Access Control Lists: Advanced Systems Administration Course
Fred Msumeno, University Computing Centre Ltd, University of Dar es Salaam. E-mail: mfred@udsm.ac.tz, Website: www.udsm.ac.tz
To create an access list, you specify the protocol to filter, you assign a unique name or number to the access list, and you define the packet filtering criteria. A single access list can have multiple filtering criteria statements.

Note: Access lists of some protocols must be identified by a name, and access lists of other protocols must be identified by a number. Some protocols can be identified by either a name or a number. When a number is used to identify an access list, the number must be within the specific range of numbers that is valid for the protocol.
Access list number ranges (cont.)

    Protocol                               Range
    Source-route bridging (vendor code)    700 to 799
    IPX                                    800 to 899
    Extended IPX                           900 to 999
    IPX SAP                                1000 to 1099
    Standard VINES                         1 to 100
    Extended VINES                         101 to 200
    Simple VINES                           201 to 300
Terms
Inbound: traffic that a device receives through its interfaces.
Outbound: traffic that leaves the device through its interfaces.
Standard IP access list: number ranges 1 to 99 and 1300 to 1999; simpler address specifications; generally permits or denies an entire protocol suite.
Extended IP access list: number ranges 100 to 199 and 2000 to 2699; more complex address specifications; generally permits or denies specific protocols.
Configuration example
For a router with two interfaces, FastEthernet 0/0 (LAN interface) and FastEthernet 0/1 (WAN interface), you configure as follows:

    DUCE-RTR#config t
    DUCE-RTR(config)#access-list 107 deny tcp any any eq 445

This tells the router to block TCP packets with destination port 445 from any source to any destination.

    DUCE-RTR(config)#access-list 107 permit ip 196.44.160.128 0.0.0.7 any

This tells the router to permit IP traffic from any address in the network 196.44.160.128 with mask 255.255.255.248 (wildcard 0.0.0.7) to any destination (any network).
Configurations cont
Instead of adding access list entries one by one, you may create the access list in a separate file and then apply the entries at once on the router:

    access-list 107 deny tcp any any eq 1236
    access-list 107 deny udp any any eq 1236
    access-list 107 deny tcp any any eq 1062
    access-list 107 deny udp any any eq 1062
    access-list 107 permit ip 196.44.168.8 0.0.0.7 any
    access-list 107 permit ip 82.206.143.64 0.0.0.7 any
    access-list 107 permit ip 196.44.160.0 0.0.7.255 any
    access-list 107 permit ip 10.103.161.0 0.0.0.255 any
    access-list 107 permit ip 196.44.160.128 0.0.0.7 any
    access-list 107 deny ip any any
Configuration cont
    access-list 108 deny tcp any any range 135 139
    access-list 108 deny udp any any range 135 netbios-ss
    access-list 108 deny tcp any any eq 445
    access-list 108 deny tcp any any eq 1434
    access-list 108 deny udp any any eq 1434
    access-list 108 deny tcp any any eq 6667
    access-list 108 permit ip 196.44.160.128 0.0.0.7 any
    access-list 108 deny ip any any
Cont
Then go to the router configuration mode and apply all access list entries at once. After that, apply access control list 107 as the inbound access list on the LAN interface and access control list 108 as the outbound access list on the WAN interface:

    DUCE-RTR(config)#interface fastEthernet 0/0
    DUCE-RTR(config-if)#ip access-group 107 in

Exit from the LAN interface and go to the WAN interface:

    DUCE-RTR(config)#interface fastEthernet 0/1
    DUCE-RTR(config-if)#ip access-group 108 out

Exit the interface and save the configuration.
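To see why entry order, the wildcard mask and the implicit deny at the end of the list matter, the following added example (not part of the original course material, and not Cisco's implementation) is a small Python model of how an extended ACL is evaluated. It parses the subset of syntax used on this page (ip/tcp/udp, eq, range, a few port keywords) and walks a constructed packet through ACL 107, first match wins.

```python
import ipaddress
# Constructed test input: the two lines of ACL 107 from the first example above.
ACL_107 = """
access-list 107 deny tcp any any eq 445
access-list 107 permit ip 196.44.160.128 0.0.0.7 any
"""
PORT_NAMES = {"netbios-ss": 139, "smtp": 25}  # small subset of IOS port keywords

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match the base, 1 bits are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _addr(tok, i):
    """Return ((base, wildcard), next_index); 'any' is 0.0.0.0 255.255.255.255."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tok[i], tok[i + 1]), i + 2

def parse_acl(text):
    """Parse the extended-ACL subset used on this page: ip/tcp/udp, eq, range."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        ports = None  # destination-port constraint, if any
        if i < len(tok) and tok[i] in ("eq", "range"):
            lo = _port(tok[i + 1])
            ports = (lo, _port(tok[i + 2]) if tok[i] == "range" else lo)
        entries.append((action, proto, src, dst, ports))
    return entries

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, p, src_spec, dst_spec, ports in acl:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, *src_spec) and wildcard_match(dst, *dst_spec)):
            continue
        if ports and not ports[0] <= dport <= ports[1]:
            continue
        return action
    return "deny"
```

A host such as 196.44.160.136 falls outside 196.44.160.128 wildcard 0.0.0.7 (which covers .128 to .135), so its traffic reaches the end of the list and is dropped by the implicit deny even though no entry names it.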
EXERCISE
1. Configure your router LAN interface with an access list that does the following:
   a. Deny TCP access to your network at ports 445 and 135 to 139
   b. Deny UDP access to your network at ports 445, 1236 and 16384 to 16403
   c. Deny any access from your network to the host 196.44.161.110
   d. Deny access from one of the hosts in your network to the internet
   e. Permit access from your network to 196.44.160.0 with mask 255.255.240.0
   f. Permit any access from your network to 82.206.143.64 with mask 255.255.255.248
EXERCISE Cont.
2. Configure your router WAN interface with the following access control lists:
   a. Permit your network to access anything on the internet
   b. Permit the SMTP service from two hosts (mail servers) to any server over the internet

End