>
 
= Protecting telnet management =
 
= Protecting telnet management =
 
To protect unauthorized users from accessing the Router you can use a access list.
 
To protect unauthorized users from accessing the Router you can use a access list.
<pre>
+
<source lang=cli>
 
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq telnet
 
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq telnet
 
!
 
!
Line 71: Line 73:
 
  password cisco
 
  password cisco
 
  login
 
  login
</pre>
+
</source>
  
 
= Reflexive access lists =
 
= Reflexive access lists =
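Review bot: the context lines `password cisco` and `login` keep a well-known line password and cleartext telnet in a section titled "Protecting telnet management"; this hunk only swaps `<pre>` for `<source>`, but since the block is being touched, `login local` (or AAA) plus `transport input ssh` would make `access-class 100 in` one control among several rather than the only one.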
Line 77: Line 79:
  
 
The following example example permits ICMP traffic to the Router while TCP traffic is only allowed if the Session was started from within.
 
The following example example permits ICMP traffic to the Router while TCP traffic is only allowed if the Session was started from within.
<pre>
+
<source lang=cli>
 
ip reflexive-list timeout 120  
 
ip reflexive-list timeout 120  
 
!     
 
!     
Line 87: Line 89:
 
ip access-list extended TRAFFIC-IN
 
ip access-list extended TRAFFIC-IN
 
permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 
permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
evaluate tcptraffic
+
evaluate FILTERNAVN
 
!
 
!
 
ip access-list extended TRAFFIC-OUT
 
ip access-list extended TRAFFIC-OUT
 
permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255  
 
permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255  
permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic
+
permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect FILTERNAVN
</pre>
+
</source>
 +
 
 
= Timebased Access Lists =
 
= Timebased Access Lists =
 
Timebased access lists specifies when a access list is activated. In the following example telnet is allowed monday, wednesday and friday from 08:00 to 17:00.
 
Timebased access lists specifies when a access list is activated. In the following example telnet is allowed monday, wednesday and friday from 08:00 to 17:00.
<pre>
+
<source lang=cli>
 
interface Ethernet0/0  
 
interface Ethernet0/0  
 
  ip address 10.1.1.1 255.255.255.0  
 
  ip address 10.1.1.1 255.255.255.0  
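Review bot: renaming the reflexive list from `tcptraffic` to `FILTERNAVN` (Danish for "filter name") is applied consistently to both `evaluate FILTERNAVN` and `permit tcp ... reflect FILTERNAVN`, which is the part that matters: an `evaluate` whose name no `reflect` entry feeds simply matches nothing. The new name, however, reads as an untranslated placeholder on an English page; keep the original `tcptraffic` or use a descriptive name such as `TCP-REFLECT`.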
Line 104: Line 107:
 
time-range TELNET-OK  
 
time-range TELNET-OK  
 
periodic Monday Wednesday Friday 8:00 to 17:00
 
periodic Monday Wednesday Friday 8:00 to 17:00
</pre>
+
</source>
  
 
= Commenting access lists =
 
= Commenting access lists =
 
Sometimes its nice to comment your access list.
 
Sometimes its nice to comment your access list.
<pre>
+
<source lang=cli>
 
interface Ethernet0/0  
 
interface Ethernet0/0  
 
  ip address 10.1.1.1 255.255.255.0  
 
  ip address 10.1.1.1 255.255.255.0  
Line 115: Line 118:
 
access-list 101 remark permit_telnet  
 
access-list 101 remark permit_telnet  
 
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
 
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
</pre>
+
</source>
 
= CBAC - Context Based Access Control =
 
= CBAC - Context Based Access Control =
 
CBAC requires that the IOS Firewall feature is installed. CBAC inspects traffic that travels through the firewall in order to discover and manage state information for TCP and UDP sessions. This state information is used in order to create temporary openings in the access lists of the firewall.
 
CBAC requires that the IOS Firewall feature is installed. CBAC inspects traffic that travels through the firewall in order to discover and manage state information for TCP and UDP sessions. This state information is used in order to create temporary openings in the access lists of the firewall.
Line 122: Line 125:
  
 
This is an example of the use of CBAC in order to inspect outbound traffic. Extended ACL 111 normally block the return traffic other than ICMP without CBAC opening holes for the return traffic.
 
This is an example of the use of CBAC in order to inspect outbound traffic. Extended ACL 111 normally block the return traffic other than ICMP without CBAC opening holes for the return traffic.
<pre>
+
<source lang=cli>
 
ip inspect name MYFW ftp timeout 3600  
 
ip inspect name MYFW ftp timeout 3600  
 
ip inspect name MYFW http timeout 3600  
 
ip inspect name MYFW http timeout 3600  
Line 134: Line 137:
 
access-list 111 deny icmp any 10.1.1.0 0.0.0.255 echo  
 
access-list 111 deny icmp any 10.1.1.0 0.0.0.255 echo  
 
access-list 111 permit icmp any 10.1.1.0 0.0.0.255  
 
access-list 111 permit icmp any 10.1.1.0 0.0.0.255  
</pre>
+
</source>
 +
<br/><br/>
 +
ip inspect is obsolete<ref>http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml</ref>, use [[Netband_Project_-_Zone_based_Firewall(ZFW)|Zone-Based Firewall]] instead.
  
 
= VACL - VLAN based ACL Lists =
 
= VACL - VLAN based ACL Lists =
 
VACL access lists are implemented on layer 3 three switches. Fx. Cisco 3560 layer 3 switch.
 
VACL access lists are implemented on layer 3 three switches. Fx. Cisco 3560 layer 3 switch.
<pre>
+
*[[VACL capture ports Cisco IOS|VACL capture ports]]
 +
<source lang=cli>
 
vlan access-map DROPPRIVATEIP 10
 
vlan access-map DROPPRIVATEIP 10
 
   match ip address 7
 
   match ip address 7
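Review bot: the obsolescence notice (`ip inspect is obsolete<ref>...</ref>, use [[...|Zone-Based Firewall]] instead.`) is placed after the CBAC example and spaced with `<br/><br/>`; move it into the section's opening paragraph so readers see it before copying the configuration, and replace the `<br/>` spacer with a blank line, which is the wiki convention used elsewhere on this page. The `*[[VACL capture ports Cisco IOS|VACL capture ports]]` bullet is also dropped directly above the `<source>` fence with no introducing text; a short "See also" lead would read better.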
Line 150: Line 156:
 
access-list 7 permit 172.16.0.0 0.15.255.255
 
access-list 7 permit 172.16.0.0 0.15.255.255
 
access-list 7 permit 192.168.0.0 0.0.255.255
 
access-list 7 permit 192.168.0.0 0.0.255.255
</pre>
+
</source>
 +
==Using MAC based ACL==
 +
<source lang=cli>
 +
mac access-list extend MY-MAC-ACL
 +
permit host 0000.01ee.23b5 any
 +
!
 +
ip access-list extended MY-IP-ACL
 +
permit ip host 192.168.1.7 any
 +
!
 +
vlan access-map MY-VLAN-MAP
 +
match mac address MY-MAC-ACL
 +
match ip address MY-IP-ACL
 +
action forward
 +
!
 +
vlan filter MY-VLAN-MAP vlan-list 2-10
 +
</source>
  
 
=Links=
 
=Links=
 
[http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#acltypes Cisco ACL] or as pdf [[Media:confaccesslists.pdf|Cisco ACL]]
 
[http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#acltypes Cisco ACL] or as pdf [[Media:confaccesslists.pdf|Cisco ACL]]
[[Category:Cisco]][[Category:CCNA]][[Category:CCNP]][[Category:IOS]][[Category:Network]]
+
{{source cli}}
 +
=References=
 +
<references/>
 +
[[Category:CCNA]][[Category:CCNP]][[Category:IOS]][[Category:Network]]
 +
[[Category:Cisco]]
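Review bot: `mac access-list extend MY-MAC-ACL` in the new "Using MAC based ACL" block should be `mac access-list extended MY-MAC-ACL`; IOS accepts the abbreviation when typed, but the running configuration and the Catalyst documentation spell it `extended`. The map `MY-VLAN-MAP` also has a single entry with `action forward` and no explanatory text: on Catalyst 3560/3750-class switches a VLAN map drops any packet of a type (IP or non-IP) for which at least one `match` clause exists but none matches, so applied to `vlan-list 2-10` this forwards only IP traffic sourced from 192.168.1.7 and non-IP frames sourced from 0000.01ee.23b5 and drops everything else. If that is the intent, say so in a sentence above the block.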

Latest revision as of 11:57, 12 April 2018

Cisco access-lists (ACLs) for IPv4. For IPv6, see Access-list IPv6 Cisco IOS.

Placement of Access-lists

  • The general rule is to place extended ACLs as close as possible to the source of the traffic being denied, so unwanted packets are dropped before they cross the network.
  • Standard ACLs match only on the source address and cannot single out a destination, so placing them near the source would also cut that source off from every other destination; place them as close to the destination as possible.

Standard IP access lists

Standard IP access lists are numbered 1 to 99 and 1300 to 1999. A standard access list checks only the source IP address. Every ACL ends with an implicit deny any, so the list below, applied inbound on fastethernet0/0, drops every packet whose source is not in 10.1.1.0/24. Example:

interface fastethernet0/0 
 ip address 10.1.1.1 255.255.255.0 
 ip access-group 1 in
!
access-list 1 permit 10.1.1.0 0.0.0.255

Extended IP access lists

Extended IP access lists are numbered 100 to 199 and 2000 to 2699. An extended access list can check source and destination IP address as well as protocol-specific information (IP, TCP, UDP, ICMP) such as port numbers and ICMP message types. Entries are evaluated top down and the first match wins, so the deny for ICMP echo below must come before the broader permit ip. Example:

interface Ethernet0/1 
 ip address 172.16.1.2 255.255.255.0 
 ip access-group 101 in 
!
access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo 
access-list 101 permit ip any 10.1.1.0 0.0.0.255

IP named access lists

With IP named access lists you can give standard and extended access lists names instead of numbers. Named lists also carry sequence numbers, so a single entry can be inserted or removed in the ip access-list sub-mode without rebuilding the whole list. Example:

interface Ethernet0/0 
 ip address 10.1.1.1 255.255.255.0 
 ip access-group TELNET-IN in
!
ip access-list extended TELNET-IN 
permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
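The following is an added example, not configuration from the original page; it ties together the two points above (the implicit deny at the end of every standard list, and per-entry editing of named lists). The network 10.1.1.0/24, the host 10.1.1.99, the interface FastEthernet0/0 and the list name MGMT-SOURCES are assumptions chosen for illustration.

```cisco
! Added example (not from the original page). Assumed: network 10.1.1.0/24,
! host 10.1.1.99, interface FastEthernet0/0 and the ACL name MGMT-SOURCES.
ip access-list standard MGMT-SOURCES
 10 permit 10.1.1.0 0.0.0.255
 ! Every ACL ends with a silent "deny any". Writing it out with "log"
 ! records rejected sources in syslog, which the implicit deny never does.
 20 deny   any log
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group MGMT-SOURCES in
!
! Later: block one host inside the permitted network. The list is evaluated
! top down and the first match wins, so the deny must sit BEFORE sequence 10;
! sequence 5 is inserted without re-creating the list.
ip access-list standard MGMT-SOURCES
 5 deny host 10.1.1.99 log
!
! Check entry order and hit counters:
!   show access-lists MGMT-SOURCES
!
! Lift the block again by sequence number only:
ip access-list standard MGMT-SOURCES
 no 5
!
! Renumber in steps of 10 if the sequence numbers become crowded:
ip access-list resequence MGMT-SOURCES 10 10
```

With the classic `access-list 1 ...` syntax, `no access-list 1` removes the entire list rather than one line, which is why editing through the `ip access-list` sub-mode is the safer habit even for lists that are referenced by number.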

Protecting telnet management

To keep unauthorized hosts from reaching the router's management plane you can apply an access list to the vty lines with access-class. Unlike ip access-group on an interface, access-class filters connections to the router itself arriving on any interface. Note that telnet is cleartext and the password cisco below is a placeholder for the example; in production use transport input ssh, login local or AAA, and a strong password.

access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq telnet
!
line vty 0 4
 access-class 100 in
 password cisco
 login
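As an added example that is not part of the original page, here is the hardened form of the vty configuration above: the same access-class restriction, but with SSH only, a local user instead of a shared line password, and an explicit logged deny. The hostname, domain name, user name and the management network 10.10.10.0/24 are assumptions; REPLACE-ME stands for a real secret.

```cisco
! Added example (not from the original page). Assumed: hostname, domain name,
! user name and management network 10.10.10.0/24. REPLACE-ME is a placeholder.
hostname R1
ip domain-name example.net
! The RSA key is required before SSH can be enabled.
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret REPLACE-ME
!
! Only the management network may open SSH to the router. The destination is
! "any" because an access-class list is matched against the router's own
! addresses on every interface. The implicit deny would be silent; the
! explicit one logs rejected attempts.
ip access-list extended VTY-MGMT
 permit tcp 10.10.10.0 0.0.0.255 any eq 22
 deny   ip any any log
!
line vty 0 4
 access-class VTY-MGMT in
 transport input ssh
 login local
 exec-timeout 10 0
```

Platforms with more vty lines (line vty 0 15 on many routers) need the same access-class, transport and login settings on all of them; an unconfigured line vty 5 15 stays reachable by telnet with whatever defaults the platform has.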

Reflexive access lists

Reflexive access lists filter IP packets based on upper-layer session information. They are typically used to allow outbound traffic while limiting inbound traffic to the replies belonging to sessions started from inside.

The following example permits ICMP between 172.16.1.0/24 and 10.1.1.0/24 in both directions, while TCP from 172.16.1.0/24 is only allowed inbound on Ethernet0/1 if the session was started from 10.1.1.0/24. Each outbound TCP connection that matches the reflect line creates a temporary mirrored entry in the reflexive list FILTERNAVN (Danish for "filter name"), which the evaluate line in TRAFFIC-IN consults; the entry is removed when the TCP session ends or after 120 seconds of inactivity, as set by ip reflexive-list timeout.

ip reflexive-list timeout 120 
!    
interface Ethernet0/1
 ip address 172.16.1.2 255.255.255.0
 ip access-group TRAFFIC-IN in
 ip access-group TRAFFIC-OUT out 

ip access-list extended TRAFFIC-IN
permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
evaluate FILTERNAVN 
!
ip access-list extended TRAFFIC-OUT
permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 
permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect FILTERNAVN

Timebased Access Lists

Time-based access lists specify when an access-list entry is active. In the following example telnet is allowed Monday, Wednesday and Friday from 08:00 to 17:00. The time-range is checked against the router's own clock, so keep it correct with NTP and set the time zone, otherwise the window silently shifts.

interface Ethernet0/0 
 ip address 10.1.1.1 255.255.255.0 
 ip access-group 101 in      
!
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range TELNET-OK  
!
time-range TELNET-OK 
periodic Monday Wednesday Friday 8:00 to 17:00

Commenting access lists

Sometimes it is nice to comment your access list. A remark is stored in the configuration and shown by show running-config, and it does not affect matching.

interface Ethernet0/0 
 ip address 10.1.1.1 255.255.255.0 
 ip access-group 101 in
!
access-list 101 remark permit_telnet 
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet

CBAC - Context Based Access Control

CBAC requires that the IOS Firewall feature is installed. CBAC inspects traffic that travels through the firewall in order to discover and manage state information for TCP and UDP sessions. This state information is used in order to create temporary openings in the access lists of the firewall.

Configure the ip inspect rule in the direction in which traffic is initiated (here outbound), so that return traffic and any additional data connections of a permitted session, i.e. a session that originated from the protected internal network, are allowed back in.

The example below uses CBAC to inspect outbound traffic. Without CBAC, extended ACL 111 (inbound on the outside interface) would block all return traffic except ICMP; CBAC opens temporary holes in it for the return traffic of inspected sessions.

ip inspect name MYFW ftp timeout 3600 
ip inspect name MYFW http timeout 3600 
ip inspect name MYFW tcp timeout 3600 
ip inspect name MYFW udp timeout 3600 
ip inspect name MYFW tftp timeout 3600      
interface Ethernet0/1 
 ip address 172.16.1.2 255.255.255.0 
 ip access-group 111 in 
 ip inspect MYFW out      
access-list 111 deny icmp any 10.1.1.0 0.0.0.255 echo 
access-list 111 permit icmp any 10.1.1.0 0.0.0.255

ip inspect (CBAC) is obsolete[1]; use the Zone-Based Firewall instead.
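The block below is an added example, not configuration from the original page: the CBAC policy above rebuilt with the Zone-Based Firewall that the page recommends instead. The original shows only the outside interface, so Ethernet0/0 as the inside interface for 10.1.1.0/24, and all zone, class-map and policy-map names, are assumptions.

```cisco
! Added example (not from the original page): the CBAC policy above rebuilt
! with the Zone-Based Firewall. Assumed: Ethernet0/0 is the inside interface
! for 10.1.1.0/24, Ethernet0/1 the outside one; zone and class names are mine.
zone security INSIDE
zone security OUTSIDE
!
! Inside -> outside: stateful inspection of anything started from inside
! (replaces "ip inspect name MYFW ..." and "ip inspect MYFW out").
class-map type inspect match-any IN-TO-OUT-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
 class class-default
  drop
!
! Outside -> inside: the same rule as ACL 111, ICMP except echo requests.
ip access-list extended ICMP-NO-ECHO
 deny   icmp any 10.1.1.0 0.0.0.255 echo
 permit icmp any 10.1.1.0 0.0.0.255
class-map type inspect match-all OUT-TO-IN-CLASS
 match access-group name ICMP-NO-ECHO
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect OUT-TO-IN-CLASS
  inspect
 class class-default
  drop log
!
! Return traffic of inspected sessions is admitted by the session state, so
! no explicit permit for it exists anywhere, unlike ACL 111 with CBAC.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
!
interface Ethernet0/0
 zone-member security INSIDE
interface Ethernet0/1
 ip address 172.16.1.2 255.255.255.0
 zone-member security OUTSIDE
```

Traffic between a zone member and the router itself belongs to the self zone, which is not covered by these two zone-pairs and remains permitted by default; protect management access separately with access-class on the vty lines or with a self-zone policy.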

VACL - VLAN based ACL Lists

VACLs are implemented on Layer 3 switches, e.g. the Cisco Catalyst 3560. Unlike an interface ACL, a VLAN access-map filters all traffic in the VLAN, including frames bridged between two ports of the same VLAN that never reach a routed interface. Entries are tried in sequence order; the example below drops packets with an RFC 1918 source address on VLANs 1 to 300 and forwards everything else:

vlan access-map DROPPRIVATEIP 10
  match ip address 7
  action drop
vlan access-map DROPPRIVATEIP 20
  action forward
!
vlan filter DROPPRIVATEIP vlan-list 1-300
!
access-list 7 permit 10.0.0.0 0.255.255.255
access-list 7 permit 172.16.0.0 0.15.255.255
access-list 7 permit 192.168.0.0 0.0.255.255

Using MAC based ACL

A VLAN map can match on MAC addresses as well as IP addresses. On Catalyst 3560/3750-class switches the MAC clause applies to non-IP frames and the IP clause to IP packets, and a packet of a type for which the map has at least one match clause but which matches none of them is dropped. The map below, applied to VLANs 2 to 10, therefore forwards only IP traffic sourced from 192.168.1.7 and non-IP frames sourced from 0000.01ee.23b5 and drops everything else:

mac access-list extended MY-MAC-ACL
 permit host 0000.01ee.23b5 any
!
ip access-list extended MY-IP-ACL
 permit ip host 192.168.1.7 any
!
vlan access-map MY-VLAN-MAP
 match mac address MY-MAC-ACL
 match ip address MY-IP-ACL
 action forward
!
vlan filter MY-VLAN-MAP vlan-list 2-10

Links

Cisco ACL: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#acltypes (also available on the wiki as the PDF confaccesslists.pdf)

References

[1] http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml