Ok, access-lists are easy.. heh, well for the most part. There are a bunch of different types of access-lists, i.e. standard, extended, IPX, AppleTalk, etc., however the only two you'll use are going to be standard and extended.

Ranges for standard: 0-99
Ranges for extended: 100-199

Now, let's go over the basics:

- Standard access-lists filter based on source addresses ONLY. They cannot filter based on protocol.
- Extended access-lists filter based on source AND destination, and can also filter based on protocol (i.e. telnet/http/smtp/etc.).
- Access-lists use WILDCARD masks in place of subnet masks. A wildcard mask is exactly what it sounds like: if I am referring to a block of 128 addresses the mask would be 0.0.0.128. If it was 2 class C's it would be 0.0.1.255.
  - Class A: 10.0.0.0 = 0.255.255.255
  - Class B: 10.0.0.0 = 0.0.255.255
  - Class C: 10.0.0.0 = 0.0.0.255
  - 8 Addresses = 0.0.0.8
  - 30 Addresses = 0.0.0.30
  - 128 Addresses = 0.0.0.128
  - 4 Class C's = 0.0.3.255
- Ok, ENOUGH examples!! =)

Let's go over some examples, shall we?

-- Exercise #1 --

Email
From : Somelamecustomer@somelame.net
To : support@somecompany.com
Subject: Add this filter..

Hello,

I would like you to deny all inbound traffic to the following addresses:

192.168.0.20
192.168.0.21
192.168.0.22
192.168.0.23

Thanks,
Somelamecustomer@somelame.net

Alright! Our first access-list request! This is how we go about doing this.

1- Log onto the customer's router and enter configuration mode by becoming enabled.
2- Determine if this is a standard or extended ACL (this is a standard since it is destination only).
3- If there is already an access-list on the router that you're adding this to, you must completely re-do the access-list. If no access-list(s) exist, create a new one.
   - This is because routers take new additions to an access-list kinda funky.
     The way you do this is to do a "show run" and cut & paste the full access-list to a notepad or something, make your modification, and then re-add the whole list to the router.
4- Implement the change, and make sure it works..
   - You must also bind this access-list to the interface this traffic will be entering on.
   - You can make sure it works by typing the command "sh ip access-list"; if you see "matches" then it's filtering, cool!
5- Write the changes ("write memory" or just "wr").

Let's see this in action..! I will do this one step at a time as I stated above.

1:
--
[skatter@icons (~)]$ telnet router
Trying 10.0.0.7...
Connected to router.
Escape character is '^]'.

... (banner art withdrawn) ...
e0-sjc-gw.gaschamber.net
... (banner art withdrawn) ...

User Access Verification

Username: lameuser
Password:
bear>en
Password:
bear#

2:
--
bear# sh run
Building configuration...

Current configuration:
!
! Last configuration change at 08:49:25 PST Thu Mar 2 2000 by skatter
! NVRAM config last updated at 16:06:50 PST Wed Mar 1 2000 by skatter
!
version 12.0
... (output withdrawn) ...
!
access-list 25 permit 24.4.89.89
access-list 25 permit 24.9.250.199
access-list 25 permit 63.197.206.98
access-list 25 permit 24.8.164.207
access-list 25 permit 207.82.32.23
access-list 25 permit 209.128.78.181
access-list 25 permit 10.0.0.0 0.0.0.255
access-list 25 permit 209.220.56.0 0.0.0.255
access-list 25 permit 216.32.160.0 0.0.0.255
access-list 25 permit 205.166.195.0 0.0.0.255
access-list 25 permit 209.185.97.0 0.0.0.255
... (output withdrawn) ...

Since I use access-list 25 to determine if someone can telnet in or not, we won't use this, we'll use a new access-list, saaaay.. access-list 10.

3:
--
- Don't forget about the IMPLICIT deny in access-lists. This means that if it isn't listed, it will be DENIED. This can cause you to be locked out of the router if you don't add a line to allow the rest of the world in.
  You don't see it, but it is there and it is a security feature implemented by Cisco.
- Implicit Deny = access-list 10 deny any

bear#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
bear(config)#access-list 10 deny 192.168.0.20 0.0.0.4
bear(config)#access-list 10 permit any
bear(config)#int e0
bear(config-if)#ip access-group 10 in
bear(config-if)#^Z

4:
--
Below you can see our new addition; oftentimes you could cut & paste this output, or a portion of it, to a customer for their verification.

bear#sh ip access-lists
Standard IP access list 10
    deny   192.168.0.16, wildcard bits 0.0.0.4
    permit any
Standard IP access list 25
    permit 24.4.89.89
    permit 24.9.250.199
    permit 63.197.206.98
    permit 24.8.164.207
    permit 207.82.32.23
    permit 209.128.78.181
    permit 10.0.0.0, wildcard bits 0.0.0.255
    permit 209.220.56.0, wildcard bits 0.0.0.255
    permit 216.32.160.0, wildcard bits 0.0.0.255
    permit 205.166.195.0, wildcard bits 0.0.0.255
    permit 209.185.97.0, wildcard bits 0.0.0.255

5:
--
bear# wr
[saving configuration]
OK
bear#

-- Exercise #2 --

Email
From : Somelamecustomer@somelame.net
To : support@somecompany.com
Subject: EMERGENCY, block hackers from entering!

Hello,

It has recently come to our attention that hackers from the block 209.220.56.0/24 have hacked our site, we need to block all inbound connections from that network to ours, please implement the following filters on our SomeCompany supported router!

Block 209.220.56.0/24 from entering our network (24.10.5.0/25)

Thanks,
Somelamecustomer@somelame.net

Easy enough! Let's go ahead and do this. First, we determine that this is an extended access-list they would like added. We know both source and destination, so this is pretty straightforward..

1:
--
- Log onto the router and find out if there is already an extended access-list on this router doing the function they're asking for.

bear# sh run
Building configuration...

Current configuration:
!
! Last configuration change at 08:49:25 PST Thu Mar 2 2000 by skatter
! NVRAM config last updated at 16:06:50 PST Wed Mar 1 2000 by skatter
!
version 12.0
... (output withdrawn) ...
!
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
... (output withdrawn) ...

2:
--
- Looks like they do! access-list 101 is already on the router, so let's just modify it so it looks like we want it to..
- Line we want to add: access-list 101 deny ip 209.220.56.0 0.0.0.255 24.10.5.0 0.0.1.255

(The below can easily be done in notepad so you can just cut and paste it to the router)

conf t
int e0
no ip access-group 101 in
exit
no access-list 101
access-list 101 deny ip 209.220.56.0 0.0.0.255 24.10.5.0 0.0.1.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
int e0
ip access-group 101 in
exit
exit
wr

- Like I said before, you must first completely blow the access-list off the router, and usually before you do that you want to unbind it from the inbound interface. Above is what I would type into notepad and then just cut and paste the entire thing to the router. As you can see it goes one command at a time: first I enter configuration mode, then I unbind access-list 101 from Ethernet0. Next I remove access-list 101 and then re-add the new access-list. I rebind it to the interface and write the changes. It may seem a bit confusing at first, but keep at it, it's a relatively easy concept to grasp.

3:
--
- Call the customer, or send them an email telling them their request has been completed, and voila, you're done!

-- Exercise #3 --

Ok, this is the last one, then you're on your own!

Deny all inbound SMTP traffic to the following IP addresses:

10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5

Let's say we're working on the same router we just added the filter on in Exercise 2.
So we already know we're going to use an extended access-list because it is filtering based on PROTOCOL (SMTP), and we all know that standard access-lists can't filter based on protocol. So, we're going to use access-list 101 again. Let's go back on the router and look at the config to see what acl 101 looks like..

... (output withdrawn) ...
!
access-list 101 deny ip 209.220.56.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
... (output withdrawn) ...

In notepad let's cut & paste that and modify it so it reflects the new addition..

- Line we're adding: access-list 101 deny tcp 10.0.0.1 0.0.0.5 any eq 25

access-list 101 deny tcp 10.0.0.1 0.0.0.5 any eq 25
access-list 101 deny ip 209.220.56.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any

When filtering based on protocol you must specify the type of protocol and what port it listens on; in this case SMTP is a TCP protocol that listens on port 25. Btw, SMTP stands for Simple Mail Transfer Protocol..

Now let's modify the data in notepad so we can just cut and paste this onto the router and be done!

conf t
int e0
no ip access-group 101 in
exit
no access-list 101
access-list 101 deny tcp 10.0.0.1 0.0.0.5 any eq 25
access-list 101 deny ip 209.220.56.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
int e0
ip access-group 101 in
exit
exit
wr

Cut and paste it on the router and whammo! You're done.

-- Practice Questions --

- Write an access-list to deny all inbound connections to the following network: 24.1.5.16 -> 24.1.5.31 (btw, this is 16 IP addresses).
- Write an access-list to permit all inbound connections from the following network, but deny -everything- else.
  - 209.220.56.16 -> 209.220.56.18
  - Hint: hey, don't forget the implicit deny!
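As an added example that is not part of the original file, the Python below is a checker for the wildcard basics above and for the practice questions: it computes the wildcard for an aligned block of addresses (N addresses -> wildcard N-1, so 0.0.0.15 for the 16 addresses in the first question), enumerates exactly which hosts an address/wildcard pair covers so a line can be verified before it is pasted onto a router, and evaluates a standard access-list with first-match and implicit-deny semantics. Function names and the sample entries are my own.

```python
from ipaddress import IPv4Address


def to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def to_str(value: int) -> str:
    return str(IPv4Address(value))


def wildcard_for_range(first: str, last: str) -> tuple:
    """Return (address, wildcard) covering exactly first..last.
    A single wildcard only exists for an aligned block whose size is a
    power of two; anything else raises, meaning the request needs more
    than one line (split it into aligned blocks)."""
    lo, hi = to_int(first), to_int(last)
    size = hi - lo + 1
    if size & (size - 1) or lo % size:
        raise ValueError(f"{first}-{last} is not one aligned power-of-two block")
    return to_str(lo), to_str(size - 1)   # N addresses -> wildcard N-1


def matches(addr: str, entry_addr: str, wildcard: str) -> bool:
    """Bits set in the wildcard are 'don't care'; every other bit must agree."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(entry_addr) & care)


def hosts_matched(entry_addr: str, wildcard: str) -> set:
    """Enumerate every address an entry covers by walking all subsets of the
    wildcard's set bits (keep it to small wildcards)."""
    wc = to_int(wildcard)
    base = to_int(entry_addr) & ~wc & 0xFFFFFFFF
    covered, sub = set(), wc
    while True:
        covered.add(to_str(base | sub))
        if sub == 0:
            return covered
        sub = (sub - 1) & wc


def evaluate(acl, src: str) -> str:
    """Standard ACL semantics: the first matching line wins; no match falls
    through to the implicit 'deny any' that IOS appends."""
    for action, entry_addr, wildcard in acl:
        if matches(src, entry_addr, wildcard):
            return action
    return "deny"


if __name__ == "__main__":
    print(wildcard_for_range("24.1.5.16", "24.1.5.31"))   # ('24.1.5.16', '0.0.0.15')
    print(sorted(hosts_matched("192.168.0.20", "0.0.0.4")))
    # permit-only list for practice question 2: anything else hits the implicit deny
    acl = [("permit", "209.220.56.16", "0.0.0.1"), ("permit", "209.220.56.18", "0.0.0.0")]
    print(evaluate(acl, "209.220.56.17"), evaluate(acl, "209.220.56.19"))   # permit deny
```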
-----------------------------------------------------------------------------
This file was written by: Eric Cables
This file was last modified on: 03/03/2000