ACLs Flashcards
ACLs Overview
ACLs are used both for security (filtering traffic) and in other policies whenever traffic has to be identified, for example:
Identify traffic to give better service to in a QoS policy
Identify traffic to translate to a different IP (NAT Policy)
ACEs
Access Control Entries:
ACLs are made up of ACEs
Each ACE is on a separate line
ACEs are checked top-down and the first match wins; a packet that matches no ACE hits the implicit deny at the end of every ACL
Original Implementation: Standard vs. Extended ACLs
Standard ACLs reference the source address only
Extended ACLs match on protocol, source address, destination address, and source/destination port number
Standard ACL Range: 1 - 99
Extended ACL Range: 100 - 199
ACL Improvement: Expanded Ranges
Cisco expanded the original ACL Ranges
Standard: 1 - 99 | 1300 - 1999
Extended: 100 - 199 | 2000 - 2699
Standard Access List Example
access-list 1 deny 10.10.10.10 0.0.0.0
access-list 1 permit 10.10.10.0 0.0.0.255
(In a standard ACL the wildcard mask may be omitted; it defaults to 0.0.0.0, i.e. a single host)
Extended Access List Example
access-list 100 deny tcp 10.10.10.10 0.0.0.0 gt 49151 10.10.50.10 0.0.0.0 eq 23
(gt 49151 = source port greater than 49151, i.e. an ephemeral client port; eq 23 = destination port 23, Telnet)
access-list 100 permit tcp 10.10.10.0 0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet
(eq telnet is the same as eq 23; IOS accepts well-known port names)
There is no default wildcard mask for extended ACLs: write the wildcard (0.0.0.0 for a single host) or use the host keyword
ACL Improvement: Named ACLs
You can now reference ACLs by number or name
Named ACLs begin with “ip access-list” instead of “access-list”
Example:
ip access-list standard Flackbox-Demo
deny 10.10.10.10 0.0.0.0
permit 10.10.10.0 0.0.0.255
**Specify if standard or extended after “ip access-list”
ACL Syntax #1: Action
deny - Specify packets to reject
permit - Specify packets to forward
remark - Access list entry comment
ACL Syntax #2: Protocol
Use TCP or UDP if you want the ACE to apply to traffic for a particular application between a source/destination address
Use IP if you want the ACE to apply to all traffic between a source/destination address
Other protocols: ahp eigrp esp gre icmp ospf
ACL Syntax #3: Source
A.B.C.D - Source address
any - Any source host
host - A single source host
ACL Syntax #4: Wildcards
The host and any keywords save you typing out the wildcard mask
These examples mean the same thing (the first two match one host, the last two match any source; each is the start of an ACE):
access-list 100 permit tcp 10.10.10.10 0.0.0.0
access-list 100 permit tcp host 10.10.10.10
access-list 100 permit tcp 0.0.0.0 255.255.255.255
access-list 100 permit tcp any
ACL Syntax #5: Source Port Number
Specifying the source port number is optional; it defaults to any port. After the source address the parser offers either the destination or a port operator:
access-list 100 permit tcp 10.10.10.0 0.0.0.255 ?
A.B.C.D - Destination address
any - Any destination host
eq - Match only packets on a given port number
gt - Match only packets with a greater port number
host - A single destination host
lt - Match only packets with a lower port number
neq - Match only packets not on a given port number
range - Match only packets in the range of port numbers
ACL Syntax #6: Destination
Same format as source address
ACL Syntax #7: Final Options
Additional options are available after entering the destination address such as destination port, TCP flags, & logging
access-list 100 permit tcp host 10.10.10.10 10.10.20.0 0.0.0.255 ?
ack - Match on the ACK bit
eq - Match only packets on a given port number
established - Match established connections (TCP segments with the ACK or RST bit set, so the initial SYN of a new connection does not match)
fin - Match on the FIN bit
gt - Match only packets with a greater port number
log - Log matches against this entry
log-input - Log matches against this entry, including input interface
lt - Match only packets with a lower port number
neq - Match only packets not on a given port number
range - Match only packets in the range of port numbers
rst - Match on the RST bit
syn - Match on the SYN bit
urg - Match on the URG bit
Command: Verify ACLs
show access-lists 100
(Specify the number or name at the end; omit it to show every ACL)
The “log” keyword is not required to see hit counts: show access-lists reports a per-ACE match counter anyway. “log” additionally sends a syslog message for each match to the console or an external logging server
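The evaluator below is an added example written for this page; it is not IOS code and not part of the original flashcards. It parses the standard and extended ACEs shown above (numbered or named form), applies wildcard-mask matching with the host/any shorthand, the port operators (eq, gt, lt, neq, range) and the established/TCP-flag options, evaluates an ACL top-down with first match wins and the implicit deny, and keeps per-ACE hit counters the way show access-lists reports them. The protocol and port-name tables, the Packet and ACE types, and the third ACE in ACL 100 (permit tcp any any established) are assumptions added for the demonstration.

```python
"""Toy ACL evaluator for the Cisco IOS syntax on this page (added example, not IOS code)."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ahp", "eigrp", "ospf"}  # assumed subset
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}  # assumed subset of IOS names
TCP_FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg"}
PORT_OPS = {"eq": lambda p, a, b: p == a, "neq": lambda p, a, b: p != a, "gt": lambda p, a, b: p > a,
            "lt": lambda p, a, b: p < a, "range": lambda p, a, b: a <= p <= b}
ANY = ("0.0.0.0", "255.255.255.255")  # what the 'any' keyword expands to

# A packet as the ACL sees it; flags holds the TCP flag names that are set, e.g. {"ack"}.
Packet = namedtuple("Packet", "src dst proto sport dport flags",
                    defaults=("0.0.0.0", "ip", 0, 0, frozenset()))

@dataclass
class ACE:
    action: str                    # permit / deny
    proto: str                     # "ip" for a standard ACE (source address only)
    src: tuple                     # (base, wildcard)
    dst: tuple = ANY
    sport: tuple = ()              # (op, a, b); empty = any port
    dport: tuple = ()
    opts: frozenset = frozenset()  # established, syn, ack, log, ...
    hits: int = 0                  # the counter `show access-lists` prints as "(N matches)"
    text: str = ""

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # A 0 bit in the wildcard mask must match the base address; a 1 bit is "don't care".
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

def _addr(t, i, standard):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at token i."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1].count(".") == 3:
        return (t[i], t[i + 1]), i + 2
    if standard:  # a standard ACE may omit the wildcard; it defaults to 0.0.0.0 (one host)
        return (t[i], "0.0.0.0"), i + 1
    raise ValueError(f"extended ACE needs 'host' or a wildcard mask after {t[i]}")

def _ports(t, i):  # consume an optional port operator at token i; absent means any port
    if i >= len(t) or t[i] not in PORT_OPS:
        return (), i
    n = 3 if t[i] == "range" else 2  # range takes two operands, the other operators one
    ops = [int(PORT_NAMES.get(x, x)) for x in t[i + 1:i + n]] + [None]  # 'telnet' -> 23
    return (t[i], ops[0], ops[1]), i + n

def parse_ace(line: str):
    """Parse one ACE in numbered ('access-list N ...') or named ('permit ...') form."""
    t = line.lower().split()
    if t[:1] == ["access-list"]:
        t = t[2:]
    if not t or t[0] == "remark":  # a remark is a comment and never matches traffic
        return None
    if t[1] not in PROTOCOLS:  # no protocol field, so this is a standard ACE: source only
        return ACE(t[0], "ip", _addr(t, 1, standard=True)[0], text=line)
    src, i = _addr(t, 2, standard=False)
    sport, i = _ports(t, i)
    dst, i = _addr(t, i, standard=False)
    dport, i = _ports(t, i)
    return ACE(t[0], t[1], src, dst, sport, dport, frozenset(t[i:]), text=line)

def matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto) or not wildcard_match(pkt.src, *ace.src) \
            or not wildcard_match(pkt.dst, *ace.dst):
        return False
    for rule, port in ((ace.sport, pkt.sport), (ace.dport, pkt.dport)):
        if rule and not PORT_OPS[rule[0]](port, rule[1], rule[2]):
            return False
    for opt in ace.opts:  # 'log' / 'log-input' never change the match result
        need = {"ack", "rst"} if opt == "established" else {opt} if opt in TCP_FLAGS else set()
        if need and not (need & pkt.flags):
            return False  # established = ACK or RST set, so a fresh SYN does not match
    return True

def evaluate(acl: list, pkt: Packet) -> str:
    for ace in acl:  # top-down, first match wins
        if matches(ace, pkt):
            ace.hits += 1
            return ace.action
    return "deny"  # falling off the end is the implicit 'deny any'

def show_access_list(acl: list) -> list:
    return [f"{a.text} ({a.hits} matches)" if a.hits else a.text for a in acl]  # no 'log' needed

def load(lines):
    return [ace for ace in map(parse_ace, lines) if ace]

ACL_1 = load(["access-list 1 deny 10.10.10.10 0.0.0.0",
              "access-list 1 permit 10.10.10.0 0.0.0.255"])
ACL_100 = load(["access-list 100 deny tcp 10.10.10.10 0.0.0.0 gt 49151 10.10.50.10 0.0.0.0 eq 23",
                "access-list 100 permit tcp 10.10.10.0 0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet",
                "access-list 100 permit tcp any any established"])  # last ACE assumed: replies only
```

Import the module and call evaluate(ACL_1, Packet("10.10.20.1")): it returns "deny" although no deny ACE names that address, which is the implicit deny. evaluate(ACL_100, Packet("10.10.50.10", "10.10.10.11", "tcp", 23, 50000, frozenset({"syn"}))) is also "deny", because a bare SYN from 10.10.50.10 does not satisfy established, while the same segment with ACK set is permitted. parse_ace raises ValueError for an extended ACE that omits the wildcard mask, the point made under the extended example above, and show_access_list shows the hit counters climbing without any log keyword.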