Appendix B: Configuring Standard and Extended Access Lists (Cisco Systems MCNS v2.0, slide B-1; © 1999, Cisco Systems, Inc.)


B-2 Configuring IP Standard Access Lists

B-3 IP Standard Access Lists Overview
A standard IP access list tests the source address only; the destination address is not examined.
Access list range: 1 to 99.

B-4 Inbound Access List Processing (Standard IP Access Lists)
An incoming packet is handled as follows:
1. Is an access list applied inbound on the interface? If no, route the packet to the outgoing interface.
2. Does the packet's source address match the current entry? If yes, apply that entry's condition: permit routes the packet, deny discards it and sends an ICMP message to the source.
3. If the entry does not match, are there more entries? If yes, test the next entry; if no, the packet is discarded and an ICMP message is sent (implicit deny any).

B-5 Outbound Access List Processing (Standard IP Access Lists)
1. The incoming packet is first routed to the outgoing interface.
2. Is an access list applied outbound on that interface? If no, forward the packet.
3. Does the source address match the current entry? If yes, apply the condition: permit forwards the packet, deny discards it and sends an ICMP message.
4. If the entry does not match, are there more entries? If yes, test the next entry; if no, discard the packet and send an ICMP message (implicit deny any).

B-6 IP Addressing Review
  Class   High-order bits   First octet   Standard mask
  A       0                 1-126         255.0.0.0
  B       10                128-191       255.255.0.0
  C       110               192-223       255.255.255.0
Class B and class C networks are commonly divided into subnets; the wildcard masks on the next slide are written against the subnet mask in use.

B-7 Access Lists Use Wildcard Mask
A wildcard mask is read bit by bit against the address in the entry: a 0 bit means the corresponding address bit must match; a 1 bit means the address bit need not match (don't care).
  Address            Mask                    Matches
  host address       0.0.0.0                 exactly that host
  0.0.0.0            255.255.255.255         any address
  network address    subnet mask inverted*   only that network or subnet
  255.255.255.255    0.0.0.0                 local broadcast
* Assuming the subnet mask of that network: the wildcard is the bitwise inverse of the subnet mask (for example 255.255.255.0 gives 0.0.0.255).

B-8 Access List Configuration Tasks
To create an access list, perform the following tasks:
1. Define the access list.
2. Apply the list to an interface.

B-9 Standard Access List Commands
Defines a standard access list (numbered 1-99):
  Router(config)# access-list access-list-number { permit | deny } { source [ source-wildcard ] | any }
Applies an access list to a specific interface, inbound or outbound:
  Router(config-if)# ip access-group access-list-number { in | out }

B-10 Implicit Masks (Standard IP Access Lists)
Correct:
  access-list 1 permit source             ! omitted mask is assumed to be 0.0.0.0 (exactly this host)
Common errors:
  access-list 1 permit source 0.0.0.0     ! mask not needed
  access-list 1 permit source
  access-list 1 deny any                  ! unnecessary: implicit deny any
  access-list 1 deny source               ! unnecessary, and never reached after deny any

B-11 Configuration Principles
- Top-down processing: the first matching entry wins, so place more specific references first.
- Implicit deny any at the end of every list, unless the access list ends with an explicit permit any.
- New lines are added to the end; lines cannot be selectively added or removed.
- An undefined access list applied to an interface = permit any; the implicit deny any only exists once at least one access list line has been created.
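The wildcard-mask rule of slide B-7 and the processing principles of slide B-11 (first match wins, implicit deny at the end, undefined list permits everything) are easy to get wrong when ordering entries. The following Python is an added example, not code from the slides or from Cisco: a small evaluator for numbered standard access lists. The access-list text it parses is constructed for the example (the 10.0.0.0 addresses are placeholders, not addresses from the course); it models only the standard-list syntax shown on slide B-9.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ to_int(subnet_mask)))


def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match the reference address; 1 bits are don't-care."""
    must_match = ~to_int(wildcard) & 0xFFFFFFFF
    return ((to_int(addr) ^ to_int(ref)) & must_match) == 0


@dataclass
class StandardEntry:
    action: str      # "permit" or "deny"
    source: str
    wildcard: str    # "0.0.0.0" when omitted: a single host, as on slide B-10


def parse_standard_acl(config_lines: List[str]) -> Dict[int, List[StandardEntry]]:
    """Parse 'access-list N {permit|deny} {source [wildcard] | any}' lines, keeping their order."""
    acls: Dict[int, List[StandardEntry]] = {}
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue   # blank lines in the sample
        number, action = int(tokens[1]), tokens[2]
        if tokens[3] == "any":
            source, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            source = tokens[3]
            wildcard = tokens[4] if len(tokens) > 4 else "0.0.0.0"   # implicit host mask
        acls.setdefault(number, []).append(StandardEntry(action, source, wildcard))
    return acls


def evaluate_standard(acl: Optional[List[StandardEntry]], src_addr: str) -> str:
    """First matching entry wins; a list with no entries permits everything (slide B-11)."""
    if not acl:
        return "permit"
    for entry in acl:
        if wildcard_match(src_addr, entry.source, entry.wildcard):
            return entry.action
    return "deny"   # implicit deny any at the end of every defined list


# Constructed sample (not from the slides): the most specific reference comes first.
SAMPLE_ACL = """
access-list 2 permit 10.1.1.5
access-list 2 deny 10.1.1.0 0.0.0.255
access-list 2 permit 10.0.0.0 0.255.255.255
""".splitlines()

# The same three lines with the host entry placed after the subnet deny that shadows it.
MISORDERED_ACL = """
access-list 5 deny 10.1.1.0 0.0.0.255
access-list 5 permit 10.1.1.5
access-list 5 permit 10.0.0.0 0.255.255.255
""".splitlines()


if __name__ == "__main__":
    acls = parse_standard_acl(SAMPLE_ACL + MISORDERED_ACL)
    for number in (2, 5):
        for src in ("10.1.1.5", "10.1.1.7", "10.2.3.4", "192.168.1.1"):
            print(f"list {number} source {src:12} -> {evaluate_standard(acls[number], src)}")
    print("undefined list 99 ->", evaluate_standard(acls.get(99), "192.168.1.1"))
```

Running it shows that list 2 permits 10.1.1.5 while list 5, with identical lines in a different order, denies it, and that a number with no lines permits every source.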

B-12 Standard Access List Example
Who can connect to A? (Hosts B, C, D, E and the Internet reach A through ethernet 0.)
  Router(config)# access-list 2 permit <source>
  Router(config)# access-list 2 deny <source>
  Router(config)# access-list 2 permit <source>
  Router(config)# ! (Note: all other access implicitly denied)
  Router(config)# interface ethernet 0
  Router(config-if)# ip access-group 2 in

B-13 Location of Standard Access Lists
  access-list 3 deny <address of host Z>
  access-list 3 permit any
On which router (A or B) should the access list be configured to deny host Z access to the network behind it?
How does the location of a standard access list change the policy implemented? Because a standard list tests only the source address, applying it near host Z would block Z's traffic to every destination beyond that point; placing it close to the protected destination limits the policy to that network.

B-14 Configuring Extended Access Lists

B-15 IP Extended Access List Overview
Control traffic by application, not just by address: the slide's diagram shows FTP, SMTP and Telnet from the Internet being treated differently for the Sales, Manufacturing and Accounting networks.

B-16 Extended Access List Processing
For each entry the tests are applied in order, and all of them must match for the entry to apply:
1. Is an access list present on the interface? If not, forward the packet.
2. Does the source address match?
3. Does the destination address match?
4. Does the protocol match?*
5. Do the protocol options match (port numbers, established, ICMP type)?*
If every test matches, apply the entry's condition: permit forwards the packet, deny discards it and returns an ICMP message. If any test does not match, go to the next entry in the list.
* Tested only if present in the access list entry.

B-17 Extended IP Access List Command
  Router(config)# access-list access-list-number { permit | deny } { protocol | protocol-keyword } { source source-wildcard | any } { destination destination-wildcard | any } [ protocol-specific options ] [ log ]
Defines an extended access list (numbered 100 to 199).
The protocol keywords icmp, tcp and udp select an alternate syntax with protocol-specific options.

B-18 Extended Mask Keywords
The keyword any can be used in place of the address 0.0.0.0 with mask 255.255.255.255.
The keyword host preceding an ip-address can be used in place of the mask 0.0.0.0.
  access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
  ! (alternate configuration)
  access-list 101 permit ip any any
  access-list 101 permit ip 0.0.0.0 255.255.255.255 ip-address 0.0.0.0
  ! (alternate configuration)
  access-list 101 permit ip any host ip-address

B-19 ICMP Command Syntax
Filters based on ICMP messages:
  Router(config)# access-list access-list-number { permit | deny } icmp { source source-wildcard | any } { destination destination-wildcard | any } [ icmp-type [ icmp-code ] | icmp-message ]

B-20 ICMP Message and Type Names
Names simplify configuration:
  administratively-prohibited   information-reply       port-unreachable
  alternate-address             mask-reply              reassembly-timeout
  conversion-error              mask-request            redirect
  dod-host-prohibited           mobile-redirect         router-advertisement
  dod-net-prohibited            net-redirect            router-solicitation
  echo                          net-tos-redirect        source-quench
  echo-reply                    net-tos-unreachable     source-route-failed
  general-parameter-problem     net-unreachable         time-exceeded
  host-isolated                 network-unknown         traceroute
  host-tos-redirect             no-room-for-option      ttl-exceeded
  host-tos-unreachable          option-missing          unreachable
  host-unknown                  packet-too-big
  host-unreachable              parameter-problem

B-21 TCP Syntax
Filters based on the TCP protocol or on a TCP port number or name:
  Router(config)# access-list access-list-number { permit | deny } tcp { source source-wildcard | any } [ operator source-port | source-port ] { destination destination-wildcard | any } [ operator destination-port | destination-port ] [ established ]
The established keyword matches only TCP segments with the ACK or RST bit set, that is, segments of a connection that has already been started; it is a test of header bits, not a stateful connection check.

B-22 TCP Port Names
  bgp             gopher      sunrpc
  chargen         hostname    syslog
  daytime         irc         tacacs-ds
  discard         klogin      talk
  domain          kshell      telnet
  echo            lpd         time
  finger          nntp        uucp
  ftp (control)   pop2        whois
  ftp-data        pop3        www
Type ? to get the port numbers corresponding to the names. Other port numbers are found in the Assigned Numbers RFC (RFC 1700).

B-23 UDP Syntax
Filters based on the UDP protocol or on a UDP port number or name:
  Router(config)# access-list access-list-number { permit | deny } udp { source source-wildcard | any } [ operator source-port | source-port ] { destination destination-wildcard | any } [ operator destination-port | destination-port ]

B-24 UDP Port Names
  biff        nameserver    syslog
  bootpc      netbios-dgm   tacacs-ds
  bootps      netbios-ns    talk
  discard     ntp           tftp
  dns         rip           time
  dnsix       snmp          whois
  echo        snmptrap      xdmcp
  mobile-ip   sunrpc
Type ? to get the port number corresponding to a name. Other port numbers are found in the Assigned Numbers RFC (RFC 1700).

B-25 Extended Access List Example 1: Providing Internet Mail
  access-list 103 permit tcp any <network wildcard> established
  access-list 103 permit tcp any host <mail host> eq smtp
  !
  interface ethernet 1
  ip access-group 103 in
The first line admits return traffic of TCP connections started from the inside (established); the second admits new connections from anywhere to the mail host on port 25 (smtp). Everything else arriving on ethernet 1 is dropped by the implicit deny any.

B-26 Extended Access List Example 2: Also Providing DNS and Ping
  access-list 104 permit tcp any <network wildcard> established
  access-list 104 permit tcp any host <mail host> eq smtp
  access-list 104 permit udp any eq domain any
  access-list 104 permit icmp any any echo
  access-list 104 permit icmp any any echo-reply
  !
  interface serial 0
  ip access-group 104 in
The udp line admits datagrams whose source port is domain (53), that is, DNS replies to inside resolvers; the two icmp lines admit echo requests and echo replies so that ping works in both directions.
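Slides B-16 through B-26 describe extended-list matching (source, destination, protocol, port operator, established, ICMP type) in words. The following Python is an added example, not code from the slides or from Cisco: it parses a list in the shape of Example 2 and evaluates packets against it so that the behaviour of established and of a source-port permit can be checked directly. The addresses in ACL_104 are constructed for the example (192.0.2.0/24 stands in for the inside network, 198.51.100.0/24 for the Internet); the parser models only the eq operator, the established keyword and a few port and ICMP names, not the full IOS syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "telnet": 23, "ftp": 21, "snmp": 161}
ICMP_NAMES = {"echo": 8, "echo-reply": 0, "ttl-exceeded": 11}


def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """0 bits of the wildcard must match, 1 bits are don't-care (slide B-7)."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, ref, wildcard))
    return ((a ^ r) & (~w & 0xFFFFFFFF)) == 0


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    ack: bool = False     # TCP ACK bit
    rst: bool = False     # TCP RST bit


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    swc: str
    dst: str
    dwc: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False
    icmp_type: Optional[int] = None


def _addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    # Consume one address spec: any | host A | A wildcard (slide B-18).
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def _port(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    # Consume an optional 'eq port'; only the eq operator is modelled here.
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens


def parse_extended(config_lines: List[str]) -> Dict[int, List[Rule]]:
    """Parse 'access-list N action proto src [eq p] dst [eq p] [established | icmp-name]'."""
    acls: Dict[int, List[Rule]] = {}
    for line in config_lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        number, action, proto = int(t[1]), t[2], t[3]
        src, swc, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, dwc, rest = _addr(rest)
        dport, rest = _port(rest)
        rule = Rule(action, proto, src, swc, dst, dwc, sport, dport)
        if rest and rest[0] == "established":
            rule.established = True
        elif rest and proto == "icmp":
            rule.icmp_type = ICMP_NAMES[rest[0]]
        acls.setdefault(number, []).append(rule)
    return acls


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every test present in the entry must pass (slide B-16); absent options are not tested."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (wildcard_match(pkt.src, rule.src, rule.swc) and wildcard_match(pkt.dst, rule.dst, rule.dwc)):
        return False
    if rule.sport not in (None, pkt.sport) or rule.dport not in (None, pkt.dport):
        return False
    if rule.established and not (pkt.ack or pkt.rst):   # 'established' = ACK or RST bit set, nothing more
        return False
    return rule.icmp_type is None or pkt.icmp_type == rule.icmp_type


def evaluate_extended(acl: List[Rule], pkt: Packet) -> str:
    # Top-down first match; implicit deny any at the end.
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed list in the shape of Example 2; 192.0.2.0/24 stands in for the inside network.
ACL_104 = """
access-list 104 permit tcp any 192.0.2.0 0.0.0.255 established
access-list 104 permit tcp any host 192.0.2.25 eq smtp
access-list 104 permit udp any eq domain any
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
""".splitlines()
```

Two results are worth checking with this evaluator. A UDP datagram from the Internet with source port 53 and destination port 161 (SNMP) on an inside host is permitted by the udp line, because that line tests only the sender-chosen source port. A TCP segment to an inside Telnet port with just the ACK bit set is permitted by the established line, because established is a header-bit test, not a connection-state test. Both are the price of stateless filtering and are why later Cisco courses move such policies to a stateful firewall.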

B-27 Location of Extended Access Lists
- Minimize the distance travelled by traffic that will be denied (and by the resulting ICMP unreachable messages): filter close to the source.
- Keep denied traffic off the backbone.
- Select the router that will carry the CPU overhead of the access lists.
- Consider the number of interfaces affected.
- Consider access list management and security.
- Consider the impact of network growth on access list maintenance.

B-28 Verifying Access List Configuration

B-29 Access List show Commands
  Router# show access-list
    Displays access lists from all protocols.
  Router# show ip access-list [ access-list-number ]
    Displays a specific IP access list (all IP access lists if the number is omitted).
  Router# clear access-list counters [ access-list-number ]
    Clears the packet (match) counts.
  Router# show line
    Displays line configuration.

B-30 show ip access-list Command
Match counts are shown for extended access lists:
  p1r1# show access-lists
  Extended IP access list 100
      deny tcp host <src> host <dst> eq telnet (3 matches)
      deny tcp host <src> host <dst> eq telnet
      permit ip any any (629 matches)
The counters show which lines are actually being hit (the second deny above has never matched); clear them with clear access-list counters before a test so that the counts reflect only the traffic being checked.