Access Lists
- What are they?
- Standard Access Lists
- Extended Access Lists
- Enabling and Disabling
- Modifying Access Lists
- DNS Access Example
- Issues and Drawbacks
What are they?
The access list is a group of statements. Each statement defines a pattern that would be found in an IP packet. As each packet comes through an interface with an associated access list, the list is scanned from top to bottom (in the exact order that it was entered) for a pattern that matches the incoming packet. A permit or deny rule associated with the pattern determines that packet's fate. You also can use a mask, which is like a wild card, to determine how much of an IP source or destination address to apply to the pattern match. The pattern statement also can include a TCP or UDP (User Datagram Protocol) port number.
Access list statements are entered one line at a time, and the list is scanned for a match in that same order. If you must make a change, you have to re-enter the entire list. Also, keep in mind that once you associate the list with an interface, any packet not matched by any statement in the list is dropped by default.
Once the access list is entered, you must associate it with the interface on the router where you want to apply the filtering. You can apply the list to incoming packets (an "in" access list) or outgoing packets (an "out" access list). In most cases, either list will work. For out access lists, you need to set up the filter only on the one outgoing interface rather than on the individual incoming interfaces. This improves performance because only traffic headed for the network you are protecting will force a lookup on the access list.
Standard Access Lists
Access lists are generally broken into two major groups, standard and extended. Standard access lists only operate on the Network layer of the OSI model. These are used to block or permit networks from reaching other networks. For example, suppose I have a network with a web server on it. I would like to have the router filter traffic going to that web server so that only a few home users and all users at work can access that machine. I could use a standard access list to permit these allowed hosts and deny traffic from every other host on the Internet.
To enable an access list such as this for IP, we need to configure an access list in the range of 1 to 99. For example:
access-list 1 permit 206.50.17.0 0.0.0.255
The first part, "access-list", is what all access lists start with, regardless of what network technology is used. The next part is "1", which specifies the number of the access list. To add additional rules to this list, you would start each line with "access-list 1". "permit" indicates to the router that this is a rule specifying what should be allowed. Next is the network and mask pair. Notice, however, that the mask is inverted. Normally, for a /24 you would use a netmask of 255.255.255.0, but in access lists the mask bits are inverted (a wildcard mask), so that 255.255.255.0 becomes 0.0.0.255. The 255 in this case means ignore the last octet of the address when looking for a matching packet.
Extended Access Lists
Extended access lists function on both layer 3 and layer 4 of the OSI model. That is, they allow you to filter not only by network address but also by the type of traffic that is being sent or received. Extended access lists are much more flexible and allow for much greater control of traffic into and out of your network than standard access lists.
Let's go through an example to see how extended access lists work.
fred# config t
fred(config)# access-list 100 permit udp any 172.50.10.0 0.0.0.255 eq 53
fred(config)# access-list 100 permit tcp any 172.50.10.0 0.0.0.255 eq 25
fred(config)# access-list 100 deny tcp 172.50.12.0 0.0.0.255 172.50.10.0 0.0.0.255
fred(config)# access-list 100 permit tcp any any
fred(config)# int s1
fred(config-if)# ip access-group 100 in
fred(config-if)# exit
fred(config)# exit
The first line takes us into global configuration mode so that we can set up our access list. The next line configures access list 100 to permit UDP traffic from any source to the 172.50.10.0/24 network on port 53 (DNS). I know that this is for inbound traffic because of the line that says "ip access-group 100 in". When designing access lists, it is important to know beforehand whether you are designing the list for inbound or outbound traffic.
The third line specifies that SMTP traffic (TCP port 25) from any source to 172.50.10.0/24 is to be allowed. Next, TCP traffic from 172.50.12.0/24 is not allowed to go to the network 172.50.10.0/24. Finally, any TCP traffic that did not match any of the above rules is allowed by the line that says "access-list 100 permit tcp any any"; anything else, such as ICMP, falls through to the implicit deny. Because the list is scanned in order, note that SMTP from 172.50.12.0/24 is still permitted by the second line before the deny on the third line is ever reached.
Let's look at another couple of examples.
Denying access to a host
Our first example is a statement that denies access to a host with the IP address of 130.120.110.100. Make sure you are at the "enable" level and enter "config" mode (or config terminal), and enter the following:
access-list 101 deny ip 0.0.0.0 255.255.255.255 130.120.110.100 0.0.0.0
The 255 mask on every octet of the source address signifies that the whole source address in the filter should be ignored. Technically, it doesn't matter what you use as the IP source address here, because it will be ignored. The all-0s mask on the destination address means that you want to apply the entire address. If you wanted to deny access to all addresses on the 130.120.110 network, you would use a mask of 0.0.0.255. The 255 in this case means ignore the last octet of the address when looking for a matching packet.
Allowing access only to HTTP on a host
Here, we permit access only to the HTTP port on the host and deny all other access to the host. This requires two lines:
access-list 101 permit tcp 0.0.0.0 255.255.255.255 130.120.110.100 0.0.0.0 eq 80
access-list 101 deny ip 0.0.0.0 255.255.255.255 130.120.110.100 0.0.0.0
The first statement matches any packet with 130.120.110.100 as the destination IP address and a TCP destination port equal to 80. The second rule matches all IP packets with that destination address, thus denying access to all packets that were not permitted by the previous rule.
Tying Up Loose Ends
Although all unmatched packets are dropped by default, it's still a good idea to end the list with a statement that denies everything. This helps you keep track of the end of the list:
access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Of course, if you want to begin your list by denying specific packets and you want to allow everything else, you would use the same statement with a permit instead of a deny. An easier way to state this is to use the following syntax:
access-list 101 deny ip any any
This statement functions exactly the same as the previous one, and later versions of the IOS will translate the longer version into this shorter version when you display it.
When you display the list, you may find that some of the TCP and UDP port numbers have been changed to a verbose description. We prefer to enter numbers because they are backward-compatible with previous IOS versions.
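Below is an added example, written for this page rather than taken from it or from Cisco IOS: a Python simulator of how an access list is scanned. It parses the statement syntax used on this page (standard lists 1 to 99; extended lists with any, host and address/wildcard pairs; eq/gt/lt/neq with numeric or named ports such as domain and telnet), evaluates each constructed sample packet top to bottom, and returns deny for anything that reaches the end, as the implicit deny does. Names such as Packet, Rule, parse_rule and evaluate are this example's own. The list evaluated is the page's list 100, with the protocol keyword after the action as IOS expects it; the second sample packet shows why statement order matters, since SMTP from 172.50.12.0/24 is permitted by the second line before the deny on the third line is reached.

```python
# Added example, not from the original tutorial or from Cisco IOS: a simulator for the
# top-to-bottom, first-match evaluation of IP access lists, ending in the implicit deny.
# It parses the statement syntax used on this page (standard lists 1-99; extended lists
# with any / host / address+wildcard; eq|gt|lt|neq with numeric or named ports).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")      # what the keyword "any" expands to
PortCond = Optional[Tuple[str, int]]     # (operator, port), or None when no port is given

@dataclass
class Packet:                            # the fields an IP access list can look at
    src: str
    dst: str
    proto: str = "ip"                    # "ip", "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0

@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    proto: str                           # "ip" matches every protocol
    src: Tuple[str, str]                 # (address, wildcard)
    sport: PortCond
    dst: Tuple[str, str]
    dport: PortCond

def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w) == (n & ~w)

def _parse_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; a bare address means one host."""
    if t[i] == "any":
        return ANY[0], ANY[1], i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1

def _parse_port(t: List[str], i: int) -> Tuple[PortCond, int]:
    """Consume an optional 'eq|gt|lt|neq <port>'; <port> may be a name such as domain."""
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        value = t[i + 1]
        return (t[i], PORT_NAMES[value] if value in PORT_NAMES else int(value)), i + 2
    return None, i

def parse_rule(line: str) -> Rule:
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list statement: {line!r}")
    if 1 <= int(t[1]) <= 99:             # standard list: source address only, any protocol
        net, wild, _ = _parse_addr(t, 3)
        return Rule(t[2], "ip", (net, wild), None, ANY, None)
    src_net, src_wild, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst_net, dst_wild, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)
    return Rule(t[2], t[3], (src_net, src_wild), sport, (dst_net, dst_wild), dport)

def _port_ok(cond: PortCond, port: int) -> bool:
    if cond is None:
        return True
    op, value = cond
    return {"eq": port == value, "gt": port > value, "lt": port < value, "neq": port != value}[op]

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    return (wildcard_match(pkt.src, *rule.src) and wildcard_match(pkt.dst, *rule.dst)
            and _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """The first matching statement decides; a packet that reaches the end is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"                        # the implicit deny at the end of every list

# The page's list 100, with the protocol keyword after the action as IOS expects it.
ACL_100 = [parse_rule(s) for s in """
access-list 100 permit udp any 172.50.10.0 0.0.0.255 eq 53
access-list 100 permit tcp any 172.50.10.0 0.0.0.255 eq 25
access-list 100 deny tcp 172.50.12.0 0.0.0.255 172.50.10.0 0.0.0.255
access-list 100 permit tcp any any
""".splitlines() if s.strip()]

def demo_100() -> List[str]:
    """Constructed packets: DNS to the /24 (line 1); SMTP from the 'denied' 172.50.12.0/24, which
    line 2 permits before line 3 is reached; HTTP from that /24 (line 3); a ping nothing matches."""
    pkts = [Packet("10.0.0.5", "172.50.10.7", "udp", 40000, 53),
            Packet("172.50.12.9", "172.50.10.7", "tcp", 40000, 25),
            Packet("172.50.12.9", "172.50.10.7", "tcp", 40000, 80),
            Packet("10.0.0.5", "172.50.10.7", "icmp")]
    return [evaluate(ACL_100, p) for p in pkts]
```

demo_100() returns permit, permit, deny, deny: the ping is dropped by the implicit deny even though no statement mentions it, which is the same behaviour an explicit "deny ip any any" at the end makes visible in the counters. The same evaluate function applied to a list made only of deny statements, like the one in Question 7 further down, returns deny for every packet.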
Enabling and Disabling
In our example above, there are two lines used to apply, or enable, the access list on an interface. The first line is "int s1", which takes you into the configuration for that interface. The second line, "ip access-group 100 in", sets up access list 100 to act as an inbound filter for that interface. An interface can only have one inbound and one outbound access list applied to it at any one time.
As soon as you enter this command, the access list will immediately take effect. It's helpful to start a continuous ping in another window to a host on the other side of the interface that you're filtering, to monitor its accessibility while applying the list. Save your changes with a "write memory", and a "write network" if you're backing your configurations up on a TFTP server.
If we wanted to take down the access list, for example to troubleshoot a connectivity problem, we would need to remove the line from the configuration that says "ip access-group 100 in". To do this, we can type the following:
fred# config t
fred(config)# int s1
fred(config-if)# no ip access-group 100 in
fred(config-if)# exit
fred(config)# exit
This only disables the access list. It does not delete or remove it from the configuration; access-list 100 is still present in the configuration. It is generally advisable, if you are modifying an access list, to disable it before making any modifications, so that if you make a mistake you won't stop any wanted traffic, such as your users' or your own.
Modifying Access Lists
You can use the "show config" command to see which access groups are associated with particular interfaces. This command also will list all of the access list statements at the end. An easier way to look at the access lists is the "show access-lists" command. If you use an access list number as an argument, you will only see that list. (Do this before choosing an access list number to make sure it is not already in use.) This command also will give you statistics on matches to every access list statement. To clear all the statistics, issue "clear access-list counters", using the list number as an argument to designate a specific list.
You cannot easily go back and insert a change into an access list because the statements are processed in the order that they were originally entered into the router. Instead, what many administrators do is use a text editor such as Notepad or Vim to hold a copy of the access list. After viewing the running configuration, copy the access list to your text editor. Make any modifications that you are going to make to the access list. Then you will need to disable the old access list, delete it, add the new one, and enable it again. Here's how you can do that.
fred# config t
fred(config)# int s1
fred(config-if)# no ip access-group 100 in
fred(config-if)# exit
fred(config)# no access-list 100
fred(config)# INSERT YOUR NEW LIST HERE
fred(config)# int s1
fred(config-if)# ip access-group 100 in
fred(config-if)# exit
fred(config)# exit
fred# copy run start
DNS Access Example
Below are the commands to permit DNS access through your firewall to the DNS server 192.168.1.1.
access-list 122 permit udp any gt 1023 host 192.168.1.1 eq domain
access-list 122 permit tcp any gt 1023 host 192.168.1.1 eq domain
access-list 122 permit udp any eq domain host 192.168.1.1 gt 1023
access-list 122 permit tcp any eq domain host 192.168.1.1 gt 1023
access-list 122 permit udp any eq domain host 192.168.1.1 eq domain
Issues and Drawbacks
Access lists are great for doing simple filtering and security for basic networks. However, there are some things to keep in mind when building and implementing them. First, the longer an access list, the more processor time it uses. Really long access lists can slow your router down significantly and even introduce an appreciable delay for users trying to access machines on your network. Second, make sure that you put your most general statements at the top. That is, any statements that affect most of your users should be placed near the top of an access list, while more specific statements that may only affect one machine should be placed near the bottom. Remember that access lists are processed serially, one statement after the other. Third, access lists are not dynamic, so they cannot adapt to changing network or security situations. Therefore, as things get more complex, you might want to consider a true firewall package to use in its place.
Note: If you are not sure about how to use access lists, please read my access list tutorial.
Question 1
Your boss is taking a CCNA training course. Refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)
access-list 101 permit ip any any
A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37 destination port: 21
C. source ip address: 192.168.15.41 destination port: 21
D. source ip address: 192.168.15.36 destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49 destination port: 23
Answer: D E
Explanation
First we notice that Telnet uses port 23, so only D, E and F can satisfy this requirement.
The purpose of this access list is to deny traffic from network 192.168.15.32 255.255.255.240 (to find the subnet mask, just convert every "0" bit to "1" and every "1" bit to "0" of the wildcard mask) to telnet to any device. So we need to figure out the range of this network to learn which IP addresses will be denied.
Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47
-> Only 192.168.15.36 (Answer D) & 192.168.15.46 (Answer E) belong to this range so they are the correct answer.
Question 2
Refer to the graphic. It has been decided that PC1 should be denied access to Server1. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any
Answer: B C
Question 3
Refer to the exhibit. Why would the network administrator configure RA in this manner?
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network
Answer: B
Explanation
Although the access list is used to "permit" network 10.1.1.0/24, the best answer here is "to prevent students from accessing the command prompt of RA". From the picture above, we know that 10.1.1.0/24 is the "Admin" network. This access list is applied to "line vty 0 4", so it will permit only Telnet traffic from "Admin" to RA while dropping all other traffic (because of the implicit "deny all" at the end of the access list). Therefore we can deduce that it will "prevent students from accessing the command prompt of RA".
This access list only filters Telnet traffic (because it is applied to the vty lines), so it will not prevent or allow anyone to access the Internet -> A, D, E are not correct.
C is not correct, as this access list allows administrators to access the console of RA.
F is not correct, as this access list does not process TCP, UDP or IP traffic passing through the router, so the students can still access the Admin network.
(Notice that the "command prompt" here implies Telnet, as Telnet is the only way to remotely access RA.)
Question 4
An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255
Answer: C
Explanation
The four statements above allow four networks (from 172.29.16.0/24 to 172.29.19.0/24) to go through, so we can summarize them as network 172.29.16.0/22. A /22 is 255.255.252.0, which equals 0.0.3.255 when converted into a wildcard mask -> C is correct.
A, B, D are not correct as their wildcard masks are false. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255
Both the network address and wildcard mask of answer E are false as it allows the whole major network 172.29.0.0/16 to go through.
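The wildcard-mask arithmetic in the Question 1 and Question 4 explanations, as an added Python example written for this page (it is not from the page, from Cisco, or from any exam tool): invert_mask flips a subnet mask into a wildcard and back, is_contiguous checks that a wildcard describes a single subnet, wildcard_range returns the network, broadcast, prefix length and block size that the Question 1 explanation works out by hand, and summarize finds the one statement covering a set of networks and flags the case where no single statement is exact (two non-adjacent /24s, for instance). The Q1_OPTIONS and Q4_OPTIONS tables hold the options as printed on the page (Question 4's option A is not printed, so it is omitted); the function names are this example's own.

```python
# Added example, not from the original page: the wildcard-mask arithmetic that the
# Question 1 and Question 4 explanations do by hand. The option tables below are copied
# from the questions as printed on this page.
import ipaddress
from typing import Dict, List, Tuple

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def invert_mask(dotted: str) -> str:
    """Subnet mask <-> wildcard mask: flip every bit (255.255.255.240 <-> 0.0.0.15)."""
    return _to_str(_to_int(dotted) ^ 0xFFFFFFFF)

def is_contiguous(wild: str) -> bool:
    """A wildcard describes exactly one subnet only if its 1 bits form a single run at the
    low end (0.0.0.15 yes; 0.0.0.240 no: IOS accepts it, but it is not a subnet)."""
    w = _to_int(wild)
    return (w & (w + 1)) == 0

def wildcard_range(net: str, wild: str) -> Tuple[str, str, int, int]:
    """Network address, broadcast address, prefix length and block size ('increment')."""
    if not is_contiguous(wild):
        raise ValueError(f"wildcard {wild} does not describe a single subnet")
    w = _to_int(wild)
    network = _to_int(net) & ~w                  # clear the ignored (host) bits
    return _to_str(network), _to_str(network | w), 32 - w.bit_length(), w + 1

def in_range(addr: str, net: str, wild: str) -> bool:
    first, last, _, _ = wildcard_range(net, wild)
    return _to_int(first) <= _to_int(addr) <= _to_int(last)

def summarize(networks: List[str]) -> Tuple[str, str, bool]:
    """Smallest single (address, wildcard) statement covering every given CIDR network.
    The flag is False when that statement would also match addresses outside the list."""
    nets = [ipaddress.ip_network(n) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1                              # shorten until lo and hi share the prefix
    block = ipaddress.ip_network((lo, prefix), strict=False)
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return str(block.network_address), invert_mask(str(block.netmask)), covered == block.num_addresses

# Question 1's options (source address, destination port) as printed on the page.
Q1_OPTIONS = {"A": ("192.168.15.5", 21), "B": ("192.168.15.37", 21), "C": ("192.168.15.41", 21),
              "D": ("192.168.15.36", 23), "E": ("192.168.15.46", 23), "F": ("192.168.15.49", 23)}

def q1_denied() -> List[str]:
    """Options hit by the explanation's statement: deny telnet from 192.168.15.32 0.0.0.15."""
    return [k for k, (src, port) in Q1_OPTIONS.items()
            if port == 23 and in_range(src, "192.168.15.32", "0.0.0.15")]

# Question 4's options as printed on the page (option A's statement is not shown there).
Q4_OPTIONS: Dict[str, Tuple[str, str]] = {"B": ("172.29.16.0", "0.0.1.255"),
                                          "C": ("172.29.16.0", "0.0.3.255"),
                                          "D": ("172.29.16.0", "0.0.15.255"),
                                          "E": ("172.29.0.0", "0.0.255.255")}

def q4_answer() -> str:
    """The option whose statement has exactly the effect of the four /24s 172.29.16.0-172.29.19.0."""
    net, wild, exact = summarize([f"172.29.{i}.0/24" for i in range(16, 20)])
    assert exact, "no single statement matches the four networks exactly"
    return next(letter for letter, stmt in Q4_OPTIONS.items() if stmt == (net, wild))
```

wildcard_range("192.168.15.32", "0.0.0.15") gives the network .32, broadcast .47, /28 and block size 16 that the Question 1 explanation lists, so q1_denied() returns D and E, and q4_answer() returns C. The exactness flag from summarize is the check worth keeping in practice: a summary that is not exact permits addresses none of the original statements permitted.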
Question 5
A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?
A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any
Answer: A
Explanation:
First, the question asks to block only Telnet access, so the port we have to use is 23 -> C is not correct.
Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 when converted to a wildcard mask (just invert all bits of the subnet mask, from 0 to 1 and from 1 to 0, to get the equivalent wildcard mask) -> so B is incorrect.
In this case, we have to use an extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses a standard access list number.
Question 6
As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?
A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out
Answer: C
Question 7
The following access list was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
How will the above access list affect traffic?
A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied
Answer: D
Explanation:
There is always an implicit "deny all" at the end of every access list, so if an access list doesn't have any "permit" statement, it will block all the traffic. If we used the command "access-list 135 permit ip any any" at the end of this access list, then the answer would be C – FTP traffic from 192.169.1.9 to any host will be denied.
Question 8
The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8
Answer: B D
Explanation
Below is the simple syntax of an extended access list:
access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-wildcard] dest [dest-wildcard] [eq dest-port]
Notice that this access list is applied to the Ethernet interface of R1 in the "in" direction, so in this case it will filter all the packets originating from the E1 network (hosts PC1 and PC2) with these parameters:
Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8/30 (subnet mask 255.255.255.252; just invert all the wildcard bits to get the equivalent subnet mask) -> packets from 5.1.1.8 to 5.1.1.11 will be filtered.
Destination network: 5.1.3.0 0.0.0.255, which means 5.1.3.0/24 -> packets to 5.1.3.0/24 will be filtered.
Therefore packets originating from 5.1.1.8 to 5.1.1.11 with a destination of host 5.1.3.x (via Telnet) will be denied.
Question 9
The following configuration line was added to router R1:
access-list 101 permit ip 10.25.30.0 0.0.0.255 any
What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packets matching the last octet of the destination address and accept all source addresses
C – permit all packets matching the host bits in the source address to all destinations
D – permit all packets from the third subnet of the network address to all destinations
Answer: A
Comments
- name
September 13th, 2012
Where it is possible to buy the,
- Anonymous
September 16th, 2012
Thanks for sharing all the review for this page. I would just like to point out a simple "typo" error in question 1 concerning subnet # 192.168.15.32/29. with subnet mask of 255.255.255.240 with an increment of 16
Instead ….a /29 should have a mask of 255.255.255.248 with an increment of 8.
I hope the actual question does not reflect the typo error.
- Anonymous
September 16th, 2012
In connection with the above statement about the typo … I would think it's best to look at and pay attention to the actual ACL statement, instead of the actual diagram.
I'm in the process of taking my exams soon and I hope this is not one of the world famous Cisco exam tricks to confuse us …LOL
Take note that the ACL statement says ….
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
Calculating….. 255-15 = 240 which is our subnet mask of 255.255.255.240
- Anonymous
September 16th, 2012
Yeah, 192.168.15.40/29 is not even a subnet but is an actual host address of the 192.168.15.32/29 network
Better watch out since Cisco will be out there to trick you!
Number of Usable Addresses: 14
Network Address: 192.168.15.32
Broadcast Address: 192.168.15.47
First Host Address: 192.168.15.33
<<<<<our 192.168.15.40 is between these range
Last Host Address: 192.168.15.46