
ACL (Access Control Lists)

Standard, Extended and Named ACLs



Objectives

  • In this lesson, you will learn:

    • Purpose of ACLs

      • Their application to an enterprise network

    • How ACLs are used to control access

    • Types of Cisco ACLs:

      • Standard ACL

      • Extended ACL

      • Named ACL



ACL (Access Control Lists)

[Diagram: sample network with the policies to enforce: Allow Email / Deny Telnet; No video to S1; No access to S2 for S1; No FTP; No web]

  • An ACL is an ordered list of permit and deny statements in the router configuration. Once the list is applied to an interface, the router compares each packet against the statements and forwards or drops it accordingly.

  • By default, a router has no ACLs configured and therefore does not filter traffic: every packet it can route is forwarded.



Types of ACL

  • These are examples of IP ACLs that can be configured in Cisco IOS Software:

    • Standard ACLs

    • Extended ACLs

    • Named IP ACLs

    • Others



Where to apply ACL - Guidelines for using ACLs

  • Use ACLs on firewall routers positioned between your internal network and an external network.

  • Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of the internal network.

  • Configure ACLs on border routers, the routers at the edge of your network, so that they act as a buffer between it and the outside network.



Testing Packets with ACLs

  • Configure the ACL

    Example: permit traffic from the single host 192.5.5.10 and drop everything else

  • Router(config)# access-list 1 permit 192.5.5.10 0.0.0.0

  • Router(config)# access-list 1 deny any

    (The final deny any is redundant with the implicit deny at the end of every ACL, but writing it out makes the dropped packets visible in the match counters of show access-lists.)

  • Wildcard mask

    • A wildcard mask tells the router which bits of the address to match and which bits to ignore.

    • A "0" bit means check this bit position; a "1" bit means ignore this bit position. 0.0.0.0 therefore matches exactly one host (the same as the host keyword) and 255.255.255.255 matches every address (the same as any).

    • Note: the wildcard mask is the bitwise inverse of the subnet mask for the address (for a /24, subnet mask 255.255.255.0 gives wildcard 0.0.0.255).

  • Apply the list to the appropriate router interface

    • In or out, as seen from the router: in filters packets arriving on the interface, out filters packets leaving through it

    • Example: Router(config-if)# ip access-group 1 in

[Diagram: wildcard mask shown bit by bit beside the IP subnet mask]



Practice Wild card masks

  • Write a wildcard mask for all hosts in the 192.168.20.0 subnet

  • Write a wildcard mask for all hosts in 10.10.0.0

  • Write a wildcard mask for the host 192.168.1.100



Masking Practice

  • Write the address and wildcard mask for the subnet 172.16.128.0 with subnet mask 255.255.128.0.

    • Answer: 172.16.128.0 0.0.127.255 (255.255.128.0 inverted bit by bit is 0.0.127.255)

  • Write the address and wildcard mask for the subnet 10.0.8.0 with subnet mask 255.255.248.0.

    • Answer: 10.0.8.0 0.0.7.255 (255.255.248.0 inverted bit by bit is 0.0.7.255)
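The mask arithmetic behind the practice questions above, as an added Python example that is not part of the original slides: it derives the wildcard from a subnet mask or prefix length, applies the router's bit-by-bit test, and checks that each computed wildcard admits exactly the subnet. The /24 and /16 prefix lengths for the two questions that give only a network address are assumptions, as is the use of list number 10 in the printed lines.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard mask = bitwise complement of the subnet mask:
    0 bits are checked, 1 bits are ignored."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(~mask & MASK32))

def wildcard_from_prefix(prefix_len: int) -> str:
    """Same computation starting from a /n prefix length."""
    mask = (MASK32 << (32 - prefix_len)) & MASK32
    return str(ipaddress.IPv4Address(~mask & MASK32))

def acl_source(network: str, subnet_mask: str) -> str:
    """The '<address> <wildcard>' pair as it is written in an access-list line."""
    return f"{network} {wildcard_from_mask(subnet_mask)}"

def matches(address: str, wildcard: str, candidate: str) -> bool:
    """The router's test: every bit position where the wildcard has a 0 must
    be identical in the address and the candidate; 1 positions are ignored."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    c = int(ipaddress.IPv4Address(candidate))
    return ((a ^ c) & ~w & MASK32) == 0

def wildcard_bits(wildcard: str) -> str:
    """32-bit binary view of a wildcard, to see which positions are ignored."""
    return format(int(ipaddress.IPv4Address(wildcard)), "032b")

def check_boundaries(network: str, subnet_mask: str) -> tuple:
    """Confirm the computed wildcard admits exactly the subnet: the first and
    last addresses match, the addresses just outside it do not."""
    net = ipaddress.IPv4Network(f"{network}/{subnet_mask}")
    wild = wildcard_from_mask(subnet_mask)
    return (matches(network, wild, str(net.network_address)),
            matches(network, wild, str(net.broadcast_address)),
            matches(network, wild, str(net.network_address - 1)),
            matches(network, wild, str(net.broadcast_address + 1)))

# Constructed input: the practice questions from the slides. The two
# prefix lengths the slides leave implicit are assumptions (/24 and /16).
PRACTICE = {
    "172.16.128.0": "255.255.128.0",     # slide answer: 0.0.127.255
    "10.0.8.0": "255.255.248.0",         # slide answer: 0.0.7.255
    "192.168.20.0": "255.255.255.0",     # "all hosts in 192.168.20.0", /24 assumed
    "10.10.0.0": "255.255.0.0",          # "all hosts in 10.10.0.0", /16 assumed
    "192.168.1.100": "255.255.255.255",  # a single host: wildcard 0.0.0.0
}

def solve_practice() -> dict:
    return {net: acl_source(net, mask) for net, mask in PRACTICE.items()}

if __name__ == "__main__":
    for source in solve_practice().values():
        print(f"access-list 10 permit {source}")   # list number 10 is arbitrary
    print(check_boundaries("172.16.128.0", "255.255.128.0"))
    # Wildcards need not be contiguous, unlike subnet masks: 0.0.254.255
    # checks only the lowest bit of the third octet, so with 10.0.0.0 it
    # matches 10.0.4.7 (even third octet) but not 10.0.5.7.
    print(matches("10.0.0.0", "0.0.254.255", "10.0.4.7"),
          matches("10.0.0.0", "0.0.254.255", "10.0.5.7"))
```

The non-contiguous wildcard at the end goes beyond the slides: IOS accepts such masks, which is why thinking of the wildcard as "which bits to ignore" rather than as an inverted subnet mask is the safer mental model.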



ACL Operation - Inbound ACLs

ACL statements are tested in sequential order, top to bottom.

If a packet header matches a statement, that statement's permit or deny is applied and the rest of the list is skipped.

If a packet header does not match a statement, the packet is tested against the next statement in the list.

A final implied statement (the IMPLICIT DENY) drops every packet that matched none of the conditions. A list made only of deny statements therefore blocks all traffic, and every ACL needs at least one permit to let anything through.



Placement of Standard ACL

R3(config)# access-list 99 deny 192.168.10.0 0.0.0.255

R3(config)# access-list 99 permit any

R3(config)# interface serial 0/0/1

R3(config-if)# ip access-group 99 in

A standard ACL tests only the source address, so place it as close to the destination as possible (here on R3, the router in front of the destination): applied near the source, the same list would cut 192.168.10.0/24 off from every destination, not only the one it is meant to protect. The ip access-group command must name the list that was configured (99); applying a list number that has no statements filters nothing.



Extended ACL

  • Extended ACLs

    • Filter IP packets based on several attributes:

      • protocol type (ip, tcp, udp, icmp, ...),

      • source IP address and destination IP address,

      • source TCP or UDP port and destination TCP or UDP port

    • Example: ACL 102 denies FTP and Telnet traffic originating from any address on 192.168.10.0/24 from leaving the network, and permits everything else.



Placement of ACLs - Extended.

access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq telnet

access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq ftp

access-list 102 permit ip any any

An extended list needs a protocol in every statement, so the final permit is written permit ip any any. eq ftp matches only the control connection on TCP port 21; the FTP data connection uses other ports and is not covered by this line.

Apply the access list inbound on the Fa0/1 interface of R1, the interface on which traffic from 192.168.10.0/24 arrives. An extended ACL identifies the traffic precisely, so it is placed as close to the source as possible and drops the unwanted packets before they cross the network.

R1(config)# interface fa 0/1

R1(config-if)# ip access-group 102 in



What does the following ACL do?

access-list 1 permit any

access-list 1 deny host 10.1.1.1

access-list 1 deny any

access-list 1 deny host 10.1.1.1

access-list 1 deny 192.168.1.0 0.0.0.255

Answer: the first statement matches every source address, so every packet is permitted by line 1 and lines 2 to 5 are never reached. The list permits all traffic, and its deny statements are dead entries.
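An added Python example, not from the original slides, that works through the quiz above by simulating the sequential test from the ACL Operation slide: it parses standard access-list lines, applies first-match evaluation with the implicit deny, and flags statements that an earlier line hides. The shadow check is the editor's own addition and only detects a line hidden by a single earlier line, not one hidden by the union of several.

```python
import ipaddress

MASK32 = 0xFFFFFFFF
ANY = (0, MASK32)

def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def parse_standard_acl(config_lines):
    """Turn 'access-list <n> permit|deny <source>' lines into
    (action, address, wildcard) tuples in configuration order.
    Source forms: any | host A.B.C.D | A.B.C.D W.X.Y.Z | A.B.C.D
    (IOS treats a missing wildcard as 0.0.0.0, i.e. a single host)."""
    rules = []
    for raw in config_lines:
        parts = raw.strip().lower().split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                       # remark or unrelated config line
        action, src = parts[2], parts[3:]
        if src[0] == "any":
            addr, wild = ANY
        elif src[0] == "host":
            addr, wild = _ip(src[1]), 0
        else:
            addr = _ip(src[0])
            wild = _ip(src[1]) if len(src) > 1 else 0
        rules.append((action, addr, wild))
    return rules

def evaluate(rules, source_ip: str):
    """Sequential, first-match test. Returns (action, 1-based line number);
    line None means no statement matched and the implicit deny applied."""
    s = _ip(source_ip)
    for n, (action, addr, wild) in enumerate(rules, start=1):
        if ((addr ^ s) & ~wild & MASK32) == 0:
            return action, n
    return "deny", None

def shadowed(rules):
    """Lines that can never match because one earlier line already covers
    every address they cover: B lies inside A when A ignores every bit B
    ignores and both agree on the bits A checks."""
    found = []
    for j, (_, b_addr, b_wild) in enumerate(rules):
        for i in range(j):
            _, a_addr, a_wild = rules[i]
            if (((b_wild & ~a_wild) & MASK32) == 0
                    and ((a_addr ^ b_addr) & ~a_wild & MASK32) == 0):
                found.append((j + 1, i + 1))   # (hidden line, hidden by)
                break
    return found

# Constructed input: the quiz ACL exactly as the slide lists it.
QUIZ_ACL = [
    "access-list 1 permit any",
    "access-list 1 deny host 10.1.1.1",
    "access-list 1 deny any",
    "access-list 1 deny host 10.1.1.1",
    "access-list 1 deny 192.168.1.0 0.0.0.255",
]

# ACL 99 from the placement slide.
ACL_99 = [
    "access-list 99 deny 192.168.10.0 0.0.0.255",
    "access-list 99 permit any",
]

def quiz_answer() -> dict:
    rules = parse_standard_acl(QUIZ_ACL)
    return {
        "10.1.1.1": evaluate(rules, "10.1.1.1"),
        "192.168.1.77": evaluate(rules, "192.168.1.77"),
        "shadowed": shadowed(rules),
    }

if __name__ == "__main__":
    print(quiz_answer())
    r99 = parse_standard_acl(ACL_99)
    print(evaluate(r99, "192.168.10.5"), evaluate(r99, "172.16.0.1"))
    # A list with a single host permit: every other source hits the implicit deny.
    only_host = parse_standard_acl(["access-list 1 permit 192.5.5.10 0.0.0.0"])
    print(evaluate(only_host, "192.5.5.11"))
```

Running quiz_answer() reports both sample sources as permitted by line 1 and lines 2 to 5 as shadowed by it, which is the whole story of the quiz; the same shadow check run over a real configuration is a cheap way to find rules that were appended below a broad permit and never took effect.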



Commenting ACLs



Named ACL


Extended Named ACLs (NACLs)



Editing named ACLs


Example Network: Controlling inbound access

  • Deny all traffic arriving with a private (RFC 1918) source address, which should never come from the outside.

  • Allow the return traffic of TCP sessions already established, i.e. segments with the ACK (or RST) bit set.

  • Deny anyone entering your network from the outside with an internal source address (spoofing your network) and log each occurrence.

  • Deny the infamous Donald Dick and Prosiak ports.

  • Deny the Deepthroat and Sockets des Troie ports.

  • Deny any SNMP requests from the outside. SNMP is a valuable tool for attackers doing network discovery.

  • Permit packets that were not rejected by an earlier entry to enter your network.


Example: Inbound access control list

  • access-list 100 deny ip 10.0.0.0 0.255.255.255 any log

  • access-list 100 deny ip 172.16.0.0 0.15.255.255 any log

  • access-list 100 deny ip 192.168.0.0 0.0.255.255 any log

  • access-list 100 deny ip any host 127.0.0.1 log

  • access-list 100 permit tcp any <network IP address> <your network mask> established

  • access-list 100 deny ip <network IP address> <your network mask> any log

  • access-list 100 deny tcp any any eq 22222 log

  • access-list 100 deny tcp any any range 60000 60020 log

  • access-list 100 deny udp any any eq snmp log

  • access-list 100 permit ip any any

The second value in the two placeholder entries is a wildcard mask, not a subnet mask. The slide abbreviates the established keyword as est; IOS accepts established only on tcp statements, so entry 5 is written permit tcp rather than permit ip.

[Diagram: perimeter router with inbound traffic from the outside and an administrative PC on the inside; the list is applied in the inbound direction]



Explaining commands

  • Entry 5: "permit tcp any [your network IP address] [your network mask] established" allows all TCP sessions already established, i.e. segments with the ACK bit set. The purpose of this entry is to ensure that if your firewall allows a connection request to leave your network, the router does not stop its return. Note that established is not stateful: it only checks that the ACK or RST flag is set, which any sender can forge, so it is no substitute for a stateful inspection feature such as reflexive ACLs or the IOS zone-based firewall.

  • Entry 6: "deny ip [your network IP address] [your network mask] any log" denies anyone from entering your network from the outside with an internal source address (spoofing your network) and logs each packet occurrence. This is very important for good security. Because entry 5 comes first, a forged segment carrying an internal source address and the ACK bit is permitted before this test is reached; placing the anti-spoofing deny above the established permit closes that gap.

  • Entry 7: "deny tcp any any eq 22222 log" denies the infamous Donald Dick and Prosiak ports.

  • Entry 8: "deny tcp any any range 60000 60020 log" denies the Deepthroat and Sockets des Troie ports.

  • Entry 9: "deny udp any any eq snmp log" denies any SNMP requests from the outside. SNMP is a valuable tool for attackers doing network discovery.

  • Entry 10: "permit ip any any" permits packets that were not previously rejected to enter your network.
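An added Python example, not from the original slides or from any Cisco tool, that models ACL 100 above and shows the ordering problem described under entries 5 and 6 by evaluating constructed packets against the list as written and against a version with the anti-spoofing deny moved first. The protected network is assumed to be 203.0.113.0/24 (the slide leaves it as a placeholder), the outside addresses are taken from the 198.51.100.0/24 documentation range, and the Packet and ACE classes are the editor's own.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

MASK32 = 0xFFFFFFFF
ANY = (0, MASK32)

def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def net(cidr: str) -> Tuple[int, int]:
    """'A.B.C.D/n' -> (address, wildcard), the pair an extended ACE carries."""
    n = ipaddress.IPv4Network(cidr)
    return int(n.network_address), int(n.hostmask)

def host(dotted: str) -> Tuple[int, int]:
    return _ip(dotted), 0

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK (or RST) flag: all that 'established' looks at

@dataclass(frozen=True)
class ACE:
    action: str
    proto: str                                # "ip" matches every protocol
    src: Tuple[int, int]
    dst: Tuple[int, int]
    dport: Optional[Tuple[int, int]] = None   # (low, high); 'eq p' is (p, p)
    established: bool = False
    log: bool = False

    def matches(self, p: Packet) -> bool:
        def covers(pair, dotted):
            addr, wild = pair
            return ((addr ^ _ip(dotted)) & ~wild & MASK32) == 0
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (covers(self.src, p.src) and covers(self.dst, p.dst)):
            return False
        if self.dport and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True

def evaluate(acl, p: Packet):
    """First match wins; returns (action, 1-based line, logged)."""
    for n, ace in enumerate(acl, start=1):
        if ace.matches(p):
            return ace.action, n, ace.log
    return "deny", None, False           # implicit deny

# ASSUMPTION: the slide leaves the protected network as a placeholder;
# 203.0.113.0/24 (a documentation range) stands in for it here.
INSIDE = net("203.0.113.0/24")

def page_acl(anti_spoof_first: bool = False):
    """ACL 100 from the slide. 'est' is IOS's 'established', which only
    exists for tcp. With anti_spoof_first=True entries 5 and 6 are swapped."""
    established = ACE("permit", "tcp", ANY, INSIDE, established=True)
    anti_spoof = ACE("deny", "ip", INSIDE, ANY, log=True)
    acl = [
        ACE("deny", "ip", net("10.0.0.0/8"), ANY, log=True),
        ACE("deny", "ip", net("172.16.0.0/12"), ANY, log=True),
        ACE("deny", "ip", net("192.168.0.0/16"), ANY, log=True),
        ACE("deny", "ip", ANY, host("127.0.0.1"), log=True),
    ]
    acl += [anti_spoof, established] if anti_spoof_first else [established, anti_spoof]
    acl += [
        ACE("deny", "tcp", ANY, ANY, dport=(22222, 22222), log=True),
        ACE("deny", "tcp", ANY, ANY, dport=(60000, 60020), log=True),
        ACE("deny", "udp", ANY, ANY, dport=(161, 161), log=True),   # eq snmp
        ACE("permit", "ip", ANY, ANY),
    ]
    return acl

# Constructed packets arriving inbound on the outside interface.
REPLY = Packet("tcp", "198.51.100.7", "203.0.113.20", 443, 50000, ack=True)
SPOOFED_ACK = Packet("tcp", "203.0.113.9", "203.0.113.20", 80, 40000, ack=True)
SNMP_PROBE = Packet("udp", "198.51.100.7", "203.0.113.20", 1024, 161)
TROJAN_SYN = Packet("tcp", "198.51.100.7", "203.0.113.20", 3333, 22222)

if __name__ == "__main__":
    for name, acl in (("as on the slide", page_acl()), ("anti-spoof first", page_acl(True))):
        print(name)
        for p in (REPLY, SPOOFED_ACK, SNMP_PROBE, TROJAN_SYN):
            print("  ", p.proto, p.src, "->", p.dst, p.dport, evaluate(acl, p))
```

With the slide's order the spoofed ACK segment is permitted by entry 5 and never reaches the logged anti-spoofing deny; with the two entries swapped it is dropped and logged at entry 5 while the genuine reply still passes. The probe to UDP 161 and the connection attempt to TCP 22222 are denied in either order, and an ordinary new connection falls through to the final permit ip any any, exactly as entry 10 describes.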



Monitoring and verifying ACLs



Task: Configure standard and Extended ACL


  • Login