Saturday, 7 April 2007

Cisco Access-lists

An access list on a Cisco router is an ordered list of permit and deny statements that packets are matched against (by address, and in extended lists also by protocol and port). The first line that matches decides what happens to the packet, and anything that matches no line is dropped by the implicit deny that ends every list.

Note: all of the commands used in this post are for IOS 12.4.

Let's begin with the most basic kind, the standard IP access list, numbered 1 to 99 (1300 to 1999 in the expanded range). A standard list matches on source address only, and is most often used to control who may telnet to the router, to select traffic for NAT (Network Address Translation), and in route maps.

First, an example of restricting telnet to the router so that it is only allowed from permitted locations, in this case the local LAN (Local Area Network) and the remote admin office.

Create the access list:

access-list 2 remark The local LAN.
access-list 2 permit 172.16.1.0 0.0.0.255

access-list 2 remark Remote Admin Office.
access-list 2 permit 195.184.235.17


Now tell the vty lines to use the access list for incoming remote connections:

line vty 0 4
access-class 2 in

Now only hosts on the LAN and at the remote address can reach the router's vty lines; everyone else is dropped by the implicit deny at the end of the list (every access list ends with one, whether you write it or not). Next, let's build an access list for traffic arriving from the Internet. For this we want to filter on TCP/UDP ports and ICMP types, which needs an extended access list, numbered 100 to 199 or 2000 to 2699. The interface you apply it to depends on how you are connected; there are several kinds of ADSL (Asymmetric Digital Subscriber Line) termination, but in this example the ATM (Asynchronous Transfer Mode) circuit is terminated on RJ11 and runs PPPoA (Point-to-Point Protocol over ATM), the usual setup for ADSL here in England, so the list goes on the dialer interface.

access-list 101 remark permit domain lookups
access-list 101 permit udp any eq domain any

access-list 101 remark permit web browsing lookups
access-list 101 permit tcp any eq 80 any

access-list 101 remark permit SSH
access-list 101 permit tcp any any eq 22

access-list 101 remark permit telnet
access-list 101 permit tcp any any eq telnet

access-list 101 remark deny ping to your router but not from it
access-list 101 deny icmp any any echo

access-list 101 remark deny all other traffic and log it
access-list 101 deny ip any any log

Now apply the list inbound on the interface that faces the Internet, in this case dialer0:

interface dialer0
ip access-group 101 in

A few things to notice about this list. It is stateless: the lines permitting source port 53 and source port 80 are there so that DNS replies and web pages can get back in, but nothing stops an attacker sourcing a scan from port 80 and reaching any port behind the list, so for TCP prefer `permit tcp any eq 80 any established` (which only matches segments with ACK or RST set) or, better, the stateful inspection in IOS (`ip inspect`) if your image has the firewall feature set. The remark on the ICMP line also promises more than it delivers: echo requests are dropped by that line, but the echo replies to pings you send from the router are dropped by the final `deny ip any any log`, so add `permit icmp any any echo-reply` above it if you want to be able to ping out. That final deny is also what makes the list worth logging, because once the list is in place you will need to debug it from time to time.

If you are on the console you will see the log messages directly; over a telnet or SSH session use the `terminal monitor` command. From the deny-and-log line you will see entries like this:

01:05:28: %SEC-6-IPACCESSLOGP: list 101 denied tcp 24.118.18.108(37845) -> 195.184.85.134(62227), 1 packet

To help you debug, here is how to read it. The message gives the time, then the message type (`%SEC-6-IPACCESSLOGP`, the access-list log for TCP and UDP), then the number of the access list (101), then the verdict (denied), the protocol (tcp), the source IP with its source port in brackets, an arrow, the destination (your router) with the destination port, and finally how many packets this message covers.

So this one reads: access-list 101 stopped TCP from 24.118.18.108 port 37845 to 195.184.85.134 port 62227, one packet. IOS logs the first packet of a flow immediately and then a summary every five minutes, so the packet counts arrive in bursts rather than one message per packet.
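Reading these messages one at a time gets old quickly once a list is logging real traffic. The following is an added example, not part of the original post or of IOS: a small parser for the `%SEC-6-IPACCESSLOGP` message format shown above and for its ICMP sibling `%SEC-6-IPACCESSLOGDP` (which carries an ICMP type/code instead of ports), followed by a summary of who is being dropped and whether any one source is sweeping several ports. The first sample line is the one from the post; the remaining lines, their addresses (RFC 5737 documentation ranges) and the port-sweep threshold are constructed for the example.

```python
"""Parse IOS access-list log messages and summarise denied traffic.
Added example for the post; the sample log below is constructed, apart
from its first line which is the message quoted in the post."""
import re
from collections import Counter, defaultdict

# TCP/UDP hits carry ports (IPACCESSLOGP); ICMP hits carry (type/code) (IPACCESSLOGDP).
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")
LOGDP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) icmp "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?")

# Constructed sample: one host probing four ports, a UDP probe, a ping sweep,
# and an unrelated syslog line that the parser must skip.
SAMPLE_LOG = """\
01:05:28: %SEC-6-IPACCESSLOGP: list 101 denied tcp 24.118.18.108(37845) -> 195.184.85.134(62227), 1 packet
01:05:31: %SEC-6-IPACCESSLOGP: list 101 denied tcp 24.118.18.108(37846) -> 195.184.85.134(135), 1 packet
01:05:31: %SEC-6-IPACCESSLOGP: list 101 denied tcp 24.118.18.108(37847) -> 195.184.85.134(139), 1 packet
01:05:32: %SEC-6-IPACCESSLOGP: list 101 denied tcp 24.118.18.108(37848) -> 195.184.85.134(445), 1 packet
01:06:02: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.9(1034) -> 195.184.85.134(1434), 3 packets
01:06:40: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.7 -> 195.184.85.134 (8/0), 5 packets
01:07:01: %SYS-5-CONFIG_I: Configured from console by vty0 (172.16.1.20)
"""


def parse_line(line):
    """Return a dict for an access-list log message, or None for any other line."""
    m = LOGP.search(line)
    if m:
        hit = m.groupdict()
        for key in ("sport", "dport", "count"):
            hit[key] = int(hit[key])
        return hit
    m = LOGDP.search(line)
    if m:
        hit = m.groupdict()
        hit["proto"] = "icmp"
        for key in ("type", "code", "count"):
            hit[key] = int(hit[key])
        return hit
    return None


def summarise(lines):
    """Total denied packets per source and the set of destination ports each source hit.
    Counts are what IOS reports: the first packet, then five-minute summaries."""
    packets_by_src = Counter()
    dports_by_src = defaultdict(set)
    skipped = 0
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            skipped += 1          # not an access-list message
            continue
        if hit["action"] != "denied":
            continue              # only the drops are of interest here
        packets_by_src[hit["src"]] += hit["count"]
        if hit["proto"] in ("tcp", "udp"):
            dports_by_src[hit["src"]].add(hit["dport"])
    return {"packets_by_src": packets_by_src,
            "dports_by_src": dports_by_src,
            "skipped": skipped}


def port_sweepers(summary, min_ports=4):
    """Sources denied on at least min_ports distinct destination ports (a crude scan detector)."""
    return sorted(src for src, ports in summary["dports_by_src"].items()
                  if len(ports) >= min_ports)


def top_sources(summary, n=3):
    """The n sources with the most denied packets, as (source, packets) pairs."""
    return summary["packets_by_src"].most_common(n)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines())
    print("skipped non-ACL lines:", s["skipped"])
    print("top sources:", top_sources(s))
    print("port sweepers:", port_sweepers(s))
```

Feed it `show logging` output or the syslog file your router sends to, one line per entry. Because IOS summarises repeated hits every five minutes, a burst of scanning shows up as a handful of messages with large packet counts rather than hundreds of single-packet lines, which is why the summary adds the counts rather than counting messages.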

In extended IP access lists (100-199 and 2000-2699) you can match on protocol, source and destination address, port, and time range; in the standard lists (1-99) you can only match the source address, as a host or a range.

If you have been reading closely you will have noticed I mentioned time ranges without giving an example. That is because we have not got that far yet. If you are not 100% sure which traffic you want to allow and block, I strongly recommend reading up on the OSI seven-layer model before going further.

Now that I have mentioned time ranges I might as well continue. Not only can you filter on ports and address ranges, you can make exceptions based on the time of day or even the day of the week. Make sure the router's clock is set correctly, or that it is synchronised by NTP to a server on your network, or you may get some interesting cut-off times.

time-range no-http
periodic weekdays 8:00 to 18:00

time-range udp-yes
periodic weekend 12:00 to 20:00

access-list 102 deny tcp any any eq 80 time-range no-http
access-list 102 permit udp any any time-range udp-yes

interface ethernet0
ip access-group 102 in
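Everything above (the standard list 2, the extended list 101 and the time-ranged list 102) comes down to one rule: entries are tried top to bottom, the first match wins, and whatever matches nothing is dropped. The following is an added example, not from the post or from IOS: a small Python model of that evaluation, including wildcard-mask matching and time ranges, with the three lists transcribed from the post. It makes a few of the consequences visible, such as what the implicit deny does to list 2, how the stateless source-port-80 line in list 101 behaves, why the router's own pings get no replies through list 101, and what the time-ranged deny in list 102 does outside its hours. The packet addresses are taken from the post where they exist (the router and the logged source); the LAN host, the remote destination, the whole-hour time handling and the sample dates are constructed.

```python
"""Model of how IOS evaluates an access list: entries are tried top to bottom,
the first match decides, and a packet matching nothing hits the implicit deny.
Added example, not IOS code; lists 2, 101 and 102 are transcribed from the
post, the packet shapes, sample dates and non-router addresses are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' is 0.0.0.0 with an all-ones wildcard


def host(ip: str) -> tuple:
    """'host x' is x with an all-zeros wildcard (what 'access-list 2 permit x' means)."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard masks are inverted netmasks: a 1 bit means 'do not care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


# Stand-ins for the post's time-range objects, simplified to whole hours.
# weekday(): Monday == 0 ... Sunday == 6.
TIME_RANGES = {
    "no-http": (range(0, 5), 8, 18),   # periodic weekdays 8:00 to 18:00
    "udp-yes": (range(5, 7), 12, 20),  # periodic weekend 12:00 to 20:00
}


def time_range_active(name: str, now: datetime) -> bool:
    days, start, end = TIME_RANGES[name]
    return now.weekday() in days and start <= now.hour < end


@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches every protocol
    src: tuple = ANY                   # (address, wildcard)
    dst: tuple = ANY
    sport: Optional[int] = None        # 'eq' on the source port
    dport: Optional[int] = None        # 'eq' on the destination port
    icmp_type: Optional[str] = None    # "echo", "echo-reply", ...
    time_range: Optional[str] = None   # entry is skipped outside the range


def evaluate(acl, pkt, now=None):
    """Return (action, index) of the first matching entry; index is None when the
    implicit deny at the end of the list is what drops the packet."""
    for i, e in enumerate(acl):
        if e.time_range and not time_range_active(e.time_range, now):
            continue
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *e.src) or not wildcard_match(pkt["dst"], *e.dst):
            continue
        if e.sport is not None and pkt.get("sport") != e.sport:
            continue
        if e.dport is not None and pkt.get("dport") != e.dport:
            continue
        if e.icmp_type is not None and pkt.get("icmp_type") != e.icmp_type:
            continue
        return e.action, i
    return "deny", None


# Standard list 2: matches the source address only, so dst stays ANY.
ACL_2 = [Entry("permit", "ip", src=("172.16.1.0", "0.0.0.255")),
         Entry("permit", "ip", src=host("195.184.235.17"))]

# Extended list 101 in the post's order (domain == 53, telnet == 23).
ACL_101 = [Entry("permit", "udp", sport=53),
           Entry("permit", "tcp", sport=80),
           Entry("permit", "tcp", dport=22),
           Entry("permit", "tcp", dport=23),
           Entry("deny", "icmp", icmp_type="echo"),
           Entry("deny", "ip")]               # deny ip any any log

# List 102: a time-ranged deny followed only by a time-ranged permit.
ACL_102 = [Entry("deny", "tcp", dport=80, time_range="no-http"),
           Entry("permit", "udp", time_range="udp-yes")]

ROUTER = "195.184.85.134"                    # the router address from the post's log line
TUE_10AM = datetime(2007, 4, 10, 10, 0)      # weekday, inside no-http
TUE_8PM = datetime(2007, 4, 10, 20, 0)       # weekday, outside no-http
SAT_1PM = datetime(2007, 4, 14, 13, 0)       # weekend, inside udp-yes
SAT_9AM = datetime(2007, 4, 14, 9, 0)        # weekend, outside udp-yes


def l4(proto, src, dst, sport, dport):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


def icmp(src, dst, icmp_type):
    return {"proto": "icmp", "src": src, "dst": dst, "icmp_type": icmp_type}


def std(src):
    return {"proto": "ip", "src": src, "dst": ROUTER}


if __name__ == "__main__":
    print(evaluate(ACL_2, std("172.16.2.1")))                                   # ('deny', None): implicit deny
    print(evaluate(ACL_101, l4("tcp", "24.118.18.108", ROUTER, 37845, 62227)))  # ('deny', 5): the logged packet
    print(evaluate(ACL_101, l4("tcp", "24.118.18.108", ROUTER, 80, 62227)))     # ('permit', 1): same target, source port 80
    print(evaluate(ACL_101, icmp("24.118.18.108", ROUTER, "echo-reply")))       # ('deny', 5): replies to your own pings
    print(evaluate(ACL_102, l4("tcp", "172.16.1.20", "10.0.0.1", 40000, 80), TUE_8PM))  # ('deny', None): still dropped
```

The two results worth dwelling on are the second and the last. Sourcing the same probe from port 80 turns a drop into a permit, which is the cost of stateless return-traffic lines. And list 102 drops port 80 outside the `no-http` hours just as it does inside them, only by the implicit deny instead of the explicit one; a time-ranged deny only changes behaviour if a later line would otherwise permit the traffic.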

Now you begin to see how times of day can be used to permit traffic or access; for instance you might deny FTP and Telnet sessions after work hours so that nobody uses them while you are at home. One thing to be careful of: a time-ranged deny only changes anything if a later line would otherwise permit the traffic. In list 102 nothing permits TCP at all, so port 80 is dropped round the clock by the implicit deny; if the intention is "block web during the day, allow it otherwise", the list needs a `permit ip any any` (or more specific permits) after the time-ranged deny. Likewise the UDP line means UDP passes only at weekends between 12:00 and 20:00 and is dropped the rest of the time.

There is something else you can do with access lists: you can name them, which makes them friendlier if you do not like numbers much. Here are some more examples.


Example one: a standard named list that keeps one network out. The `permit any` at the end matters; without it the implicit deny would drop everything, not just 171.69.0.0/16.

ip access-list standard prevention
deny 171.69.0.0 0.0.255.255
permit any

interface ethernet0/1
ip access-group prevention in


Example two: the time-range list from above as a named extended list.

time-range no-http
periodic weekdays 8:00 to 18:00

time-range udp-yes
periodic weekend 12:00 to 20:00

ip access-list extended strict
deny tcp any any eq http time-range no-http
permit udp any any time-range udp-yes

interface ethernet0
ip access-group strict in

That covers most of the basic access lists. There is one last thing to think about: we have been looking at traffic entering an interface, but you can also control the traffic leaving it, and in fact you can do both at the same time.

ip access-list extended internet
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit tcp any any eq 1723
permit gre any any
permit tcp any any eq 22
permit tcp any any eq telnet
deny icmp any any echo
deny ip any any log

ip access-list extended lan-network
permit tcp any any eq 80
permit udp any any eq 53
deny ip any any log

interface dialer0
ip access-group internet in
ip access-group lan-network out

Two points about this pair. An outbound list on dialer0 filters traffic the router forwards out of that interface, not traffic the router originates itself, so `lan-network` restricts the LAN to web and DNS but does not restrict the router's own sessions. And because these lists are stateless, the inbound list `internet` must also let the replies to that web and DNS traffic back in, which as written it does not; add return-traffic lines such as `permit tcp any eq 80 any established` and `permit udp any eq 53 any` above the final deny, or use `ip inspect` to open the return paths automatically.

That brings an end to our talk about access lists for today; I hope to write more on them in the coming month.

If you have questions on this, feel free to drop me a line. I am also open to suggestions on how to make this easier to understand.
