Quick ACL Question

stevi3 Member Posts: 33
Hi there,

Sorry to be such a burden, but I was given a small task to come up with an Extended ACL (just started studying it) that will block all TCP from one source PC to 2 destination PCs. I did come up with this, but I dunno if it's correct, so I was wondering if someone could tell me if I'm going along the right lines.

access-list 101 deny tcp host 204.204.10.18 host 204.204.10.51
access-list 101 deny tcp host 204.204.10.18 host 204.204.10.83
access-list 101 permit ip any any

Thanks

Comments

    Pash Member Posts: 1,600
    stevi3 wrote:
    Hi there,

    Sorry to be such a burden, but I was given a small task to come up with an Extended ACL (just started studying it) that will block all TCP from one source PC to 2 destination PCs. I did come up with this, but I dunno if it's correct, so I was wondering if someone could tell me if I'm going along the right lines.

    access-list 101 deny tcp host 204.204.10.18 host 204.204.10.51
    access-list 101 deny tcp host 204.204.10.18 host 204.204.10.83
    access-list 101 permit ip any any

    Thanks

    You are indeed along the right lines. Keep practicing and try some more complex statements and see how you get on.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
    stevi3 Member Posts: 33
    Thanks :D Although when I tried sticking it on the interface of a router closer to the source, it would still let ping through, even when I chose the echo port (7).

    Here is the task I was given, to give people an idea of what I had to do:

    http://img137.imageshack.us/img137/7686/taskbe6.jpg

    Which interface would be the best to put the ACL on... Maybe Birmingham serial 2 IN?

    At one point I changed deny tcp to deny ip, which managed to block ping, but I'm guessing it blocked everything else too?
    networker050184 Mod Posts: 11,962
    For ping deny icmp.
    An expert is a man who has made all the mistakes which can be made.
    stevi3 Member Posts: 33
    For ping deny icmp.

    On the simulator we are using for studying, the PCs on there can only ping each other, so I was using that to test the deny TCP. I guess it doesn't work like that hehe. As long as I know that command would do as the question asked, that's fine with me. Would the Serial 2 (WAN connection) interface IN on the Birmingham router be an ideal interface to stick the access list on?
    networker050184 Mod Posts: 11,962
    According to Cisco, place standard access lists close to the destination and place extended access lists close to the source. You want the packets dropped as soon as possible rather than them traversing the whole network just to be dropped at the destination. Standard access lists can block traffic that is not intended to be blocked, which is why it is recommended to place them close to the destination. In reality I'd go with whatever solution produces the desired outcome.
    An expert is a man who has made all the mistakes which can be made.
    stevi3 Member Posts: 33
    According to Cisco place standard access lists destination to the source and place extended access lists close to the source. You want the packets dropped as soon as possible rather than them traversing the whole network just to be dropped at the destination. Standard access lists can block traffic that is not intended to be blocked which is why it is recommended to place them close to the destination.

    Ah yes, thanks. I get it now. Thanks! So if that Extended ACL works, then I would place it on the router closest to the source host, which I wanted to block. :D
    sprkymrk Member Posts: 4,884
    stevi3 wrote:
    Thanks :D Although when I tried sticking it on the interface of a router closer to the source, it would still let ping through, even when I chose the echo port (7).

    Remember, echo is an ICMP type, not a port. Although I thought echo was ICMP type 8, not 7. See:
    http://www.iana.org/assignments/icmp-parameters

    ICMP itself is protocol type 1, tcp is protocol type 6, ipsec is protocol type 50, etc. These are often confused with TCP and UDP port number assignments.

    It's a common misconception. I forget myself oftentimes; I am so ingrained to think of port numbers all the time that it's easy to get mixed up.
    All things are possible, only believe.
    dtlokee Member Posts: 2,378
    sprkymrk wrote:
    stevi3 wrote:
    Thanks :D Although when I tried sticking it on the interface of a router closer to the source, it would still let ping through, even when I chose the echo port (7).

    Remember, echo is an ICMP type, not a port. Although I thought echo was ICMP type 8, not 7. See:
    http://www.iana.org/assignments/icmp-parameters

    ICMP itself is protocol type 1, tcp is protocol type 6, ipsec is protocol type 50, etc. These are often confused with TCP and UDP port number assignments.

    It's a common misconception. I forget myself oftentimes; I am so ingrained to think of port numbers all the time that it's easy to get mixed up.

    I think he's referring to "udp echo" which is port 7.

    This points out the difference between "protocol number" and "port number". Protocol numbers refer to the logical connection between the network layer and the encapsulated upper layer protocol. Port numbers refer to the connection between the transport layer and upper layer protocols. So a datagram could be using protocol 6 (tcp) and port 80 (http) at the same time. Blocking protocol 6 would cause the router to drop this traffic, but blocking tcp port 80 will accomplish the same goal.
    The only easy day was yesterday!
    Pash Member Posts: 1,600
    Funny you should post that table, Mark. I had to block 13 and 14 on the ACL (icmp types timestamp-request and timestamp-reply) today for a customer... it's part of that security audit that is still ongoing.

    So a lot like this:

    access-list 110 deny icmp any any timestamp-request
    access-list 110 deny icmp any any timestamp-reply
    access-list 110 permit icmp any any

    Remember Stevie, access lists are always checked sequentially as well, so when planning them always think about your traffic: if that permit is above the denies, all icmp traffic will pass and my statements won't get put into practice.

    Cheers,
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
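As an added illustration (my own code, not from anyone in this thread or from Cisco), here is a small Python simulator of how an extended ACL is evaluated: entries are checked top to bottom, the first match decides, and anything unmatched hits the implicit deny. Run against stevi3's list 101 it shows why "deny tcp" still lets ping through (an ICMP echo is not TCP), and run against Pash's list 110 with the permit moved above the denies it shows the ordering problem he describes; the parser is deliberately simplified and understands only "any"/"host" addresses, "eq PORT" for tcp/udp and a bare ICMP type name.

```python
# Added example, not from the thread: a small simulator of Cisco-style extended
# ACL evaluation (entries checked in order, first match wins, implicit deny).
# Simplified parser (my assumption, not IOS): only "any"/"host" addresses,
# "eq PORT" for tcp/udp and a bare ICMP type name are understood.

def packet(proto, src, dst, dport=None, icmp_type=None):  # constructed packet summary
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "icmp_type": icmp_type}

def _addr(tok, i):  # returns (matcher, next token index) for 'any' or 'host A.B.C.D'
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        return (lambda ip, want=tok[i + 1]: ip == want), i + 2
    raise ValueError("only 'any' and 'host' addresses are supported here")

def parse_entry(line):
    tok = line.split()  # access-list N action proto SRC DST [qualifier]
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "qual": tok[i:]}

def entry_matches(e, p):
    if e["proto"] != "ip" and e["proto"] != p["proto"]:  # 'ip' covers every protocol
        return False
    if not (e["src"](p["src"]) and e["dst"](p["dst"])):
        return False
    q = e["qual"]
    if not q:  # no port/type qualifier: protocol and addresses are enough
        return True
    if p["proto"] in ("tcp", "udp") and q[0] == "eq":
        return str(p["dport"]) == q[1]
    if p["proto"] == "icmp":
        return p["icmp_type"] == q[0]
    return False

def evaluate(acl, p):  # first matching entry decides; no match means the implicit deny
    for line in acl:
        e = parse_entry(line)
        if entry_matches(e, p):
            return e["action"]
    return "deny"

ACL_101 = ["access-list 101 deny tcp host 204.204.10.18 host 204.204.10.51",
           "access-list 101 deny tcp host 204.204.10.18 host 204.204.10.83",
           "access-list 101 permit ip any any"]  # stevi3's list from the thread
ACL_110 = ["access-list 110 deny icmp any any timestamp-request",
           "access-list 110 deny icmp any any timestamp-reply",
           "access-list 110 permit icmp any any"]  # Pash's list from the thread
ACL_110_MISORDERED = [ACL_110[2], ACL_110[0], ACL_110[1]]  # permit above the denies
```

Feeding `packet("icmp", "204.204.10.18", "204.204.10.51", icmp_type="echo")` to `evaluate(ACL_101, ...)` returns "permit", while the same source and destination with `proto="tcp"` returns "deny".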
    stevi3 Member Posts: 33
    Pash wrote:
    Funny you should post that table, Mark. I had to block 13 and 14 on the ACL (icmp types timestamp-request and timestamp-reply) today for a customer... it's part of that security audit that is still ongoing.

    So a lot like this:

    access-list 110 deny icmp any any timestamp-request
    access-list 110 deny icmp any any timestamp-reply
    access-list 110 permit icmp any any

    Remember Stevie, access lists are always checked sequentially as well, so when planning them always think about your traffic: if that permit is above the denies, all icmp traffic will pass and my statements won't get put into practice.

    Cheers,

    I know what you mean, I've had a few problems like that when I was first getting the hang of ACLs (putting the permit any first). Although I'm getting the hang of it and quite enjoying practising with the extended types. This forum also helps a lot, so thanks a lot for all the help... I'm sure it's the first of many where I'm concerned!