ACLs Flashcards
ACLs Overview
ACLs are used both in security policies and in other policies whenever traffic has to be identified, for example:
Identify traffic that should receive better service in a QoS policy
Identify traffic to translate to a different IP address (NAT policy)
ACEs
Access Control Entries:
ACLs are made up of ACEs
Each ACE is on a separate line
Original Implementation: Standard vs. Extended ACLs
Standard ACLs reference the source address only
Extended ACLs check based on protocol, source address, destination address, & port number
Standard ACL Range: 1 - 99
Extended ACL Range: 100 - 199
ACL Improvement: Expanded Ranges
Cisco expanded the original ACL Ranges
Standard: 1 - 99 | 1300 - 1999
Extended: 100 - 199 | 2000 - 2699
Standard Access List Example
access-list 1 deny 10.10.10.10 0.0.0.0
access-list 1 permit 10.10.10.0 0.0.0.255
Extended Access List Example
access-list 100 deny tcp 10.10.10.10 0.0.0.0 gt 49151 10.10.50.10 0.0.0.0 eq 23
(gt 49151 = greater than port 49151)
access-list 100 permit tcp 10.10.10.0 0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet
There is no default wildcard mask for Extended ACLs
ACL Improvement: Named ACLs
You can now reference ACLs by number or name
Named ACLs begin with “ip access-list” instead of “access-list”
Example:
ip access-list standard Flackbox-Demo
deny 10.10.10.10 0.0.0.0
permit 10.10.10.0 0.0.0.255
Note: specify standard or extended after “ip access-list”
ACL Syntax #1: Action
deny - Specify packets to reject
permit - Specify packets to forward
remark - Access list entry comment
ACL Syntax #2: Protocol
Use TCP or UDP if you want the ACE to apply to traffic for a particular application between a source/destination address
Use IP if you want the ACE to apply to all traffic between a source/destination address
Other protocols: ahp eigrp esp gre icmp ospf
ACL Syntax #3: Source
A.B.C.D - Source address
any - Any source host
host - A single source host
ACL Syntax #4: Wildcards
The host and any keywords save you typing out the wildcard mask
Each pair of examples below means the same thing:
access-list 100 permit tcp 10.10.10.10 0.0.0.0
access-list 100 permit tcp host 10.10.10.10
access-list 100 permit tcp 0.0.0.0 255.255.255.255
access-list 100 permit tcp any
ACL Syntax #5: Source Port Number
Specifying the source port number is optional; if omitted, it defaults to any port
access-list 100 permit tcp 10.10.10.0 0.0.0.255 ?
A.B.C.D - Destination address
any - Any destination host
eq - Match only packets on a given port number
gt - Match only packets with a greater port number
host - A single destination host
lt - Match only packets with a lower port number
neq - Match only packets not on a given port number
range - Match only packets in the range of port numbers
ACL Syntax #6: Destination
Same format as source address
ACL Syntax #7: Final Options
Additional options are available after entering the destination address such as destination port, TCP flags, & logging
access-list 100 permit tcp host 10.10.10.10 10.10.20.0 0.0.0.255 ?
ack - Match on the ACK bit
eq - Match only packets on a given port number
established - Match established connections
fin - Match on the FIN bit
gt - Match only packets with a greater port number
log - Log matches against this entry
log-input - Log matches against this entry, including input interface
lt - Match only packets with a lower port number
neq - Match only packets not on a given port number
range - Match only packets in the range of port numbers
rst - Match on the RST bit
syn - Match on the SYN bit
urg - Match on the URG bit
Command: Verify ACLs
show access-lists 100
(Specify number at the end)
The “log” keyword is not required for hit counts; those are recorded anyway and shown by “show access-lists”. The keyword makes the router log each match to the console or to an external monitoring (syslog) server
Access Groups
ACLs are applied at the interface level with the Access-Group command
ACLs can be applied in the inbound or outbound direction
You can have a max of one ACL per interface per direction
You can have both an inbound and an outbound ACL on the same interface, but not two inbound or two outbound ACLs
An interface can have no ACL applied, an inbound ACL only, an outbound ACL only, or ACLs in both directions
Command: Configure access groups on interface G0/1
interface g0/1
ip access-group 100 out
ip access-group 101 in
This configures rules for both inbound and outbound traffic (one ACL per direction)
Command: Verify access list information on interface F1/0
show ip interface f1/0 | include access list
ACE Order
The ACL is read by the router from top to bottom
As soon as a rule matches the packet, the permit/deny action is applied & the ACL is not processed any further
The order of rules is important
Injecting ACEs in an existing ACL
ACEs are automatically numbered in increments of 10
Support for injecting ACEs in an existing ACL started in Named ACLs but is also supported in Numbered ACLs now
Example:
ip access-list extended 110
15 deny tcp host 10.10.10.11 host 10.10.50.10 eq telnet
The sequence number 15 at the beginning places the entry between entries 10 and 20 (since by default sequence numbers increment by 10)
Implicit Deny All
There is an implicit “deny any any” rule at the bottom of ACLs
If an ACL is not applied to an interface, all traffic is allowed
If an ACL is applied, all traffic is denied except what is explicitly allowed
Explicit Deny All
Many organizations include an explicit deny all at the end of ACLs to log illegal traffic
Example:
access-list 1 deny any log
Explicit Permit All
If an ACL is applied, all traffic is denied except what is explicitly allowed
If you want to reverse this so that all traffic is permitted except what is explicitly denied, add a permit all statement to the end of the ACL
Example:
access-list 1 permit any
Traffic Sourced from the Router
ACLs applied to an interface do not apply to traffic that originates from the router itself