Chapter 8 Access Control Lists (ACL)

The document provides an overview of access control lists (ACLs), including:
- Basic firewall concepts and how they use security zones and rules to control connections.
- The different types of ACLs (standard, extended and named) and how they filter traffic differently.
- How ACLs work and are applied to interfaces to filter inbound and outbound traffic.
- Configuration examples for standard and extended ACLs, including controlling Telnet access.

Uploaded by nuhono

Chapter 8: ACL (Access List)

CISCO CERTIFIED NETWORK ASSOCIATE (CCNA) TRAINING
Agenda

Basic Firewall
Basic IPv4 Access Control Lists
Standard Access Control Lists
Extended Access Control Lists
Advanced Access Control Lists
Monitoring Access Control Lists
Troubleshooting Access Control Lists

Basic Firewall

A typical secured network (network diagram)
Using Security Zones with Firewalls

“The firewall has rules, and those rules define which host can initiate connections from one zone to another zone.”
Basic Traffic Filtering

Policy-based, multi-interface support
◦ Allows you to control user access by IP address and interface, depending on your security policy.

Network Address Translation (NAT)

Time-based access lists
◦ Determine security policies based upon the exact time of day and the particular day of the week.

Peer router authentication
◦ Guarantees that routers are getting dependable routing information from actual, trusted sources.
Basic IPv4 Access Control Lists

Essentially a list of conditions that categorize packets:
◦ A packet is always compared with each line of the access list in sequential order.
◦ It is compared with the lines of the access list only until a match is made.
◦ There is an implicit “deny” at the end of each access list: if a packet doesn’t match the condition on any line of the access list, the packet is discarded.
Types of Access Lists

Standard access lists
◦ Use only the source IP address in an IP packet as the condition test
◦ All decisions are made based on the source IP address
◦ Permit or deny an entire suite of protocols
◦ Don’t distinguish between any of the many types of IP traffic such as web, Telnet, UDP, and so on

Extended access lists
◦ Can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet
◦ Can evaluate source and destination IP addresses, the protocol field in the Network layer header, and the port number in the Transport layer header
Named access lists
◦ Have many similarities with numbered IP ACLs
◦ Can be used for filtering packets, plus for many other purposes
◦ Named ACLs originally had three big differences compared to numbered ACLs:
  ◦ Using names instead of numbers to identify the ACL, making it easier to remember the reason for the ACL
  ◦ Using ACL subcommands, not global commands, to define the action and matching parameters
  ◦ ACL editing features that allow the CLI user to delete individual lines from the ACL and insert new lines
Inbound and Outbound Traffic Flow

Inbound access lists
◦ Packets are processed through the access list before being routed to the outbound interface
◦ Any packets that are denied won’t be routed, because they’re discarded before the routing process is invoked

Outbound access lists
◦ Packets are routed to the outbound interface and then processed through the access list before being queued
General Access-List Guidelines

Only one access list per interface, per protocol, per direction
Organize your access lists so that the more specific tests are at the top of the access list
Any time a new entry is added to the access list, it is placed at the bottom of the list
You cannot remove one line from a numbered access list; if you try to do this, you remove the entire list
Create access lists first, then apply them to an interface
An ACL does not filter traffic that originated from the router itself
Place IP standard access lists as close to the destination as possible
Place IP extended access lists as close to the source as possible
Mitigating Security Issues with ACLs

IP address spoofing, inbound
IP address spoofing, outbound
Denial of service (DoS) TCP SYN attacks, blocking external attacks
DoS TCP SYN attacks, using TCP Intercept
DoS smurf attacks
Filtering ICMP messages, inbound
Filtering ICMP messages, outbound
Filtering traceroute

Inbound anti-spoofing filters should:
◦ Deny any addresses from your internal networks
◦ Deny any local host addresses (127.0.0.0/8)
◦ Deny any reserved private addresses
◦ Deny any addresses in the IP multicast address range (224.0.0.0/4)
How ACL Works (flowchart figure)
Standard Access Control Lists

Standard IP access lists filter network traffic by examining the source IP address in a packet.
They use access-list numbers 1–99 or 1300–1999 (expanded range).
Standard ACL Configuration

Configure a standard numbered ACL:

Router(config)#access-list access-list-number {permit | deny | remark} source [mask]

• Sets parameters for this list entry
• IP standard access lists use 1 to 99
• Default wildcard mask = 0.0.0.0
• no access-list access-list-number removes the entire access list
• The remark option lets you add a description for the access list

Router(config-if)#ip access-group access-list-number {in | out}

• Activates the list on an interface
• Sets inbound or outbound testing
• Default = outbound
• no ip access-group access-list-number removes the access list from the interface
Wildcard Bits

How to check the corresponding address bits:
• 0 means check the value of the corresponding address bit.
• 1 means ignore the value of the corresponding address bit.

To match a specific IP host address:
• Check all the address bits (match all).
• For example, 172.30.16.29 0.0.0.0 checks all the address bits.
• Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29).

To match any IP address:
• Ignore all the address bits (match any).
• Accept any address: abbreviate the expression using the keyword any.

To match IP subnets:
• Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24.
• Address and wildcard mask: 172.30.16.0 0.0.15.255
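As an added example (not part of the original slides), the following Python shows the wildcard rule in code: it checks an address against an address/wildcard pair, derives the single "address wildcard" entry for a contiguous block such as the slide's 172.30.16.0/24 to 172.30.31.0/24, and refuses ranges that one entry cannot cover without also matching addresses outside them. Function names are assumptions of this example.

```python
import ipaddress

def wildcard_match(ip: str, address: str, wildcard: str) -> bool:
    """Wildcard bit 0 = check the address bit; wildcard bit 1 = ignore it."""
    ip_i, addr_i, wc_i = (int(ipaddress.ip_address(x)) for x in (ip, address, wildcard))
    return (ip_i ^ addr_i) & ~wc_i & 0xFFFFFFFF == 0

def range_to_wildcard(first_subnet: str, last_subnet: str) -> tuple[str, str]:
    """Express the block first_subnet..last_subnet as one 'address wildcard' pair,
    or raise if a single entry cannot cover it exactly."""
    lo = int(ipaddress.ip_network(first_subnet).network_address)
    hi = int(ipaddress.ip_network(last_subnet).broadcast_address)
    # Every bit position at or below the highest bit where lo and hi differ
    # must be a "don't care" (1) bit in the wildcard.
    wildcard = (1 << (lo ^ hi).bit_length()) - 1
    # The block must start on a boundary of that size and be exactly that size;
    # otherwise the entry would silently match addresses outside the range.
    if lo & wildcard or hi - lo != wildcard:
        raise ValueError("range is not a single aligned block; split it into several entries")
    return str(ipaddress.ip_address(lo)), str(ipaddress.ip_address(wildcard))

def ios_form(address: str, wildcard: str) -> str:
    """Abbreviate the way the slides do: 'host A' for 0.0.0.0, 'any' for all-ones."""
    if wildcard == "0.0.0.0":
        return f"host {address}"
    if wildcard == "255.255.255.255":
        return "any"
    return f"{address} {wildcard}"

if __name__ == "__main__":
    addr, wc = range_to_wildcard("172.30.16.0/24", "172.30.31.0/24")  # range from the slide
    print(ios_form(addr, wc))                       # 172.30.16.0 0.0.15.255
    print(wildcard_match("172.30.31.7", addr, wc))  # True
    print(wildcard_match("172.30.32.1", addr, wc))  # False
```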
Standard ACL Examples (configuration figures)

Example 1: Permit my network only.
Example 2: Deny a specific host.
Example 3: Deny a specific subnet.
Controlling VTY Using ACL

Controlling VTY (Telnet) Access
◦ You’ll probably have a difficult time trying to stop users from telnetting to a large router, because any active interface on a router is fair game for VTY access
◦ Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers
◦ Apply the access list to the VTY line with the access-class command

Router(config)#line vty {vty# | vty-range}

• Enters configuration mode for a vty or vty range

Router(config-line)#access-class access-list-number {in | out}

• Restricts incoming or outgoing vty connections to addresses in the access list

Controlling VTY (Telnet) Access Example: Controlling Inbound Access

access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny all)
!
line vty 0 4
access-class 12 in

• Permits only hosts in network 192.168.1.0 0.0.0.255 to connect to the router vty
Extended Access Control Lists

Extended access lists allow you to specify source and destination addresses as well as the protocol and port number that identify the upper-layer protocol or application.
They use access-list numbers 100–199 or 2000–2699 (expanded range).

Extended ACL Configuration

Configure an extended numbered ACL:

Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

• Sets parameters for this list entry

Router(config-if)#ip access-group access-list-number {in | out}

• Activates the extended list on an interface
Extended ACL Examples (configuration figures)

Example 1: Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0; permit all other traffic.
Example 2: Deny only Telnet from subnet 172.16.4.0 out of E0; permit all other traffic.
Advanced Access Control Lists

Named ACL Configuration

Router(config)#ip access-list {standard | extended} name

• The alphanumeric name string must be unique.

Router(config {std- | ext-}nacl)#{permit | deny} {ip access list test conditions}
Router(config {std- | ext-}nacl)#no {permit | deny} {ip access list test conditions}

• Permit or deny statements have no prepended number.
• “no” removes the specific test from the named access list.

Router(config-if)#ip access-group name {in | out}

• Activates the IP named access list on an interface.
Named ACL Example 1

Deny a specific host (172.16.4.13) to 172.16.3.0:

RouterX(config)#ip access-list standard troublemaker
RouterX(config-std-nacl)#deny host 172.16.4.13
RouterX(config-std-nacl)#permit 172.16.4.0 0.0.0.255
RouterX(config-std-nacl)#interface e0
RouterX(config-if)#ip access-group troublemaker out
Named ACL Example 2

Deny Telnet from a specific subnet (172.16.4.0) to 172.16.3.0:

RouterX(config)#ip access-list extended badgroup
RouterX(config-ext-nacl)#deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config-ext-nacl)#permit ip any any
RouterX(config-ext-nacl)#interface e0
RouterX(config-if)#ip access-group badgroup out
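To make the processing rules from the "Basic IPv4 Access Control Lists" slide concrete (sequential comparison, first match wins, implicit deny at the end, standard lists testing only the source while extended lists also test protocol, destination and port), here is an added Python evaluator; it is not code from the slides or from Cisco IOS. It parses entries in the IOS syntax used on this page, models only the `eq` operator on the destination port, and its class and function names are assumptions of this example; the two named ACLs above (troublemaker and badgroup) are the intended input.

```python
import ipaddress
from dataclasses import dataclass

ANY = (0, 0xFFFFFFFF)                               # 0.0.0.0 255.255.255.255
IMPLICIT_DENY = ("deny", "ip", *ANY, *ANY, None)    # the unseen last line of every ACL

@dataclass
class Packet:                                       # constructed test input, not a capture
    src: str
    dst: str
    proto: str = "ip"                               # ip | tcp | udp | icmp
    dport: "int | None" = None

def _ip(s):
    return int(ipaddress.ip_address(s))

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' -> (addr, wildcard, remaining tokens)."""
    if tok[0] == "any":
        return (*ANY, tok[1:])
    if tok[0] == "host":
        return _ip(tok[1]), 0, tok[2:]
    return _ip(tok[0]), _ip(tok[1]), tok[2:]

def parse_ace(line):
    """One IOS-style entry: standard (source only) or extended (protocol, src, dst, 'eq port')."""
    action, *rest = line.split()
    if rest[0] in ("ip", "tcp", "udp", "icmp"):     # extended: protocol keyword comes first
        proto, (src, swc, rest) = rest[0], _addr(rest[1:])
        dst, dwc, rest = _addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None   # only destination 'eq' modelled
    else:                                             # standard: only the source is tested
        proto, (src, swc, rest) = "ip", _addr(rest)
        (dst, dwc), dport = ANY, None
    return action, proto, src, swc, dst, dwc, dport

def _wc(ip, addr, wc):
    """Wildcard compare: 0 bits must equal the address bit, 1 bits are ignored."""
    return (_ip(ip) ^ addr) & ~wc & 0xFFFFFFFF == 0

def evaluate(acl_lines, pkt):
    """Walk the list top-down; the first matching line decides; implicit deny catches the rest."""
    for action, proto, src, swc, dst, dwc, dport in [*map(parse_ace, acl_lines), IMPLICIT_DENY]:
        if proto != "ip" and proto != pkt.proto:      # 'ip' entries match every IP protocol
            continue
        if not (_wc(pkt.src, src, swc) and _wc(pkt.dst, dst, dwc)):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
```

Calling evaluate(["deny tcp 172.16.4.0 0.0.0.255 any eq 23", "permit ip any any"], Packet("172.16.4.13", "172.16.3.1", "tcp", 23)) returns "deny", while the same host on port 80 returns "permit"; a source outside 172.16.4.0/24 against the troublemaker list falls through to the implicit deny.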
Named Access Control Lists: Comments on ACL Statements

RouterX(config)#ip access-list {standard|extended} name
 Creates a named ACL

RouterX(config {std- | ext-}nacl)#remark remark
 Creates a named ACL comment

OR

RouterX(config)#access-list access-list-number remark remark
 Creates a numbered ACL comment
Monitoring Access Control Lists

Show all ACLs with the show access-lists command:

RouterX# show access-lists {access-list number|name}

RouterX# show access-lists
Standard IP access list SALES
10 deny 10.1.1.0, wildcard bits 0.0.0.255
20 permit 10.3.3.1
30 permit 10.4.4.1
40 permit 10.5.5.1
Extended IP access list ENG
10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
20 permit tcp host 10.33.33.1 any eq ftp
30 permit tcp host 10.44.44.1 any eq ftp-data
Verifying Access Control Lists

RouterX# show ip interfaces e0
Ethernet0 is up, line protocol is up
Internet address is 10.1.1.11/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
<text omitted>
Troubleshooting Access Control Lists (topology figures)

Error 1: Host 10.1.1.1 doesn’t have connectivity with 10.100.100.1.
Error 2: Network 192.168.1.0 doesn’t have TFTP connectivity to 10.100.100.1.
Error 3: Network 172.16.0.0 can telnet to 10.100.100.1, but this connection should not be allowed.
Error 4: Host 10.1.1.1 can telnet to 10.100.100.1, but this connection should not be allowed.
Error 5: Host 10.100.100.1 can telnet to 10.1.1.1, but this connection should not be allowed.
Error 6: Host 10.1.1.1 can telnet to RouterB, but this connection should not be allowed.
