Network Security 1
SEC450 ACL Tutorial
This document highlights the most important concepts of Access Control Lists (ACLs) that
you need to learn in order to configure an ACL in the CLI. This tutorial does not intend by any
means to cover all ACL applications, but only those scenarios used in the SEC450
iLabs.
Introduction to Access Control List
A host-based firewall essentially works by closing and/or opening ports on a
computer. The engine behind firewalls is built with Access Control Lists (ACLs).
Network-based firewalls are implemented in dedicated appliances and
routers. Basically, firewalls in routers filter packets through interfaces to permit
or deny them.
Ports are layer-4 addresses specified in the TCP/IP protocol suite that identify
networking processes running on clients and servers.
ACLs are configured using shell-specific commands. In Cisco IOS, the CLI
commands access-list and access-group are used to create an ACL and apply it to
an interface.
An ACL can be identified by a number ID or by a name. Naming an ACL is useful to identify
the ACL's purpose.
ACLs are classified into Standard ACLs and Extended ACLs.
Standard ACL number IDs are assigned from 1 to 99. Extended ACL number
IDs are from 100 to 199.
A Standard ACL only uses the source IP address of an IP packet to filter it through an
interface. Hence, a standard ACL denies or permits all IP packets with the same
source IP address regardless of upper-layer protocol, destination IP address, etc. Example 1:
Router(config)#access-list 8 deny host 172.12.3.5
An Extended ACL filters packets based on protocol, source IP address,
source port number, destination IP address and destination port number.
Example 2: Router(config)#access-list 102 deny tcp host 10.0.3.2 host 172.129.4.1
Deny tcp packets with source IP address 10.0.3.2 and destination IP
address 172.129.4.1.
Since Standard ACLs only match on the source IP address, the rule is to apply them on
an interface as close as possible to the destination network concerned.
Conversely, the rule for Extended ACLs is to apply them on an interface as
close as possible to the source IP address.
Use Extended ACLs in all iLabs, as they are more granular about which packets to filter.
Create Extended ACL in global configuration
You can use the access-list command options lt, gt, eq, neq and range (less than,
greater than, equal, not equal, range of ports) to match port numbers.
Example 3: access-list 102 deny tcp any host 11.23.45.7 gt 20 denies all
packets with any source IP address to destination IP address 11.23.45.7 and
destination tcp port greater than 20.
Example 4: access-list 107 permit udp any any permits all packets with udp
protocol with any source IP address to any destination IP address.
Extended ACL can do packet filtering based on source port number and
destination port number.
Extended ACL Syntax can be as follows:
access-list <#,name> <protocol> host <source_ip> <port_qualifier>
<source_port_number> host <dest_ip> <port_qualifier> <dest_port_number>
where:
<#,name> is a number between 100 and 199 or a one-word name
<protocol> is any protocol in the TCP/IP suite
<source_ip> & <dest_ip> are the source and destination IP addresses
<port_qualifier> is optional, and can be eq, gt, lt, neq, & range
<source_port_number> & <dest_port_number> follow <port_qualifier> to specify the
port number(s). <port_qualifier> and <port_number> can be replaced by the application
protocol name, e.g. http instead of eq 80
Creation of ACLs follows the "three Ps" rule: "One ACL per protocol, per
interface, per traffic direction".
The steps for configuring a new ACL are: first, create the ACL in CLI global
configuration using access-list command(s); then, apply the ACL using the
access-group command in CLI interface configuration.
An ACL consists of one or more access-list commands. Routers process the
ACL commands in order, from top to bottom.
The effect of an access-list command depends on the access-list commands
before it. Therefore, always write the commands in order: more-specific-traffic
commands first, and more-generic-traffic commands last. Example 5:
Router(config)#access-list 101 deny tcp host 10.0.3.2 any
Router(config)#access-list 101 permit tcp any any
But never use the order below, because the second command is never reached and is therefore worthless.
Router(config)#access-list 101 permit tcp any any
Router(config)#access-list 101 deny tcp host 10.0.3.2 any
All ACLs have a hidden access-list command at the end that denies all packets
(i.e. deny ip any any). Hence, packets that are not specifically permitted by a
command will be denied by the ACL.
Example 6: Use the command Router(config)#access-list 105 permit ip any any at
the end of the ACL if it needs to permit all other traffic after denying packets with
Router(config)#access-list 105 deny icmp any host 192.168.10.244
The wildcard option is used in access-list commands to filter packets from a subnet
of source and/or destination IP addresses instead of single hosts. The IP addresses
in each of those subnets must be contiguous. Here is the syntax. Filtering on port
numbers is also applicable, but it has been omitted for the sake of simplicity.
access-list <#,name> <protocol> <source_ip> <source_wildcard> <dest_ip>
<dest_wildcard>
where:
<#,name> is a number between 100 and 199 or a one-word name
<protocol> is any protocol in the TCP/IP suite
<source_ip> & <dest_ip> are the source and destination IP addresses
<source_wildcard> & <dest_wildcard> specify the subnet ranges of source and
destination IP addresses
A wildcard in an ACL has the same meaning as in routing protocols such as EIGRP
and OSPF. A wildcard bit of 0 means the bit in the packet's IP address must be the same as
the corresponding bit in the IP address given in the command. A wildcard bit of 1 means the bit in
the packet's IP address can be any value (0 or 1).
Example 7: access-list 105 deny udp 172.16.7.3 0.0.0.3 any means to deny
all packets with the udp protocol with source IP addresses from 172.16.7.0 to
172.16.7.3 to any destination IP address. Note that .3 means .00000011 in binary,
so the wildcard .3 leaves the last two bits free: .000000xx.
Example 8: access-list 109 permit tcp host 192.168.6.3 eq 80 10.0.0.0
0.0.0.255 means to permit all tcp packets from source IP address 192.168.6.3
and source port tcp 80 (i.e. http server) to destination IP addresses in the subnet
10.0.0.0 to 10.0.0.255. The fact that 10.0.0.0 would not qualify for host IP in
classful networks has been ignored for simplicity.
Using a wildcard of all 0s is the same as using the host option in access-list
commands. Example 9:
access-list 110 permit ip host 10.23.4.3 host 10.30.2.1 and
access-list 110 permit ip 10.23.4.3 0.0.0.0 10.30.2.1 0.0.0.0 are equivalent
commands. Both permit packets with source IP address 10.23.4.3 and
destination IP address 10.30.2.1.
Only use wildcards in access-list commands when the ACL requires filtering
packets on a subnet of IP addresses, either at the source, the destination or both.
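As an added illustration (not part of this tutorial and not Cisco IOS code), the following Python simulates how a router walks an extended ACL: top-to-bottom evaluation with first match wins (Example 5), the hidden deny at the end (Example 6), port qualifiers (Example 3) and wildcard bits (Examples 7 to 9). The access-list lines are the tutorial's own; the packets fed to evaluate() are constructed values.

```python
import ipaddress
# Constructed simulator of how a router walks an extended ACL (not IOS code): entries
# are checked top to bottom, the first match wins, and a hidden "deny ip any any" ends the list.
def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (address, wildcard) as ints."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF                      # wildcard all 1s: every bit may differ
    if t == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0   # wildcard all 0s: one exact host
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tok.pop(0)))
def _port(tok):
    """Consume an optional 'eq|gt|lt|neq|range' qualifier; None means any port."""
    if not tok or tok[0] not in ("eq", "gt", "lt", "neq", "range"):
        return None
    op, low = tok.pop(0), int(tok.pop(0))
    return op, low, (int(tok.pop(0)) if op == "range" else low)
def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [PORT] DST [PORT]' into a dict."""
    tok = line.split()
    ace, tok = {"action": tok[2], "proto": tok[3]}, tok[4:]
    ace["src"], ace["sport"] = _addr(tok), _port(tok)
    ace["dst"], ace["dport"] = _addr(tok), _port(tok)
    return ace

def _addr_ok(ip, net_wc):
    net, wc = net_wc   # wildcard bit 1: any value; bit 0: must equal the entry's bit
    return (int(ipaddress.IPv4Address(ip)) | wc) == (net | wc)
def _port_ok(port, q):
    if q is None:
        return True
    op, low, high = q
    return {"eq": port == low, "neq": port != low, "gt": port > low,
            "lt": port < low, "range": low <= port <= high}[op]
def evaluate(acl, proto, src, dst, sport=0, dport=0):
    """Return 'permit' or 'deny' for one packet; acl is the list of access-list lines."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue                              # 'ip' entries match every IP protocol
        if (_addr_ok(src, ace["src"]) and _addr_ok(dst, ace["dst"])
                and _port_ok(sport, ace["sport"]) and _port_ok(dport, ace["dport"])):
            return ace["action"]
    return "deny"                                 # the hidden deny at the end of every ACL

# Example 5 in both orders: with the generic line first, the deny never fires.
EXAMPLE5_GOOD = ["access-list 101 deny tcp host 10.0.3.2 any", "access-list 101 permit tcp any any"]
EXAMPLE5_BAD = EXAMPLE5_GOOD[::-1]
# Example 7: wildcard 0.0.0.3 covers 172.16.7.0-172.16.7.3; anything else hits the hidden deny.
EXAMPLE7 = ["access-list 105 deny udp 172.16.7.3 0.0.0.3 any"]
```

Call evaluate(EXAMPLE7, "udp", "172.16.7.4", "10.0.0.1") to see that a source outside the wildcard range is still denied by the hidden entry until a permit ip any any line is appended.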
Apply a Created ACL to an Interface
Example 10: Assume you need to create an ACL in Router that permits any traffic
except udp packets with source IP address 10.23.4.3 and destination IP address
10.30.2.1, as shown in the network diagram below.
First, you need to create an extended ACL in CLI global configuration.
Router#config t
Router(config)#access-list 103 deny udp host 10.23.4.3 host 10.30.2.1
Router(config)#access-list 103 permit ip any any
Second, you need to apply ACL 103 on an interface close to the source. The
interface is S0/1 in Router for traffic coming from IP 10.23.4.3.
Router(config)#interface s0/1
Router(config-if)#ip access-group 103 in
If you need to make any correction after creating an ACL, first erase the
ACL from the global and interface configurations. To erase ACL 103 from the
previous example, execute the following commands:
Router(config)#no access-list 103
Router(config)#interface s0/1
Router(config-if)#no ip access-group 103 in
Now you can start over creating ACL 103. If you do not erase the ACL first, the
access-list commands will accumulate in the configuration file, producing
unexpected behavior. Use the command show run to verify the ACL is erased and
created again correctly.
Verify ACL Configuration
Example 11: Let's say you have been asked to create an ACL in a router R to deny TCP traffic coming through interface Serial 0/2 from source IP address 10.16.2.1 to destination IP address 172.16.5.3 with destination port number greater than 200. Then, the ACL should permit any other traffic.
There are two configuration tasks you need to do in the CLI. First, create the ACL. Second, apply the ACL to interface Serial 0/2.
So, from the CLI:
R> enable
R# config t
R(config)# access-list 101 deny tcp host 10.16.2.1 host 172.16.5.3 gt 200
R(config)# access-list 101 permit ip any any
(this command is needed to permit any other traffic after denying the traffic matched by the previous command)
R(config)# interface serial0/2
R(config-if)# ip access-group 101 in
(this command applies the ACL to serial0/2 for traffic coming in)
R(config-if)# end
(end returns to privileged EXEC mode, where show commands are run)
R# show run
(this is to verify the ACL configuration is correct in the running-config file)
R#show running-config
version 12.3
!
hostname R
!
interface FastEthernet0/0
ip address 192.168.200.1 255.255.255.0
!
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0
shutdown
!
interface Serial0/0
ip address 200.100.20.2 255.255.255.0
!
interface Serial0/1
ip address 192.168.30.2 255.255.255.0
shutdown
!
interface Serial0/2
ip address 192.168.40.1 255.255.255.0
ip access-group 101 in
!
router rip
network 192.168.200.0
network 200.100.20.0
!
ip default-network 200.100.20.0
ip route 0.0.0.0 0.0.0.0 serial0/0
!
!
access-list 101 permit tcp host 10.16.2.1 host 172.16.5.3 gt 200
access-list 101 permit ip any any
!
!
line con 0
line aux 0
line vty 0 4
password cisco
line vty 5 15
password cisco
!
end
If the ACL is not correct, then delete it with the commands below and start over again:
R# config t
R(config)# no access-list 101
R(config)# interface serial0/2
R(config-if)# no ip access-group 101 in