Applying Cisco Access Control Lists (ACLs)

By Joshua Erdman
Digital Foundation, inc.

Recall from the previous article how ACLs are built and when to use a standard ACL rather than an extended one.

Reusing our example:

Assumptions:
internal network: 63.36.9.0

access-list 101 - Applied to traffic leaving the office (outgoing)

access-list 102 - Applied to traffic entering the office (incoming)

ACL 101
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 102
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established

We will apply our ACLs to the serial (T1) interface to protect our network and to limit our users' Internet access to just web browsing.

Before we do that, we need to add one more entry to access-list 101 to allow HTTPS for web browsing. If you have a clue about TCP/IP you know that web browsing (HTTP) is done on port 80 and that secure web browsing (HTTPS) is done on port 443. So we also need to open port 443 if any user is to be able to, say, place an online order or check their bank account. Typically, the web page where you enter your personal information should be secure and thus requires the use of HTTPS.

The line we add is very similar to the line that is already in access list 101. You probably already have it figured out by now:

access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 443

Now that our ACLs are complete, here is how we apply them to an interface.

In or Out

We first must decide whether the traffic we are filtering is going in or out. Our users trying to access websites on the Internet is a good example of traffic going OUT from our business. Receiving e-mails from the Internet is a good example of traffic coming IN to our business. But the interface you apply the ACL to determines what "in" and "out" mean for that traffic.

Take for example a router with 2 interfaces. It has a serial port, ser0/0 (the T-1 connection), and an ethernet port, eth0/0. The Internet traffic coming IN to our office is going IN the ser0/0 interface, but it is also going OUT the eth0/0 interface to reach the office network. See how that works?

Now you have all kinds of options as to where you put your restrictions, on your serial ports or your ethernet ports, and this is just with a simple example!

For now we will activate the access lists on the serial port so the points of view are the same: traffic coming IN to the office is also going IN the serial port, and traffic going OUT of the office is going OUT that same serial port.

Applying Access Lists

Finally, the instructions you have all been waiting for! Make sure you are in privileged (enable) mode. Then use the commands below:

conf t
interface serial0/0
ip access-group 101 out
ip access-group 102 in
end

See how you must be in interface configuration mode to apply an access-list? Remember that you can only apply ONE ACL in each direction of an interface.
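To see what applying ACL 101 outbound and ACL 102 inbound on the serial interface actually does to individual packets, here is a small simulator written for this article (it is not part of the original page or Cisco's software). It models the two lists exactly as written above, including the implicit deny at the end of every ACL and the "established" match on replies; the packet addresses and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool = False  # True when the TCP ACK (or RST) flag is set, i.e. not a new connection

@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None means any destination port
    established: bool = False      # Cisco "established" keyword: match only ACK/RST segments

ANY = ipaddress.ip_network("0.0.0.0/0")
OFFICE = ipaddress.ip_network("63.36.9.0/24")  # 63.36.9.0 0.0.0.255 in wildcard-mask form

# ACL 101 (outgoing): only HTTP and HTTPS from the office network may leave.
ACL_101 = [
    Entry("permit", OFFICE, ANY, dport=80),
    Entry("permit", OFFICE, ANY, dport=443),
]
# ACL 102 (incoming): only replies to connections the office opened may enter.
ACL_102 = [
    Entry("permit", ANY, OFFICE, established=True),
]

def evaluate(acl, pkt):
    """Walk the list top-down; the first matching entry wins.
    A packet that matches nothing hits the implicit deny at the end."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in acl:
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and pkt.dport != e.dport:
            continue
        if e.established and not pkt.ack:
            continue
        return e.action
    return "deny"

# Equivalent of "ip access-group 101 out" and "ip access-group 102 in" on serial0/0.
SERIAL0_0 = {"out": ACL_101, "in": ACL_102}

def filter_on_serial(direction, pkt):
    return evaluate(SERIAL0_0[direction], pkt)
```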

Our next article covers methods for editing ACLs. This is very handy when you are dealing with several ACLs at once.

References:
Read up on editing ACLs for more information on adding new lines, more advanced entries for extended ACLs and removing ACLs from router memory.

Article last reviewed: 07/21/2003


Created by: Digital Foundation, inc.

Copyright © 2002-2005 Digital Foundation, inc.   www.networkclue.com
