Difference between revisions of "Access-list Cisco IOS"

From Teknologisk videncenter
Revision as of 17:00, 24 March 2009

Cisco Access-list acl

Placement of Access-lists

  • The general rule is to place an extended ACL as close as possible to the source of the traffic it filters: an extended list can identify that traffic precisely (source, destination, protocol, port), so unwanted packets are dropped before they cross the network.
  • A standard ACL matches only the source address, so placed near the source it would cut that source off from every destination; place it as close to the destination as possible so that only traffic towards the protected destination is affected.

Standard IP access lists

Standard IP access lists are numbered 1 to 99 (plus the expanded range 1300 to 1999). A standard access list checks only the source IP address, so it cannot distinguish protocols or destinations. Entries are tested in order, the first match decides, and every access list ends with an implicit deny of everything not matched. In the example only packets with a source address in 10.1.1.0/24 are accepted inbound on the interface; anything else, including packets with spoofed sources from other networks, is dropped. Example:

interface fastethernet0/0 
 ip address 10.1.1.1 255.255.255.0 
 ip access-group 1 in
!
access-list 1 permit 10.1.1.0 0.0.0.255 

Extended IP access lists

Extended IP access lists are numbered 100 to 199 (plus the expanded range 2000 to 2699). An extended access list can check source and destination IP address as well as protocol-specific information (IP, TCP, UDP, ICMP), such as port numbers and ICMP message types. The example below drops ICMP echo requests (ping) to 10.1.1.0/24 and then permits all other IP traffic to that network; order matters, because a permit ip placed first would match the echo requests as well. Example:

interface Ethernet0/1 
 ip address 172.16.1.2 255.255.255.0 
 ip access-group 101 in 
!
access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo 
access-list 101 permit ip any 10.1.1.0 0.0.0.255
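Both the standard and the extended examples depend on Cisco wildcard masks, which are easy to get wrong because they are the inverse of a subnet mask. The following Python block is an added example, not code from the original page: it converts a prefix to a wildcard, applies the "bit set means don't care" rule, and evaluates the page's access-list 1 with first-match and implicit deny. The 172.16.0.0/12 and 10.1.0.0 0.0.254.255 inputs are constructed for the demonstration.

```python
# Added example, not from the original page: Cisco wildcard masks in Python.
# A wildcard bit of 1 means "don't care", so 0.0.0.255 covers a /24 and
# 255.255.255.255 is "any"; a wildcard of 0.0.0.0 is the same as "host".
import ipaddress

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def cidr_to_wildcard(cidr: str):
    """Prefix -> (network, wildcard), e.g. 172.16.0.0/12 -> ('172.16.0.0', '0.15.255.255')."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco semantics: compare only the bits that are 0 in the wildcard."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(network) & care)

def standard_acl(entries, src: str) -> str:
    """Standard ACL: source address only, first match wins, implicit deny at the end."""
    for action, network, wildcard in entries:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"

# The page's access-list 1: permit 10.1.1.0 0.0.0.255
ACL_1 = [("permit", "10.1.1.0", "0.0.0.255")]

if __name__ == "__main__":
    print(cidr_to_wildcard("172.16.0.0/12"))                         # ('172.16.0.0', '0.15.255.255')
    # 0.0.15.255 only covers a /20, so 172.17.x.x falls outside it
    print(wildcard_match("172.17.5.9", "172.16.0.0", "0.0.15.255"))  # False
    print(wildcard_match("172.17.5.9", "172.16.0.0", "0.15.255.255"))  # True
    # Non-contiguous wildcard (constructed input): 0.0.254.255 keeps only bit 0 of the
    # third octet, so it matches 10.1.<even>.x and rejects 10.1.<odd>.x
    print(wildcard_match("10.1.4.1", "10.1.0.0", "0.0.254.255"))     # True
    print(wildcard_match("10.1.5.1", "10.1.0.0", "0.0.254.255"))     # False
    print(standard_acl(ACL_1, "10.1.1.7"), standard_acl(ACL_1, "192.168.1.1"))  # permit deny
```

The /12 case is the one to remember: a wildcard of 0.0.15.255 next to 172.16.0.0 covers only 172.16.0.0/20, while the whole RFC 1918 block 172.16.0.0/12 needs 0.15.255.255. Non-contiguous wildcards are valid on IOS and occasionally useful, but they are hard to audit; running a candidate mask through a check like the one above before applying it avoids silently permitting or dropping the wrong hosts.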

Example extended access-list

Users are on the internal private (RFC 1918) networks:

  • 192.168.0.0/16
  • 172.16.0.0/12
  • 10.0.0.0/8

Since the users should only be able to browse the Internet, all incoming traffic on the outside interface must be blocked except for the replies that belong to connections opened from inside. A numbered extended access list cannot track connections, but the established keyword gives an approximation: it matches TCP segments that have the ACK or RST bit set, which is every segment of a connection except the initial SYN. Note that this check is purely per packet. A packet from the Internet with the ACK bit set is permitted whether or not a connection exists, which is why an ACK scan passes straight through such a list; reflexive access lists (below) are the stateful alternative.

The internal host 192.168.201.1 is the public web server that users on the Internet are allowed to reach over HTTP (port 80) and HTTPS (port 443). Replies from external DNS servers (UDP, source port 53) to the internal networks are also permitted; note that the wildcard for 172.16.0.0/12 is 0.15.255.255. Caveat: on an interface configured with ip nat outside, the inbound access list is evaluated before the outside-to-inside translation, so the destination addresses it sees are the global (public) addresses. With NAT or PAT in use the entries must therefore match those addresses; the private ranges below only work as written if they are routed without translation.

interface FastEthernet0/1
 description Outside: Internet connection to ISP
 ip address dhcp
 ip nat outside
 ip access-group 138 in
!
access-list 138 permit tcp any 192.168.0.0 0.0.255.255 established
access-list 138 permit tcp any 172.16.0.0 0.15.255.255 established
access-list 138 permit tcp any 10.0.0.0 0.255.255.255 established
! DNS replies: source port 53 on the server, any destination port on the client
access-list 138 permit udp any eq domain 192.168.0.0 0.0.255.255
access-list 138 permit udp any eq domain 172.16.0.0 0.15.255.255
access-list 138 permit udp any eq domain 10.0.0.0 0.255.255.255
access-list 138 permit tcp any host 192.168.201.1 eq www
access-list 138 permit tcp any host 192.168.201.1 eq 443
! everything else is dropped by the implicit deny at the end of the list

IP named access lists

With IP named access lists you can give standard and extended access lists a name instead of a number. Apart from readability, a named list lets you remove a single entry with the no form of that entry instead of rewriting the whole list, and some features, reflexive access lists among them, are only available in named extended lists. Example:

interface Ethernet0/0 
 ip address 10.1.1.1 255.255.255.0 
 ip access-group TELNET-IN in
!
ip access-list extended TELNET-IN
 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet

Protecting telnet management

To stop unauthorized users from reaching the router's virtual terminal (vty) lines, apply an access list to the lines with access-class. Unlike ip access-group on an interface, access-class covers management connections arriving on any interface. Two caveats: the list must be applied to every vty line the platform has, not only lines 0 to 4, otherwise a connection lands on an unprotected line once the first five are in use; and an access list only restricts who may connect, while Telnet still carries credentials and commands in cleartext, so SSH should be used for the session itself.

access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq telnet
!
line vty 0 4
 access-class 100 in

Reflexive access lists

Reflexive access lists filter IP packets based on upper-layer session information: a temporary entry is created when a session is started from one side, and only the matching return traffic (reversed addresses and ports) is allowed back in. They are typically used to permit outbound traffic freely while limiting inbound traffic to the replies of sessions initiated from inside. Unlike the established keyword they check the whole session, not just a TCP flag, and they also cover UDP and ICMP, whose "sessions" simply end with the idle timeout. Reflexive entries can only be defined in named extended IP access lists, and they do not work for applications that change port numbers during a session, such as active-mode FTP.

The following example permits ICMP in both directions between 172.16.1.0/24 (on Ethernet0/1) and the internal network 10.1.1.0/24, while TCP from 172.16.1.0/24 into 10.1.1.0/24 is only allowed when it is the return traffic of a session started from 10.1.1.0/24. The reflect tcptraffic entry in the outbound list creates a temporary mirrored entry for every matching outbound TCP flow; evaluate tcptraffic in the inbound list permits a packet only if such an entry exists, and otherwise processing continues with the next entry. The temporary entry is removed after the configured idle timeout (120 seconds here), or earlier for TCP when the session is closed with FIN or reset.

ip reflexive-list timeout 120 
!    
interface Ethernet0/1
 ip address 172.16.1.2 255.255.255.0
 ip access-group TRAFFIC-IN in
 ip access-group TRAFFIC-OUT out 

ip access-list extended TRAFFIC-IN
permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
evaluate tcptraffic 
!
ip access-list extended TRAFFIC-OUT
permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 
permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic
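To make the difference between the established keyword (access-list 138 above) and the reflexive lists in this section concrete, here is an added Python model of first-match ACL evaluation with both mechanisms. It is not code from the original page or from Cisco. It assumes the page's access-list 138 reduced to its 192.168.0.0/16 entries, the TRAFFIC-IN and TRAFFIC-OUT lists as shown, a constructed attacker address 203.0.113.5 (from the TEST-NET-3 documentation range) and a constructed internal host 192.168.10.20; NAT, ICMP state and the FIN/RST teardown of reflexive entries are left out.

```python
# Added example, not code from the page or from Cisco: a Python model of
# first-match ACL evaluation that contrasts the "established" keyword with a
# reflexive access list. All addresses, ports and packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")          # (network, wildcard)

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # 0 bits in the wildcard are compared
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN"} or {"ACK"}

@dataclass
class Entry:
    action: str                     # "permit", "deny" or "evaluate"
    proto: str = "ip"
    src: Tuple[str, str] = ANY
    dst: Tuple[str, str] = ANY
    dport: Optional[int] = None
    established: bool = False       # "established": ACK or RST bit set, nothing more
    reflect: Optional[str] = None   # reflexive list to populate when this entry matches
    evaluate: Optional[str] = None  # reflexive list to consult instead of matching

class Router:
    """Entries are tested in order; the implicit deny at the end is modelled."""
    def __init__(self, reflexive_timeout: int = 120):
        self.timeout = reflexive_timeout
        self.sessions: Dict[str, Dict[tuple, int]] = {}   # list name -> {5-tuple: expiry time}

    def _matches(self, e: Entry, p: Packet) -> bool:
        return (e.proto in ("ip", p.proto)
                and wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)
                and (e.dport is None or p.dport == e.dport)
                and (not e.established or bool(p.flags & {"ACK", "RST"})))

    def _reflexive_hit(self, name: str, p: Packet, now: int) -> bool:
        table = self.sessions.get(name, {})
        key = (p.proto, p.dst, p.dport, p.src, p.sport)   # mirror of the outbound flow
        expiry = table.get(key)
        if expiry is None or expiry < now:
            table.pop(key, None)                          # idle entries disappear
            return False
        table[key] = now + self.timeout                   # idle timer restarts on each hit
        return True

    def evaluate(self, acl: List[Entry], p: Packet, now: int = 0) -> str:
        for e in acl:
            if e.evaluate is not None:
                if self._reflexive_hit(e.evaluate, p, now):
                    return "permit"
                continue                                  # no session: try the next entry
            if self._matches(e, p):
                if e.reflect is not None:
                    key = (p.proto, p.src, p.sport, p.dst, p.dport)
                    self.sessions.setdefault(e.reflect, {})[key] = now + self.timeout
                return e.action
        return "deny"

# The page's access-list 138, reduced to the 192.168.0.0/16 entries
ACL_138 = [
    Entry("permit", "tcp", ANY, ("192.168.0.0", "0.0.255.255"), established=True),
    Entry("permit", "tcp", ANY, ("192.168.201.1", "0.0.0.0"), dport=80),
]
# The page's reflexive lists on Ethernet0/1: TRAFFIC-OUT reflects, TRAFFIC-IN evaluates
TRAFFIC_OUT = [
    Entry("permit", "icmp", ("10.1.1.0", "0.0.0.255"), ("172.16.1.0", "0.0.0.255")),
    Entry("permit", "tcp", ("10.1.1.0", "0.0.0.255"), ("172.16.1.0", "0.0.0.255"), reflect="tcptraffic"),
]
TRAFFIC_IN = [
    Entry("permit", "icmp", ("172.16.1.0", "0.0.0.255"), ("10.1.1.0", "0.0.0.255")),
    Entry("evaluate", evaluate="tcptraffic"),
]

def established_demo() -> dict:
    """Constructed attacker 203.0.113.5 (TEST-NET-3) probing constructed host 192.168.10.20."""
    r = Router()
    syn = Packet("tcp", "203.0.113.5", "192.168.10.20", 40000, 445, frozenset({"SYN"}))
    ack = Packet("tcp", "203.0.113.5", "192.168.10.20", 40000, 445, frozenset({"ACK"}))
    web = Packet("tcp", "203.0.113.5", "192.168.201.1", 40001, 80, frozenset({"SYN"}))
    return {
        "syn_to_inside": r.evaluate(ACL_138, syn),        # deny: no ACK bit and no explicit permit
        "ack_scan_to_inside": r.evaluate(ACL_138, ack),   # permit: the ACK bit is all "established" checks
        "syn_to_webserver": r.evaluate(ACL_138, web),     # permit: explicit entry for port 80
    }

def reflexive_demo() -> dict:
    """Same kind of probe against the reflexive lists: only the mirrored reply of a real session passes."""
    r = Router(reflexive_timeout=120)
    out_syn = Packet("tcp", "10.1.1.5", "172.16.1.9", 40000, 80, frozenset({"SYN"}))
    reply = Packet("tcp", "172.16.1.9", "10.1.1.5", 80, 40000, frozenset({"SYN", "ACK"}))
    probe = Packet("tcp", "172.16.1.9", "10.1.1.5", 80, 40001, frozenset({"ACK"}))
    out = {"outbound_syn": r.evaluate(TRAFFIC_OUT, out_syn, now=0)}           # permit, entry created
    out["reply_in_session"] = r.evaluate(TRAFFIC_IN, reply, now=10)           # permit, timer restarts
    out["ack_probe_no_session"] = r.evaluate(TRAFFIC_IN, probe, now=10)       # deny: no matching entry
    out["reply_after_idle_timeout"] = r.evaluate(TRAFFIC_IN, reply, now=131)  # deny: 120 s idle passed
    return out
```

The two demos show the practical gap: with established, the only thing a packet from the Internet needs in order to reach an internal host is the ACK bit, so nmap-style ACK scans and any ACK-flagged payload get through to every port not otherwise protected; with the reflexive list, an inbound TCP segment must mirror the exact source, destination and ports of a flow the inside recently opened, and the permission expires once that flow goes idle. The model keys sessions on the full 5-tuple, which is what the temporary reflexive entries on IOS contain.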
