Saturday, August 27, 2011

Extended Access Control Lists (ACLs) breakdown

I’m working on ACLs, so I thought I would write something about them. I’ve come across a lot of  good information like Cisco is easy's ACL posts, but I wanted to suppliment and visualize the options available when writing or determining what ACLs are doing. So, this tid bit covers  Extended ACLs and the options available to them. 

I wrote up two examples that I hope explore what Extended ACLs can do. It’s important to bare in mind that there are 3 ways to write the address portions of an ACL.

 The first is with the “host” option:
access-list 110 permit tcp host 10.0.200.1 any eq 80

 The second is via wild card mask:
access-list 110 permit tcp 172.16.26.2 0.0.31.255 any eq 80

The third is the “any” option which can also be written as “0.0.0.0 255.255.255.255” .

access-list 110 permit tcp any any eq 80
or  
access-list 110 permit tcp 0.0.0.0 255.255.255.255 any eq 80

The last trick to keep in mind is when applying ACL filtering to all traffic from a subnet or IP range, the source traffic type should be “IP” - 
access-list 192 deny IP any 10.1.1.0 0.255.255.255 
This ACL denies everything to the 10.1.1.0/8 network. This essentially blocks all IP traffic. 

--

Let’s look at two examples:

The first example denies the workstation with address 192.168.10.1 access to web services on any server in the 10.1.0.0 /16 subnet. In this case, traffic destined for http (port 80) will get filtered no matter what source port it originates from. 

access-list 110 deny tcp host 192.168.10.1 10.1.1.0 0.0.255.255 eq 80

The second example is to permit tftp traffic from any host in the 192.160.0.0 /20 network to any server in the 10.1.1.0/24 network. With this ACL I am not only filtering traffic going to port 69, but I’m only allowing that traffic to originate from port 69. Granted this is something you’ll never see, it proves the point of filtering source ports as well as destination.

access-list 198 permit udp 192.168.20.0 0.0.15.255 eq tftp 10.1.1.0 0.0.0.255 eq 69

Let's break the ACL down a bit.




Then we should have a look at the options available for extended ACLs.



Now that we have a good visual representation of the extended ACLs lets see it in action. Here is the simple set up. 


 I entered the second extended ACL (example #2, ACL #198) to show the source port filtering option. This ACL is placed on interface fast ethernet 0/1, the interface that the 192.168.20.20/20 network is connected to. It is placed to filter inbound traffic. 

I tend to think of ACLs as nets on the interface. So, when traffic is coming in it gets caught in the net. Pardon my poor drawing skills.


  Extended ACLs are to be placed closest to the source. Which to me, makes sense. I would think you would want the traffic to be filtered before your routers have to do any wasted work routing packets that will just get dropped by the ACL.

I generated some traffic from port 69 on PC 0 with IP 192.168.20.20 and of course the destination was the TFTP server, port 69 with the address 10.1.1.254. You can see a packet from PC0 make its way here:

*Note: the packet was dropped at the TFTP server due to the absence of data in the packet. It was sent from a traffic generated and contained no upper  layer data. So, it was dropped at the server.



Next, I sent some random generated traffic out of PC0 to the TFTP server. this came out of port 64353 going to destination port 69. In this case, the destination port and address were in the ACL: 
access-list 198 permit udp 192.168.20.0 0.0.15.255 eq tftp 10.1.1.0 0.0.0.255 eq 69
However the source port, 64353 is not in the ACL and so it doesn't match the rule and so it falls to the hidden catch all at the end of every ACL, 
deny any any

You can see the hidden deny rule take effect and the source and destination ports in the following:
*Note: the receiving port noted is port fa0/1 on the router where the ACL is placed inbound.



Hopefully, this sheds some light on the options and ways to write extended ACLs. To supplement this I've added some explanations of what the options are that are available in the ACLs.

 deny    Specify packets to reject

 permit  Specify packets to forward
 remark  Access list entry comment

ahp    Authentication Header Protocol
  eigrp  Cisco's EIGRP routing protocol
  esp    Encapsulation Security Payload
  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol

A.B.C.D  Source address
  any      Any source host
  host     A single source host

  A.B.C.D  Source wildcard bits

A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers

  A.B.C.D  Destination wildcard bits
  <0-65535>  Port number
  ftp        File Transfer Protocol (21)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  telnet     Telnet (23)
  www        World Wide Web (HTTP, 80)

dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  established
  gt           Match only packets with a greater port number
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  range        Match only packets in the range of port numbers

etc.

1 comment: