In a previous lesson I covered the standard access-list, now it’s time to take a look at the extended access-list. This is the topology we’ll use:
Using the extended access-list we can create far more complex statements. Let’s say we have the following requirement:
- Traffic from network 1.1.1.0 /24 is allowed to connect to the HTTP server on R2, but they are only allowed to connect to IP address 2.2.2.2.
- All other traffic has to be denied.
Now we need to translate this to an extended access-list statement. Basically they look like this:
[source] + [ source port] to [destination] + [destination port]
Let’s walk through the configuration together:
R2(config)#access-list 100 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
remark Access list entry comment
First of all we need to select a permit or deny. By the way you can also use a remark. You can use this to add a comment to your access-list statements. I’ll select the permit…
R2(config)#access-list 100 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
Now we have a lot more options. Since I want something that permits HTTP traffic we’ll have to select TCP. Let’s continue:
R2(config)#access-list 100 permit tcp ?
A.B.C.D Source address
any Any source host
host A single source host
Now we have to select a source. I can either type in a network address with a wildcard or I can use the any or host keyword. These two keywords are “shortcuts”, let me explain:
- If you type “0.0.0.0 255.255.255.255” you have all networks. Instead of typing this we can use the any keyword.
- If you type something like “2.2.2.2 0.0.0.0” we are matching a single IP address. Instead of typing the “0.0.0.0” wildcard we can use the keyword host.
I want to select network 1.1.1.0 /24 as the source so this is what we will do:
R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
Besides selecting the source we can also select the source port number. Keep in mind that when I connect from R1 to R2’s HTTP server that my source port number will be random so I’m not going to specify a source port number here.
R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 ?
ack Match on the ACK bit
dscp Match packets with given dscp value
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
fragments Check non-initial fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
urg Match on the URG bit
<cr>
We will select the destination which is IP address 2.2.2.2. I could have typed “2.2.2.2 0.0.0.0” but it’s easier to use the host keyword. Besides the destination IP address we can select a destination port number with the eq keyword:
R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80
This will be the end result. Before we apply it to the interface I will add one useful extra statement:
R2(config)#access-list 100 deny ip any any log
Using the statement above I can make that invisible “deny any” visible. The log keyword will output all denied packets to the console.
Now let’s apply it and give it a test run!
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group 100 in
We’ll apply it to the interface inbound. Don’t forget to enable the HTTP server:
R2(config)#ip http server
Now let’s generate some traffic:
R1#telnet 2.2.2.2 80
Trying 2.2.2.2, 80 ...
% Destination unreachable; gateway or host down
I don’t need a web browser to test if the HTTP server is running. I can use telnet to connect to TCP port 80. The traffic above is denied as you will see on the console of R2:
R2# %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.12.1(55419) -> 2.2.2.2(80), 1 packet
Or we can take a look at the matches on the access-list:
R2#show access-lists
Extended IP access list 100
10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www
20 deny ip any any log (1 match)
The packet was denied because the source IP address was 192.168.12.1. Let’s connect from IP address 1.1.1.1:
R1#telnet 2.2.2.2 80 /source-interface loopback 0
Trying 2.2.2.2, 80 ... Open
There we go! It now says open which means that it connected. When we use telnet we can select the source interface. The packet is now allowed because it matches the first statement of the access-list.
If I want to remove a single statement from my access-list I have two options:
- Copy your access-list to notepad, edit it and paste it back to your router and use a new access-list..
- Use the access-list editor.
The access-list editor sounds easier right? This is how it works:
R2(config)#ip access-list extended 100
Use the ip access-list command to create new access-list or modify current ones. Your console will look like this:
R2(config-ext-nacl)#
Now we can add or remove statements:
R2(config-ext-nacl)#?
Ext Access List configuration commands:
<1-2147483647> Sequence Number
default Set a command to its defaults
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
evaluate Evaluate an access list
exit Exit from access-list configuration mode
no Negate a command or set its defaults
permit Specify packets to forward
remark Access list entry comment
Let’s remove statement 20 from access-list 100:
R2(config-ext-nacl)#do show access-list 100
Extended IP access list 100
10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www (21 matches)
20 deny ip any any log (1 match)
This is what it looks like now…
R2(config-ext-nacl)#no 20
Type no in front of the sequence number and it will be gone:
R2(config-ext-nacl)#do show access-list 100
Extended IP access list 100
10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www (21 matches)
Voila it’s now gone.
Last but not least we can also create a named access-list. Let’s create something that denies ICMP traffic from R2 to R1’s loopback0 interface but allows everything else:
R1(config)#ip access-list extended DROPICMP
R1(config-ext-nacl)#deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255
R1(config-ext-nacl)#deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
This is what the access-list will look like. I’ll call it “DROPICMP”. The first statement will drop ICMP traffic from IP address 192.168.12.2 and the second line is for IP address 2.2.2.2. All other traffic is permitted. Let’s apply it to the interface:
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group DROPICMP in
Now let’s test it:
R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)R1#show access-lists
Extended IP access list DROPICMP
10 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255 (15 matches)
20 deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255
30 permit ip any any
The first ping is failing as it should…
R2#ping 1.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.....
Success rate is 0 percent (0/5)R1#show access-lists
Extended IP access list DROPICMP
10 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255 (15 matches)
20 deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255 (15 matches)
30 permit ip any any
And the second ping fails too…
Let’s do something crazy to get a match on the last statement:
R2#telnet 1.1.1.1
Trying 1.1.1.1 ...R1#show access-lists
Extended IP access list DROPICMP
10 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255 (27 matches)
20 deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255 (18 matches)
30 permit ip any any (12 matches)
I didn’t configure telnet on R1 but my packets will hit the last statement anyway. That’s all I wanted to show you about extended access-lists. It will take some time to get used to reading and creating these access-lists. Just make sure you practice a lot and it will become easy.
hostname R1
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
ip access-group DROPICMP in
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
ip access-list extended DROPICMP
deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255
deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255
permit ip any any
!
endhostname R2
!
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
ip access-group 100 in
!
interface Loopback0
ip address 2.2.2.1 255.255.255.0
!
access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80
access-list 100 deny ip any any log
!
ip http server
!
endI hope you enjoyed this lesson, if so, please leave a comment!
No comments:
Post a Comment