Showing posts with label ACL. Show all posts

Saturday, February 22, 2020

Extended Access-List example on Cisco Router

In a previous lesson I covered the standard access-list, now it’s time to take a look at the extended access-list. This is the topology we’ll use:
[Figure: standard access list example (topology with R1 and R2)]
Using the extended access-list we can create far more complex statements. Let’s say we have the following requirement:
  • Traffic from network 1.1.1.0 /24 is allowed to connect to the HTTP server on R2, but they are only allowed to connect to IP address 2.2.2.2.
  • All other traffic has to be denied.
Now we need to translate this to an extended access-list statement. Basically they look like this:
[source] + [ source port] to [destination] + [destination port]
Let’s walk through the configuration together:
R2(config)#access-list 100 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment
First of all we need to select a permit or deny. By the way, you can also use a remark to add a comment to your access-list statements. I’ll select the permit…
R2(config)#access-list 100 permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
Now we have a lot more options. Since I want something that permits HTTP traffic we’ll have to select TCP. Let’s continue:
R2(config)#access-list 100 permit tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
Now we have to select a source. I can either type in a network address with a wildcard or I can use the any or host keyword. These two keywords are “shortcuts”, let me explain:
  • If you type “0.0.0.0 255.255.255.255” you have all networks. Instead of typing this we can use the any keyword.
  • If you type something like “2.2.2.2 0.0.0.0” we are matching a single IP address. Instead of typing the “0.0.0.0” wildcard we can use the keyword host.
I want to select network 1.1.1.0 /24 as the source so this is what we will do:
R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers
Besides selecting the source we can also select the source port number. Keep in mind that when I connect from R1 to R2’s HTTP server, my source port number will be random, so I’m not going to specify a source port number here.
R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>
We will select the destination which is IP address 2.2.2.2. I could have typed “2.2.2.2 0.0.0.0” but it’s easier to use the host keyword. Besides the destination IP address we can select a destination port number with the eq keyword:
R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80
This will be the end result. Before we apply it to the interface I will add one useful extra statement:
R2(config)#access-list 100 deny ip any any log
Using the statement above I can make that invisible “deny any” visible. The log keyword will output all denied packets to the console.
Now let’s apply it and give it a test run!
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group 100 in
We’ll apply it to the interface inbound. Don’t forget to enable the HTTP server:
R2(config)#ip http server
Now let’s generate some traffic:
R1#telnet 2.2.2.2 80
Trying 2.2.2.2, 80 ... 
% Destination unreachable; gateway or host down
I don’t need a web browser to test if the HTTP server is running. I can use telnet to connect to TCP port 80. The traffic above is denied as you will see on the console of R2:
R2# %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.12.1(55419) -> 2.2.2.2(80), 1 packet
Or we can take a look at the matches on the access-list:
R2#show access-lists 
Extended IP access list 100
    10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www
    20 deny ip any any log (1 match)
The packet was denied because the source IP address was 192.168.12.1. Let’s connect from IP address 1.1.1.1:
R1#telnet 2.2.2.2 80 /source-interface loopback 0
Trying 2.2.2.2, 80 ... Open
There we go! It now says open which means that it connected. When we use telnet we can select the source interface. The packet is now allowed because it matches the first statement of the access-list.
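The %SEC-6-IPACCESSLOGP line that R2 printed is more useful when it is collected than when it scrolls past on the console. The following Python snippet is an added example (not part of the original lesson and not IOS code) that parses such lines and totals denied packets per flow; the sample log lines are constructed in the format shown above.

```python
import re
from collections import Counter

# Format of the %SEC-6-IPACCESSLOGP message R2 printed above (TCP/UDP hits on
# an ACE with the log keyword). A prompt or syslog timestamp may precede it.
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line is
    not an IPACCESSLOGP message."""
    m = LOGP.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def denied_per_flow(lines):
    """Sum denied packets per (acl, src, dst, dport). IOS logs the first
    matching packet immediately and later ones only as periodic 'N packets'
    summaries, so the packet count is added instead of counting lines."""
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["src"], rec["dst"], rec["dport"])] += rec["count"]
    return totals

# Constructed sample: the first line is the one shown on this page, the others
# imitate what repeated telnet attempts from 192.168.12.1 would produce.
SAMPLE_LOG = [
    "R2# %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.12.1(55419) -> 2.2.2.2(80), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.12.1(55420) -> 2.2.2.2(80), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.12.1(55420) -> 2.2.2.2(80), 4 packets",
    "%SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.12.1(55421) -> 2.2.2.2(23), 1 packet",
    "%SYS-5-CONFIG_I: Configured from console by console",  # unrelated, ignored
]

if __name__ == "__main__":
    for flow, packets in denied_per_flow(SAMPLE_LOG).items():
        print(flow, packets)
```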
If I want to remove a single statement from my access-list I have two options:
  • Copy your access-list to notepad, edit it, paste it back to your router and use a new access-list.
  • Use the access-list editor.
The access-list editor sounds easier right? This is how it works:
R2(config)#ip access-list extended 100
Use the ip access-list command to create a new access-list or modify an existing one. Your console will look like this:
R2(config-ext-nacl)#
Now we can add or remove statements:
R2(config-ext-nacl)#?
Ext Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment
Let’s remove statement 20 from access-list 100:
R2(config-ext-nacl)#do show access-list 100
Extended IP access list 100
    10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www (21 matches)
    20 deny ip any any log (1 match)
This is what it looks like now…
R2(config-ext-nacl)#no 20
Type no in front of the sequence number and it will be gone:
R2(config-ext-nacl)#do show access-list 100
Extended IP access list 100
    10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www (21 matches)
Voilà, it’s now gone.
Last but not least we can also create a named access-list. Let’s create something that denies ICMP traffic from R2 to R1’s loopback0 interface but allows everything else:
R1(config)#ip access-list extended DROPICMP  
R1(config-ext-nacl)#deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255
R1(config-ext-nacl)#deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255     
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
This is what the access-list will look like. I’ll call it “DROPICMP”. The first statement will drop ICMP traffic from IP address 192.168.12.2 and the second line is for IP address 2.2.2.2. All other traffic is permitted. Let’s apply it to the interface:
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group DROPICMP in
Now let’s test it:
R2#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#show access-lists 
Extended IP access list DROPICMP
    10 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255 (15 matches)
    20 deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255
    30 permit ip any any
The first ping is failing as it should…
R2#ping 1.1.1.1 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2 
.....
Success rate is 0 percent (0/5)
R1#show access-lists 
Extended IP access list DROPICMP
    10 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255 (15 matches)
    20 deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255 (15 matches)
    30 permit ip any any
And the second ping fails too…
Let’s do something crazy to get a match on the last statement:
R2#telnet 1.1.1.1   
Trying 1.1.1.1 ...
R1#show access-lists 
Extended IP access list DROPICMP
    10 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255 (27 matches)
    20 deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255 (18 matches)
    30 permit ip any any (12 matches)
I didn’t configure telnet on R1 but my packets will hit the last statement anyway. That’s all I wanted to show you about extended access-lists. It will take some time to get used to reading and creating these access-lists. Just make sure you practice a lot and it will become easy.
hostname R1
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 ip access-group DROPICMP in
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
ip access-list extended DROPICMP
 deny   icmp host 192.168.12.2 1.1.1.0 0.0.0.255
 deny   icmp host 2.2.2.2 1.1.1.0 0.0.0.255
 permit ip any any
!
end
hostname R2
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip access-group 100 in
!
interface Loopback0
 ip address 2.2.2.1 255.255.255.0
!
access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80
access-list 100 deny ip any any log
!
ip http server
!
end

I hope you enjoyed this lesson. If so, please leave a comment!

Standard access-list example on Cisco Router

Let’s configure some access-lists so I can demonstrate to you how this is done on Cisco IOS routers. In this lesson we’ll cover the standard access-list. Here’s the topology:
[Figure: standard access list example (topology with R1 and R2)]
Two routers and each router has a loopback interface. I will use two static routes so that the routers can reach each other’s loopback interface:
R1(config)#ip route 2.2.2.0 255.255.255.0 192.168.12.2
R2(config)#ip route 1.1.1.0 255.255.255.0 192.168.12.1
If you choose to use a routing protocol to advertise networks, be careful that your access-list doesn’t block your RIP, EIGRP or OSPF traffic…
Now let’s start with a standard access-list! I’ll create something on R2 that only permits traffic from network 192.168.12.0 /24:
R2(config)#access-list 1 permit 192.168.12.0 0.0.0.255
This single permit entry will be enough. Keep in mind at the bottom of the access-list is a “deny any”. We don’t see it but it’s there. Let’s apply this access-list inbound on R2:
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group 1 in
Use the ip access-group command to apply it to an interface. I applied it inbound with the in keyword.
R2#show ip interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet address is 192.168.12.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 1
You can verify that the access-list has been applied with the show ip interface command. Above you see that access-list 1 has been applied inbound.
Now let’s generate some traffic…
R1#ping 192.168.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Our ping is successful; let’s check the access-list:
R2#show access-lists 
Standard IP access list 1
    10 permit 192.168.12.0, wildcard bits 0.0.0.255 (27 matches)
As you can see the access-list shows the number of matches per statement. We can use this to verify our access-list. Let me show you something useful when you are playing with access-lists:
R1#ping 192.168.12.2 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
U.U.U
Success rate is 0 percent (0/5)
When you send a ping you can use the source keyword to select the interface. The source IP address of this IP packet is now 1.1.1.1 and you can see these pings are failing because the access-list drops them.
R2#show access-lists 
Standard IP access list 1
    10 permit 192.168.12.0, wildcard bits 0.0.0.255 (27 matches)
You won’t see them with the show access-list command because the “deny any” is dropping them.
What if I wanted something different? Let’s say I want to deny traffic from network 192.168.12.0 /24 but permit all other networks? I can do something like this:
R2(config)#access-list 2 deny 192.168.12.0 0.0.0.255
R2(config)#access-list 2 permit any
I’ll create a new access-list and the first statement will deny network 192.168.12.0 /24. The second statement is a permit any. Because of this permit any, nothing except traffic from 192.168.12.0 /24 will be denied, and the invisible “deny any” is never reached. Let’s apply the new access-list:
R2(config-if)#no ip access-group 1 in
R2(config-if)#ip access-group 2 in
Now it’s active, let’s give it a test run:
R1#ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R2#show access-lists 2
Standard IP access list 2
    10 deny   192.168.12.0, wildcard bits 0.0.0.255 (11 matches)
    20 permit any
These pings are hitting the first statement and are dropped…
R1#ping 2.2.2.2 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R2#show access-lists 2
Standard IP access list 2
    10 deny   192.168.12.0, wildcard bits 0.0.0.255 (11 matches)
    20 permit any (15 matches)
And pings from the loopback0 interface of R1 are hitting the second statement and are allowed.
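To make the first-match logic concrete for both the extended list 100 from the lesson above and the standard lists 1 and 2 here, this is a small Python evaluator I added (not IOS code and not part of the original lessons). It implements the wildcard-mask rule, the host/any shortcuts, per-statement match counters and the invisible “deny any”; the entry layout and the packet dicts are my own construction.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 1 = don't care, 0 = must match. So 'host X' is X 0.0.0.0
    and 'any' is 0.0.0.0 255.255.255.255, the two shortcuts from the lesson."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")

def host(ip):
    return (ip, "0.0.0.0")

def entry(action, proto="ip", src=ANY, dst=ANY, dport=None):
    """One statement; a standard list only uses src, an extended list uses all."""
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "matches": 0}

def evaluate(acl, pkt):
    """Return (action, sequence) of the first matching statement and count the
    hit like 'show access-lists' does. Falling off the end hits the invisible
    'deny any', which has no sequence number and no counter (None)."""
    for seq, e in enumerate(acl, start=1):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *e["src"])
                and wildcard_match(pkt["dst"], *e["dst"])):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        e["matches"] += 1
        return e["action"], seq * 10
    return "deny", None

# The lists from this page, written as evaluator entries.
ACL_1 = [entry("permit", src=("192.168.12.0", "0.0.0.255"))]
ACL_2 = [entry("deny", src=("192.168.12.0", "0.0.0.255")), entry("permit")]
ACL_100 = [entry("permit", "tcp", ("1.1.1.0", "0.0.0.255"), host("2.2.2.2"), 80),
           entry("deny")]  # deny ip any any log
DROPICMP = [entry("deny", "icmp", host("192.168.12.2"), ("1.1.1.0", "0.0.0.255")),
            entry("deny", "icmp", host("2.2.2.2"), ("1.1.1.0", "0.0.0.255")),
            entry("permit")]

if __name__ == "__main__":
    # Replay two of the tests from the page: the ping from R1's loopback that
    # the invisible deny drops, and the telnet to 2.2.2.2 port 80 that is allowed.
    print(evaluate(ACL_1, {"proto": "icmp", "src": "1.1.1.1", "dst": "192.168.12.2"}))
    print(evaluate(ACL_100, {"proto": "tcp", "src": "1.1.1.1", "dst": "2.2.2.2", "dport": 80}))
```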
If I want to remove a statement from an access-list, there is a nice surprise waiting for me:
R2(config)#no access-list 2 deny 192.168.12.0 0.0.0.255
Let’s say I want to remove the statement above. I’ll type no access-list and this is what you’ll discover:
R2#show access-lists 2
The whole access-list is gone…ouch! You can’t use no access-list to remove a statement. Your router will just accept “no access-list 2” and remove the whole access-list. Fun to discover in a lab, not so much fun on a production network. I’ll show you how to deal with this in a bit.
Besides applying an access-list inbound or outbound you can also apply them to the VTY lines. This is useful if you want to secure telnet or SSH access to your router. Let’s configure R1 so telnet access is only allowed from network 192.168.12.0 /24:
R1(config)#access-list 3 permit 192.168.12.0 0.0.0.255
R1(config)#line vty 0 4
R1(config-line)#access-class 3 in
Above you can see that I created access-list 3 but I used the access-class command on the VTY lines. On interfaces we use the “access-group” command but on VTY lines you need to use “access-class” to apply them.
Let’s try to use telnet:
R2#telnet 192.168.12.1
Trying 192.168.12.1 ... Open

Password required, but none set

[Connection to 192.168.12.1 closed by foreign host]
It says “open” which means that it connects. The connection is closed because I didn’t configure a password for telnet but the access-list should work:
R1#show access-lists 
Standard IP access list 3
    10 permit 192.168.12.0, wildcard bits 0.0.0.255 (2 matches)
You can see that the packets have matched the statement in access-list 3.
hostname R1
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
ip route 2.2.2.0 255.255.255.0 192.168.12.2
!
access-list 3 permit 192.168.12.0 0.0.0.255
!
line vty 0 4
 access-class 3 in
!
end
hostname R2
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip access-group 2 in
!
interface Loopback0
 ip address 2.2.2.1 255.255.255.0
!
ip route 1.1.1.0 255.255.255.0 192.168.12.1
!
access-list 1 permit 192.168.12.0 0.0.0.255
access-list 2 deny 192.168.12.0 0.0.0.255
access-list 2 permit any
!
end

That’s all for now. You have now learned how to configure standard access-lists and how to apply them to your interfaces or VTY lines. I hope you learned something from this lesson; if you have any questions, please leave a comment!