Extended ACLs

This chapter covers the following exam topics:

5.0 Security Fundamentals

5.6 Configure and verify access control lists

  • All the parameters in an ACE must match for a packet to match that one ACE.

Matching the Protocol, Source IP, and Destination IP (Extended)

  • Uses the access-list global command; the syntax is identical to a standard ACL up to the permit or deny keyword.

  • Requires three matching parameters:

    • IP protocol type

    • source IP address

    • destination IP address

IP header’s Protocol Type field

  • identifies the header that follows the IP header (layer 4)
  • TCP, UDP, EIGRP, IGMP, etc.
  • Use the protocol name as the keyword (tcp, udp, icmp, ...)
  • The keyword ip matches all IPv4 packets, whatever header follows

Syntax

# access-list 101 (list #) permit/deny tcp (protocol) 10.0.0.1 0.0.0.0 (source) 10.1.0.1 0.0.0.255 (destination)

  • Requires the host keyword to match one specific address

  • Examples

  • access-list 101 deny tcp any any
    Any IP packet that has a TCP header

  • access-list 101 deny udp any any
    Any IP packet that has a UDP header

  • access-list 101 deny icmp any any
    Any IP packet that has an ICMP header

  • access-list 101 deny ip host 1.1.1.1 host 2.2.2.2
    All IP packets from host 1.1.1.1 going to host 2.2.2.2

  • access-list 101 deny udp 1.1.1.0 0.0.0.255 any
    All IP packets that have a UDP header following the IP header, from subnet 1.1.1.0/24 going to any destination

IP and TCP Header

IP Header (field: size)

  • Misc Header Fields: 9 bytes
  • Protocol: 1 byte (e.g., 6 = TCP; identifies the header that follows)
  • Header Checksum: 2 bytes
  • Source IP: 4 bytes
  • Dest. IP: 4 bytes
  • Options: variable

TCP Header (field: size)

  • Source Port: 2 bytes
  • Dest. Port: 2 bytes
  • Rest of TCP: 16 bytes

tcp or udp keyword

  • can optionally reference the source and/or destination port
  • operators: equal, not equal, less than, greater than, and a range of port numbers
  • can use port numbers or keywords for some well-known application ports

The syntax below shows the positions of the source and destination port fields in the access-list command, followed by the port operator keywords.

# access-list 101 permit (protocol) Source_IP (source port) dest_IP (dest port)

Protocol

  • tcp
  • udp

Source Port operator (optional, follows the source address)

  • eq __
  • ne __
  • lt __
  • gt __
  • range __ __

Dest. Port operator (optional, follows the destination address)

  • eq __
  • ne __
  • lt __
  • gt __
  • range __ __

eq: equal (=)

lt: less than (<)

ne: not equal

gt: greater than (>)

range: x to y, inclusive

e.g.:

# access-list 101 permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21

  • eq 21 is in the destination port position (it follows the destination address), so it matches the destination port only
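As an added example (not from the original notes), the following Python models how a router evaluates a packet against extended ACEs of the form shown above: wildcard-mask address matching, the eq/ne/lt/gt/range port operators, and first-match evaluation with the implicit deny at the end. The PORTS table subset, ACL_101 and the test packets are constructed for this example.

```python
import ipaddress

PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}  # IOS names
PROTOS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}   # None = match any IP protocol

def _addr(toks):  # consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (addr, wildcard) ints
    t = toks.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF                        # any == 0.0.0.0 255.255.255.255
    if t == "host":
        return int(ipaddress.IPv4Address(toks.pop(0))), 0     # host == wildcard 0.0.0.0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(toks.pop(0)))

def _port_op(toks, tcp_udp):
    """Consume an optional eq/ne/lt/gt/range clause; return a predicate on a port number."""
    if not tcp_udp or not toks or toks[0] not in ("eq", "ne", "lt", "gt", "range"):
        return lambda p: True                       # no operator: every port matches
    num = lambda t: PORTS.get(t) or int(t)          # keyword (www) or number (80)
    op, a = toks.pop(0), num(toks.pop(0))
    if op == "range":
        b = num(toks.pop(0))
        return lambda p: a <= p <= b
    return {"eq": lambda p: p == a, "ne": lambda p: p != a,
            "lt": lambda p: p < a, "gt": lambda p: p > a}[op]

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC [op port] DST [op port]'."""
    toks = line.split()
    action, tu, rest = toks[2], toks[3] in ("tcp", "udp"), toks[4:]   # ports only for tcp/udp
    src, sp = _addr(rest), _port_op(rest, tu)       # source address, then its optional port clause
    dst, dp = _addr(rest), _port_op(rest, tu)       # destination address, then its port clause
    return action, PROTOS[toks[3]], src, sp, dst, dp

def _wild(addr, wildcard, pkt):   # wildcard bit 1 = don't care, 0 = must match
    return ((addr ^ pkt) & ~wildcard & 0xFFFFFFFF) == 0

def acl_action(acl, proto, src, sport, dst, dport):
    """First matching ACE decides; the implicit deny at the end catches everything else."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for line in acl:
        action, p, (sa, sw), sp, (da, dw), dp = parse_ace(line)
        if (p is None or p == proto) and _wild(sa, sw, s) and _wild(da, dw, d) \
                and sp(sport) and dp(dport):
            return action
    return "deny"

# Constructed sample ACL assembled from the ACEs shown in these notes.
ACL_101 = ["access-list 101 permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 eq ftp",
           "access-list 101 deny udp 1.1.1.0 0.0.0.255 any",
           "access-list 101 permit ip host 1.1.1.1 host 2.2.2.2"]
```

Note that a TCP packet to port 22 from the same 172.16.1.0/24 hosts falls through every ACE and is dropped by the implicit deny, which is the usual surprise when an ACL ends without a permit ip any any.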

Apps and Port number shortcuts for ACL Commands

Port(s)          IOS keyword ("-" = no keyword; type the number)
20               ftp-data
21               ftp
22               -
23               telnet
25               smtp
53               domain
67               bootps (DHCP server)
68               bootpc (DHCP client)
69               tftp
80               www
110              pop3
161              snmp
443              -
514              -
16384-32767      - (RTP / voice / video)

Extended IP ACL Configuration

Command (global configuration mode) and description:

# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log | log-input]

  • Global command for extended numbered access lists. Use a number between 100 and 199 or 2000 and 2699, inclusive.

# access-list access-list-number {deny | permit} {tcp | udp} source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [log]

  • A version of the access-list command with parameters specific to TCP and/or UDP.

  • Enable the ACL with the same ip access-group interface subcommand used for standard ACLs.
  • Place extended ACLs as close as possible to the source of the packets that will be filtered; dropping them early saves some bandwidth.
  • ACL numbers: 100–199 and 2000–2699

Extended IP Access Lists: Example 1

(If you were to type eq 80, the config would show eq www.)

#(int) ip access-group 101 in

Named ACLs and ACL Editing

Named IP Access Lists

  • Names are easier to remember than numbers
  • Uses ACL-mode subcommands instead of global config commands
  • Editing features allow deleting individual lines and inserting new ones

Config

# ip access-list (standard | extended) (name)

#(ACLmode) permit 1.1.1.1

#(ACLmode) permit 2.2.2.2

#(ACLmode) permit 3.3.3.3

#(ACLmode) deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255

#(int) ip access-group barney out

  • delete and add new lines to the ACL from within ACL configuration mode

  • deleting a single entry from the ACL (the no form repeats the whole ACE):

#(ACLmode) no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255

Editing ACLs Using Sequence Numbers (named ACLs, and numbered ACLs configured in the named style rather than with global access-list commands)

  • An ACL sequence number is added to each ACL permit or deny statement

  • The numbers represent the order of the statements in the ACL

  • Numbered ACLs can use a configuration style like named ACLs, as well as the traditional style, for the same ACL; the new style is required to perform advanced ACL editing.

  • Deleting single lines: delete an ACE with a no sequence-number subcommand.

  • Inserting new lines: new ACEs can be configured with a sequence number before the deny or permit keyword, dictating the location of the statement within the ACL.

  • Automatic sequence numbering: sequence numbers are added to ACEs automatically when none is given.

# show ip access-lists 24

  • Shows access list 24 with the sequence number of each entry

#(ACLmode) no 20

  • delete entry 20

#(ACLmode) 5 deny 10.1.1.1

  • enters this new ACE as sequence number 5
  • the router places the entry in the list in sequence-number order

Although Example 3-6 uses a numbered ACL, named ACLs use the same process to edit (add and remove) entries.
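The editing behaviour described above (automatic numbering in steps of 10, no <seq> to delete one entry, an explicit number to insert in order), as an added Python model that is not part of the original notes; the SeqAcl class, walkthrough() and the ACL 24 entries are constructed for this example.

```python
class SeqAcl:
    """Model of an IOS ACL edited in ACL configuration mode with sequence numbers."""

    def __init__(self, name):
        self.name = name
        self.entries = {}                       # sequence number -> ACE text ("deny 10.1.1.1")

    def add(self, ace, seq=None):
        """Append (auto-numbered: highest + 10, first entry 10) or insert at an explicit seq."""
        if seq is None:
            seq = max(self.entries, default=0) + 10
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already in use")
        self.entries[seq] = ace
        return seq

    def remove(self, seq):
        """'no <seq>': delete exactly one ACE; the other entries keep their numbers."""
        del self.entries[seq]

    def command(self, text):
        """Apply one ACL-mode subcommand: 'no 20', '5 deny 10.1.1.1' or 'permit 10.1.1.2'."""
        toks = text.split()
        if toks[0] == "no" and toks[1].isdigit():
            self.remove(int(toks[1]))
        elif toks[0].isdigit():
            self.add(" ".join(toks[1:]), int(toks[0]))
        else:
            self.add(text)

    def show(self):
        """Entries as 'show ip access-lists' lists them: ascending sequence number."""
        return [f"{seq} {ace}" for seq, ace in sorted(self.entries.items())]

def walkthrough():
    """Replays the edits these notes describe on a constructed ACL 24."""
    acl = SeqAcl("24")
    for ace in ("permit 10.1.1.1", "permit 10.1.1.2", "permit 10.1.1.3"):
        acl.command(ace)                         # auto-numbered 10, 20, 30
    acl.command("no 20")                         # delete entry 20 only
    acl.command("5 deny 10.1.1.1")               # inserted ahead of 10, not appended
    acl.command("permit 10.1.1.4")               # next auto number continues from the highest: 40
    return acl.show()
```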

Numbered ACL Configuration Versus Named ACL Configuration

  • numbered ACLs are stored in the original style of configuration, as global access-list commands, no matter which method is used to configure the ACL.
  • the parts of ACL 24 configured with new-style commands and with old-style commands are all listed together as one old-style ACL in show running-config.

ACL Implementation Considerations

  • Place more specific statements early in the ACL.

  • Disable an ACL from its interface (using the no ip access-group interface subcommand) before making changes to the ACL.

  • By doing so, you avoid issues with the ACL while it is in an interim, partially edited state.

Mitigating Security Issues with ACLs

Security threats that can be mitigated with ACLs

- IP address spoofing, inbound

- IP address spoofing, outbound

- DoS TCP SYN attacks, blocking external attacks

- DoS TCP SYN attacks, using TCP Intercept

- DoS smurf attacks

- Denying/filtering ICMP messages, inbound

- Denying/filtering ICMP messages, outbound

- Denying/filtering Traceroute

* Don’t allow external packets that have an internal destination address.

Configuring an ACL for traffic arriving from the Internet

  • Deny any source addresses from your internal networks

  • Deny any local host addresses (127.0.0.0/8)

  • Deny any reserved private addresses (RFC 1918)

  • Deny any addresses in the IP multicast address range (224.0.0.0/4)
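The ingress filter these four bullets describe, as an added example that is not part of the original notes: Python that derives the IOS wildcard mask from each prefix and emits a named extended ACL for the Internet-facing interface, plus a check of which sources it drops. INTERNAL_PREFIXES, the ACL name and is_spoofed_source are constructed for this example.

```python
import ipaddress

# Constructed placeholder for the site's own address space (replace with the real prefixes).
INTERNAL_PREFIXES = ["203.0.113.0/24"]
# Source ranges these notes say to deny on the Internet-facing ACL, in the order listed.
ALWAYS_DENY = {
    "local host addresses (127.0.0.0/8)": ["127.0.0.0/8"],
    "RFC 1918 private addresses": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "IP multicast range (224.0.0.0/4)": ["224.0.0.0/4"],
}

def wildcard_mask(prefix):
    """IOS wildcard = inverse of the subnet mask: 0 bits must match, 1 bits are ignored."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    return str(ipaddress.IPv4Address(int(net.netmask) ^ 0xFFFFFFFF))

def deny_source(prefix, seq):
    """One extended ACE dropping every IP packet whose source address lies in prefix."""
    net = ipaddress.IPv4Network(prefix)
    return f"{seq} deny ip {net.network_address} {wildcard_mask(prefix)} any"

def ingress_antispoof_acl(name, internal_prefixes):
    """Named extended ACL to apply inbound on the Internet-facing interface."""
    lines, seq = [f"ip access-list extended {name}"], 10
    for label, prefixes in [("own internal networks", internal_prefixes)] + list(ALWAYS_DENY.items()):
        lines.append(f" remark spoofed sources: {label}")
        for p in prefixes:
            lines.append(" " + deny_source(p, seq))
            seq += 10
    lines.append(f" {seq} permit ip any any")     # the site's real traffic policy replaces this line
    return lines

def is_spoofed_source(src_ip, internal_prefixes):
    """True when the source address falls in any of the ranges the ACL above denies."""
    ip = ipaddress.IPv4Address(src_ip)
    ranges = list(internal_prefixes) + [p for ps in ALWAYS_DENY.values() for p in ps]
    return any(ip in ipaddress.IPv4Network(p) for p in ranges)
```

The /12 and /4 wildcards (0.15.255.255 and 15.255.255.255) are the ones most often mistyped by hand, which is why the mask is computed rather than written out.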

Controlling VTY (Telnet/ SSH) Access

1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet (or SSH) into the routers.

2. Apply the access list to the VTY lines with the access-class in line subcommand.

(g) # access-list 50 permit host 172.16.10.3

(g) # line vty 0 4

(line) # access-class 50 in

Monitoring Access Lists

# show access-list

Shows all access lists with their parameters and match statistics.

# show access-list 110

Shows only access list 110.

# show ip access-list

Shows the IP access lists on the router.

# show ip interface

Shows which interfaces have access lists applied to them.

# show running-config

Shows the ACLs and the interfaces they are applied to.