ACL config problem
aueddonline
Member Posts: 611
in CCNA & CCENT
I entered the ACL 101 shown and it's showing up as shown in the show run, why?
r1-host-end#config t
Enter configuration commands, one per line. End with CNTL/Z.
r1-host-end(config)#access-list 101 deny icmp 10.0.1.8 172.16.96.202 any
show run readout:
access-list 101 deny icmp 2.0.1.0 172.16.96.202 any
!
line con 0
line aux 0
line vty 0 4
!
!
!
end
Comments
-
aueddonline Member Posts: 611
oh, and I'm a bit confused about the access-list command itself. Does it go
access-list 101 (permit|deny) (protocol) (port) (source address) (wildcard) (destination address) (wildcard) (destination port)
i.e
access-list 101 deny tcp eq telnet 10.0.0.1 10.0.2.1 eq telnet
or
access-list 101 deny tcp any 10.0.0.1 10.0.2.1 eq telnet
-
larkspur Member Posts: 235
When defining an extended access-list you will need to specify source and destination. When you define the source you need to specify host, network, or any. In this case you did not specify host or any, so it defaulted to network and used 172.16.96.202 as the wildcard.
When you define a network you will have to add wildcards, which is the number of bits borrowed on the subnet mask minus one, unless defining the entire network (255).
access-list 101 deny icmp (source) 10.0.1.8 172.16.96.202 any
so as an example:
blocking icmp using wildcards
access-list 101 deny icmp 10.0.1.0 0.0.0.255 host 172.16.96.202
host
access-list 101 deny icmp host 10.0.1.8 host 172.16.96.202
any
access-list 101 deny icmp any host 172.16.96.202
make sense?
if not try this
create an acl and use the ? command when you get to this point
access-list 101 deny icmp ?
-
aueddonline Member Posts: 611
thanks larkspur, that's really helpful. I printed it out, gonna have a go at doing a few, might add to the post later
-
dtlokee Member Posts: 2,378
The IOS automatically puts zeros in the check condition (the first number) anywhere there was a corresponding one in the wildcard mask, and that is what is displayed in the show run output.
10.0.1.8      = 0000 1010.0000 0000.0000 0001.0000 1000
172.16.96.202 = 1010 1100.0001 0000.0110 0000.1100 1010
                ---------------------------------------
                0000 0010.0000 0000.0000 0001.0000 0000 = 2.0.1.0
Remember the "0" in the WC mask means match, and the "1" in the WC mask means ignore.
-
aueddonline Member Posts: 611
just one more thing: say I wanted to specify a source and destination port, or both, as 23 for this example
access-list 101 deny tcp host 10.0.0.1 host 172.16.96.202
would it look like this?
access-list 101 deny tcp host 10.0.0.1 eq 23 host 172.16.96.202 eq 23
-
aueddonline Member Posts: 611
nice one dtlokee, no wonder it wasn't working
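The bit arithmetic dtlokee walks through above, as an added example that is not part of the thread: Python (standing in for the IOS parser) normalizes an address against its wildcard mask the same way the router does, and also counts how many addresses the resulting entry matches. The function names are my own; the only inputs are the thread's 10.0.1.8 and 172.16.96.202.

```python
# Added example (not from the thread): how IOS normalizes the address field of an
# ACE against its wildcard mask, and how wide the match becomes as a result.
import ipaddress


def normalize(address: str, wildcard: str) -> str:
    """Return the address IOS stores in the running config: every bit that is
    1 in the wildcard ("ignore") is forced to 0 in the address."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(a & ~w & 0xFFFFFFFF))


def matches(address: str, wildcard: str, candidate: str) -> bool:
    """An ACE matches a candidate when all "care" bits (wildcard 0) agree."""
    return normalize(address, wildcard) == normalize(candidate, wildcard)


def match_count(wildcard: str) -> int:
    """Number of distinct addresses the ACE matches: 2 ** (ones in the wildcard)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return 2 ** bin(w).count("1")


def binary(address: str) -> str:
    """Dotted binary rendering, for eyeballing the mask the way the post does."""
    return ".".join(f"{int(octet):08b}" for octet in address.split("."))


if __name__ == "__main__":
    src, wc = "10.0.1.8", "172.16.96.202"   # the thread's mistyped ACE
    print(binary(src))
    print(binary(wc))
    print(normalize(src, wc), "<- what 'show run' displays")      # 2.0.1.0
    print(match_count(wc), "source addresses match this entry")    # 2048
    print(normalize(src, "0.0.0.0"), match_count("0.0.0.0"), "<- 'host' form")
```

The interesting figure is the match count: with 172.16.96.202 read as a wildcard, the entry that was meant to single out one host quietly matches 2048 different source addresses, which is why a typo in this position is worth catching in a config review rather than in production.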
-
dtlokee Member Posts: 2,378
aueddonline wrote:
just one more thing: say I wanted to specify a source and destination port, or both, as 23 for this example
access-list 101 deny tcp host 10.0.0.1 host 172.16.96.202
would it look like this?
access-list 101 deny tcp host 10.0.0.1 eq 23 host 172.16.96.202 eq 23
No it would not. Port 23 is the "server" port, that is the port in use on the telnet server side. The client port is a random number greater than 1023, so it is difficult to specify in a static access list. This is where a firewall (possibly the IOS firewall) using stateful packet inspection would come in. SPI is able to analyze the packet headers and dynamically open only the necessary ports to secure the connection. In this case it would see the first outgoing TCP SYN packet with the client port and the server port and only open them for the duration of the conversation and then close them when a TCP RST or FIN bit is seen.
-
aueddonline Member Posts: 611
dtlokee wrote:
aueddonline wrote:
just one more thing: say I wanted to specify a source and destination port, or both, as 23 for this example
access-list 101 deny tcp host 10.0.0.1 host 172.16.96.202
would it look like this?
access-list 101 deny tcp host 10.0.0.1 eq 23 host 172.16.96.202 eq 23
No it would not. Port 23 is the "server" port, that is the port in use on the telnet server side. The client port is a random number greater than 1023, so it is difficult to specify in a static access list.
so would it be
access-list 101 deny tcp host 10.0.0.1 gt 1023 host 172.16.96.202 eq 23
-
larkspur Member Posts: 235
here are a few examples, but if you play with them you will catch on. It's also important to know about acl placement.
When you apply an acl to an interface you need to think about what direction you want, inbound or outbound. I normally think of direction first and then the acl definition....
Here is a named extended access-list that can be used
on a standard IOS Cisco router to act as a basic firewall.
Probably wouldn't handle a DDoS attack.
IPAD is where you put your inside IP address!
remark This is the access-list to be placed on the Outside LAN interface
remark The below set the rfc1918 private exclusions
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
remark Deny Testnet
deny ip 192.0.2.0 0.0.0.255 any log
remark Deny packets from localhost, broadcast, and multicast addresses
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
remark Deny packets without an IP address
deny ip host 0.0.0.0 any log
remark Prevent Spoofing on Routers FA Interfaces
deny ip host IPAD any log
deny ip host IPAD any log
deny ip host IPAD any log
remark Permit specific ICMP for ping / traceroute response
permit icmp any IPAD 0.0.0.255 net-unreachable
permit icmp any IPAD 0.0.0.255 echo-reply
permit icmp any IPAD 0.0.0.255 echo
permit icmp any IPAD 0.0.0.255 host-unreachable
permit icmp any IPAD 0.0.0.255 port-unreachable
permit icmp any IPAD 0.0.0.255 packet-too-big
permit icmp any IPAD 0.0.0.255 administratively-prohibited
permit icmp any IPAD 0.0.0.255 source-quench
permit icmp any IPAD 0.0.0.255 ttl-exceeded
remark Allow specific ports access to network
permit tcp any IPAD 0.0.0.255 eq www
permit tcp any IPAD 0.0.0.255 eq 443
permit tcp any IPAD 0.0.0.255 eq smtp
permit tcp any IPAD 0.0.0.255 eq pop3
permit tcp any IPAD 0.0.0.255 eq 143
permit tcp any IPAD 0.0.0.255 eq ftp-data
permit tcp any IPAD 0.0.0.255 eq ftp
permit tcp any IPAD 0.0.0.255 eq nntp
permit tcp any IPAD 0.0.0.255 eq 8081
permit tcp any IPAD 0.0.0.255 eq domain
permit udp any IPAD 0.0.0.255 eq domain
remark Allow RADIUS Proxy Access
permit udp any IPAD 0.0.0.255 eq 1645
permit udp any IPAD 0.0.0.255 eq 1646
permit tcp any IPAD 0.0.0.255 eq 1646
remark permit PCAnywhere
permit tcp any any eq 5631
permit tcp any any eq 5632
permit udp any any eq 5631
permit udp any any eq 5632
permit tcp any any eq 65301
permit tcp any any eq 22
permit udp any any eq 65301
permit udp any any eq 22
remark Permit Established connections
permit tcp any IPAD 0.0.0.255 established
remark Permit Internal DNS Out
permit udp any any eq domain
remark Deny and log anything that doesn't comply to these rules
permit udp any any
deny ip any any log
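Two points in this thread are easiest to see by feeding packets through an entry: dtlokee's explanation that the telnet client side uses an ephemeral port (so "eq 23" on both ends never matches the client's SYN), and the "permit tcp ... established" line in larkspur's sample list, which is the static ACL's stand-in for return traffic. The Python below is an added example, not the thread's or Cisco's code: a small evaluator for the subset of extended-ACE syntax used in this thread (any/host/wildcard addresses, eq/gt/lt ports, established), run over packets I construct to model a telnet session from 10.0.0.1 to 172.16.96.202. Everything else here (function and class names, the ephemeral port 40000) is my own assumption.

```python
# Added example (not from the thread): evaluate IOS-style extended ACEs against
# constructed packets to see which entries a telnet session actually hits.
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53, "smtp": 25, "ftp": 21}


@dataclass
class Packet:
    proto: str                         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()     # TCP flags present, e.g. {"SYN", "ACK"}


@dataclass
class Ace:
    action: str
    proto: str
    src: tuple        # ("any",) | ("host", ip) | ("net", ip, wildcard)
    sport: tuple      # (op, value) with op in {None, "eq", "gt", "lt"}
    dst: tuple
    dport: tuple
    established: bool = False


def _addr_match(spec, candidate):
    if spec[0] == "any":
        return True
    cand = int(ipaddress.IPv4Address(candidate))
    base = int(ipaddress.IPv4Address(spec[1]))
    if spec[0] == "host":
        return cand == base
    wc = int(ipaddress.IPv4Address(spec[2]))
    return (cand & ~wc) == (base & ~wc)   # compare only where the wildcard is 0


def _port_match(spec, port):
    op, value = spec
    if op is None:
        return True
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def _take_addr(tokens):
    head = tokens.pop(0)
    if head == "any":
        return ("any",)
    if head == "host":
        return ("host", tokens.pop(0))
    return ("net", head, tokens.pop(0))     # bare address: next token is the wildcard


def _take_port(tokens, proto):
    if proto in ("tcp", "udp") and tokens and tokens[0] in ("eq", "gt", "lt"):
        op, raw = tokens.pop(0), tokens.pop(0)
        return (op, int(raw) if raw.isdigit() else PORT_NAMES[raw])
    return (None, None)


def parse_ace(line):
    """Parse 'access-list N deny tcp host A [op port] host B [op port] [established]'."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]                  # drop the keyword and list number
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _take_addr(tokens)
    sport = _take_port(tokens, proto)
    dst = _take_addr(tokens)
    dport = _take_port(tokens, proto)
    established = bool(tokens) and tokens.pop(0) == "established"
    return Ace(action, proto, src, sport, dst, dport, established)


def ace_matches(ace, pkt):
    if ace.proto not in ("ip", pkt.proto):
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if not (_port_match(ace.sport, pkt.sport) and _port_match(ace.dport, pkt.dport)):
        return False
    # "established" keeps no connection state: it only asks whether ACK or RST is set,
    # which is why it is weaker than the stateful inspection dtlokee describes.
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(aces, pkt):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


if __name__ == "__main__":
    # Constructed packets: a telnet client on 10.0.0.1 (ephemeral port 40000)
    # opening a session to 172.16.96.202, and the server's SYN/ACK coming back.
    client_syn = Packet("tcp", "10.0.0.1", "172.16.96.202", 40000, 23, frozenset({"SYN"}))
    server_synack = Packet("tcp", "172.16.96.202", "10.0.0.1", 23, 40000, frozenset({"SYN", "ACK"}))
    both_23 = parse_ace("access-list 101 deny tcp host 10.0.0.1 eq 23 host 172.16.96.202 eq 23")
    ephemeral = parse_ace("access-list 101 deny tcp host 10.0.0.1 gt 1023 host 172.16.96.202 eq 23")
    returning = parse_ace("access-list 102 permit tcp any 10.0.0.0 0.0.0.255 established")
    print(ace_matches(both_23, client_syn))      # False: the client's source port is not 23
    print(ace_matches(ephemeral, client_syn))    # True
    print(evaluate([returning], server_synack))  # permit: ACK set, destination inside
    print(evaluate([returning], client_syn))     # deny: falls through to the implicit deny
```

Running it shows the "eq 23 / eq 23" entry never fires on the client's SYN, while the "gt 1023 / eq 23" form does; the established entry permits the server's SYN/ACK toward the inside network but, because it only inspects flag bits, it would equally permit any inbound segment with ACK set, which is the gap stateful inspection closes.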