Chapter 8 Access Control Lists (ACL)
Basic Firewall
Basic IPv4 Access Control Lists
Standard Access Control Lists
Extended Access Control Lists
Advanced Access Control Lists
Monitoring Access Control Lists
Troubleshooting Access Control Lists
Basic Firewall
Using Security Zones with Firewalls
Basic Traffic Filtering
Basic IPv4 Access Control Lists
Types of Access Lists
Inbound and Outbound Traffic Flow
General access-list Guidelines
Only one access list per interface, per protocol, per direction
Organize your access lists so that the more specific tests are at the top of the list
Any time a new entry is added to the access list, it is placed at the bottom of the list
You cannot remove a single line from an access list; if you try to do this, you will remove the entire list
Create the access list first, then apply it to an interface
An ACL will not filter traffic that originates from the router itself
Place IP standard access lists as close to the destination as possible
Place IP extended access lists as close to the source as possible
Mitigating Security Issues with ACLs
How ACL Works
Standard Access Control Lists
Standard IP access lists filter network traffic by examining only the source IP address of each packet.
They use the access-list numbers 1–99 or 1300–1999 (expanded range).
Standard ACL Configuration
Configure a standard numbered ACL:
Router(config)#access-list access-list-number {permit | deny | remark} source [mask]
• Sets the parameters for this list entry
• IP standard access lists use numbers 1 to 99
• Default wildcard mask = 0.0.0.0 (matches only the single source address given)
• no access-list access-list-number removes the entire access list
• The remark option lets you add a description for the access list
Apply the list to an interface:
Router(config-if)#ip access-group access-list-number {in | out}
Standard ACL Example #1
• Restricts incoming or outgoing vty connections to the addresses in the access list
Controlling VTY Using ACL
• Permits only hosts in network 192.168.1.0 0.0.0.255 to connect to the router's vty lines
Extended Access Control Lists
Extended access lists let you specify the source and destination address as well as the protocol and the port
number that identifies the upper-layer protocol or application.
They use the access-list numbers 100–199 or 2000–2699 (expanded range).
Extended ACL Configuration
Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Extended ACL Example #1
Extended ACL Example #2
Named ACL Configuration
Named ACLs
Router(config)#ip access-list {standard | extended} name
Advanced Access Control Lists
Named Access Control Lists
Monitoring Access Control Lists
Verifying Access Control Lists
Troubleshooting Access Control Lists
Error #3: Network 172.16.0.0 can telnet to 10.100.100.1, but this connection should not be allowed.
Error #4: Host 10.1.1.1 can telnet to 10.100.100.1, but this connection should not be allowed.
Error #5: Host 10.100.100.1 can telnet to 10.1.1.1, but this connection should not be allowed.
Error #6: Host 10.1.1.1 can telnet to RouterB, but this connection should not be allowed.
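Added example (not from the slides): a small Python evaluator for the extended access-list syntax from the Extended ACL Configuration slide, showing the top-down first-match rule, the implicit deny at the end of every list, and how a broad permit placed above a specific deny produces the symptom of Error #3 above. The ACL entries are constructed for illustration; the `any` keyword and the subset of the syntax handled (protocol, source/destination with wildcard, optional `eq port` on the destination) are assumptions about what a reader will type.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit means the packet bit must equal the base bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_entry(line):
    """Parse one extended ACE (subset: 'any' or 'addr wildcard', optional 'eq port' on dst)."""
    tok = line.split()
    assert tok[0] == "access-list", "expected an access-list line"
    entry = {"action": tok[2], "proto": tok[3], "dport": None}
    i = 4
    for side in ("src", "dst"):
        if tok[i] == "any":  # 'any' is shorthand for 0.0.0.0 255.255.255.255
            entry[side], i = ("0.0.0.0", "255.255.255.255"), i + 1
        else:
            entry[side], i = (tok[i], tok[i + 1]), i + 2
    if i < len(tok) and tok[i] == "eq":
        entry["dport"] = int(tok[i + 1])
    return entry


def evaluate(acl_lines, src, dst, proto, dport):
    """Top-down, first match wins; a packet matching no entry hits the implicit deny.
    Returns (action, matching line number) or ("deny", None) for the implicit deny."""
    for n, line in enumerate(acl_lines, 1):
        e = parse_entry(line)
        if e["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"])):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], n
    return "deny", None


# Constructed ACL reproducing the Error #3 symptom: the broad permit sits above the
# specific deny, so telnet from 172.16.0.0/16 to 10.100.100.1 matches line 1 and passes.
MISORDERED = [
    "access-list 101 permit tcp 172.16.0.0 0.0.255.255 10.100.100.0 0.0.0.255",
    "access-list 101 deny tcp 172.16.0.0 0.0.255.255 10.100.100.1 0.0.0.0 eq 23",
    "access-list 101 permit ip any any",
]
# The same entries with the guideline applied: the most specific test first.
FIXED = [MISORDERED[1], MISORDERED[0], MISORDERED[2]]

print(evaluate(MISORDERED, "172.16.5.9", "10.100.100.1", "tcp", 23), evaluate(FIXED, "172.16.5.9", "10.100.100.1", "tcp", 23))
```

The misordered list returns `('permit', 1)` for the telnet packet and the reordered list returns `('deny', 1)`, while a packet that matches no entry at all is reported as `('deny', None)`.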