Tuesday, 03 March 2009

Access Control Lists (ACL)

Access lists are used to classify IP packets. The classification applied to these packets can then be used by a number of features:

  • Security (Access Control)
  • Encryption
  • Policy Based Routing
  • Quality of Service (QoS), Queues
  • Network Address Translation (NAT)
  • Port Address Translation (PAT)
  • Dial on Demand Routing (Interesting Dial Traffic)

Access lists can be applied on Cisco IOS routers and switches. They are generally applied to interfaces or access ports in a specific direction (e.g. incoming or outgoing).

Types of Access List

There are two types of Access List:

  • Standard - Can only be used to look at the source IP of a packet.
  • Extended - Can be used to look at source IP, destination IP, IP protocol, source TCP/UDP port and destination TCP/UDP port.

These two types of Access List are identified by the first argument of the ACL statement, an ID which is used to identify the list. This argument could fall within one of the following:

  • 1 to 99 or 1300 to 1999: Standard Access List
  • 100 to 199 or 2000 to 2699: Extended Access List
  • Name: Named Access List

Specifying an Access List number from 1 to 99 or 1300 to 1999 instructs the router that it is a Standard Access List, and a number from 100 to 199 or 2000 to 2699 that it is an Extended Access List. Named Access Lists allow you to give an Access List an alphanumeric identifier that is easier to remember. Named Access Lists also allow you to delete specific lines from an Access List.

Access List Components

The general components of an access list configuration are:

  • Access List Identification (used to identify list, you could have multiple lists)
  • Direction (e.g. in or out of router)
  • IP Address Pattern to Match (e.g. Source, Destination)
  • Action (e.g. Permit or Deny)

The structure of access lists is as follows (the bracketed items are the arguments you supply; the port arguments only apply to TCP or UDP and are optional):

Standard Access List -

access-list [number] [permit|deny] [source] [source wildcard]

Extended Access List -

access-list [number] [permit|deny] [protocol] [source] [source wildcard] [source port] [destination] [destination wildcard] [destination port]

interface e1

ip access-group 1 in

access-list 1 permit 172.16.1.1 0.0.0.0

The configuration lines above demonstrate how a Standard Access List is configured and applied (you can tell it is a standard access list because its identifier is 1). This access list has been applied to the e1 interface in the in direction. The access list is looking for packets matching a source IP address of 172.16.1.1 and permitting them to pass; all other packets which do not match this pattern will be discarded.

It is important to note that at the bottom of every access list there is an implicit "deny all" which is not shown in the configuration. For this reason you should always have at least one permit statement in every Access List (unless you really do want to stop all traffic passing through an interface).

Access lists do not filter traffic that originates from the same router. You can only specify one ACL per protocol, per direction, per interface.


Access List Masks

Wildcard Masks define how much of an IP Address is used in a match: all of it, or only part of it. When performing an address filter, the mask identifies which bits of an IP Address to check and which to ignore.

The mask works in a similar way to a Subnet Mask, but the other way round, which is why wildcard masks are sometimes known as "inverted masks". Take the following extended access list:

interface e1

ip access-group 101 out

access-list 101 deny ip 192.168.1.10 0.0.0.255 0.0.0.0 255.255.255.255


This is an extended access list (note extended because it has an identifier of 101). It denies all traffic from the 192.168.1.X range leaving the e1 interface, and because the list contains no permit statement the implicit deny at the end drops everything else as well, so in practice it blocks ALL traffic out of e1. The reason the whole 192.168.1.X range is matched is the mask which follows the address in the statement above (0.0.0.255). This mask is basically saying "check where the mask is 0 and ignore where it is 255"; 255 is rather like the wildcard * or % used in file or database searches.

If we go into more detail around Access Lists masks we need to convert them, like subnet masks, into binary (0 means check value of corresponding bit in IP Address and 1 means ignore value of corresponding bit in IP Address):

Binary      Decimal   Action
00000000    0         Check All Address Bits (Match All)
00111111    63        Ignore Last 6 Address Bits
00001111    15        Ignore Last 4 Address Bits
11111100    252       Check Last 2 Address Bits
11111111    255       Do Not Check Address (Ignore All Bits)

The following Access List line permits traffic from a single host to anywhere:

access-list 102 permit ip 192.168.1.2 0.0.0.0 0.0.0.0 255.255.255.255

However the Access Lists Statement above could also be written in a shorter way:

access-list 102 permit ip host 192.168.1.2 any

The "host" keyword is a short way of specifying a single host IP Address.
The "any" keyword specifies any IP Address.

host 192.168.1.2 = 192.168.1.2 0.0.0.0

any = 0.0.0.0 255.255.255.255


Using Port Numbers in Access Lists

When using extended access lists, as well as IP Addresses you can also match on TCP or UDP port numbers. One use for this is when you want to block Telnet access to everyone except a single IP Address.

access-list 102 permit tcp host 192.168.1.3 192.168.2.100 0.0.0.0 eq 23

The "eq 23" at the end of the Access List line above specifies that only a single host, 192.168.1.3, is allowed to Telnet to 192.168.2.100 (with the implicit deny dropping everyone else). This Access List should be applied to the router interface nearest the 192.168.2.100 host, in the outbound direction.

Here is a list of well-known TCP port numbers:

Port Number   Service
20            FTP Data
21            FTP Control
22            SSH
23            Telnet
25            SMTP Email
80            HTTP Web
110           POP3 Email

If you cannot remember these port numbers, Cisco routers also allow you to enter the name of the service in place of the port number:

access-list 102 deny tcp host 192.168.1.4 192.168.2.99 0.0.0.0 eq ftp
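To make the matching rules concrete, the following Python is an added, runnable model of how the router evaluates the numbered ACL statements discussed in the mask and port sections above; it is not IOS code and not part of the original post. It implements exactly what the text describes: wildcard bits of 0 are checked and bits of 1 are ignored, "host" and "any" expand to their wildcard forms, "eq" accepts a port number or a service name, the first matching line decides, and a packet that matches nothing hits the implicit deny. The service-name table, the sample list and the packets are constructed for the example.

```python
"""Model of IOS numbered ACL evaluation (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names accepted in place of a port number; constructed subset for the example.
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23,
            "smtp": 25, "www": 80, "pop3": 110}


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """True when addr equals pattern on every bit where the wildcard bit is 0.
    Wildcard bits of 1 are ignored: 0.0.0.0 means 'this exact host',
    255.255.255.255 means 'any address'."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ p) & ~w == 0


@dataclass
class Entry:
    number: int
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src: str
    src_wc: str
    src_port: Optional[int]
    dst: str
    dst_wc: str
    dst_port: Optional[int]


def parse_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A' or 'A WILDCARD' at t[i]; return (pattern, wildcard, next)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port|service>' operator; None means any port."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (SERVICES[p] if p in SERVICES else int(p)), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("expected an access-list statement: " + line)
    num, action = int(t[1]), t[2]
    if 1 <= num <= 99 or 1300 <= num <= 1999:
        # Standard list: source only; a missing wildcard means 0.0.0.0 (exact host).
        if t[3] == "any":
            src, wc = "0.0.0.0", "255.255.255.255"
        elif t[3] == "host":
            src, wc = t[4], "0.0.0.0"
        else:
            src, wc = t[3], (t[4] if len(t) > 4 else "0.0.0.0")
        return Entry(num, action, "ip", src, wc, None, "0.0.0.0", "255.255.255.255", None)
    if not (100 <= num <= 199 or 2000 <= num <= 2699):
        raise ValueError("not a standard or extended numbered list: %d" % num)
    proto = t[3]
    src, swc, i = parse_addr(t, 4)
    sport, i = parse_port(t, i)
    dst, dwc, i = parse_addr(t, i)
    dport, i = parse_port(t, i)
    return Entry(num, action, proto, src, swc, sport, dst, dwc, dport)


def evaluate(entries: List[Entry], proto: str, src: str, sport: Optional[int],
             dst: str, dport: Optional[int]) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.src_port is not None and e.src_port != sport:
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e.action
    return "deny"  # the implicit "deny all" at the bottom of every list


# Constructed list built from the kinds of statements shown on this page.
ACL_102 = [parse_entry(s) for s in (
    "access-list 102 deny tcp host 192.168.1.4 192.168.2.99 0.0.0.0 eq ftp",
    "access-list 102 permit tcp host 192.168.1.3 192.168.2.100 0.0.0.0 eq 23",
    "access-list 102 permit ip 192.168.1.0 0.0.0.255 any",
)]

if __name__ == "__main__":
    for pkt in (("tcp", "192.168.1.3", 40001, "192.168.2.100", 23),
                ("tcp", "192.168.1.4", 40002, "192.168.2.99", 21),
                ("udp", "10.9.9.9", 5353, "192.168.2.100", 53)):
        print(pkt, "->", evaluate(ACL_102, *pkt))
```

The third packet is the instructive one: nothing in the list mentions 10.9.9.9, so it is dropped by the implicit deny even though the list is full of permit statements. Reordering the first two lines would not change anything here, but in a real list a broad permit placed above a narrow deny silently disables the deny, because evaluation stops at the first match.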

WARNING! Be careful not to cut off your own remote access when applying an inbound Access List.

Verifying Access Lists

When you have applied an Access List to a router's interface, you can verify that it is working by issuing the "show access-list" command. This will show you the number of matches each line of the Access List has made:

Router#show access-list 101
Extended IP access list 101
permit tcp any host 192.168.1.4 eq 23 (1 matches)
permit tcp any host 192.168.1.5 eq ftp (7 matches)
permit ip any any (4867 matches)

Or, if you enable the logging option on your access list entries, you can look at the router's log:

Dec  6 16:21:51.350: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.0.1(35265) (FastEthernet3/0 0002.559c.f66e) -> 192.168.1.4(23), 1 packet
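Log lines in the %SEC-6-IPACCESSLOGP layout shown above are easy to turn into structured records, which is what you want when reviewing denied traffic across many entries. The Python below is an added example (not from the original post) that parses that layout with a regular expression and totals denied packets per source address. The sample lines are constructed for the example: the first reproduces the message above, the others use made-up addresses and counts, and the last is an unrelated IOS message included to show that non-matching lines are skipped. Only the LOGP form (TCP/UDP with ports) is handled; other ACL log mnemonics use different layouts and would need their own patterns.

```python
"""Parse IOS %SEC-6-IPACCESSLOGP messages (added example, not from the post)."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Field layout of the IPACCESSLOGP message (TCP/UDP entries with port numbers).
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) \((?P<intf>\S+) (?P<mac>[0-9a-f.]+)\) "
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_logp(line: str) -> Optional[Dict[str, object]]:
    """Return the message fields as a dict, or None if the line is not an IPACCESSLOGP entry."""
    m = LOGP.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def denied_packets_by_source(lines: Iterable[str]) -> Dict[str, int]:
    """Sum the packet counts of denied entries, keyed by source address."""
    totals: Counter = Counter()
    for line in lines:
        rec = parse_logp(line)
        if rec and rec["action"] == "denied":
            totals[rec["src"]] += rec["count"]
    return dict(totals)


# Constructed sample log: line 1 is the message from the page, the rest are made up.
SAMPLE = [
    "Dec  6 16:21:51.350: %SEC-6-IPACCESSLOGP: list 101 permitted tcp "
    "192.168.0.1(35265) (FastEthernet3/0 0002.559c.f66e) -> 192.168.1.4(23), 1 packet",
    "Dec  6 16:23:02.118: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "10.0.0.9(51234) (FastEthernet3/0 0002.559c.f66e) -> 192.168.1.4(21), 3 packets",
    "Dec  6 16:23:40.007: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "10.0.0.9(51240) (FastEthernet3/0 0002.559c.f66e) -> 192.168.1.5(22), 1 packet",
    "Dec  6 16:24:00.000: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_logp(line))
    print("denied packets by source:", denied_packets_by_source(SAMPLE))
```

The interface name and MAC address in each record tell you which physical port the packet arrived on, which is useful when the same source address appears on more than one interface.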
