Standard, Extended and Named ACL

 In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to control access ◦ Types of Cisco ACLs.  Standard ACL  Extended ACL  Named ACL

 An ACL is a router configuration script that controls whether a router permits or denies packets  By default, a router does not have any ACLs configured and therefore does not filter traffic.

 These are examples of IP ACLs that can be configured in Cisco IOS Software: ◦ Standard ACLs ◦ Extended ACLs ◦ IP-named ACLs ◦ And Others

 Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.  Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.  Configure ACLs on border routers, the routers situated at the edges of your networks to act as a buffer from the outside network

ACL Operation - Inbound ACLs  ACL statements operate in sequential order.  If a packet header and an ACL statement match, the rest of the statements in the list are skipped  If a packet header does not match an statement, the packet is tested against the next statement in the list.  A final implied (IMPLICIT DENY) statement covers all packets for which conditions did not test true.

# access-list 99 deny # access-list 99 permit any

 Extended ACLs ◦ Extended ACLs filter IP packets based on several attributes,  protocol type,  source and IP address, destination IP address,  source TCP or UDP ports, destination TCP or UDP ports ◦ In the figure, ACL 102 deny FTP and Telnet traffic originating from any address on the /24 from leaving the network

Access-list 102 deny tcp any eq telnet Access-list 102 deny tcp any eq ftp Access-list 102 permit any Apply access list ‘inbound’ to Fa 0/1 interface of R1

 Deny all traffic from private IP address  Allow all IP sessions already established with the ack bit turned.  deny anyone from entering your network from the outside with an internal address (spoofing your network) and log each packet occurrence.  deny the infamous Donald Dick and Prosiak ports.  deny the Deepthroat and Sockets des Troie ports.  deny any snmp requests from the outside. SNMP is a valuable tool to hackers for network discovery.  permits packets that were not previously rejected to enter your network.

1. access-list 100 deny ip any log 2. access-list 100 deny ip any log 3. access-list 100 deny ip any log 4. access-list 100 deny ip any host log 5. access-list 100 permit ip any [your network IP address] [your network mask] est 6. access-list 100 deny ip [your network IP address] [your network mask] any log 7. access-list 100 deny tcp any any eq log 8. access-list 100 deny tcp any any range log 9. access-list 100 deny udp any any eq snmp log 10. access-list 100 permit ip any any

 Entry 5—“permit ip any [your network IP address] [your network mask] est”— automatically allows all IP sessions already established with the ack bit turned. The purpose of this entry is to ensure that if your firewall allows a connection request to leave your network, the router doesn’t stop its return.  Entry 6—“deny ip [your network IP address] [your network mask] any log”—denies anyone from entering your network from the outside with an internal address (spoofing your network) and logs each packet occurrence. This is very important for good security.  Entry 7—“deny tcp any any eq log”—denies the infamous Donald Dick and Prosiak ports.  Entry 8—“deny tcp any any range log”—denies the Deepthroat and Sockets des Troie ports.  Entry 9—“deny udp any any eq snmp log”—denies any snmp requests from the outside. SNMP is a valuable tool to hackers for network discovery.  Entry 10—“permit ip any any”—permits packets that were not previously rejected to enter your network.