All the topics discussed to this point in the chapter have covered the different steps that an administrator needs to take to protect the router itself. The next step you need to learn is how to configure the router to protect the network behind it. This can be done by using access lists or enhanced access lists, such as dynamic or time-based access lists. If a device is running a security image, those networks can also be protected by using Context-Based Access Control (CBAC).
On a router, access lists are used as packet filters to decide which packets can go across a certain interface. Packets that are allowed on an interface are called permitted packets, and packets that are not allowed are called denied packets. Access lists can consist of one or more statements that determine what data is permitted and denied on an interface. The statements are known as Access Control Entries (ACEs). It is important to use well-written access lists to restrict access, because Cisco router security is highly dependent on them for filtering packets as they travel across the network.
A router can identify an access list by either a name or a number. Table 8-2 lists some of the commonly used access list numbers and their associated types.
Access List Number | Type |
---|---|
1-99 | IP standard access list |
100-199 | IP extended access list |
800-899 | IPX standard access list |
1000-1099 | IPX SAP access list |
1300-1999 | IP standard access list (expanded range) |
2000-2699 | IP extended access list (expanded range) |
Starting with Cisco IOS version 11.2, access lists can be identified by a name rather than just by a number. By using named access lists, you can identify an access list more easily than if you are using numbered access lists alone. The command syntax for named access lists is also slightly different. As stated in Table 8-2, there are two types of IP access lists:
Standard IP access lists: This type can filter IP packets based on the source address only.
Extended IP access lists: This type can filter IP packets based on several attributes, including the following:
- Source IP address
- Destination IP address
- Source TCP or UDP port
- Destination TCP or UDP port
- Protocol
The command syntax for a standard numbered access list is as follows:

```
access-list access-list-number {deny | permit} source [source-wildcard]
```
Table 8-3 describes the commands you can use when configuring a numbered access list.
Command | Description |
---|---|
access-list-number | Serves dual purposes: it identifies the access list, and its number range identifies the type of list (for a standard IP access list, 1 to 99 or 1300 to 1999, as listed in Table 8-2). |
deny | Drops all packets matching the specified source address. |
permit | Allows all packets matching the specified source address to flow through the interface. |
source | Specifies the IP address of a host or of a group of hosts (if a wildcard mask is specified). |
source-wildcard | The wildcard mask applied to the source address to select the group of hosts whose packets are to be examined. |
Example 8-7 shows a standard numbered access list.

```
Brussels(config)# access-list 1 permit 10.1.4.3
Brussels(config)# access-list 1 deny 10.1.0.0 0.0.255.255
Brussels(config)# access-list 1 permit 10.0.0.0 0.255.255.255
```
Network 10.0.0.0 is a class A address whose second octet specifies a subnet; the subnet mask is 255.255.0.0. The third and fourth octets of the 10.0.0.0 address specify a particular host. The access list in Example 8-7 accepts one address (10.1.4.3) from subnet 10.1.0.0 and rejects all other addresses from that subnet. Because entries are evaluated in order and the first match wins, the host entry must precede the deny for its subnet. The last line accepts addresses on all other 10.0.0.0 subnets.
NOTE
When building either standard numbered or named access lists, the end of the access list is by default an implicit deny all statement. Also, if you do not specify a mask, the mask defaults to 0.0.0.0.
In addition to the keywords described previously, standard numbered IP access lists support the keywords described in Table 8-4.
Keyword | Description |
---|---|
any | Specifies any host. This is the same as typing 0.0.0.0 255.255.255.255. |
host | Specifies an exact host match. This is the same as using a mask of 0.0.0.0. |
log | Enables the logging of packets that match the deny or permit statement. |
The syntax for creating a standard named access list is as follows:

```
ip access-list standard access-list-name
 {deny | permit} source [source-wildcard]
```
The command syntax for an extended numbered access list is as follows:

```
access-list access-list-number {deny | permit} {protocol-number | protocol-keyword}
 {source source-wildcard | any | host source} [operator source-port]
 {destination destination-wildcard | any | host destination} [operator destination-port]
 [established] [log | log-input]
```
Table 8-6 describes the commands that can be used when configuring extended numbered access lists.
Command | Description |
---|---|
access-list-number | Represents the number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699. |
deny | Denies access if the conditions are matched. |
permit | Permits access if the conditions are matched. |
protocol-number | Specifies an integer in the range from 0 to 255 representing an Internet protocol number. |
protocol-keyword | Represents the name of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp, or udp. |
source | Represents the number of the network or host from which the packet is being sent. |
source-wildcard | Represents the wildcard bits to be applied to source. |
source-port | Specifies the port from which the packet originated. |
destination | Represents the number of the network or host to which the packet is being sent. |
destination-wildcard | Represents the wildcard bits to be applied to the destination. |
destination-port | Specifies the port to which the packet is being sent. |
operator | Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number. |
established | Represents the TCP protocol only. Indicates an established connection. A match occurs if the TCP datagram has the ACK, FIN, PSH, RST, or URG control bits set. The nonmatching case is that of the initial TCP datagram to form a connection. |
log | Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number; whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. By default, the message is generated for the first packet that matches and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. |
log-input | Includes the input interface and source MAC address or VC in the logging output. |
any | Specifies any host. This is the same as using 0.0.0.0 255.255.255.255. |
host | Specifies an exact host match. This is the same as a wildcard mask of 0.0.0.0. |
Example 8-8 shows an extended numbered access list.

```
Brussels(config)# access-list 101 permit tcp any 134.34.0.0 0.0.255.255
Brussels(config)# access-list 101 permit tcp any host 134.35.1.1 eq smtp
```
In this example, all TCP packets with a destination in network 134.34.0.0 (wildcard 0.0.255.255) are permitted. All SMTP packets going to 134.35.1.1, which is a mail server, are also permitted by this access list; any other packet falls through to the implicit deny.
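To make the matching rules of Examples 8-7 and 8-8 concrete, the following added example (not IOS code and not from the book) parses the statement forms used on this page, applies wildcard masks the way the router does, honours first-match ordering, and falls through to the implicit deny. The parser grammar, the PORT_NAMES table and the sample packet addresses are assumptions constructed for the illustration.

```python
"""Simulate Cisco IOS numbered access-list matching (standard and extended).
Added illustration for Examples 8-7 and 8-8; it is not IOS code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: this parser covers only the statement forms used on this page:
#   access-list N {permit|deny} SRC [WILDCARD]                 (standard)
#   access-list N {permit|deny} PROTO SRC DST [eq PORT]        (extended)
# where SRC/DST is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
PORT_NAMES = {"smtp": 25, "telnet": 23, "www": 80}   # the service names this page uses

@dataclass
class Packet:
    proto: str                 # 'tcp', 'udp', 'icmp', ...
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Entry:
    action: str
    proto: str                 # 'ip' matches every protocol
    src: int
    src_wild: int              # wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wild: int
    dport: Optional[int]

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _address(tokens: List[str]) -> Tuple[int, int]:
    """Consume one address specification, returning (address, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    addr = _ip(tok)
    if tokens and tokens[0][0].isdigit():      # an explicit wildcard follows
        return addr, _ip(tokens.pop(0))
    return addr, 0                             # no mask given: defaults to 0.0.0.0

def parse(line: str) -> Entry:
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens.pop(0)
    number = int(tokens.pop(0))
    action = tokens.pop(0)
    if 1 <= number <= 99 or 1300 <= number <= 1999:     # standard: source only (Table 8-2)
        src, wild = _address(tokens)
        return Entry(action, "ip", src, wild, 0, 0xFFFFFFFF, None)
    proto = tokens.pop(0)                                # extended
    src, src_wild = _address(tokens)
    dst, dst_wild = _address(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        port = tokens[1]
        dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return Entry(action, proto, src, src_wild, dst, dst_wild, dport)

def _wild_match(addr: int, pattern: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; all other bits must be equal.
    return (addr | wild) == (pattern | wild)

def matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and _wild_match(_ip(p.src), e.src, e.src_wild)
            and _wild_match(_ip(p.dst), e.dst, e.dst_wild)
            and (e.dport is None or e.dport == p.dport))

def evaluate(acl: List[str], p: Packet) -> str:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for line in acl:
        entry = parse(line)
        if matches(entry, p):
            return entry.action
    return "deny"

# The lists from Examples 8-7 and 8-8
ACL_1 = ["access-list 1 permit 10.1.4.3",
         "access-list 1 deny 10.1.0.0 0.0.255.255",
         "access-list 1 permit 10.0.0.0 0.255.255.255"]
ACL_101 = ["access-list 101 permit tcp any 134.34.0.0 0.0.255.255",
           "access-list 101 permit tcp any host 134.35.1.1 eq smtp"]

if __name__ == "__main__":
    for src in ("10.1.4.3", "10.1.9.9", "10.7.1.1", "172.16.1.1"):   # constructed sources
        print("acl 1", src, evaluate(ACL_1, Packet("tcp", src, "192.0.2.1")))
    for pkt in (Packet("tcp", "198.51.100.7", "134.34.8.8", 443),    # constructed packets
                Packet("tcp", "198.51.100.7", "134.35.1.1", 25),
                Packet("tcp", "198.51.100.7", "134.35.1.1", 80),
                Packet("udp", "198.51.100.7", "134.34.8.8", 53)):
        print("acl 101", pkt.proto, pkt.dst, pkt.dport, evaluate(ACL_101, pkt))
```

Swapping the order of the first two lines of ACL_1 makes 10.1.4.3 hit the subnet deny first, which is the ordering mistake the first-match rule punishes; the UDP packet to 134.34.8.8 shows that an entry keyed on tcp says nothing about other protocols, so it ends in the implicit deny.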
The syntax for an extended named access list is as follows:

```
ip access-list extended access-list-name
 {deny | permit} {protocol-number | protocol-keyword}
 {source source-wildcard | any | host source} [operator source-port]
 {destination destination-wildcard | any | host destination} [operator destination-port]
 [established] [log | log-input]
```
All keywords have the same meaning as with the numbered extended access lists.
NOTE
You can add a comment to a numbered or named access list with the remark keyword, which helps you recognize what the access list is for. A remark can contain up to 100 characters.

```
access-list 101 remark allow traffic to mail server
```
Access lists must be applied to a router interface to take effect. When an access list is applied to an interface, you also have to configure the direction of the data flow, as shown in Figure 8-1.
As you can see in Figure 8-1, there are two directions:
Inbound: The access list is applied to packets flowing toward the router interface.
Outbound: The access list is applied to packets flowing away from the router interface.
The interface command to apply an access list to an interface is as follows:

```
ip access-group {access-list-number | access-list-name} {in | out}
```
Table 8-7 describes the keywords you can use when assigning the access list to an interface.
Keyword | Description |
---|---|
access-list-number | Number of the IP standard or extended numbered access list |
access-list-name | Name of the IP standard or extended named access list |
in | Filters on inbound packets |
out | Filters on outbound packets |
To display the access list you configured, use the show access-lists command followed by the access list name or number; entered without an argument, it shows all access lists configured on the device. There are many more show commands for access lists.
Several types of enhanced access lists can be configured on a router. So far, only standard and extended access lists have been discussed in this chapter. Enhanced access lists were designed to secure routers and their networks better. Each has special features, and which one you select depends on your particular security needs. The following types of access lists are available:
- Dynamic access lists
- Time-based access lists
- Reflexive access lists
Dynamic access lists, also known as lock-and-key, create specific, temporary openings in response to user authentication. It is highly recommended to use a TACACS+ server for the authentication of the user. TACACS+ provides authentication, authorization, and accounting services and is discussed in more detail in Chapter 11. In the example illustrated in Figure 8-2, no TACACS+ server has been included for authentication for the sake of simplicity. Figure 8-2 shows a user connected to the Internet. The user is trying to connect to a device in the internal network.
To be able to connect to the device, the user needs a dynamic access list on Router A and a username for local authentication. Configure a username so that the user can access the device by using the following command:

```
Tokyo(config)#username user password te5t
```
Because you should not count on the user to issue the access-enable command correctly, you need the lines that follow under vty 0 4. The access-enable command is used to create a temporary access list entry in a dynamic access list.

```
Tokyo(config)#line vty 0 4
Tokyo(config-line)#login local
Tokyo(config-line)#autocommand access-enable host timeout 10
```
The autocommand used in this example is executed immediately when a user logs in via Telnet.
NOTE
The 10 in the syntax above is the idle timeout of the temporary access list entry and can be overridden by the timeout in the dynamic access list.
You can define an extended access list that is applied when any user logs in to the router and the access-enable command is issued. The maximum absolute time for this hole in the filter is set to 15 minutes. After 15 minutes, the hole closes whether or not anyone is using it. The name dyntest is required but is not otherwise significant.

```
Tokyo(config)#access-list 101 dynamic dyntest timeout 15 permit ip any any
```
After that, define the access list needed to block everything except the ability to use Telnet to access the router. Users must telnet into this router to authenticate themselves as valid users. Therefore, the following line is needed for users to be able to telnet into this router:

```
Tokyo(config)#access-list 101 permit tcp any host 142.2.65.6 eq telnet
```
Now you only have to apply the access list to the interface on which the users arrive.

```
Tokyo(config)#interface FastEthernet0/0
Tokyo(config-if)#ip access-group 101 in
```
When you use the show access-lists command, the access list looks like this before any user has reached the router via Telnet:

```
Tokyo#sh access-lists
Extended IP access list 101
    Dynamic dyntest permit ip any any
    permit tcp any host 142.2.65.6 eq telnet
Tokyo#
```
If users now access the router via Telnet, they must provide their usernames and passwords:

```
telnet 142.2.65.6
Trying 142.2.65.6 ... Open
User Access Verification
Username: user
Password:
[Connection to 142.2.65.6 closed by foreign host]
Brussels#
```
If you now take a look at the access list again, it looks like the following:

```
Tokyo#sh access-list
Extended IP access list 101
    Dynamic dyntest permit ip any any
       permit ip host 142.2.65.5 any (4 matches) (time left 586)
    permit tcp any host 142.2.65.6 eq telnet (40 matches)
Tokyo#
```
A hole has been created in the access list. The user now has complete IP access to any destination IP address from the source address (142.2.65.5 in the example) for as long as the temporary entry remains.
In a time-based access list, the hole is created for a certain period of time. The following commands configure a time-based access list:

```
Brussels(config)#int ethernet0/0
Brussels(config-if)#ip access-group time in
Brussels(config-if)#exit
Brussels(config)#ip access-list extended time
Brussels(config-ext-nacl)#permit tcp any any eq www time-range webaccess
Brussels(config-ext-nacl)#exit
Brussels(config)#time-range webaccess
Brussels(config-time-range)#periodic weekdays 8:00 to 18:00
Brussels(config-time-range)#end
Brussels#
```
This example allows users coming in on Ethernet 0/0 to have web access from 8:00 to 18:00 on weekdays. Instead of weekdays, you can use several other keywords, such as the following:
Keyword | Meaning |
---|---|
Friday | Friday |
Monday | Monday |
Saturday | Saturday |
Sunday | Sunday |
Thursday | Thursday |
Tuesday | Tuesday |
Wednesday | Wednesday |
daily | Every day of the week |
weekdays | Monday through Friday |
weekend | Saturday and Sunday |
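The following added example (not IOS code and not from the book) evaluates a periodic time-range statement against a timestamp and then applies it to the time list above, so the effect of the day keywords and of the window boundaries can be checked offline. The day-keyword table, the boundary handling (start minute inclusive, end minute exclusive) and the sample timestamps are assumptions made for the illustration.

```python
"""Evaluate a time-range 'periodic' statement against a timestamp.
Added illustration for the time-based access list above; it is not IOS code."""
from datetime import datetime

# Day keywords accepted by the periodic statement, mapped to Python weekday
# numbers (Monday = 0 ... Sunday = 6). Assumption: table built from this page.
DAY_KEYWORDS = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
}

def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def parse_periodic(statement: str):
    """'periodic weekdays 8:00 to 18:00' -> (set_of_weekdays, start_min, end_min)."""
    tokens = statement.split()
    if tokens[0] != "periodic" or tokens[-2] != "to":
        raise ValueError(f"unsupported statement: {statement}")
    days = set()
    for word in tokens[1:-3]:          # every day keyword between 'periodic' and the start time
        days |= DAY_KEYWORDS[word.lower()]
    return days, _minutes(tokens[-3]), _minutes(tokens[-1])

def is_active(statement: str, when: datetime) -> bool:
    """True when the time range is active at 'when'.
    Assumption: start minute inclusive, end minute exclusive; confirm the exact
    boundary handling against the IOS documentation for your release."""
    days, start, end = parse_periodic(statement)
    now = when.hour * 60 + when.minute
    return when.weekday() in days and start <= now < end

def web_permitted(statement: str, proto: str, dport: int, when: datetime) -> str:
    """The 'time' list above: permit tcp any any eq www time-range webaccess,
    followed by the implicit deny."""
    if proto == "tcp" and dport == 80 and is_active(statement, when):
        return "permit"
    return "deny"

if __name__ == "__main__":
    rule = "periodic weekdays 8:00 to 18:00"
    for when in (datetime(2024, 3, 13, 9, 30),    # constructed: a Wednesday, inside the window
                 datetime(2024, 3, 13, 18, 0),    # constructed: at the closing boundary
                 datetime(2024, 3, 16, 9, 30)):   # constructed: a Saturday
        print(when, web_permitted(rule, "tcp", 80, when))
```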
With reflexive access lists, you can filter network traffic at a router based on IP upper-layer protocol session information. Reflexive access lists can be defined in extended named IP access lists only; you cannot define them in numbered or standard named access lists. Reflexive access lists differ significantly from other types of access lists: they contain only temporary entries, which are created automatically when a new IP session begins and removed when the session ends. Reflexive access lists are not applied directly to the interface but are nested within an extended named IP access list that is applied to that interface. The syntax to define a reflexive access list is as follows:

```
ip access-list extended name
 permit protocol any any reflect reflection-name [timeout seconds]
```
Define the reflexive access list using a permit entry with the reflect option. Then apply the extended access list to an interface. After you define a reflexive access list in one IP extended access list, you must nest it within a different extended named IP access list with the evaluate command. Example 8-9 should make that procedure clear.

```
interface Serial0/0
 ip access-group incoming in
 ip access-group outgoing out
!
ip access-list extended outgoing
 permit tcp any any reflect tcptraffic
!
ip access-list extended incoming
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic
```
With this configuration, before any TCP session has been initiated, show access-lists displays the following:

```
Tokyo#show access-lists
Extended IP access list incoming
    permit eigrp any any
    deny icmp any any (26 matches)
    evaluate tcptraffic
Extended IP access list outgoing
    permit tcp any any reflect tcptraffic
Reflexive IP access list tcptraffic
```
Notice that the reflexive access list has no entries in this output. Before any TCP session has been initiated, no traffic has triggered the reflexive access list, so the list is empty. After a Telnet connection is initiated, the output of show access-lists looks like this:

```
Tokyo#show access-lists
Extended IP access list incoming
    permit eigrp any any
    deny icmp any any (26 matches)
    evaluate tcptraffic
    permit ospf any any
Extended IP access list outgoing
    permit tcp any any reflect tcptraffic
Reflexive IP access list tcptraffic
    permit tcp host 142.2.65.6 eq 11001 host 142.2.65.5 eq telnet (25 matches) (time left 289)
```
Now a temporary entry has been generated that stays in the list for another 289 seconds unless further traffic from the session refreshes it.
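The following added example (not IOS code and not from the book) models the mechanism behind Example 8-9: an outbound packet matching the reflect entry installs a mirror-image temporary entry, the inbound evaluate step matches return traffic against it and refreshes its idle timer, and an entry whose timer has run out is removed. The addresses, port numbers, the 300-second timeout and the simplified exact-match evaluation are assumptions constructed for the illustration.

```python
"""Model of how a reflexive access list creates and expires temporary entries.
Added illustration for Example 8-9; it is not IOS code. Addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A flow is (protocol, source, source-port, destination, destination-port)
Flow = Tuple[str, str, int, str, int]

@dataclass
class ReflexiveList:
    name: str
    timeout: int                                           # idle lifetime of an entry, seconds
    entries: Dict[Flow, int] = field(default_factory=dict)  # mirrored flow -> expiry time

    def reflect(self, flow: Flow, now: int) -> Flow:
        """Called when an outbound packet matches 'permit tcp any any reflect <name>':
        install the mirror-image entry (source and destination swapped) so that the
        return traffic of this session is allowed back in."""
        proto, src, sport, dst, dport = flow
        mirror = (proto, dst, dport, src, sport)
        self.entries[mirror] = now + self.timeout
        return mirror

    def evaluate(self, flow: Flow, now: int) -> bool:
        """The 'evaluate <name>' step of the inbound list: purge expired entries,
        then look for an exact match. A hit refreshes the idle timer."""
        self.entries = {f: exp for f, exp in self.entries.items() if exp > now}
        if flow in self.entries:
            self.entries[flow] = now + self.timeout
            return True
        return False

    def show(self, now: int) -> List[str]:
        """Render the temporary entries the way show access-lists prints them."""
        return [f"permit {p} host {s} eq {sp} host {d} eq {dp} (time left {exp - now})"
                for (p, s, sp, d, dp), exp in self.entries.items()]

def incoming(rl: ReflexiveList, flow: Flow, now: int) -> str:
    """Example 8-9's 'incoming' list, evaluated top to bottom:
    permit eigrp any any / deny icmp any any / evaluate tcptraffic / implicit deny."""
    proto = flow[0]
    if proto == "eigrp":
        return "permit"
    if proto == "icmp":
        return "deny"
    if rl.evaluate(flow, now):
        return "permit"
    return "deny"

if __name__ == "__main__":
    tcptraffic = ReflexiveList("tcptraffic", timeout=300)
    # Constructed outbound Telnet: inside host 10.1.1.10 port 11001 -> outside host 192.0.2.20 port 23
    tcptraffic.reflect(("tcp", "10.1.1.10", 11001, "192.0.2.20", 23), now=0)
    print(tcptraffic.show(now=11))                                                      # time left 289
    print(incoming(tcptraffic, ("tcp", "192.0.2.20", 23, "10.1.1.10", 11001), now=11))  # permit
    print(incoming(tcptraffic, ("tcp", "192.0.2.20", 23, "10.1.1.10", 11002), now=11))  # deny
    print(incoming(tcptraffic, ("tcp", "192.0.2.20", 23, "10.1.1.10", 11001), now=400)) # deny, expired
```

The second inbound packet differs from the outbound session only in the source port, which is enough to miss the temporary entry; nothing in the static part of the incoming list permits it, so it ends in the implicit deny. The real router also removes the entry when it sees the session close, which this model leaves to the timer.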