ACL: Standard

by Cyrus Lok on Friday, December 18, 2009 at 1:35pm

An ACL applied to the wrong interface, or to the correct interface but in the wrong direction, is disastrous.

Applied to the wrong interface, or rather to an interface that is not the appropriate one, the ACL will filter far more traffic than you intended.

ACLs have many applications: they are used together with NAT, to filter undesirable traffic coming from the outside, and to block traffic going from the inside to the outside of the router. (That is probably why the router is also known as the gateway; an access list works like a gatekeeper with a whitelist.)

Recommendations for applying access-list (not a strict rule) are:
1. For standard access list, apply this closer to the destination.
2. For extended access list, apply this closer to the source.

Standard access list: the router screens the source address only.
Extended access list: the router screens the source and destination addresses, the protocol type, and the source and destination ports.

Note: At the end of every access list there is an implicit deny. If your list has no permit statement that matches the traffic, all traffic not defined in the list will be denied.

Application for standard access list example:

Scenario 1a:
I want to grant only one host from ITD telnet access to my router, and deny all other hosts from telneting to my router.

3 vlans:
vlan 10: subnet 192.168.0.0/28, ITD
vlan 20: subnet 192.168.0.16/28, Sales
vlan 30: subnet 192.168.0.32/28, HQ

Router-on-a-stick is used for vlan-vlan routing.

I want to grant only 192.168.0.1 telnet access to the router and deny the rest.

In global configuration mode:
R1(config)#access-list 10 permit 192.168.0.1 0.0.0.0 <cr> or
R1(config)#access-list 10 permit host 192.168.0.1 <cr>

On virtual terminal lines 0 to 4, apply the access list:
R1(config)#line vty 0 4 <cr>
R1(config-line)#access-class 10 in <cr>

Your access list is applied, so only 192.168.0.1 will be allowed to telnet in.

Scenario 1b:

I want all ITD users to be allowed to telnet to the router so that they can troubleshoot network issues, but deny other hosts from accessing my router via telnet.

VLAN 10 uses a /28 prefix, i.e. subnet mask 255.255.255.240; the block size is 16, so the maximum number of hosts in this subnet is 16 - 2 = 14.

R1(config)#access-list 10 permit 192.168.0.0 0.0.0.15 <cr>
R1(config)#line vty 0 4 <cr>
R1(config-line)#access-class 10 in <cr>

0.0.0.15 is the wildcard mask. A 0 means "I care about this number, don't touch it!"; 255 means "I don't care, any number will do". How did I get 15? ITD has at most 14 hosts, and I only want ITD hosts to reach the router via telnet while denying everyone else. If I used 0.0.0.255, wow… then every other IP address starting with 192.168.0.x would be allowed to telnet!
So, to define a specific range with a wildcard mask, always subtract 1 from the block size.
Wildcard masks are also used in OSPF (mandatory) and EIGRP (optional, but it is always good to advertise specific networks) configuration.

Scenario 2:

I want everyone to access the internet except 192.168.0.30. My ISP gave me only one public IP address, 12.1.1.10/27 (255.255.255.224).

3 vlans:
vlan 10: subnet 192.168.0.0/28, ITD
vlan 20: subnet 192.168.0.16/28, Sales
vlan 30: subnet 192.168.0.32/28, HQ

Router-on-a-stick is used for vlan-vlan routing.

R1(config)#access-list 10 deny 192.168.0.30 <cr>
R1(config)#access-list 10 permit any <cr> or

R1(config)#access-list 10 deny 192.168.0.30 <cr>
R1(config)#access-list 10 permit 192.168.0.0 0.0.0.255 <cr>

It is always good practice (in my opinion) to write my access list as explicitly as possible. The first way of writing the list would also let any subnet added later reach the internet, and I may not want hosts from a newly added subnet to surf the internet!

Do note that access list statements are processed sequentially.
If I write it this way:
R1(config)#access-list 10 permit 192.168.0.0 0.0.0.255 <cr>
R1(config)#access-list 10 deny 192.168.0.30 <cr>

Then 192.168.0.30 can still surf the internet, because that address is matched by the first permit statement before the deny is ever reached (nay nay nay nay ♬, bleah :p).
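To make the three rules above concrete (wildcard bits, top-down first-match processing, and the implicit deny at the end), here is an added Python model of how a standard ACL is evaluated. It is not part of the original post and not Cisco code; the ACL entries are constructed to mirror Scenario 2, with `host 192.168.0.30` written as wildcard `0.0.0.0`, and the helper names (`wildcard_for_prefix`, `wildcard_match`, `evaluate`) are my own.

```python
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len block: the bitwise inverse of the subnet
    mask, which is the same as 'block size minus 1' in the varying octet
    (/28 -> mask 255.255.255.240 -> wildcard 0.0.0.15)."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard means 'I care, must match';
    a 1 bit means 'I don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def evaluate(acl, src: str):
    """Walk a standard ACL top-down; the first entry whose wildcard matches the
    source address decides.  Entries are (action, base, wildcard) tuples.
    If nothing matches, the implicit 'deny any' at the end applies."""
    for entry in acl:
        action, base, wildcard = entry
        if wildcard_match(src, base, wildcard):
            return action, entry
    return "deny", ("deny", "any", "implicit")


# Constructed ACLs mirroring Scenario 2 of the post (hypothetical names).
ACL_10_CORRECT = [
    ("deny", "192.168.0.30", "0.0.0.0"),
    ("permit", "192.168.0.0", "0.0.0.255"),
]
ACL_10_WRONG_ORDER = [
    ("permit", "192.168.0.0", "0.0.0.255"),
    ("deny", "192.168.0.30", "0.0.0.0"),
]

if __name__ == "__main__":
    print("wildcard for /28:", wildcard_for_prefix(28))
    for name, acl in (("correct", ACL_10_CORRECT), ("wrong order", ACL_10_WRONG_ORDER)):
        for src in ("192.168.0.5", "192.168.0.30", "10.0.0.1"):
            print(name, src, "->", evaluate(acl, src))
```

Running it shows 192.168.0.30 denied by the first list and permitted by the reordered one, and 10.0.0.1 (not in any entry) falling through to the implicit deny in both; `wildcard_for_prefix(28)` returns the `0.0.0.15` used in Scenario 1b.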

I will complete the configuration so that this access list is used by NAT.

Router’s s0/0/0 is connected to my ISP’s router.

s0/0/0 will be marked as the NAT outside interface:
interface se0/0/0 <cr>
ip address 12.1.1.10 255.255.255.224 <cr>
no shutdown <cr>
ip nat outside <cr>

fa0/0 is connected to fa0/1 of the switch; assume that all IP addresses (the default gateway for each VLAN) are configured and that each subinterface is dot1q-tagged with its VLAN.
interface fa0/0.10 <cr> (vlan 10)
ip nat inside <cr>
int fa0/0.20 <cr>
ip nat inside <cr>
int fa0/0.30 <cr>
ip nat inside <cr>

Go back to global configuration mode and type:
R1(config)#ip nat inside source list 10 interface se0/0/0 overload or

R1(config)#ip nat pool MY_INTERNET 12.1.1.10 12.1.1.10 netmask 255.255.255.224
(defines a pool of inside global addresses)
R1(config)#ip nat inside source list 10 pool MY_INTERNET overload

The first method is easier than the second; the second defines a pool of addresses for use with dynamic NAT.
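To show how the access list and the `overload` keyword work together in `ip nat inside source list 10 interface se0/0/0 overload`, here is an added toy model in Python; it is not from the original post and not Cisco code. It assumes a constructed ACL 10 matching Scenario 2, the single public address 12.1.1.10 from the post, and my own hypothetical names (`PatTable`, `acl_permits`). Inside hosts the list permits are rewritten to the one outside address with a distinct translated source port each; a host the list denies is simply not translated, which is why 192.168.0.30 cannot surf.

```python
import ipaddress

# Constructed to mirror Scenario 2: ACL 10 denies 192.168.0.30 and permits 192.168.0.0/24.
ACL_10 = [
    ("deny", "192.168.0.30", "0.0.0.0"),
    ("permit", "192.168.0.0", "0.0.0.255"),
]
OUTSIDE_IP = "12.1.1.10"  # the single public address on se0/0/0


def _wildcard_match(addr, base, wildcard):
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def acl_permits(acl, src):
    """First matching entry wins; no match means the implicit deny."""
    for action, base, wildcard in acl:
        if _wildcard_match(src, base, wildcard):
            return action == "permit"
    return False


class PatTable:
    """Toy model (hypothetical) of NAT overload / PAT: inside-to-outside flows
    whose source the list permits are rewritten to the one outside address,
    each flow getting its own translated source port."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.translations = {}  # (inside_ip, inside_port) -> (outside_ip, outside_port)

    def translate(self, acl, inside_ip, inside_port):
        """Return the (ip, port) the packet leaves with, or None when the ACL
        did not select this source for translation (the 192.168.0.30 case)."""
        if not acl_permits(acl, inside_ip):
            return None
        key = (inside_ip, inside_port)
        if key not in self.translations:
            self.translations[key] = (self.outside_ip, self.next_port)
            self.next_port += 1
        return self.translations[key]


if __name__ == "__main__":
    pat = PatTable(OUTSIDE_IP)
    for src in ("192.168.0.5", "192.168.0.20", "192.168.0.30"):
        print(src, "->", pat.translate(ACL_10, src, 50000))
```

The same inside (ip, port) pair reuses its existing entry, so two hosts both using source port 50000 still get different outside ports on 12.1.1.10; that port is what lets one public address carry all three VLANs.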

Extended ACL will be posted later, I need some sleep now. Hahaha….xD

This entry was posted in Security.