Access-list HOWTO

Ok, access-lists are easy.. heh, well for the most part.

There are a bunch of different types of access-lists, ie. standard, extended,
ipx, apple-talk, etc. however, the only two you'll use are going to be standard
and extended.

Ranges for standard: 0-99
Ranges for extended: 100-199

Now, let's go over the basics:  

 - Standard access-lists filter based on source addresses ONLY.  They
   cannot filter based on protocol.

 - Extended access-lists filter based on source AND destination, and can also
   filter based on protocol (ie: telnet/http/smtp/etc).

 - Access-lists use WILDCARD masks in place of subnet masks.  A wildcard mask
   is exactly what it sounds like, if I am referring to a block of 128 addresses
   the mask would be 0.0.0.128.  If it was 2 class-c's it would be 0.0.1.255.
    - Class A: 10.0.0.0 = 0.255.255.255
    - Class B: 10.0.0.0 = 0.0.255.255
    - Class C: 10.0.0.0 = 0.0.0.255
    - 8 Addresses       = 0.0.0.8
    - 30 Addresses      = 0.0.0.30
    - 128 Addresses        = 0.0.0.128
    - 4 Class-C's       = 0.0.3.255
    - Ok, ENOUGH examples!! =)


Let's go over some examples, shall we?


-- Exercise #1 --

Email
From   : [email protected]
To     : [email protected]
Subject: Add this filter..

Hello,

I would like you to deny all inbound traffic to the following addresses:

192.168.0.20
192.168.0.21
192.168.0.22
192.168.0.23

Thanks,

[email protected]


Alright!  Our first access-list request!  This is how we go about doing this.

1- Log onto customer's router and enter configuration mode by becoming enabled.
2- Determine if this is a standard of extended ACL (this is a standard since
   it is destination only)
3- If there is already an access-list on the router that you're adding this to
   you must completely re-do the access-list.  If no access-list(s) exist,
   create a new one.
    - This is because routers take new additions to an access-list kinda
      funky.  The way you do this is do a "show run" and cut & paste the
      full access-list to a notepad or something, make your modification,
      and then re-add the whole list to the router.
4- Implement the change, and make sure it works..
    - You must also bind this access-list to the interface this traffic
      will be entering on.
    - You can make sure it works by typing the command "sh ip access-list"
       if you see "matches" then it's filtering, cool!
5- write the changes ("write memory" or just "wr")

Let's see this in action..!  I will do this one step at a time as I stated
above.

1:
--

[skatter@icons (~)]$ telnet router
Trying 10.0.0.7...
Connected to router.
Escape character is '^]'.

:::::::::::::   ::: ::::::::::::  :: ::       .. .  .  
:                                     :..  .. .
: e0-sjc-gw.gaschamber.net             ... .
:                                     :    : ..  .
:::::::::::::::::::::::   :: :::::: :::..  .     : .. .  .


User Access Verification

Username: lameuser
Password:
bear>en
Password:
bear#


2:
--

bear# sh run
Building configuration...

Current configuration:
!
! Last configuration change at 08:49:25 PST Thu Mar 2 2000 by skatter
! NVRAM config last updated at 16:06:50 PST Wed Mar 1 2000 by skatter
!
version 12.0
...
(output withdrawn)
...
!
access-list 25 permit 24.4.89.89
access-list 25 permit 24.9.250.199
access-list 25 permit 63.197.206.98
access-list 25 permit 24.8.164.207
access-list 25 permit 207.82.32.23
access-list 25 permit 209.128.78.181
access-list 25 permit 10.0.0.0 0.0.0.255
access-list 25 permit 209.220.56.0 0.0.0.255
access-list 25 permit 216.32.160.0 0.0.0.255
access-list 25 permit 205.166.195.0 0.0.0.255
access-list 25 permit 209.185.97.0 0.0.0.255
...
(output withdrawn)
...


Since I use access-list 25 to determine if someone can telnet in or not, we
won't use this, we'll use a new access-list, saaaay.. access-list 10.


3:
--

 - Don't forget about the IMPLICIT deny in access-lists.  This means that
   if it isn't listed, it will be DENIED.  This can cause you being locked
   out of the router if you don't add a line to allow the rest of the world
   in.  You don't see it, but it is there and it is a security feature
   implemented by Cisco.

 - Implicit Deny = access-list 10 deny any

bear#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
bear(config)#access-list 10 deny 192.168.0.20 0.0.0.4
bear(config)#access-list 10 permit any
bear(config)#int e0
bear(config-if)#ip access-group 10 in
bear(config-if)#^Z


4:
--

Below you can see our new addition, often times you could cut & paste this
output or a portion of this output to a customer for their verification.

bear#sh ip access-lists
Standard IP access list 10
    deny   192.168.0.16, wildcard bits 0.0.0.4
    permit any
Standard IP access list 25
    permit 24.4.89.89
    permit 24.9.250.199
    permit 63.197.206.98
    permit 24.8.164.207
    permit 207.82.32.23
    permit 209.128.78.181
    permit 10.0.0.0, wildcard bits 0.0.0.255
    permit 209.220.56.0, wildcard bits 0.0.0.255
    permit 216.32.160.0, wildcard bits 0.0.0.255
    permit 205.166.195.0, wildcard bits 0.0.0.255
    permit 209.185.97.0, wildcard bits 0.0.0.255


5:
--

bear# wr
[saving configuration]
OK
bear#



-- Exercise #2 --

Email
From   : [email protected]
To     : [email protected]
Subject: EMERGENCY, block hackers from entering!

Hello,

It has recently come to our attention that hackers from the block
209.220.56.0/24 have hacked our site, we need to block all inbound
connections from that network to ours, please implement the following
filters on our SomeCompany supported router!

Block 209.220.56.0/24 from entering our network (24.10.5.0/25)

Thanks,

[email protected]



Easy enough!  Let's go ahead and do this.  First, we determine that this is
an extended access-list they would like added.  We know both source and
destination, so this is pretty straight forward..


1:
--

 - Log onto the router and find out if there is already an extended access-list
   on this router to do the function they're asking.

bear# sh run
Building configuration...

Current configuration:
!
! Last configuration change at 08:49:25 PST Thu Mar 2 2000 by skatter
! NVRAM config last updated at 16:06:50 PST Wed Mar 1 2000 by skatter
!
version 12.0
...
(output withdrawn)
...
!
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
...
(output withdrawn)
...


2:
--

 - Looks like they do!  access-list 101 is already on the router so let's
   just modify it so it looks like we want it to..

    - Line we want to add:
    access-list 101 deny ip 209.220.56.0 0.0.0.255 24.10.5.0 0.0.1.255

(The below can easily be done in notepad so you can just cut and paste it to
 the router)

conf t
int e0
no ip access-group 101 in
exit
no access-list 101
access-list 101 deny ip 209.220.56.0 0.0.0.255 24.10.5.0 0.0.1.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
int e0
ip access-group 101 in
exit
exit
wr

 - Like I said before, you must first completely blow the access-list off
   the router, and usually before you do that you want to unbind it from the
   inbound interface.  Above is what I would type into notepad and then just
   cut and paste the entire thing to the router.  As you can see it goes
   one command at a time, first I enter configuration mode, then I unbind
   access-list 101 from Ethernet0.  Next I remove access-list 101 and then
   re-add the new access-list.  I rebind it to the interface and write the
   changes.  It may seem a bit confusing at first, but keep at it, it's
   a relatively easy concept to grasp.


3:
--

 - Call the customer, or send them an email telling them their request
   has been completed and voila, you're done!



-- Exercise #3 --

Ok, this is the last one, then you're on your own!

Deny all inbound SMTP traffic to the following IP addresses:

10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5


Let's say we're working on the same router we just added the filter on in
Exercise 2.  So we already know we're going to use an Extended access-list
because it is filtering based on PROTOCOL (SMTP) and we all know that
standard access-lists can't filter based on protocol.  So, we're going to
use access-list 101 again.

Let's go back on the router and look at the config to see what acl 101 looks
like..

 
...
(output withdrawn)
...
!
access-list 101 deny ip 209.220.56.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
...
(output withdrawn)
...


In notepad let's cut & paste that and modify it so it reflects the new
addition..

 - Line we're adding:
 access-list 101 deny tcp 10.0.0.1 0.0.0.5 any eq 25

access-list 101 deny tcp 10.0.0.1 0.0.0.5 any eq 25
access-list 101 deny ip 209.220.56.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any

When filtering based on protocol you must specify the type of protocol and
what port it listens to, in this case SMTP is a TCP protocol that listens on
port 25.  Btw, SMTP stands for Simple Mail Transfer Protocol..

Now let's modify the data in notepad so we can just cut and paste this onto
the router and be done!

conf t
int e0
no ip access-group 101 in
exit
no access-list 101
access-list 101 deny tcp 10.0.0.1 0.0.0.5 any eq 25
access-list 101 deny ip 209.220.56.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
int e0
ip access-group 101 in
exit
exit
wr

Cut and paste it on the router and whammo!  You're done.



-- Practice Questions --


 - Write an access-list to deny all inbound connection to the following
   network: 24.1.5.16 -> 24.1.5.31 (btw, this is 16 IP addresses).

 - Write an access-list to permit all inbound connections from the following
   network, but deny -everything- else.
    - 209.220.56.16 -> 209.220.56.18
    - Hint: hey, don't forget the implicit deny!

你可能感兴趣的:(职场,Access,休闲)