Ok, access-lists are easy.. heh, well for the most part.
There are a bunch of different types of access-lists, ie. standard, extended,
ipx, apple-talk, etc. however, the only two you'll use are going to be standard
and extended.
Ranges for standard: 0-99
Ranges for extended: 100-199
Now, let's go over the basics:
- Standard access-lists filter based on source addresses ONLY. They
cannot filter based on protocol.
- Extended access-lists filter based on source AND destination, and can also
filter based on protocol (ie: telnet/http/smtp/etc).
- Access-lists use WILDCARD masks in place of subnet masks. A wildcard mask
is exactly what it sounds like, if I am referring to a block of 128 addresses
the mask would be 0.0.0.128. If it was 2 class-c's it would be 0.0.1.255.
- Class A: 10.0.0.0 = 0.255.255.255
- Class B: 10.0.0.0 = 0.0.255.255
- Class C: 10.0.0.0 = 0.0.0.255
- 8 Addresses = 0.0.0.8
- 30 Addresses = 0.0.0.30
- 128 Addresses = 0.0.0.128
- 4 Class-C's = 0.0.3.255
- Ok, ENOUGH examples!! =)
Let's go over some examples, shall we?
-- Exercise #1 --
Email
From : [email][email protected][/email]
To : [email][email protected][/email]
Subject: Add this filter..
Hello,
I would like you to deny all inbound traffic to the following addresses:
192.168.0.20
192.168.0.21
192.168.0.22
192.168.0.23
Thanks,
[email][email protected][/email]
Alright! Our first access-list request! This is how we go about doing this.
1- Log onto customer's router and enter configuration mode by becoming enabled.
2- Determine if this is a standard of extended ACL (this is a standard since
it is destination only)
3- If there is already an access-list on the router that you're adding this to
you must completely re-do the access-list. If no access-list(s) exist,
create a new one.
- This is because routers take new additions to an access-list kinda
funky. The way you do this is do a "show run" and cut & paste the
full access-list to a notepad or something, make your modification,
and then re-add the whole list to the router.
4- Implement the change, and make sure it works..
- You must also bind this access-list to the interface this traffic
will be entering on.
- You can make sure it works by typing the command "sh ip access-list"
if you see "matches" then it's filtering, cool!
5- write the changes ("write memory" or just "wr")
Let's see this in action..! I will do this one step at a time as I stated
above.
1:
--
[skatter@icons (~)]$ telnet router
Trying 10.0.0.7...
Connected to router.
Escape character is '^]'.
::::::::::::: ::: :::::::::::: :: :: .. . .
: :.. .. .
: e0-sjc-gw.gaschamber.net ... .
: : : .. .
::::::::::::::::::::::: :: :::::: :::.. . : .. . .
User Access Verification
Username: lameuser
Password:
bear>en
Password:
bear#
2:
--
bear# sh run
Building configuration...
Current configuration:
!
! Last configuration change at 08:49:25 PST Thu Mar 2 2000 by skatter
! NVRAM config last updated at 16:06:50 PST Wed Mar 1 2000 by skatter
!
version 12.0
...
(output withdrawn)
...
!
access-list 25 permit 24.4.89.89
access-list 25 permit 24.9.250.199
access-list 25 permit 63.197.206.98
access-list 25 permit 24.8.164.207
access-list 25 permit 207.82.32.23
access-list 25 permit 209.128.78.181
access-list 25 permit 10.0.0.0 0.0.0.255
access-list 25 permit 209.220.56.0 0.0.0.255
access-list 25 permit 216.32.160.0 0.0.0.255
access-list 25 permit 205.166.195.0 0.0.0.255
access-list 25 permit 209.185.97.0 0.0.0.255
...
(output withdrawn)
...
Since I use access-list 25 to determine if someone can telnet in or not, we
won't use this, we'll use a new access-list, saaaay.. access-list 10.
3:
--
- Don't forget about the IMPLICIT deny in access-lists. This means that
if it isn't listed, it will be DENIED. This can cause you being locked
out of the router if you don't add a line to allow the rest of the world
in. You don't see it, but it is there and it is a security feature
implemented by Cisco.
- Implicit Deny = access-list 10 deny any
bear#conf t
Enter configuration commands, one per line. End with CNTL/Z.
bear(config)#access-list 10 deny 192.168.0.20 0.0.0.4
bear(config)#access-list 10 permit any
bear(config)#int e0
bear(config-if)#ip access-group 10 in
bear(config-if)#^Z
4:
--
Below you can see our new addition, often times you could cut & paste this
output or a portion of this output to a customer for their verification.
bear#sh ip access-lists
Standard IP access list 10
deny 192.168.0.16, wildcard bits 0.0.0.4
permit any
Standard IP access list 25
permit 24.4.89.89
permit 24.9.250.199
permit 63.197.206.98
permit 24.8.164.207
permit 207.82.32.23
permit 209.128.78.181
permit 10.0.0.0, wildcard bits 0.0.0.255
permit 209.220.56.0, wildcard bits 0.0.0.255
permit 216.32.160.0, wildcard bits 0.0.0.255
permit 205.166.195.0, wildcard bits 0.0.0.255
permit 209.185.97.0, wildcard bits 0.0.0.255
5:
--
bear# wr
[saving configuration]
OK
bear#
-- Exercise #2 --
Email
From : [email][email protected][/email]
To : [email][email protected][/email]
Subject: EMERGENCY, block hackers from entering!
Hello,
It has recently come to our attention that hackers from the block
209.220.56.0/24 have hacked our site, we need to block all inbound
connections from that network to ours, please implement the following
filters on our SomeCompany supported router!
Block 209.220.56.0/24 from entering our network (24.10.5.0/25)
Thanks,
[email][email protected][/email]
Easy enough! Let's go ahead and do this. First, we determine that this is
an extended access-list they would like added. We know both source and
destination, so this is pretty straight forward..
1:
--
- Log onto the router and find out if there is already an extended access-list
on this router to do the function they're asking.
bear# sh run
Building configuration...
Current configuration:
!
! Last configuration change at 08:49:25 PST Thu Mar 2 2000 by skatter
! NVRAM config last updated at 16:06:50 PST Wed Mar 1 2000 by skatter
!
version 12.0
...
(output withdrawn)
...
!
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
...
(output withdrawn)
...
2:
--
- Looks like they do! access-list 101 is already on the router so let's
just modify it so it looks like we want it to..
- Line we want to add:
access-list 101 deny ip 209.220.56.0 0.0.0.255 24.10.5.0 0.0.1.255
(The below can easily be done in notepad so you can just cut and paste it to
the router)
conf t
int e0
no ip access-group 101 in
exit
no access-list 101
access-list 101 deny ip 209.220.56.0 0.0.0.255 24.10.5.0 0.0.1.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
int e0
ip access-group 101 in
exit
exit
wr
- Like I said before, you must first completely blow the access-list off
the router, and usually before you do that you want to unbind it from the
inbound interface. Above is what I would type into notepad and then just
cut and paste the entire thing to the router. As you can see it goes
one command at a time, first I enter configuration mode, then I unbind
access-list 101 from Ethernet0. Next I remove access-list 101 and then
re-add the new access-list. I rebind it to the interface and write the
changes. It may seem a bit confusing at first, but keep at it, it's
a relatively easy concept to grasp.
3:
--
- Call the customer, or send them an email telling them their request
has been completed and voila, you're done!
-- Exercise #3 --
Ok, this is the last one, then you're on your own!
Deny all inbound SMTP traffic to the following IP addresses:
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5
Let's say we're working on the same router we just added the filter on in
Exercise 2. So we already know we're going to use an Extended access-list
because it is filtering based on PROTOCOL (SMTP) and we all know that
standard access-lists can't filter based on protocol. So, we're going to
use access-list 101 again.
Let's go back on the router and look at the config to see what acl 101 looks
like..
...
(output withdrawn)
...
!
access-list 101 deny ip 209.220.56.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
...
(output withdrawn)
...
In notepad let's cut & paste that and modify it so it reflects the new
addition..
- Line we're adding:
access-list 101 deny tcp 10.0.0.1 0.0.0.5 any eq 25
access-list 101 deny tcp 10.0.0.1 0.0.0.5 any eq 25
access-list 101 deny ip 209.220.56.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
When filtering based on protocol you must specify the type of protocol and
what port it listens to, in this case SMTP is a TCP protocol that listens on
port 25. Btw, SMTP stands for Simple Mail Transfer Protocol..
Now let's modify the data in notepad so we can just cut and paste this onto
the router and be done!
conf t
int e0
no ip access-group 101 in
exit
no access-list 101
access-list 101 deny tcp 10.0.0.1 0.0.0.5 any eq 25
access-list 101 deny ip 209.220.56.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
int e0
ip access-group 101 in
exit
exit
wr
Cut and paste it on the router and whammo! You're done.
-- Practice Questions --
- Write an access-list to deny all inbound connection to the following
network: 24.1.5.16 -> 24.1.5.31 (btw, this is 16 IP addresses).
- Write an access-list to permit all inbound connections from the following
network, but deny -everything- else.
- 209.220.56.16 -> 209.220.56.18
- Hint: hey, don't forget the implicit deny!
There are a bunch of different types of access-lists, ie. standard, extended,
ipx, apple-talk, etc. however, the only two you'll use are going to be standard
and extended.
Ranges for standard: 0-99
Ranges for extended: 100-199
Now, let's go over the basics:
- Standard access-lists filter based on source addresses ONLY. They
cannot filter based on protocol.
- Extended access-lists filter based on source AND destination, and can also
filter based on protocol (ie: telnet/http/smtp/etc).
- Access-lists use WILDCARD masks in place of subnet masks. A wildcard mask
is exactly what it sounds like, if I am referring to a block of 128 addresses
the mask would be 0.0.0.128. If it was 2 class-c's it would be 0.0.1.255.
- Class A: 10.0.0.0 = 0.255.255.255
- Class B: 10.0.0.0 = 0.0.255.255
- Class C: 10.0.0.0 = 0.0.0.255
- 8 Addresses = 0.0.0.8
- 30 Addresses = 0.0.0.30
- 128 Addresses = 0.0.0.128
- 4 Class-C's = 0.0.3.255
- Ok, ENOUGH examples!! =)
Let's go over some examples, shall we?
-- Exercise #1 --
From : [email][email protected][/email]
To : [email][email protected][/email]
Subject: Add this filter..
Hello,
I would like you to deny all inbound traffic to the following addresses:
192.168.0.20
192.168.0.21
192.168.0.22
192.168.0.23
Thanks,
[email][email protected][/email]
Alright! Our first access-list request! This is how we go about doing this.
1- Log onto customer's router and enter configuration mode by becoming enabled.
2- Determine if this is a standard of extended ACL (this is a standard since
it is destination only)
3- If there is already an access-list on the router that you're adding this to
you must completely re-do the access-list. If no access-list(s) exist,
create a new one.
- This is because routers take new additions to an access-list kinda
funky. The way you do this is do a "show run" and cut & paste the
full access-list to a notepad or something, make your modification,
and then re-add the whole list to the router.
4- Implement the change, and make sure it works..
- You must also bind this access-list to the interface this traffic
will be entering on.
- You can make sure it works by typing the command "sh ip access-list"
if you see "matches" then it's filtering, cool!
5- write the changes ("write memory" or just "wr")
Let's see this in action..! I will do this one step at a time as I stated
above.
1:
--
[skatter@icons (~)]$ telnet router
Trying 10.0.0.7...
Connected to router.
Escape character is '^]'.
::::::::::::: ::: :::::::::::: :: :: .. . .
: :.. .. .
: e0-sjc-gw.gaschamber.net ... .
: : : .. .
::::::::::::::::::::::: :: :::::: :::.. . : .. . .
User Access Verification
Username: lameuser
Password:
bear>en
Password:
bear#
2:
--
bear# sh run
Building configuration...
Current configuration:
!
! Last configuration change at 08:49:25 PST Thu Mar 2 2000 by skatter
! NVRAM config last updated at 16:06:50 PST Wed Mar 1 2000 by skatter
!
version 12.0
...
(output withdrawn)
...
!
access-list 25 permit 24.4.89.89
access-list 25 permit 24.9.250.199
access-list 25 permit 63.197.206.98
access-list 25 permit 24.8.164.207
access-list 25 permit 207.82.32.23
access-list 25 permit 209.128.78.181
access-list 25 permit 10.0.0.0 0.0.0.255
access-list 25 permit 209.220.56.0 0.0.0.255
access-list 25 permit 216.32.160.0 0.0.0.255
access-list 25 permit 205.166.195.0 0.0.0.255
access-list 25 permit 209.185.97.0 0.0.0.255
...
(output withdrawn)
...
Since I use access-list 25 to determine if someone can telnet in or not, we
won't use this, we'll use a new access-list, saaaay.. access-list 10.
3:
--
- Don't forget about the IMPLICIT deny in access-lists. This means that
if it isn't listed, it will be DENIED. This can cause you being locked
out of the router if you don't add a line to allow the rest of the world
in. You don't see it, but it is there and it is a security feature
implemented by Cisco.
- Implicit Deny = access-list 10 deny any
bear#conf t
Enter configuration commands, one per line. End with CNTL/Z.
bear(config)#access-list 10 deny 192.168.0.20 0.0.0.4
bear(config)#access-list 10 permit any
bear(config)#int e0
bear(config-if)#ip access-group 10 in
bear(config-if)#^Z
4:
--
Below you can see our new addition, often times you could cut & paste this
output or a portion of this output to a customer for their verification.
bear#sh ip access-lists
Standard IP access list 10
deny 192.168.0.16, wildcard bits 0.0.0.4
permit any
Standard IP access list 25
permit 24.4.89.89
permit 24.9.250.199
permit 63.197.206.98
permit 24.8.164.207
permit 207.82.32.23
permit 209.128.78.181
permit 10.0.0.0, wildcard bits 0.0.0.255
permit 209.220.56.0, wildcard bits 0.0.0.255
permit 216.32.160.0, wildcard bits 0.0.0.255
permit 205.166.195.0, wildcard bits 0.0.0.255
permit 209.185.97.0, wildcard bits 0.0.0.255
5:
--
bear# wr
[saving configuration]
OK
bear#
-- Exercise #2 --
From : [email][email protected][/email]
To : [email][email protected][/email]
Subject: EMERGENCY, block hackers from entering!
Hello,
It has recently come to our attention that hackers from the block
209.220.56.0/24 have hacked our site, we need to block all inbound
connections from that network to ours, please implement the following
filters on our SomeCompany supported router!
Block 209.220.56.0/24 from entering our network (24.10.5.0/25)
Thanks,
[email][email protected][/email]
Easy enough! Let's go ahead and do this. First, we determine that this is
an extended access-list they would like added. We know both source and
destination, so this is pretty straight forward..
1:
--
- Log onto the router and find out if there is already an extended access-list
on this router to do the function they're asking.
bear# sh run
Building configuration...
Current configuration:
!
! Last configuration change at 08:49:25 PST Thu Mar 2 2000 by skatter
! NVRAM config last updated at 16:06:50 PST Wed Mar 1 2000 by skatter
!
version 12.0
...
(output withdrawn)
...
!
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
...
(output withdrawn)
...
2:
--
- Looks like they do! access-list 101 is already on the router so let's
just modify it so it looks like we want it to..
- Line we want to add:
access-list 101 deny ip 209.220.56.0 0.0.0.255 24.10.5.0 0.0.1.255
(The below can easily be done in notepad so you can just cut and paste it to
the router)
conf t
int e0
no ip access-group 101 in
exit
no access-list 101
access-list 101 deny ip 209.220.56.0 0.0.0.255 24.10.5.0 0.0.1.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
int e0
ip access-group 101 in
exit
exit
wr
- Like I said before, you must first completely blow the access-list off
the router, and usually before you do that you want to unbind it from the
inbound interface. Above is what I would type into notepad and then just
cut and paste the entire thing to the router. As you can see it goes
one command at a time, first I enter configuration mode, then I unbind
access-list 101 from Ethernet0. Next I remove access-list 101 and then
re-add the new access-list. I rebind it to the interface and write the
changes. It may seem a bit confusing at first, but keep at it, it's
a relatively easy concept to grasp.
3:
--
- Call the customer, or send them an email telling them their request
has been completed and voila, you're done!
-- Exercise #3 --
Ok, this is the last one, then you're on your own!
Deny all inbound SMTP traffic to the following IP addresses:
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5
Let's say we're working on the same router we just added the filter on in
Exercise 2. So we already know we're going to use an Extended access-list
because it is filtering based on PROTOCOL (SMTP) and we all know that
standard access-lists can't filter based on protocol. So, we're going to
use access-list 101 again.
Let's go back on the router and look at the config to see what acl 101 looks
like..
...
(output withdrawn)
...
!
access-list 101 deny ip 209.220.56.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
...
(output withdrawn)
...
In notepad let's cut & paste that and modify it so it reflects the new
addition..
- Line we're adding:
access-list 101 deny tcp 10.0.0.1 0.0.0.5 any eq 25
access-list 101 deny tcp 10.0.0.1 0.0.0.5 any eq 25
access-list 101 deny ip 209.220.56.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
When filtering based on protocol you must specify the type of protocol and
what port it listens to, in this case SMTP is a TCP protocol that listens on
port 25. Btw, SMTP stands for Simple Mail Transfer Protocol..
Now let's modify the data in notepad so we can just cut and paste this onto
the router and be done!
conf t
int e0
no ip access-group 101 in
exit
no access-list 101
access-list 101 deny tcp 10.0.0.1 0.0.0.5 any eq 25
access-list 101 deny ip 209.220.56.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
int e0
ip access-group 101 in
exit
exit
wr
Cut and paste it on the router and whammo! You're done.
-- Practice Questions --
- Write an access-list to deny all inbound connection to the following
network: 24.1.5.16 -> 24.1.5.31 (btw, this is 16 IP addresses).
- Write an access-list to permit all inbound connections from the following
network, but deny -everything- else.
- 209.220.56.16 -> 209.220.56.18
- Hint: hey, don't forget the implicit deny!