2.2 Extended ACL
----------------

Sunday, March 29, 2009

A standard ACL matches on the source address only, so for a given source it permits or denies everything.

To filter packets at a finer level of granularity we need a way to extend the standard
ACL to match on things like protocol, port number and destination IP.

Understanding TCP and UDP port numbers
--------------------------------------

> Understanding TCP and UDP port numbers is fundamental to using extended ACLs.

> TCP sets up a connection before data flows; UDP has no connection setup.

> Ports are 16-bit numbers (0-65535).

telnet - 23
http - 80
dns - 53

> A set of four values (together with the transport protocol):

source IP address
source port
destination IP address
destination port
uniquely identifies a client/server conversation and lets clients and servers talk to
each other without confusion.

> Port numbers below 1024 (0-1023) are the "well-known ports", assigned by IANA.

> Services can live on non-standard ports as long as both the client and the server process agree
to use those ports.

ex:

policy set 101: HTTP (tcp/80) packets to host 192.168.35.1
policy set 101: SSL/HTTPS (tcp/443) packets to host 192.168.35.1
no other packets to that host

access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0 eq 80
access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0 eq 443
access-list 101 deny ip 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0

> An extended ACL begins with the "access-list" keyword, followed by a number between 100 and 199,
then permit or deny. Up to here it is the same as a standard ACL (which uses 1-99).

> Things differ after permit/deny: an extended ACL next specifies the protocol the entry applies
to. Here it is "tcp" for the two permit entries and "ip" (any IP protocol) for the deny.

> Next come two address/wildcard-mask pairs (a standard ACL has one). The first pair defines
the source and the second pair the destination.

> The entry may end with a port qualifier: "eq 80" matches only packets whose destination
port is 80.

> Defining the policy set does nothing by itself; the list must be applied to a router
interface, in one direction:

int fa0/0
ip access-group 101 in

("in" filters packets arriving on the interface, "out" filters packets leaving it; which one you
use depends on where the list is applied and what it is meant to protect.)


2.2.1 Some general properties of access-lists
---------------------------------------------

> An extended ACL entry matches against two IP addresses (source and destination), as opposed to
one for a standard ACL.

> The wildcard mask is mandatory in an extended ACL. In a standard ACL it may be left off, in which
case the router assumes 0.0.0.0 (exact host match).

> Both end in an implicit deny: a packet that matches no entry is dropped.

> Address/wildcard-mask matching, first-match evaluation and the implicit deny are common to all
Cisco access-list structures and are the key concepts for understanding ACLs.

2.2.2 Matching ip protocols
---------------------------

Other IP protocols can be matched by protocol number in an extended ACL:

access-list 102 permit 47 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0

> IP protocol 47 is GRE (Generic Routing Encapsulation). It carries non-IP protocols such as
Novell IPX and AppleTalk over IP, and it is the data channel of the PPTP VPN protocol. Since GRE
is not TCP or UDP, no port qualifiers apply to this entry.


2.2.3 More on matching ports
----------------------------

So far the entries have matched on the destination port of a TCP or UDP packet; we can also
match on the source port. This is often suggested as a way to keep spoofed packets out, but a
source port is chosen by the sender and trivially forged, so a source-port match only narrows
the rule; it is not an anti-spoofing control.


ex: NTP uses UDP port 123 as both source and destination port (at least between servers; many
clients send from an ephemeral port), so an entry permitting server-to-server NTP looks like this:

access-list 102 permit udp 0.0.0.0 255.255.255.255 eq 123 192.168.35.1 0.0.0.0 eq 123

> The source port qualifier goes after the source address/mask pair; the destination port
qualifier goes after the destination pair.

> 'eq' requires the port to equal the specified value.

> 'gt' requires the port to be greater than the specified value ('lt', 'neq' and 'range' also
exist). "gt 1023" is the usual shorthand for "an ephemeral client port", as in this entry
permitting traffic from any high port to tcp/20 (ftp-data) on the host:

access-list 103 permit tcp 0.0.0.0 255.255.255.255 gt 1023 192.168.35.1 0.0.0.0 eq 20

for a DNS server:
-----------------

access-list 102 permit udp 0.0.0.0 255.255.255.255 gt 1023 192.168.35.1 0.0.0.0 eq 53

(This covers UDP queries only; add a matching tcp entry if the server must also answer over
tcp/53, which DNS uses for large responses and zone transfers.)


2.2.4 Text substitutes for commonly used ports and tasks
--------------------------------------------------------

Certain patterns are so common that Cisco provides text substitutes for port numbers and for
address/mask pairs:

Address/mask pairs:

0.0.0.0 255.255.255.255  -> any
A.B.C.D 0.0.0.0          -> host A.B.C.D   (the keyword goes before the address)

Ports and protocols:

80  -> www      (IOS spells tcp/80 "www", not "http")
23  -> telnet
123 -> ntp
53  -> domain
47  -> gre      (IP protocol, not a port)

2.2.5 generic format of extended access-list
--------------------------------------------

access-list [listno] [permit|deny] [protocol] [source] [source-wildcard] [src-port-op]
            [dest] [dest-wildcard] [dst-port-op] [log]

where the port operators (eq/gt/lt/neq/range plus a port) are only valid for tcp and udp. If the
log keyword is present, the router logs each time the entry matches: the first matching packet
immediately, then a summary of further matches every five minutes by default. log-input also
records the input interface and source MAC address.
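To make the matching rules above concrete, here is a small evaluator for extended access-list entries. It is an added example written for these notes, not IOS code: it parses entries in the generic format (long address/mask form or the any/host/named-port substitutes), applies wildcard-mask matching and the eq/gt/lt port operators, stops at the first matching entry and falls through to the implicit deny. The sample packets and the list 102 entries that mix in gre, ntp and domain keywords are constructed for the demonstration.

```python
"""Constructed evaluator for Cisco-style extended access-list entries (not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Text substitutes from 2.2.4. IOS spells port 80 "www" and port 53 "domain".
PORT_NAMES = {"www": 80, "telnet": 23, "ntp": 123, "domain": 53, "ftp-data": 20}
PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "gre": 47}
PortCond = Optional[Tuple[str, int]]          # e.g. ("eq", 80) or None


def ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass
class Entry:
    action: str
    proto: Optional[int]                      # None means "ip": any IP protocol
    src: int
    src_wild: int
    src_port: PortCond
    dst: int
    dst_wild: int
    dst_port: PortCond


def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return ip_int(tokens.pop(0)), 0
    return ip_int(tok), ip_int(tokens.pop(0))


def parse_port(tokens) -> PortCond:
    """Consume an optional 'eq|gt|lt PORT' operator (PORT may be a name)."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op, val = tokens.pop(0), tokens.pop(0)
        return op, PORT_NAMES[val] if val in PORT_NAMES else int(val)
    return None


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny PROTO SRC [op] DST [op] [log]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    proto = PROTO_NAMES[t[3]] if t[3] in PROTO_NAMES else int(t[3])
    rest = t[4:]
    src, src_wild = parse_addr(rest)
    src_port = parse_port(rest) if proto in (6, 17) else None
    dst, dst_wild = parse_addr(rest)
    dst_port = parse_port(rest) if proto in (6, 17) else None
    return Entry(t[2], proto, src, src_wild, src_port, dst, dst_wild, dst_port)


def addr_matches(addr: int, rule_addr: int, wildcard: int) -> bool:
    """Wildcard bit 1 = don't care, 0 = must match (the inverse of a netmask)."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (rule_addr & care)


def port_matches(port: int, cond: PortCond) -> bool:
    if cond is None:
        return True
    op, val = cond
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]


def evaluate(acl, pkt: dict) -> str:
    """Return the action of the first matching entry, else the implicit deny."""
    for e in acl:
        if e.proto is not None and e.proto != pkt["proto"]:
            continue
        if not addr_matches(ip_int(pkt["src"]), e.src, e.src_wild):
            continue
        if not addr_matches(ip_int(pkt["dst"]), e.dst, e.dst_wild):
            continue
        if e.proto in (6, 17) and not (port_matches(pkt["sport"], e.src_port)
                                       and port_matches(pkt["dport"], e.dst_port)):
            continue
        return e.action
    return "deny (implicit)"


def pkt(proto, src, dst, sport=0, dport=0):
    """Constructed packet header summary for testing."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


# List 101 from the notes (first entry in long form, the rest using substitutes)
# and a constructed list 102 mixing the gre, ntp and domain entries.
ACL_101 = [parse_entry(l) for l in """
access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0 eq 80
access-list 101 permit tcp any host 192.168.35.1 eq 443
access-list 101 deny ip any host 192.168.35.1
""".split("\n") if l.strip()]

ACL_102 = [parse_entry(l) for l in """
access-list 102 permit gre any host 192.168.35.1
access-list 102 permit udp any eq ntp host 192.168.35.1 eq ntp
access-list 102 permit udp any gt 1023 host 192.168.35.1 eq domain
""".split("\n") if l.strip()]

if __name__ == "__main__":
    for p in (pkt(6, "10.0.0.5", "192.168.35.1", 51000, 80),
              pkt(6, "10.0.0.5", "192.168.35.1", 51000, 22),
              pkt(6, "10.0.0.5", "192.168.35.2", 51000, 80)):
        print(f"tcp -> {p['dst']}:{p['dport']}: {evaluate(ACL_101, p)}")
```

Running it shows the three outcomes a practitioner should keep apart: tcp/80 to the host is permitted by the first entry, tcp/22 to the host hits the explicit deny, and tcp/80 to 192.168.35.2 matches nothing and is dropped by the implicit deny. Against list 102, a UDP packet from source port 53 to port 53 is also dropped, because neither the "eq ntp" nor the "gt 1023" source-port qualifier matches.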
