Every access list ends with an implicit deny-all statement (that is, anything not mentioned in the access list is denied), so that traffic that is not expressly permitted is dropped. When put together without descriptions of each line's function, the completed access list looks like this:

    access-list 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 123
    access-list 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2049
    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 6001
    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 6002
    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2001
    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2002
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.2 0.0.0.0 eq 23
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.100 0.0.0.0 eq 21
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.100 0.0.0.0 eq 20
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.100 0.0.0.0 gt 1023
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.1.100 0.0.0.0 gt 1023
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.1.101 0.0.0.0 gt 1023
    access-list 101 permit udp 0.0.0.0 255.255.255.255 125.50.13.100 0.0.0.0 gt 1023
    access-list 101 permit udp 0.0.0.0 255.255.255.255 125.50.1.100 0.0.0.0 gt 1023
    access-list 101 permit udp 0.0.0.0 255.255.255.255 125.50.1.101 0.0.0.0 gt 1023
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.100 0.0.0.0 eq 53
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.1.100 0.0.0.0 eq 53
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.100 0.0.0.0 eq 25
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.1.100 0.0.0.0 eq 25
    access-list 101 permit tcp 56.1.0.18 0.0.0.1 125.50.1.100 0.0.0.0 eq 119
    access-list 101 permit tcp 182.12.18.32 0.0.0.0 125.50.1.100 0.0.0.0 eq 119
    access-list 101 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Applying Access Lists to Interfaces

After this access list has been loaded onto the router and stored in nonvolatile random-access memory (NVRAM), assign it to the appropriate interface. In this case study, traffic coming from the outside world via the serial 0 interface of the firewall router is filtered (via access list 101) before it is placed on the subnet 125.50.13.0 (Ethernet 0). Therefore, the access-group command, which assigns an access list to filter incoming connections, must be applied to Ethernet 0 as shown here:

    interface ethernet 0
     ip access-group 101 in

To control outgoing access to the Internet from the network, define an access list and apply it to the outgoing packets on the serial 0 interface of the firewall router. For this to work, returning packets from hosts using Telnet or FTP must be allowed to reach the firewall subnetwork 125.50.13.0.

Configuring the Firewall Communication Server

In this case study, the firewall communication server has a single inbound modem on line 2:

    interface Ethernet0
     ip address 125.50.13.2 255.255.255.0
    !
    access-list 10 deny 125.50.14.0 0.0.0.255
    access-list 10 permit 125.50.0.0 0.0.255.255
    !
    access-list 11 deny 125.50.13.2 0.0.0.0
    access-list 11 permit 125.50.0.0 0.0.255.255
    !
    line 2
     login tacacs
     location FireWallCS#2
     !
     access-class 10 in
     access-class 11 out
     !
     modem answer-timeout 60
     modem InOut
     telnet transparent
     terminal-type dialup
     flowcontrol hardware
     stopbits 1
     rxspeed 38400
     txspeed 38400
    !
    tacacs-server host 125.50.1.100
    tacacs-server host 125.50.1.101
    tacacs-server extended
    !
    line vty 0 15
     login tacacs

Defining the Communication Server's Access Lists

In this example, the network number is used to permit or deny access; therefore, standard IP access list numbers (range 1 through 99) are used.

For incoming connections to modem lines, only packets from hosts on the internal Class B network and packets from those hosts on the firewall subnetwork are permitted:

    access-list 10 deny 125.50.14.0 0.0.0.255
    access-list 10 permit 125.50.0.0 0.0.255.255

Outgoing connections are allowed only to internal network hosts and to the communication server. This prevents a modem line in the outside world from calling out on a second modem line:

    access-list 11 deny 125.50.13.2 0.0.0.0
    access-list 11 permit 125.50.0.0 0.0.255.255

Applying Access Lists to Lines

Apply an access list to an asynchronous line with the access-class command. In this case study, the restrictions from access list 10 are applied to incoming connections on line 2, and the restrictions from access list 11 are applied to outgoing connections on line 2:

    access-class 10 in
    access-class 11 out

Spoofing and Inbound Access Lists

In Software Release 9.21, Cisco introduced the ability to assign input access lists to an interface. This enables a network administrator to filter packets before they enter the router instead of as they leave the router. In most cases, input access lists and output access lists accomplish the same thing. However, input access lists are considered more intuitive by some people, and they can protect against some kinds of IP address spoofing where output access lists do not provide sufficient security. Figure 10-4 illustrates an attacking host that is spoofing, that is, claiming an IP address that is not its own. Someone in the outside world is claiming to originate traffic from network 125.50.13.0. Although the IP address is spoofed, the router interface to the outside world assumes that the packet is coming from 125.50.13.0. If the input access list on the router allows traffic coming from 125.50.13.0, it will accept the illegal packet.
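As an added illustration, not part of the original case study, the following Python evaluator applies the matching rules explained above (wildcard masks, first match wins, implicit deny at the end) to a subset of access list 101 exactly as written, and then prepends an assumed anti-spoofing entry for 125.50.13.0/24 to show how an input list catches the spoofed packet of Figure 10-4. The anti-spoofing line and the sample packet addresses are constructed for this example and do not come from the page.

```python
import ipaddress
from collections import namedtuple

# Ace: action (permit/deny), proto (ip/tcp/udp/icmp), source address + wildcard,
# destination address + wildcard, optional "eq"/"gt" operator on the destination port.
Ace = namedtuple("Ace", "action proto src swild dst dwild op port")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    """Parse one 'access-list N permit|deny proto src swild dst dwild [eq|gt port]' line."""
    t = line.split()
    op, port = (t[8], int(t[9])) if len(t) > 8 else (None, None)
    return Ace(t[2], t[3], _ip(t[4]), _ip(t[5]), _ip(t[6]), _ip(t[7]), op, port)

def wild_match(addr, base, wild):
    # Cisco wildcard: a 1 bit means "don't care"; only the 0 bits must agree.
    return ((addr ^ base) & ~wild) == 0

def evaluate(acl, proto, src, dst, dport=None):
    """Walk the list top down; the first matching entry decides, otherwise implicit deny."""
    for a in acl:
        if a.proto not in ("ip", proto):
            continue
        if not (wild_match(_ip(src), a.src, a.swild) and wild_match(_ip(dst), a.dst, a.dwild)):
            continue
        if a.op == "eq" and dport != a.port:
            continue
        if a.op == "gt" and (dport is None or dport <= a.port):
            continue
        return a.action
    return "deny"  # the implicit deny-all at the end of every access list

# Subset of the page's access list 101, in its original order.
ACL_101 = [parse_ace(ln) for ln in """
access-list 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 123
access-list 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2049
access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.2 0.0.0.0 eq 23
access-list 101 permit udp 0.0.0.0 255.255.255.255 125.50.13.100 0.0.0.0 gt 1023
access-list 101 permit tcp 56.1.0.18 0.0.0.1 125.50.1.100 0.0.0.0 eq 119
access-list 101 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
""".split("\n") if ln]

# Assumed anti-spoofing entry (constructed, not from the page): drop anything arriving on
# the outside interface that claims a source inside the firewall subnet 125.50.13.0/24.
ANTI_SPOOF = parse_ace("access-list 101 deny ip 125.50.13.0 0.0.0.255 0.0.0.0 255.255.255.255")
ACL_101_HARDENED = [ANTI_SPOOF] + ACL_101
```

Order matters: moving the port 2049 deny below the udp gt 1023 permit makes NFS to 125.50.13.100 match the permit first and get through.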