ACL(Access Control Lists) - PowerPoint PPT Presentation

Provided by: acuk
Slides: 20

Transcript and Presenter's Notes

1
ACL (Access Control Lists)
  • Standard, Extended and Named ACLs

2
Objectives
  • In this lesson, you will learn:
  • The purpose of ACLs
  • Their application to an enterprise network
  • How ACLs are used to control access
  • Types of Cisco ACLs:
  • Standard ACLs
  • Extended ACLs
  • Named ACLs

3
ACL (Access Control Lists)
  • An ACL is a router configuration script that
    controls whether a router permits or denies
    packets
  • By default, a router does not have any ACLs
    configured and therefore does not filter traffic.

4
Types of ACL
  • These are examples of IP ACLs that can be
    configured in Cisco IOS Software:
  • Standard ACLs
  • Extended ACLs
  • IP named ACLs
  • and others

5
Guidelines for using ACLs
  • Use ACLs in firewall routers positioned between
    your internal network and an external network
    such as the Internet.
  • Use ACLs on a router positioned between two parts
    of your network to control traffic entering or
    exiting a specific part of your internal network.
  • Configure ACLs on border routers, the routers
    situated at the edges of your networks, to act as
    a buffer from the outside network.

6
ACL Operation - Inbound ACLs
  • ACL statements are evaluated in sequential order.
  • If a packet header matches an ACL statement, the
    rest of the statements in the list are skipped.
  • If a packet header does not match a statement,
    the packet is tested against the next statement
    in the list.
  • A final implied statement (the IMPLICIT DENY)
    covers all packets for which no condition tested
    true.

7
Placement of Standard ACL
access-list 99 deny 192.168.10.0 0.0.0.255
access-list 99 permit any

8
Extended ACL
  • Extended ACLs filter IP packets based on several
    attributes:
  • protocol type,
  • source IP address and destination IP address,
  • source TCP or UDP ports and destination TCP or UDP
    ports.
  • In the figure, ACL 102 denies FTP and Telnet
    traffic originating from any address on the
    192.168.10.0/24 network from leaving the network.

9
Placement of ACLs - Extended
access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq ftp
access-list 102 permit ip any any
Apply the access list inbound on the Fa0/1 interface of R1.

10
Commenting ACLs
11
Standard named ACL
12
NACL example
13
Extended NACLs
14
Editing named ACLs
15
Example Network: Controlling inbound access
  • Deny all traffic from private IP addresses.
  • Allow all IP sessions already established, i.e.
    with the ACK bit set.
  • Deny anyone from entering your network from the
    outside with an internal address (spoofing your
    network) and log each packet occurrence.
  • Deny the infamous Donald Dick and Prosiak ports.
  • Deny the Deepthroat and Sockets des Troie ports.
  • Deny any SNMP requests from the outside. SNMP is
    a valuable tool to hackers for network discovery.
  • Permit packets that were not previously rejected
    to enter your network.

16
Example: Inbound access control list
  1. access-list 100 deny ip 10.0.0.0 0.255.255.255
     any log
  2. access-list 100 deny ip 172.16.0.0 0.15.255.255
     any log
  3. access-list 100 deny ip 192.168.0.0 0.0.255.255
     any log
  4. access-list 100 deny ip any host 127.0.0.1 log
  5. access-list 100 permit tcp any <your network IP
     address> <your network wildcard mask> established
  6. access-list 100 deny ip <your network IP address>
     <your network wildcard mask> any log
  7. access-list 100 deny tcp any any eq 22222 log
  8. access-list 100 deny tcp any any range 60000
     60020 log
  9. access-list 100 deny udp any any eq snmp log
  10. access-list 100 permit ip any any

17
Explaining commands
  • Entry 5 (permit tcp any <your network IP address>
    <your network wildcard mask> established)
    automatically allows all IP sessions already
    established, i.e. with the ACK bit set. The
    purpose of this entry is to ensure that if your
    firewall allows a connection request to leave your
    network, the router doesn't stop its return.
  • Entry 6 (deny ip <your network IP address> <your
    network wildcard mask> any log) denies anyone from
    entering your network from the outside with an
    internal address (spoofing your network) and logs
    each packet occurrence. This is very important
    for good security.
  • Entry 7 (deny tcp any any eq 22222 log) denies
    the infamous Donald Dick and Prosiak ports.
  • Entry 8 (deny tcp any any range 60000 60020 log)
    denies the Deepthroat and Sockets des Troie ports.
  • Entry 9 (deny udp any any eq snmp log) denies any
    SNMP requests from the outside. SNMP is a
    valuable tool to hackers for network discovery.
  • Entry 10 (permit ip any any) permits packets that
    were not previously rejected to enter your
    network.
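
The matching rules on slide 6 (entries tested top to bottom, first match wins, implicit deny at the end) and the numbered ACLs on slides 7, 9 and 16 can be exercised offline with the evaluator below. It is an added example, not code from the slides or from Cisco IOS: it models wildcard-mask address matching, the eq/range port operators and the TCP established keyword in Python; the documentation prefix 203.0.113.0/24 is a constructed stand-in for "your network", the port-name table is a small subset of the IOS names, and "established" is treated as the ACK flag being set (IOS also accepts RST).

```python
# Added example, not code from the original slides: a small evaluator that
# applies Cisco-style numbered IP ACLs the way slide 6 describes (entries tested
# top to bottom, first match wins, implicit deny at the end), with wildcard-mask
# matching, eq/range port operators and the TCP "established" test.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "snmp": 161}  # subset of IOS names
ANY = ("0.0.0.0", "255.255.255.255")                             # the "any" keyword

# One parsed ACL entry: proto "ip" matches every protocol; src/dst are
# (address, wildcard mask); sports/dports are inclusive ranges or None.
Entry = namedtuple("Entry", "action proto src sports dst dports established log")


@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag; "established" tests this (IOS also accepts RST)


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    ip = lambda s: int(ipaddress.IPv4Address(s))
    care = ~ip(wildcard) & 0xFFFFFFFF
    return ip(addr) & care == ip(network) & care


def _take_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' (standard-ACL host)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    if tokens and tokens[0].replace(".", "").isdigit():
        return (t, tokens.pop(0))
    return (t, "0.0.0.0")


def _take_ports(tokens):
    """Consume an optional 'eq P' or 'range LO HI' operator; None if absent."""
    port = lambda tok: PORT_NAMES.get(tok) or int(tok)
    if tokens and tokens[0] == "eq":
        p = port(tokens[1]); del tokens[:2]
        return (p, p)
    if tokens and tokens[0] == "range":
        lo, hi = port(tokens[1]), port(tokens[2]); del tokens[:3]
        return (lo, hi)
    return None


def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines, standard (1-99, 1300-1999) or extended."""
    entries = []
    for line in lines:
        tok = line.lower().split()
        if not tok or tok[0] != "access-list":
            continue
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if number <= 99 or 1300 <= number <= 1999:   # standard ACL: source address only
            entries.append(Entry(action, "ip", _take_addr(rest), None, ANY, None, False, "log" in rest))
        else:                                        # extended ACL
            proto = rest.pop(0)
            src, sports = _take_addr(rest), _take_ports(rest)
            dst, dports = _take_addr(rest), _take_ports(rest)
            entries.append(Entry(action, proto, src, sports, dst, dports,
                                 "established" in rest, "log" in rest))
    return entries


def entry_matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    if e.sports and not e.sports[0] <= p.sport <= e.sports[1]:
        return False
    if e.dports and not e.dports[0] <= p.dport <= e.dports[1]:
        return False
    if e.established and not (p.proto == "tcp" and p.ack):
        return False
    return True


def evaluate(entries, packet):
    """Return (action, 1-based entry number or None for the implicit deny, logged)."""
    for i, e in enumerate(entries, start=1):
        if entry_matches(e, packet):      # first match wins; later entries are skipped
            return e.action, i, e.log
    return "deny", None, False            # the implied final statement


# Slide 16's inbound ACL 100, with the constructed documentation prefix
# 203.0.113.0/24 standing in for "your network".
ACL_100 = parse_acl([
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any log",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list 100 deny ip any host 127.0.0.1 log",
    "access-list 100 permit tcp any 203.0.113.0 0.0.0.255 established",
    "access-list 100 deny ip 203.0.113.0 0.0.0.255 any log",
    "access-list 100 deny tcp any any eq 22222 log",
    "access-list 100 deny tcp any any range 60000 60020 log",
    "access-list 100 deny udp any any eq snmp log",
    "access-list 100 permit ip any any",
])

if __name__ == "__main__":
    # Constructed packets: private source, a reply to an established session,
    # an outside packet spoofing an internal address, an SNMP probe.
    for pkt in (Packet("tcp", "10.1.2.3", "203.0.113.5", 40000, 80),
                Packet("tcp", "198.51.100.7", "203.0.113.5", 443, 51000, ack=True),
                Packet("tcp", "203.0.113.9", "203.0.113.5", 1234, 22222),
                Packet("udp", "198.51.100.7", "203.0.113.5", 1234, 161)):
        print(pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, evaluate(ACL_100, pkt))
```

Running the constructed packets through ACL 100 shows why the entries are ordered as they are: a packet from a private source is stopped and logged by entry 1, a reply to an established session is accepted by entry 5, and an outside packet carrying a spoofed internal source address is caught by entry 6 before the trojan-port checks, so it is logged as a spoof rather than as a port probe. Parsing slide 7's ACL 99 with only its deny line and evaluating any other packet returns the implicit deny with no matching entry number.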

18
Monitoring and verifying ACLs
19
Task: Configure standard and extended ACLs