router config - acl's made my brain go to plaid

hoboscratch Member Posts: 11
I've gotten a lot of useful info lurking around here using the search but I haven't found what I am looking for regarding ACLs. Using the Odom book and Boson. Seems to be a good book, access-lists are giving me kind of a hard time though and the Boson deal doesn't give nearly enough labs to let it sink in. They are all way too simplified it seems and I'm sure the test will be using something other than class C addresses with simple masks.

So as I understand it, for the source, unless you are using "host" which specifies a particular source, you can either have "any", or you must have a source and source-wildcard. The wildcards are definitely giving me some trouble.

Let's say that you have a subnet and mask 172.26.129.224 255.255.255.224 on R1's Ethernet0. The R1 E0 is 172.26.129.254 with 3 hosts on the subnet. Let's say you want to block inbound tcp from all 3 hosts. Access-group 110 has been created already.

I get this part:
access-list 110 deny tcp 172.26.129.0
but do I base the wildcard simply on the network number? Meaning that if I say the wildcard is 0.0.0.255 that's based on 172.26.129.0? Or would the wildcard be 0.0.0.32 since that is the inverse of the subnet mask? In this particular example, would it make a difference which of those two source-wildcards I used?

or am I completely bass-ackward and the wildcard is based solely on the subnet mask?

Comments

  • Paul Boz Member Posts: 2,620
    The wild cards are used to express which addresses you want to affect with the access list.

    Here's an example. I just whipped up a lab in Boson to hopefully help you out.

    [lab topology image]

    Let's say you want to prevent the finance LAN (192.168.20.1/28) from being able to FTP to the accounting LAN (192.168.20.16/28). The best option (and only real option for that matter) is an extended access list.

    First of all, you have to be in global configuration mode:

    config#

    Then you have to type access-list [number between 100 and 199]

    config#access-list 110 ?

    Then type [permit/deny] depending on how you want to regulate traffic. In this case, we want to prevent FTP from finance to accounting, so let's use [deny]

    config#access-list 110 deny ?

    Now you need to specify the protocol field. FTP uses TCP, so let's pick that.

    config#access-list 110 deny tcp ?

    This is the tricky part. You want to prevent anyone on the finance lan from FTP'ing to accounting, so you have to use wildcards. In our example, the best way to do this is by typing:

    config#access-list 110 deny tcp 192.168.20.1 0.0.0.15 ?

    This basically says "the source address is the entire 192.168.20.1 /28 subnet." The wildcard mask basically says "forget about the first three octets, just look at these 15 host addresses when you're filtering."

    From here, you have to specify the destination address or range. Again, you're trying to prevent one network from accessing a network resource on another network, so you need to use a wildcard mask just like last time.

    config#access-list 110 deny tcp 192.168.20.1 0.0.0.15 192.168.20.16 0.0.0.15 ?

    At this point you just need to specify the packets. We know we want to filter on port 21 for FTP, so we type "eq" to signify that we only want to match packets on a given port number. You do this by typing the following:

    config#access-list 110 deny tcp 192.168.20.1 0.0.0.15 192.168.20.16 0.0.0.15 eq ?

    And now, for the last step, simply specify the protocol name or port number. For the sake of consistency I always use the port number. You complete the first line of the list as follows:

    config#access-list 110 deny tcp 192.168.20.1 0.0.0.15 192.168.20.16 0.0.0.15 eq 21

    Now to complete the access list, you have to do a "permit any" statement so that the finance lan won't be completely shut off from the network. Do this by typing the following:

    config#access-list 110 permit ip any any

    What this does is adds a new line to your existing access list and tells the router to permit any ip traffic from any ip address to any ip address. This is to offset the implicit "deny all" at the end of all access lists.

    When you're finished, your access list should look like the following:

    config#access-list 110 deny tcp 192.168.20.1 0.0.0.15 192.168.20.16 0.0.0.15 eq 21
    config#access-list 110 permit ip any any

    Now you just need to apply it to your interface. In most cases, you want to stick an extended access-list as close to the source as possible since that's what's filtered. This prevents unneeded network traffic from being generated. In our case, we will apply this access list to R1's ethernet interface attached to the Finance LAN. I forgot to label it, so lets assume it's Fa0/0.

    config#interface fa0/0
    config-if#ip access-group 110 in

    This will tell R1 to drop any FTP packets originating from the Finance lan coming inbound on the Fa0/0 interface to the accounting lan before they can traverse the network.

    I hope I answered your question! If you have any more questions feel free to ask.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
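The top-down, first-match walk Paul describes above, as an added Python example (it is not from the post and not Cisco code): it parses the two `access-list 110` lines exactly as typed, applies the wildcard test to a few constructed packets, and falls through to the implicit deny when nothing matches. The hosts 192.168.20.5 (finance) and 192.168.20.20 (accounting) are assumed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # IOS 'any' is shorthand for this pair


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the base
    exactly, a 1 bit is 'don't care'.  XOR finds the differing bits, then we
    keep only those the wildcard says must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


@dataclass
class Ace:
    """One access-control entry (one 'access-list N ...' line)."""
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'ip', 'tcp', 'udp', ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # set only when the line ends in 'eq PORT'


def _take_addr(toks: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A', or 'A WILDCARD' starting at toks[i]."""
    if toks[i] == "any":
        return ANY[0], ANY[1], i + 1
    if toks[i] == "host":
        return toks[i + 1], "0.0.0.0", i + 2
    return toks[i], toks[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse the subset of numbered extended-ACL syntax used in the thread:
    access-list N {permit|deny} PROTO SRC [WC|any|host A] DST [WC|any|host A] [eq PORT]"""
    toks = line.split("#", 1)[-1].split()   # drop a leading 'config#' prompt if present
    if toks[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = toks[2], toks[3]
    src, src_wc, i = _take_addr(toks, 4)
    dst, dst_wc, i = _take_addr(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport = int(toks[i + 1])
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)


def evaluate(acl: List[Ace], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> str:
    """Walk the list top-down; the first entry that matches decides.
    Falling off the end is the implicit deny at the bottom of every ACL."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny (implicit)"


# The two lines from the post, pasted as typed (prompt included).
ACL_110 = [parse_ace(l) for l in (
    "config#access-list 110 deny tcp 192.168.20.1 0.0.0.15 192.168.20.16 0.0.0.15 eq 21",
    "config#access-list 110 permit ip any any",
)]

if __name__ == "__main__":
    # Constructed sample packets: .5 is a finance host, .20 an accounting host (assumed).
    print(evaluate(ACL_110, "192.168.20.5", "192.168.20.20", "tcp", 21))   # deny
    print(evaluate(ACL_110, "192.168.20.5", "192.168.20.20", "tcp", 80))   # permit
    print(evaluate(ACL_110[:1], "192.168.20.5", "10.1.1.1", "udp", 53))    # deny (implicit)
```

Two things the evaluator makes visible: with only the deny line loaded, a DNS query to an unrelated host is dropped by the implicit deny, which is why the `permit ip any any` line matters; and the reverse direction (accounting to finance, port 21) is permitted, because an entry matches source and destination in the order written. Denying port 21 is enough to stop FTP, since the data connection is negotiated over that control channel.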
  • hoboscratch Member Posts: 11
    Hey, thanks for the detailed response. I don't know why this is so tough to wrap my head around, I think I'm just making it more difficult than it actually is. So essentially, if using wildcards the goal is to prevent a specific subnet from accessing something, or from preventing a host from accessing a certain subnet. Either way they are set up the same.

    So in your example, the wildcard will check everything except the last 4 bits and if it matches it will discard it.

    Thanks again for your help.

    I'm still a little confused though, and I may be overthinking this or something. In your example, why couldn't you just deny any out of that subnet for port 21 as long as the destination was correct?
  • Paul Boz Member Posts: 2,620
    I'm not following you. Basically the access-list that I created does exactly what you're saying. When fa0/0 receives an FTP packet from the finance LAN it simply drops the packet because the access list says to deny FTP from the finance LAN, and since it's applied inbound on fa0/0, it's simply dropped before it even traverses the network. The "allow ip any any" command lets all non FTP traffic through just fine.
  • hoboscratch Member Posts: 11
    Hmm, well I've been messing around with it in Boson and it looks like there are quite a few different ways you can deny traffic via access lists. I'm sure it would be in my best interests to do it like you showed up above though, and narrow it down to what you specifically need to deny, instead of creating a broad statement.

    Thanks again for the help man!

    edit: what I was asking, and I know what you did was correct but I guess I was just trying to figure out what would happen if you created an ACL such as: access-list 110 deny tcp any 192.168.20.16 0.0.0.15 eq 21

    That would block all tcp traffic out of finance headed to accounting on port 21, but I'm sure that it is not the correct way to do it.
  • Paul Boz Member Posts: 2,620
    Basically you COULD do that, but if you wanted to only block a range of hosts on that subnet you'd need to use masks. In a professional environment I always use masks because the goal of an extended access list is to be as specific as possible. I've been in situations where access lists were miscoded. The time it takes to specify a mask versus typing "any" is negligible to me. Definitely know that the "any" command would work, but make it a point to know the mask way as your primary method for creating lists.
  • hoboscratch Member Posts: 11
    Cool, thanks. Sorry to be so confusing. I think I get it now though.
  • Paul Boz Member Posts: 2,620
    No need to apologize! Do you have any other questions?
  • hoboscratch Member Posts: 11
    I'm sure I will!
  • EdTheLad Member Posts: 2,111
    Just to add some extra info about the wildcard mask.

    You have
    192.168.20.1 in binary is
    11000000.10101000.00010100.00000001
    0.0.0.15 is
    00000000.00000000.00000000.00001111

    The 1's in the wildcard mean match any, the 0's mean match exactly. So in the above the wildcard will match the address in the first 3 octets 192.168.20 exactly due to the 0's. The last octet has a mix of 1's and 0's: the first 4 bits must match exactly and the last 4 bits of the IP address can be anything.
    The last 4 bits can be anything which means
    0000 = 0
    0001 = 1
    0010 = 2
    0011 = 3
    0100 = 4
    0101 = 5
    0110 = 6
    0111 = 7
    1000 = 8
    1001 = 9
    ...
    1111 = 15
    So any IP address between 192.168.20.0 and 192.168.20.15 will be matched. You can also write the access-list like
    config#access-list 110 deny tcp 192.168.20.7 0.0.0.15 192.168.20.20 0.0.0.15 eq 21
    config#access-list 110 permit ip any any
    You can see instead of using the first address in the block you can use any address within the block; they both mean the same thing, but best practice for ease of troubleshooting is to use the first address, which means the access-list should look like

    config#access-list 110 deny tcp 192.168.20.0 0.0.0.15 192.168.20.16 0.0.0.15 eq 21
    config#access-list 110 permit ip any any
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
  • EdTheLad Member Posts: 2,111
    hoboscratch wrote:
    Hmm, well I've been messing around with it in Boson and it looks like there are quite a few different ways you can deny traffic via access lists. I'm sure it would be in my best interests to do it like you showed up above though, and narrow it down to what you specifically need to deny, instead of creating a broad statement.

    You could do a mask like:
    access-list 110 deny ip any 192.168.20.16 0.0.2.0
    0.0.2.0 = 00000000.00000000.00000010.00000000
    Looking at the third octet you have 20
    20 = 00010100
    2 = 00000010

    So this mask would deny the destination addresses 192.168.20.16 and 192.168.22.16
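EdTheLad's two points above, that IOS reads the wildcard bit by bit so any address inside the block names the same entry, and that a wildcard such as 0.0.2.0 does not have to be contiguous, as an added Python example (not from the posts and not Cisco code). It normalizes a base address the way the router stores it, enumerates every address a (base, wildcard) pair matches, and reports the equivalent prefix only when the wildcard is contiguous. The addresses used are the ones from the thread.

```python
import ipaddress
from typing import List, Optional


def ip2int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def int2ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def normalize(base: str, wildcard: str) -> str:
    """What IOS actually stores: the base with every 'don't care' bit cleared.
    192.168.20.7 0.0.0.15 and 192.168.20.0 0.0.0.15 come out identical."""
    return int2ip(ip2int(base) & ~ip2int(wildcard) & 0xFFFFFFFF)


def is_contiguous(wildcard: str) -> bool:
    """True when the 1 bits form an unbroken run at the low end (0.0.0.15,
    0.0.31.255).  Only such wildcards correspond to a subnet mask / prefix."""
    w = ip2int(wildcard)
    return (w + 1) & w == 0


def to_cidr(base: str, wildcard: str) -> Optional[str]:
    """Equivalent CIDR prefix, or None for a non-contiguous wildcard like 0.0.2.0."""
    if not is_contiguous(wildcard):
        return None
    prefix = 32 - ip2int(wildcard).bit_length()
    return f"{normalize(base, wildcard)}/{prefix}"


def matched_addresses(base: str, wildcard: str, limit_bits: int = 16) -> List[str]:
    """Every address a (base, wildcard) pair matches, built by enumerating all
    combinations of the wildcard's 1 bits.  Works for non-contiguous masks too;
    refuses to expand more than 2**limit_bits addresses."""
    b = ip2int(normalize(base, wildcard))
    free_bits = [1 << i for i in range(32) if ip2int(wildcard) >> i & 1]
    if len(free_bits) > limit_bits:
        raise ValueError("too many addresses to enumerate")
    out = []
    for combo in range(1 << len(free_bits)):
        n = b
        for k, bit in enumerate(free_bits):
            if combo >> k & 1:
                n |= bit
        out.append(n)
    return [int2ip(n) for n in sorted(out)]


if __name__ == "__main__":
    print(normalize("192.168.20.7", "0.0.0.15"))          # 192.168.20.0
    print(to_cidr("192.168.20.7", "0.0.0.15"))            # 192.168.20.0/28
    print(to_cidr("192.168.20.16", "0.0.2.0"))            # None
    print(matched_addresses("192.168.20.16", "0.0.2.0"))  # 192.168.20.16, 192.168.22.16
```

`normalize` is the reason 192.168.20.7 and 192.168.20.0 with wildcard 0.0.0.15 are the same entry: the router clears the four "don't care" bits before storing the line, so `show access-lists` shows the block start either way. `to_cidr` returning None is the practical check that a wildcard is not something you can express as a subnet mask.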
  • markzab Member Posts: 619
    Wildcards can be a bit scary at first but it's a lot easier when you know the block size concept (Sybex book, page 489). As long as you have your block sizes down you'll be good to go. Example: Let's say you need to block a range of hosts on the Sales LAN from accessing the Finance LAN. The range of hosts is from 192.168.18.0 through 192.168.29.0. What would be the most logical block size? The answer to that would be 16. Then all you've got to remember is that the wildcard is always one less than the block size...15. Your wildcard would be 0.0.15.255. That's it.

    Your list would be [access-list 10 deny 192.168.16.0 0.0.15.255]

    (The reason I didn't start my access list at 18.0--the beginning of the range we need to block--is because each block size must start at 0, or a multiple of the block size. A block size of 16 would allow us 0-15, 16-31, 32-47, etc.)

    This command will deny any host from 192.168.16.0 all the way through 192.168.31.255.

    I hope I didn't confuse you. Just remember that the mask is always one less than the block size and if you play with that concept a little you should be good to go.
    "You, me, or nobody is gonna hit as hard as life. But it ain't how hard you hit; it's about how hard you can get hit, and keep moving forward. How much you can take, and keep moving forward. That's how winning is done!" - Rocky
  • Darthn3ss Member Posts: 1,096
    You sure confused me. Where did 15 and 16 come from again?
    Fantastic. The project manager is inspired.

    In Progress: 70-640, 70-685
  • markzab Member Posts: 619
    Crap. Ok, I'll use an easier range. Let's say your Sales LAN is on the 192.168.32.0 subnet. Your boss comes to you and tells you that he needs every host from the Sales LAN to be denied access to the Finance LAN. He then tells you that any host from 192.168.32.0 through 192.168.55.0 should be denied. Your next thought, or in the concept I'm talking about, would be to figure out the block size. Initially when you see 32.0 you think to yourself, ok, this might be a block of 16. But your boss told you he wanted the range from 32.0 through 55.0 blocked, and if you use a block size of 16 then you'll only block up to 48.0. Not enough.

    So then the next higher block size would be 32, right? Well that one works because if you use a block size of 32 it will block the range from 32.0 up to 64.0. That would cover our 32.0 through 55.0 range. Follow me so far?

    So, now that you have figured out what your block size will be you now already know what the wildcard will be. The wildcard is always 1 less than the block size, so your wildcard in this case will be 31. Your wildcard mask will be 0.0.31.255.

    access-list 10 deny 192.168.32.0 0.0.31.255

    Something else you might notice (overlap the 2)...

    192.168.32.0
    0.0.31.255 +
    192.168.63.255

    You blocked with that list everything in the range of 192.168.32.0 through 192.168.63.255.
  • EdTheLad Member Posts: 2,111
    markzab wrote:
    (The reason I didn't start my access list at 18.0--the beginning of the range we need to block--is because each block size must start at 0, or a multiple of the block size. A block size of 16 would allow us 0-15, 16-31, 32-47, etc.)
    Not true, as I mentioned you can start at any address within the block; the IOS will understand where the block begins. For CCNA I recommend using the start of the block. Cisco also recommends using the start of the block to avoid obscure addresses. I'm just pointing out it's not a requirement.
  • markzab Member Posts: 619
    EdTheLad wrote:
    markzab wrote:
    (The reason I didn't start my access list at 18.0--the beginning of the range we need to block--is because each block size must start at 0, or a multiple of the block size. A block size of 16 would allow us 0-15, 16-31, 32-47, etc.)

    Not true, as I mentioned you can start at any address within the block; the IOS will understand where the block begins. For CCNA I recommend using the start of the block. Cisco also recommends using the start of the block to avoid obscure addresses. I'm just pointing out it's not a requirement.

    Yup. My bad. I kind of put 2 things together and tried to create a new fact.
  • Darthn3ss Member Posts: 1,096
    Why would you block all the way to the 64 network though if you didn't need to?
  • EdTheLad Member Posts: 2,111
    I think your boss might get pissed when he can't access his mp3 server on 192.168.60.1, might be better to use:
    access-list 10 deny 192.168.32.0 0.0.15.255
    access-list 10 deny 192.168.48.0 0.0.7.255
    access-list 10 permit any
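The block-size method markzab describes and the two-entry split EdTheLad proposes, as an added Python example (not from the posts and not Cisco code): it carves an inclusive address range into the fewest aligned power-of-two blocks, emits the standard-ACL lines in the thread's format, and checks whether a given host (the MP3 server at 192.168.60.1 from the joke above) is caught. The list number 10 and the closing `permit any` follow the thread; everything else is assumed.

```python
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str]   # (base address, wildcard)


def ip2int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def int2ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def range_to_entries(first: str, last: str) -> List[Entry]:
    """Cover first..last (inclusive) exactly with the fewest (base, wildcard)
    pairs.  Greedy: at each step take the largest power-of-two block that is
    aligned on its own size at the current address and does not run past
    last.  The wildcard is always block size minus one, as markzab says."""
    cur, end = ip2int(first), ip2int(last)
    if cur > end:
        raise ValueError("first must not be above last")
    entries: List[Entry] = []
    while cur <= end:
        size = 1
        # Grow while the block stays aligned (cur is a multiple of the size)
        # and its last address is still inside the range.
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        entries.append((int2ip(cur), int2ip(size - 1)))
        cur += size
    return entries


def render(number: int, entries: List[Entry], final: str = "permit any") -> List[str]:
    """Emit a numbered standard ACL: one deny per block, then the closing line."""
    lines = [f"access-list {number} deny {base} {wc}" for base, wc in entries]
    lines.append(f"access-list {number} {final}")
    return lines


def covered(entries: List[Entry], addr: str) -> bool:
    """Does any (base, wildcard) pair match addr?  Same XOR test IOS applies."""
    a = ip2int(addr)
    return any((a ^ ip2int(b)) & ~ip2int(w) & 0xFFFFFFFF == 0 for b, w in entries)


if __name__ == "__main__":
    # The range the boss asked for: 192.168.32.0 through 192.168.55.255.
    exact = range_to_entries("192.168.32.0", "192.168.55.255")
    for line in render(10, exact):
        print(line)
    # The single-block shortcut overshoots and catches the MP3 server.
    one_block = [("192.168.32.0", "0.0.31.255")]
    print(covered(one_block, "192.168.60.1"), covered(exact, "192.168.60.1"))  # True False
```

Run on the first range in the thread, 192.168.18.0 through 192.168.29.255, the function returns four entries (18.0/0.0.1.255, 20.0/0.0.3.255, 24.0/0.0.3.255, 28.0/0.0.1.255), which shows concretely why a single block of 16 starting at 16.0 spills two /24s past each end of what was asked for. The alignment rule in the inner loop is the "block must start at 0 or a multiple of the block size" idea, applied per entry rather than to the whole range.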
  • markzab Member Posts: 619
    EdTheLad wrote:
    I think you boss might get pissed when he cant access his mp3 server on 192.168.60.1, might be better to use:
    access-list 10 deny 192.168.32.0 0.0.15.255
    access-list 10 deny 192.168.48.0 0.0.7.255
    access-list 10 permit any

    Ok, who the hell put my MP3 server in the Finance LAN?! Damnit Ed, where the hell are you? Get your butt down here!

    I was really just trying to show the easy way my Sybex book taught me to figure out wildcard masks (the block - 1 method), but yes...creating 2 lists in this scenario would be more practical.
  • Paul Boz Member Posts: 2,620
    I'd just avoid standard access lists at all costs anyway. The ease of setup isn't worth the wasted bandwidth.
  • MrfixitRight Member Posts: 61
    markzab wrote:
    Ok, who the hell put my MP3 server in the Finance LAN?! Damnit Ed, where the hell are you? Get your butt down here!

    Oops! Sorry boss! Didn't realize your MP3 Server was on the Finance LAN.... my bad!

    Good info! ACL's can get confusing, especially wild cards.
    Keyboard not functioning, Press F1 to continue

    Anything that goes up, must come down. Ask any Systems Admin.

  • hoboscratch Member Posts: 11
    Thanks for the replies. I've been working with diff acl's at work today in my free time and they are definitely making sense to me now.
  • markzab Member Posts: 619
    VICTORY!

  • Darthn3ss Member Posts: 1,096
    I guess I'm next. I'm having some real issues here. First one is placement. I have to have 1 extended ACL. It only needs to accomplish three things...

    all hosts can only reach an IP @ HTTP
    all hosts cannot reach a server at all
    and then I have to allow half of an IP range to access a range of IPs and the other half should not be able to reach them. I think part of my problem is placement of the ACL. Extended ACLs need to be closest to the source, right?

    If anyone could help, I'd appreciate it. I re-read the chapter in my CCNA book and didn't find that it helped much.
  • EdTheLad Member Posts: 2,111
    Darthn3ss wrote:
    I guess I'm next. I'm having some real issues here. First one is placement. I have to have 1 extended ACL. It only needs to accomplish three things...

    all hosts can only reach an IP @ HTTP
    all hosts cannot reach a server at all
    and then I have to allow half of an IP range to access a range of IPs and the other half should not be able to reach them. I think part of my problem is placement of the ACL. Extended ACLs need to be closest to the source, right?

    If anyone could help, I'd appreciate it. I re-read the chapter in my CCNA book and didn't find that it helped much.

    Where you place the access-list is dependent on what exactly you want to do; it's common sense really. With an extended access-list you can specify the source and destination address. Since you have the ability to filter the destination address, this means the closer you put this to the source the better. If you put the extended access-list near the destination it means packets are traversing the network and getting dropped close to the destination. Allowing traffic to traverse your network only to get dropped at the far end is a waste of bandwidth, especially when the extended access-list gives you the possibility to exactly classify what traffic you want to filter.
    With standard access-lists you can only filter on the source. If you place this access-list close to the source it will block everything, even traffic you want to pass; this is because you don't have the granularity that you would have had with an extended access-list. By placing a standard access-list near the destination you can block all traffic from that source to a specific subnet while still allowing traffic from that source to access other subnets in the network.
  • Darthn3ss Member Posts: 1,096
    Well it looks like I got the first 2 figured out fine. I created a few loopback interfaces on my router to simulate the servers or whatever and can't get through to them from a PC on the network, so I guess that works.

    The only thing that's looking like trouble is the third one, which will have a scary wildcard mask.
  • Darthn3ss Member Posts: 1,096
    It took 11 tries but I think I got it all right... yay!! I shall sleep good tonight because my ACL worked!