© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 2 Objectives  Explain how ACLs are used to secure a medium-size Enterprise branch office network.  Configure standard ACLs in a medium-size Enterprise branch office network.  Configure extended ACLs in a medium-size Enterprise branch office network.  Describe complex ACLs in a medium-size Enterprise branch office network.  Implement, verify and troubleshoot ACLs in an enterprise network environment.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 3 How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network  What is ACL?  An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header.  Steps that occur in a complete TCP conversation

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 4 Conti…  ACLs control access to networks  Packet filtering works at Network Layer.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 5 Conti…  Flow chart to show how ACLs operate

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 6 A general rule for applying ACLs  One ACL per protocol-  One ACL per direction  One ACL per interface

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 7 Conti…  ACLs perform the following tasks: –Limit network traffic to increase network performance –Provide a basic level of security for network access. –Decide which types of traffic to forward or block at the router interfaces. –Control which areas a client can access on a network. –Screen hosts to permit or deny access to network services. –ACLs inspect network packets based on criteria, such as source address, destination address, protocols, and port numbers.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 8 How ACLs Work  Inbound ACLs  Outbound ACLs  ACL statements operate in sequential order. They evaluate packets against the ACL, from the top down, one statement at a time.  A final implied statement covers all packets for which conditions did not test true. This final test condition matches all other packets and results in a "deny" instruction.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 9 Types of ACLs  Standard ACLs  Standard ACLs allow you to permit or deny traffic from source IP addresses. The destination of the packet and the ports involved do not matter. Range from 1-99  Extended ACLs  Extended ACLs filter IP packets based on several attributes, for example, protocol type, source and destination IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports  Naming ACLs  Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic. However, a number does not inform you of the purpose of the ACL. For this reason, starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 10 Conti…  The two main tasks involved in using ACLs are as follows:  Step 1. Create an access list by specifying an access list number or name and access conditions.  Step 2. Apply the ACL to interfaces or terminal lines.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 11 Where to place ACLs  Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are: –Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure. –Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 12 General Guide Lines for Creating ACLs  Base your ACLs on the security policy of the organization.  Prepare a description of what you want your ACLs to do.  Use a text editor to create, edit and save ACLs.  Test your ACLs on a development network before implementing them on a production network.  Benefits  This will ensure you implement organizational security guidelines.  This will help you avoid inadvertently creating potential access problems.  This will help you create a library of reusable ACLs.  This will help you avoid costly errors.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 13 Configuring Standard ACL  Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard]  E.g  R1(config)#access-list 10 permit  The any and host Keywords  After a standard ACL is configured, it is linked to an interface using the ip access-group command:  Router(config-if)#ip access-group 1 out

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 14 Host and Any  Example 1  R1(config)#access-list 10 permit  R1(config)#access-list 10 permit any  Example 2  R1(config)#access-list 10 permit  R1(config)#access-list 10 permit host

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 15 Conti…  Cisco ACLs can be identified using standardized numbering or names

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 16 Conti…  Where ACLs should be placed in a network

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 17 Applying ACL  Apply a standard ACL to an interface

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 18 Controlling VTY Access  R1(config)#access-list 10 permit  R1(config)#access-list 10 permit  R1(config)#access-list 10 deny any  Implementing ACL on vty  R1(config)#line vty 0 4  R1(config-line)#password secret  R1(config-line)#login  R1(config-line)#access-class 10 in

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 19 Named ACLs  R1(config)#ip access-list standard NO_ACCESS  R1(config-std-nacl)#deny host  R1(config-std-nacl)#permit  R1(config)#interface fa0/0  R1(config-if)#ip access-group NO_ACCESS out

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 20 Testing for ports and services  Using port numbers  R1(config)#access-list 101 permit tcp any eq 23  R1(config)#access-list 101 permit tcp any eq 21  R1(config)#access-list 101 permit tcp any eq 20  Using service name  R1(config)#access-list 101 permit tcp any eq telnet  R1(config)#access-list 101 permit tcp any eq ftp  R1(config)#access-list 101 permit tcp any eq ftp-data  Or  R1(config)#access-list 101 permit tcp any eq ?

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 21 Types of Complex ACLs  Dynamic ACLs  Lock-and-key is a traffic filtering security feature that uses dynamic ACLs, which are sometimes referred to as lock-and-key ACLs. Lock-and-key is available for IP traffic only.  Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated. The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the extended ACL that exists.  Reflexive ACLs  Network administrators use reflexive ACLs to allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network.  Time-based ACLs  Time-based ACLs allow for access control based on time. To implement time-based ACLs, you create a time range that defines specific times of the day and week.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 22 Verifying ACLs  How to monitor and verify ACLs

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 23 Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network  Describe how to troubleshoot common ACL problems

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 24 Implement, Verify and Troubleshoot ACLs in an Enterprise Network Environment  Create, place and verify a standard/ extended ACL and verify its placement.  Verify ACL’s functionality and troubleshoot as needed.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 25 Summary  An Access List (ACL) is: A series of permit and deny statements that are used to filter traffic  Standard ACL –Identified by numbers and –Filter traffic based on source IP address  Extended ACL –Identified by number & –Filter traffic based on Source IP address Destination IP address Protocol Port number

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 26 Summary  Named ACL –Used with IOS 11.2 and above –Can be used for either standard or extended ACL  ACL’s use Wildcard Masks (WCM) –Described as the inverse of a subnet mask Reason –0  check the bit –1  ignore the bit

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 27 Summary  Implementing ACLs –1 st create the ACL –2 nd place the ACL on an interface Standard ACL are placed nearest the destination Extended ACL are placed nearest the source  Use the following commands for verifying & troubleshooting an ACL –Show access-list –Show interfaces –Show run

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 28 Summary  Complex ACL –Dynamic ACL –Reflexive ACL –Time based ACL

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 29