ACL config problem

I entered the ACL 101 shown and it's showing up as shown in the show run, why????

r1-host-end#config t
Enter configuration commands, one per line. End with CNTL/Z.
r1-host-end(config)#access-list 101 deny icmp 10.0.1.8 172.16.96.202 any

show run readout??????????????????
access-list 101 deny icmp 2.0.1.0 172.16.96.202 any
!
line con 0
line aux 0
line vty 0 4
!
!
!
end

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

aueddonline

oh and bit confused about the access-list command itself does it go

access-list 101 (permit|deny)(protocol)(port)(source address)(wildcard) (desination address)(wildcard) (desination port)

i.e

access-list 101 deny tcp eq telnet 10.0.0.1 10.0.2.1 eq telnet

or

access-list 101 deny tcp any 10.0.0.1 10.0.2.1 eq telnet

larkspur

When defining a extended access-list you will need to specify source and destination. When you define source you need to spefiy host, network, or any. In this case you did not specify host or any so it defaulted to network adn used 172.16.96.202 as the wildcard.

When you define network will you will have to add wilcards, which is the number of bits borrowed on the subnet masks minus one, unless defining the entire network 255.

access-list 101 deny icmp (source) 10.0.1.8 172.16.96.202 any

so as an example:

blocking icmp using wilcards

access-list 101 deny icmp 10.0.1.0 0.0.0.255 host 172.16.96.202

host
access-list 101 deny icmp host 10.0.1.8 host 172.16.96.202

any
access-list 101 deny icmp any host 172.16.96.202

make sense?

if not try this

create an acl and use the ? command when you get to this point

access-list 101 deny icmp ?

aueddonline

thanks larkspur that's really helpful I printed it out, gonna have a go at doing a few, might add to the post later

dtlokee

The IOS automatically put zeros in the check condition (the first number) anywhere there was a corresponding one in the wildcard mask and that is what is displayed in the show run output.

     10.0.1.8 = 0000 1010.0000 0000.0000 0001.0000 1000
172.16.96.202 = 1010 1100.0001 0000.0110 0000.1100 1010
               ---------------------------------------------
                0000 0010.0000 0000.0000 0001.0000 0000   = 2.0.1.0

Remember the "0" in the WC mask means match, and the "1" in the WC mask means ignore.

aueddonline

just one more thing say i wanted to specify a source and desination port or both as 23 for this example

access-list 101 deny tcp host 10.0.0.1 host 172.16.96.202

would it look like this

access-list 101 deny tcp host 10.0.0.1 eq 23 host 172.16.96.202 eq 23

??????????

aueddonline

nice one dtlokee, no wonder it wasn't working

dtlokee

aueddonline wrote:

just one more thing say i wanted to specify a source and desination port or both as 23 for this example

access-list 101 deny tcp host 10.0.0.1 host 172.16.96.202

would it look like this

access-list 101 deny tcp host 10.0.0.1 eq 23 host 172.16.96.202 eq 23

??????????

No it would not. Port 23 is the "server" port, that is the port in use on the telnet server side. The client port is a random number greater than 1023, so it is difficult to specify in a static access list. This is where a firewall (possibly the IOS firewall) usng stateful packet inspection would come in. SPI is able to analyze the packet headers and dynamically open only the necessary ports to secure the connection. In this case it would see the first outgoing TCP Syn packet with the client port and the server port and only open them for the duration of the conversation and then close them when a TCP rst or fin bit is seen.

aueddonline

dtlokee wrote:

aueddonline wrote:

just one more thing say i wanted to specify a source and desination port or both as 23 for this example

access-list 101 deny tcp host 10.0.0.1 host 172.16.96.202

would it look like this

access-list 101 deny tcp host 10.0.0.1 eq 23 host 172.16.96.202 eq 23

No it would not. Port 23 is the "server" port, that is the port in use on the telnet server side. The client port is a random number greater than 1023, so it is difficult to specify in a static access list.
??????????

so would it be

access-list 101 deny tcp host 10.0.0.1 gt 1023 host 172.16.96.202 eq 23

larkspur

here are a few examples, but if you play with them you will catch on. Also importnat to know about acl placement.

When you apply an acl to an interface you need to think about what direction you want, inbound or outbound. I normal think of direction first and then the acl defination....

Here is a named extended access-list that can be used
on a standard IOS Cisco router to act as a basic firewall.

Probably woudln't handle a DDoS attack

IPAD is where you put your inside IP address !

remark This is the access-list to be placed on the Outside LAN interface
remark The below set the rfc1918 private exclusions
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
remark Deny Testnet
deny ip 192.0.2.0 0.0.0.255 any log
remark Deny packets from localhost, broadcast, and multicast addresses
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
remark Deny packets without an IP address
deny ip host 0.0.0.0 any log
remark Prevent Spoofing on Routers FA Interfaces
deny ip host IPAD any log
deny ip host IPAD any log
deny ip host IPAD any log
remark Permit specific ICMP for ping / traceroute response
permit icmp any IPAD 0.0.0.255 net-unreachable
permit icmp any IPAD0.0.0.255 echo-reply
permit icmp any IPAD 0.0.0.255 echo
permit icmp any IPAD 0.0.0.255 host-unreachable
permit icmp any IPAD 0.0.0.255 port-unreachable
permit icmp any IPAD 0.0.0.255 packet-too-big
permit icmp any IPAD 0.0.0.255 administratively-prohibited
permit icmp any IPAD 0.0.0.255 source-quench
permit icmp any IPAD 0.0.0.255 ttl-exceeded
remark Allow specific ports access to network
permit tcp any IPAD 0.0.0.255 eq www
permit tcp any IPAD 0.0.0.255 eq 443
permit tcp any IPAD 0.0.0.255 eq smtp
permit tcp any IPAD 0.0.0.255 eq pop3
permit tcp any IPAD 0.0.0.255 eq 143
permit tcp any IPAD 0.0.0.255 eq ftp-data
permit tcp any IPAD 0.0.0.255 eq ftp
permit tcp any IPAD 0.0.0.255 eq nntp
permit tcp any IPAD 0.0.0.255 eq 8081
permit tcp any IPAD 0.0.0.255 eq domain
permit udp any IPAD 0.0.0.255 eq domain
remark Allow RADIUS Proxy Access
permit udp any IPAD 0.0.0.255 eq 1645
permit udp any IPAD 0.0.0.255 eq 1646
permit tcp any IPAD 0.0.0.255 eq 1646
remark permit PCAnywhere
permit tcp any any eq 5631
permit tcp any any eq 5632
permit udp any any eq 5631
permit udp any any eq 5632
permit tcp any any eq 65301
permit tcp any any eq 22
permit udp any any eq 65301
permit udp any any eq 22
remark Permit Established connections
permit tcp any IPAD 0.0.0.255 established
remark Permit Internal DNS Out
permit udp any any eq domain
remark Deny and log anything that doesn't comply to these rules
permit udp any any
deny ip any any log