Discovery 25: Configure Standard and Extended Acls
Note
When telnetting to port 80 or 443 you might need to press Enter to get the system to respond after the session is established.
On PC1 and PC2, enter the following commands:
PC1# telnet r1
Translating "r1"...domain server (203.0.113.30) [OK]
Trying r1 (198.51.100.2)... Open
Password: (cisco)
Password:
R1> exit
it traverses the network or is dropped by network devices. Unfortunately, ACL logging can be CPU intensive and can negatively affect other functions of the network device. There are two primary factors that contribute to the CPU load increase from ACL logging: process switching of packets that match log-enabled access control entries (ACEs) and the generation and transmission of log messages. Care should be taken when using the log option in a production network.
The ACL is then applied to all router vty lines in the in direction, since the connection attempts will be viewed as inbound from the perspective of the router.
Step 6: Test the ACL by initiating a Telnet session from PC1 to R1. Repeat the test from PC2 to R1. On R1, verify the syslog messages and the ACL matches.
On PC1, PC2, and R1, enter the following commands:
PC1# telnet r1
Translating "r1"...domain server (203.0.113.30) [OK]
Trying r1 (198.51.100.2)... Open
Password: (cisco)
R1> exit
PC2# telnet r1
Translating "r1"...domain server (203.0.113.30) [OK]
Trying r1 (198.51.100.2)...
% Connection refused by remote host
R1#
*Jul 19 04:13:17.927: %SEC-6-IPACCESSLOGNP: list VTY-ACCESS denied 0 203.0.113.40 -> 0.0.0.0, 1 packet
The access list will be applied on R1 to interface Ethernet 0/3 in the inbound direction with the following objectives in mind:
A named extended ACL called TRAFFIC-FILTER is configured with the following ACEs:
Notice the use of the established parameter for two of the ACEs. The established parameter allows only responses to traffic that originated from the 10.10.1.0/24 network to return to that network from any HTTP or HTTPS public server. A match occurs if the returning TCP segment has the ACK or reset (RST) bits set, which indicates that the packet belongs to a pre-established connection. Without the established parameter in the ACL statement, clients could send traffic to a web server, but not receive traffic returning from that web server.
When filtering return traffic, the source port number must be checked. You can see this being accomplished in lines 4, 5, and 6.
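As an added illustration of the established semantics described above (this is not the lab's own ACL; the ACEs, addresses and segments below are constructed for the example), a small Python model of first-match extended ACL evaluation showing why a reply with ACK/RST set is permitted while a fresh connection attempt from the same source port is not, and what changes when the keyword is dropped:

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Minimal model of IOS extended ACL evaluation: ACEs are checked top down, the
# first match decides, and an unmatched packet hits the implicit deny.
# Ace fields: action ("permit"/"deny"), proto ("tcp" or "ip" = any protocol),
# src/dst as CIDR or "any", src_port for "eq <port>" on the source (None if
# absent), established for the established keyword.
Ace = namedtuple("Ace", "action proto src src_port dst established",
                 defaults=(None, "any", False))
# A TCP segment as the router sees it; ack/rst are the TCP flag bits.
Segment = namedtuple("Segment", "proto src_ip src_port dst_ip dst_port ack rst",
                     defaults=(False, False))

def _in(net, ip):
    return net == "any" or ip_address(ip) in ip_network(net)

def matches(ace, seg):
    if ace.proto != "ip" and ace.proto != seg.proto:
        return False
    if not (_in(ace.src, seg.src_ip) and _in(ace.dst, seg.dst_ip)):
        return False
    if ace.src_port is not None and ace.src_port != seg.src_port:
        return False
    # established: only segments with ACK or RST set, i.e. replies to a
    # connection an inside host already opened, never a fresh SYN
    return not ace.established or seg.ack or seg.rst

def evaluate(acl, seg):
    for ace in acl:
        if matches(ace, seg):
            return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL

# Constructed ACEs in the spirit of TRAFFIC-FILTER (the lab's real entries are
# not reproduced here): web replies to 10.10.1.0/24 only when ACK/RST is set.
TRAFFIC_FILTER = [
    Ace("permit", "tcp", "any", 80, "10.10.1.0/24", established=True),
    Ace("permit", "tcp", "any", 443, "10.10.1.0/24", established=True),
    Ace("deny", "ip", "any"),
]
# The same entries without the keyword, to show the gap the text describes.
NO_ESTABLISHED = [a._replace(established=False) for a in TRAFFIC_FILTER]
# Constructed sample segments: a genuine HTTP reply, and a new connection
# attempt arriving with source port 80 (no ACK/RST, so not a reply).
REPLY = Segment("tcp", "203.0.113.40", 80, "10.10.1.10", 51000, ack=True)
NEW_CONN = Segment("tcp", "203.0.113.40", 80, "10.10.1.10", 51000)
```

With TRAFFIC_FILTER, `evaluate` returns "permit" for REPLY and "deny" for NEW_CONN; with NO_ESTABLISHED, NEW_CONN is permitted because source port 80 alone satisfies the first ACE.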
The ACL is applied inbound on R1’s public-facing interface (Ethernet 0/3), since the objective is to filter traffic arriving from the public IP address space.
Step 8: Perform the following tests to verify ACL functionality: