NetworkClue.com
NetworkClue Home PageHome Contact UsContact ConsultingConsult
Bulletin Board
Internet Services covers Secrets to hosting websites, Hosting your own web server, and using DNS Servers.Operating Systems leads you through the decision of Linux vs. Windows, ideal installations and setups to create an efficient and redundant environment for your business, and great features to make management easier.Routing & Firewalls contains articles that will allow you to take control of your router. Learn how to protect your company with access lists and advanced firewall techniques.Hardware answers the common questions about Switches vs. Hubs, recommends SysAdmin Tools, and recommendations for adequate power protection.Utilities will cover fighting spam, using Anti-Virus programs effectively and the must haves for every administrator's software toolbox.

Firewalls
Cisco
-Cisco IOS
-Cisco Access Lists
-Applying ACLs
-Editing ACLs
-Advanced ACLs
-Compression
Network Equipment
TCP/IP
Bulletin Board

Cisco Access Control Lists (ACL)

By Joshua Erdman
Digital Foundation, inc.

The Cisco access control list (ACL) is probably the most commonly used object in the IOS. It is not only used for packet filtering (a type of firewall) but also for selecting types of traffic to be analyzed, forwarded, or influenced in some way.

Access Control List Types

Cisco ACLs are divided into types. Standard IP, Extended IP, IPX, Appletalk, etc. Here we will just go over the standard and extended access lists for TCP/IP.

As you create ACLs you assign a number to each list, however, each type of list is limited to an assigned range of numbers. This makes it very easy to determine what type of ACL you will be working with.

TCP/IP Access Lists

You can have up to 99 Standard IP Access Lists ranging in number from 1 to 99, the Extended IP Access Lists number range is assigned from 100 to 199. The most common use of the Extended IP access list to is create a packet filtering firewall. This is where you specify the allowed destinations of each packet from an allowed source.

Standard IP Access Lists

A Standard Access List only allows you to permit or deny traffic from specific IP addresses. The destination of the packet and the ports involved do not matter.

Here is an example:

access-list 10 permit 192.168.3.0 0.0.0.255

This list allows traffic from all addresses in the range 192.168.3.0 to 192.168.3.255

You can see how the last entry looks similar to a subnet mask, but with Cisco ACLs they use inverse subnet masks. Also realize that by default, there is an implicit deny added to every access list. If you entered the command:
show access-list 10
The output would be:

access-list 10 permit 192.168.3.0 0.0.0.255
access-list 10 deny any

Extended IP Access Lists

Extended ACLs allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. It also allows you to specify different types of traffic such as ICMP, TCP, UDP, etc. Needless to say, it is very grangular and allows you to be very specific. If you intend to create a packet filtering firewall to protect your network it is an Extended ACL that you will need to create.

Typically you would allow outgoing traffic and incoming initiated traffic. In other words, you want your users to be able to connect to web servers on the internet for browsing but you do not want anyone on the Internet to be able to connect to your machines. This will require 2 ACLs. One to only limit our users on the company network to only use a web browser (so this will block outgoing FTP, e-mail, Kazaa, napster, online gaming, etc.) The other access-list will only allow incoming traffic from the Internet that has been initiated from a machine on the inside. This is called an established connection. Let's see what our access list would look like for starters:

Assumptions:
internal network: 63.36.9.0

access-list 101 - Applied to traffic leaving the office (outgoing)

access-list 102 - Applied to traffic entering the office (incoming)

ACL 101
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 102
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established

ACL 101

As you can see, ACL 101 says to permit traffic originating from any address on the 63.36.9.0 network. The 'any' statement means that the traffic is allowed to have any destination address with the limitation of going to port 80 (which is the web port for HTTP). This is still only half of the solution. If you only use this access list you have totally accomplished limiting your users from doing nothing more on the internet than just be able to browse from website to website. However, you have taken no action on the incoming trafic. The Internet still has full access to all the IPs and all the ports. This leaves you vulnerable.

ACL 102

Since you only want your users to be able to browse the Internet, you must block all incoming traffic accept for the established connections in which the websites are replying to a computer on your network. Doing this is impossible unless you use the 'established' command.

Now that we are familiar with the 'established' command, ACL 102 simply states to permit established traffic from anywhere to all computers within our 63.36.9.0 network.

You may ask why access-list 102 does not read:

access-list 102 permit tcp any any established

In this situation this works just as good, but because it is not as specific, it is considered a hole or an area of vulnerability (especially if you ever got another block of IP addresses).

Activating an Access Control List

Now that you have created these ACLs they are useless until you declare them to be used in some way. As of right now they are an inactive list doing nothing. Our next article will cover applying ACLs on interfaces and how to specify if the ACL is for incoming or outgoing traffic on that interface.

Article last reviewed: 12/15/2003


del.icio.us

Created by: Digital Foundation, inc.

Copyright © 2002-2005 Digital Foundation, inc.   www.networkclue.com

All content of the NetworkClue website is copyrighted. Articles, notes, outlines, and all other materials may not be stored on the Internet or sold or placed by themselves or with other material in any electronic or printed format in whole or part. However materials may be referenced by links to the site.

 

Related Articles:
ACL Samples
Applying ACLs
Editing Access Lists
Advanced ACLs

 

Advertise Here

 

Advertise Here