Access Control List

  • Purpose of ACLs: ACLs filter traffic based on packet header information, providing security, traffic control, and network performance improvements.

  • Wildcard Masks: Used in ACLs to specify which bits in an IP address to match or ignore.

  • Guidelines for ACL Creation: Best practices include basing ACLs on security policies, documenting them, and testing before implementation.

  • Types of IPv4 ACLs: Standard ACLs filter based on source IP addresses, while extended ACLs filter based on source/destination IP addresses, protocols, and ports.

Key Concepts:

  1. ACL Operation:

    • ACLs are applied to router interfaces to filter inbound or outbound traffic.

    • Inbound ACLs filter packets before routing, while outbound ACLs filter after routing.

    • ACLs use a sequential list of permit/deny statements (ACEs), with an implicit deny at the end.

  2. Wildcard Masks:

    • Similar to subnet masks but use reverse logic (0 for match, 1 for ignore).

    • Keywords like host (0.0.0.0) and any (255.255.255.255) simplify ACL configuration.

  3. ACL Types:

    • Standard ACLs: Filter based on source IP address (numbered 1-99, 1300-1999).

    • Extended ACLs: Filter based on source/destination IP, protocol, and ports (numbered 100-199, 2000-2699).

    • Named ACLs: Preferred for clarity and reusability.

  4. ACL Placement:

    • Extended ACLs: Should be placed close to the source of traffic to filter unwanted traffic early.

    • Standard ACLs: Should be placed close to the destination to avoid over-filtering.

Best Practices:

  • Plan ACLs based on organizational security policies.

  • Use text editors to create and save ACLs for reuse.

  • Document ACLs using the remark command.

  • Test ACLs in a development environment before deploying them in production.

Examples:

  • Standard ACL Placement: Placed near the destination to filter traffic from specific sources.

  • Extended ACL Placement: Placed near the source to filter specific traffic types (e.g., FTP, Telnet) before they traverse the network.

Standard Access List

Security Policy

1- Deny access from the 192.168.11.0/24 network to the web server and permit all other traffic.
2- Deny access from the 192.168.10.0/24 network to the 192.168.30.0/24 network and permit all other traffic.
3- Permit remote login via Telnet from PC1 (192.168.10.10) only to R2, and deny all other hosts from accessing R2 via Telnet.

Solution

R2
access-list 1 deny 192.168.11.0 0.0.0.255
access-list 1 permit any
interface g0/0
ip access-group 1 out

R3
access-list 2 deny 192.168.10.0 0.0.0.255
access-list 2 permit any
interface g0/0
ip access-group 2 out

R2
access-list 3 permit 192.168.10.10 0.0.0.0

line vty 0 15
login
password cisco
access-class 3 in


Security Policy

1- Permit access from PC1 (192.168.20.4) to the file server and deny all other traffic.
2- Permit access from PC2 (192.168.10.3) to the web server and deny all other traffic.
Note: use named access lists “file_server_restrictions” and “web_server_restrictions”.

Solution

ip access-list standard file_server_restrictions
permit 192.168.20.4 0.0.0.0
deny any

interface f0/1
ip access-group file_server_restrictions out
—————————————————————-
ip access-list standard web_server_restrictions
permit 192.168.10.3 0.0.0.0
deny any

interface f0/0
ip access-group web_server_restrictions out

Extended Access List

Security Policy

The 172.22.34.64/27 network can access the server only via FTP.
The 172.22.34.96/28 network can access the server only via HTTP.
The PC1 network and the PC2 network can ping the server, but cannot ping each other.

Solution:

Policy 1:
access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp
access-list 100 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62

interface g0/0
ip access-group 100 in

————————————————————————————

Policy 2:
access-list 101 permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www
access-list 101 permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62

interface g0/1
ip access-group 101 in

Verify / Test

FTP from PC1 to 172.22.34.62 (>ftp 172.22.34.62): permitted
Ping 172.22.34.62 from PC1: permitted
Open a browser on PC1 and browse to 172.22.34.62: denied
Open a browser on PC2 and browse to 172.22.34.62: permitted
Ping 172.22.34.62 (the server) from PC2: permitted
FTP from PC2 to 172.22.34.62 (>ftp 172.22.34.62): denied
From PC1 to PC2 (on PC1: ping 172.22.34.98): denied
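To make the wildcard-mask rule from the Key Concepts (0 = match, 1 = ignore) and the first-match / implicit-deny behaviour concrete, here is an added Python evaluator that is not part of these notes or of Cisco IOS; it re-runs the Verify / Test steps above against ACL 100 and ACL 101. PC1's address 172.22.34.66 is an assumption (any host in 172.22.34.64/27 behaves the same); PC2's 172.22.34.98 and the server's 172.22.34.62 come from the test list.

```python
"""Added example: minimal evaluator for Cisco-style IPv4 ACLs (wildcard masks,
first-match order, implicit deny), replaying the page's ACL 100/101 verification."""
from collections import namedtuple
from ipaddress import IPv4Address

# One access control entry; dport=None means "any destination port".
ACE = namedtuple("ACE", "action proto src src_wc dst dst_wc dport", defaults=(None,))

def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask, e.g. /27 -> 0.0.0.31."""
    return str(IPv4Address((1 << (32 - prefix_len)) - 1))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, 1 = ignore (reverse of subnet-mask logic)."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF            # the bits the ACE actually compares
    return (a & care) == (n & care)

def evaluate(acl, proto, src, dst, dport=None):
    """Walk the ACEs in order: the first match decides; no match is the implicit deny."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"                     # implicit deny at the end of every ACL

HOST, SERVER = "0.0.0.0", "172.22.34.62"
WC27, WC28 = wildcard_from_prefix(27), wildcard_from_prefix(28)   # 0.0.0.31, 0.0.0.15
# ACL 100 (inbound on g0/0) and ACL 101 (inbound on g0/1), as configured on the page.
ACL_100 = [ACE("permit", "tcp", "172.22.34.64", WC27, SERVER, HOST, 21),   # eq ftp
           ACE("permit", "icmp", "172.22.34.64", WC27, SERVER, HOST)]
ACL_101 = [ACE("permit", "tcp", "172.22.34.96", WC28, SERVER, HOST, 80),   # eq www
           ACE("permit", "icmp", "172.22.34.96", WC28, SERVER, HOST)]
PC1, PC2 = "172.22.34.66", "172.22.34.98"   # PC1 address is assumed (a host in the /27)

def verify():
    """Replay the page's Verify / Test list; returns {test_name: 'permit' or 'deny'}."""
    return {
        "pc1_ftp_server":  evaluate(ACL_100, "tcp", PC1, SERVER, 21),   # permit
        "pc1_ping_server": evaluate(ACL_100, "icmp", PC1, SERVER),      # permit
        "pc1_http_server": evaluate(ACL_100, "tcp", PC1, SERVER, 80),   # deny
        "pc2_http_server": evaluate(ACL_101, "tcp", PC2, SERVER, 80),   # permit
        "pc2_ping_server": evaluate(ACL_101, "icmp", PC2, SERVER),      # permit
        "pc2_ftp_server":  evaluate(ACL_101, "tcp", PC2, SERVER, 21),   # deny
        "pc1_ping_pc2":    evaluate(ACL_100, "icmp", PC1, PC2),         # deny
    }
```

The lists permit only TCP/21, the FTP control connection, so the lab test passes, but an actual file transfer (active or passive) would also need its data connection permitted, which these tests do not exercise.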

Security Policy

Configure an ACL named “LimitedAccess” to accomplish the following policy:
Block HTTP and HTTPS access from PC1 to Server1 and Server2.
Block FTP access from PC2 to Server1 and Server2.
Block ICMP access from PC3 to Server1 and Server2.
Permit all other traffic.

Solution:

ip access-list extended LimitedAccess
deny tcp host 172.31.1.101 host 64.101.255.254 eq 80
deny tcp host 172.31.1.101 host 64.101.255.254 eq 443
deny tcp host 172.31.1.101 host 64.103.255.254 eq 80
deny tcp host 172.31.1.101 host 64.103.255.254 eq 443
deny tcp host 172.31.1.102 host 64.101.255.254 eq 21
deny tcp host 172.31.1.102 host 64.103.255.254 eq 21
deny icmp host 172.31.1.103 host 64.101.255.254
deny icmp host 172.31.1.103 host 64.103.255.254
permit ip any any

interface g0/0
ip access-group LimitedAccess in

Testing

Task 1:

Open the PC1 browser and browse to 64.101.255.254 or 64.103.255.254: denied
From PC1, ping 64.101.255.254 or ping 64.103.255.254: permitted
From PC1, ftp 64.101.255.254 or ftp 64.103.255.254: permitted

Task 2:

From PC2, try ftp 64.101.255.254: denied
Open the PC2 browser and browse to 64.101.255.254 or 64.103.255.254: permitted
From PC1, ping 64.101.255.254 or ping 64.103.255.254: permitted

Task 3:

From PC3, ping 64.101.255.254 or ping 64.103.255.254: denied
From PC3, try ftp 64.101.255.254: permitted
Open the PC3 browser and browse to 64.101.255.254 or 64.103.255.254: permitted