Implementing Traffic Filtering with ACLs

Managing Network Device Security

© 2013 Cisco Systems, Inc. ICND1 — 3-36

How can you restrict Internet access for PC2?

© 2013 Cisco Systems, Inc. ICND1 — 3-37

ACL operation outbound

© 2013 Cisco Systems, Inc. ICND1 — 3-38

Applies ACL 1 on the interface as an outbound filter:

Branch(config-if)#ip access-group 1 out

Applies ACL 2 on the interface as an inbound filter:

Branch(config-if)#ip access-group 2 in

Important: Only one ACL per protocol, per direction, and per interface is allowed.

© 2013 Cisco Systems, Inc. ICND1 — 3-39

Example: • Deny Internet access for a specific host (10.1.1.101). • Allow all other LAN hosts to access the Internet.

Branch(config)#access-list 1 deny 10.1.1.101 Branch(config)#access-list 1 permit 10.1.1.0 0.0.0.255 Branch(config)#interface GigabitEthernet 0/1 Branch(config-if)#ip access-group 1 out

© 2013 Cisco Systems, Inc. ICND1 — 3-40

• How can you prevent PC2 from accessing only a specific server on the Internet?

• How can you allow other users only web access?

© 2013 Cisco Systems, Inc. ICND1 — 3-41

Testing packets with extended IPv4 ACLs

© 2013 Cisco Systems, Inc. ICND1 — 3-42

Branch(config)#access-list 110 deny ip host 10.1.1.101 host 209.165.202.197 Branch(config)#access-list 110 permit tcp 10.1.1.0 0.0.0.255 any eq 80

• The number 110 is chosen to define an ACL as an extended ACL. • The first statement matches IP traffic between two specific hosts and denies it. • The second statement matches HTTP TCP traffic from network 10.1.1.0 /24.

– The operator eq (equal) is used to match TCP port 80. • The implicit deny statement is present at the end of the ACL

Branch(config-if)#ip access-group 110 in

An extended ACL is activated on the interface in the same way as a standard ACL.

© 2013 Cisco Systems, Inc. ICND1 — 3-43

The ACL configuration mode is used to configure a named ACL.

Branch(config)#ip access-list extended WEB_ONLY Branch(config-ext-nacl)#permit tcp 10.1.1.0 0.0.0.255 any eq www Branch(config-ext-nacl)#20 permit tcp 10.1.1.0 0.0.0.255 any eq 443

• The alphanumeric name string (WEB_ONLY in the example) must be unique. • If sequence numbers are not configured, they are generated automatically, starting at 10

and incrementing by 10. • The no 10 command removes the specific test that is numbered with 10 from the named

ACL.

Branch(config-if)#ip access-group WEB_ONLY in

Named ACLs are activated on an interface with the same command as numbered ACLs.

© 2013 Cisco Systems, Inc. ICND1 — 3-44

Edit an ACL in the access-list configuration mode to deny web access for host 10.1.1.25:

Branch#show access-lists Extended IP access list WEB_ONLY 10 permit tcp 10.1.1.0 0.0.0.255 any eq www 20 permit tcp 10.1.1.0 0.0.0.255 any eq 443 Branch#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Branch(config)#ip access-list extended WEB_ONLY Branch(config-ext-nacl)#5 deny ip host 10.1.1.25 any Branch(config-ext-nacl)#end Branch#show access-lists Extended IP access list WEB_ONLY 5 deny ip host 10.1.1.25 any 10 permit tcp 10.1.1.0 0.0.0.255 any eq www 20 permit tcp 10.1.1.0 0.0.0.255 any eq 443

© 2013 Cisco Systems, Inc. ICND1 — 3-45

These guidelines are recommended: • The type of ACL, standard or extended, determines what is filtered. • Only one ACL per interface, per protocol, and per direction is allowed. • The most specific statement should be at the top of an ACL. The most

general statement should be at the bottom of an ACL. • The last ACL test is always an implicit “deny everything else” statement,

so every list needs at least one permit statement. • When placing an ACL in a network, follow these guidelines:

– Place extended ACLs close to the source. – Place standard ACLs close to the destination.

• An ACL can filter traffic going through the router or traffic to and from the router, depending on how it is applied.

© 2013 Cisco Systems, Inc. ICND1 — 3-46

Branch#show access-lists

• Displays the content of ACLs

Branch#show access-lists Standard IP access list SALES 10 deny 10.1.1.0, wildcard bits 0.0.0.255 20 permit 10.3.3.1 30 permit 10.4.4.1 40 permit 10.5.5.1 Extended IP access list ENG 10 permit tcp host 10.22.22.1 any eq telnet (25 matches) 20 permit tcp host 10.33.33.1 any eq ftp 30 permit tcp host 10.44.44.1 any eq ftp-data

© 2013 Cisco Systems, Inc. ICND1 — 3-47

Branch#show ip interface GigabitEthernet 0/0 GigabitEthernet0/0 is up, line protocol is up Internet address is 10.1.1.1/24 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is WEB_ONLY Proxy ARP is enabled Local Proxy ARP is disabled <text omitted>

• Shows whether an ACL is applied to an interface

© 2013 Cisco Systems, Inc. ICND1 — 3-48

Host 10.10.1.1 has no connectivity with 10.1.1.2.

Branch#show access-lists 10 Standard IP access list 10 10 permit 172.16.0.0, wildcard bits 0.0.0.255

© 2013 Cisco Systems, Inc. ICND1 — 3-49

Host 10.10.1.1 has no connectivity with 10.1.1.2.

Branch#show access-lists 10 Standard IP access list 10 10 deny 10.10.1.0, wildcard bits 0.0.0.255 20 permit 10.10.1.1 30 permit any

© 2013 Cisco Systems, Inc. ICND1 — 3-50

Users from the 192.168.1.0 network cannot open a TFTP session to 10.1.1.2.

Branch#show access-lists 120 Extended IP access list 120 10 deny tcp 172.16.0.0 0.0.255.255 any eq telnet 20 deny tcp 192.168.1.0 0.0.0.255 any eq smtp 30 permit tcp any any

© 2013 Cisco Systems, Inc. ICND1 — 3-51

Users from the 172.16.0.0 network can use Telnet to connect to 10.1.1.2, but this connection should not be allowed.

Branch#show access-lists 130 Extended IP access list 130 10 deny tcp any eq telnet any 20 deny tcp 192.168.1.0 0.0.0.255 any eq smtp 30 permit ip any any

© 2013 Cisco Systems, Inc. ICND1 — 3-52

Host 10.10.1.1 can use Telnet to connect to 10.1.1.2, but this connection should not be allowed.

Branch#show access-lists 140 Extended IP access list 140 10 deny tcp host 10.160.22.11 any eq telnet 20 deny tcp 192.168.1.0 0.0.0.255 any eq smtp 30 permit ip any any

© 2013 Cisco Systems, Inc. ICND1 — 3-53

Host 10.1.1.2 can use Telnet to connect to 10.10.1.1, but this connection should not be allowed.

Branch#show access-lists 150 Extended IP access list 150 10 deny tcp host 10.1.1.2 any eq telnet 20 permit ip any any Branch#show running-config interface Serial 0/0/0 interface Serial0/0/0 ip address 10.160.22.33 255.255.255.0 ip access-group 150 in <output omitted>

© 2013 Cisco Systems, Inc. ICND1 — 3-54

Host 10.10.1.1 can use Telnet to connect into the Branch router IP address, but this connection should not be allowed.

Branch#show access-lists 160 Extended IP access list 160 10 deny tcp any host 10.160.22.33 eq telnet 20 permit ip any any

© 2013 Cisco Systems, Inc. ICND1 — 3-55

• ACLs that are used for traffic filtering can operate in the inbound or outbound direction.

• One ACL per protocol, per direction, per interface is supported. • Extended ACLs are used to filter traffic based on source and destination

IP addresses, protocol, and port numbers. • Numbered, extended ACLs use numbers from 100 to 199 and from 2000

to 2699.

© 2013 Cisco Systems, Inc. ICND1 — 3-56

• Access-list configuration mode allows adding, modifying, and deleting individual statements from an ACL.

• Place more specific statements at the top of an ACL and more general ones at the bottom.

• Use the show access-lists verification command to troubleshoot common ACL configuration errors.

© 2013 Cisco Systems, Inc. ICND1 — 3-57

© 2013 Cisco Systems, Inc. ICND1 — 3-58