Configuring Access Lists and Network Security

Once you have configured the router interface should be taken to determine whether any of these interfaces to connect to "safe" network. These networks can be a network with others or maybe the rest of the Internet connection in your enterprise workstations. They may also have a network of houses, providing specific services to the Internet community, but the server you want to protect as much as possible. WWW server is a good example of such a server for an SMTP gateway. The general public needs so that you can view your Web pages and send your message, but they do not need so that interractively can connect to these servers. Access control for other purposes may be from other parts of your company to protect parts of your company intranet. For example, if you have a research and Development Department, which is different is that you will give your sales staff to access details of the top secret project. Likewise, you don't want to do some clever accounting server to modify your research and Development Department.

The traditional way to protect this type of server is to use the access list. Access lists to filter Internet traffic and determine whether data has been reported to allow incoming or outgoing network. Ideas on how to access lists should be designed, where they should be placed, and how the physical structure should be allowed to properly filter without overloading the network router of the network link and they greatly varry. Some companies in the business, "the great firewall" into the product and other people will be implemented in all the minimal access control. Still others will invest in the hardware necessary for service access list on two levels (blocking access to itself and the interrior routers and, secondly, the interrior router blocked access to a router can only be accessed from inside of its own or even only from the console and provides the primary access to the list control. This router is typically nothing else except the filter the datagram and sends them to its default router, or localhost).

Which method you choose depends on your level of security required, your budget and needs to be protected for a specific application. However, led to a variety of program decisions are beyond the scope of this document. This lesson is intended to focus on general access list design and implementation.

Cisco has created two different types of access router in the list. First, the standard access list, only the source address on the filter. If you are using access numbers list (IOS 11.1 and earlier versions do not support named access lists), than the list numbered from 1 to 99. The second type of access list, extended access lists, is from 100 to 199 numberes, based on source address, destination address, Protocol, Protocol, port number, and a myriad of other features do not necessarily apply to filtering of IP communications in General.

Once you have created an access list, it must be tied to a single interface. Interface configuration view "audience" filter list. Inbound or outbound interface can access group. For example:

  Interface Serial0
  ip access-group 101 in
  ip access-group 6 out

Specify this set of commands entered must be handled by extended access list number 101 serial 0 traffic and outbound traffic before leaving the interface must be delivered through a standard access list 10.

By specifying a list of numbers, weather, traffic was allowed or denied, would result in the entry to match and being filtered by the host or the network, and with it (if it is a network or subnet) associated screen configuration the standard access list.

 

 access-list 10 permit 234.5.6.12
 access-list 10 deny 5.10.10.32 0.0.0.31
 access-list 10 permit 5.10.0.0 0.0.255.255
 access-list 10 permit 123.234.0.0 0.0.0.255

 

In the above example creates an access list configured on 4 and 10. Allows all traffic with the source IP address of the first row to 234.5.. Please note that when a host's IP address is listed, there is no mask must be associated with it. The second line from the subnet 5.10.10.32/27 deny all traffic. To observe one of the access lists are rather shielded, they use what Cisco calls "wildcard Fu Ping cover." Shielding of these masks is very similar with one important difference. Network Shield operations from left to right. Wildcard Fu Ping shelter operations from right to left. Therefore, when you look at the configuration, matches the wildcard Fu Ping shelter is in the 5.10.10.32 of 32 addresses. (Due to zero is a valid mask, it counts as one address. 31 therefore shielding is used instead of 32).

The remaining two lines, one from 5.10.10.0.0/16 and 123.234.0.0/24 to allow communication. At first glance, newcommer to access list might think the only access denied to this network is second and permits are not necessary. In the access list, but aims to selectively license, you cannot selectively deny traffic. Therefore, implicitly denies exists in this end of the access list. (More what does not explicitly match the access list entry is removed).

There are a few other important things to consider when you create an access list. First, the order is extremely important. Because access list via "short circuit" function (relief when matches are found), those most likely to match the communications entries should be listed first. IP access-list processing is very processor-intensive. Frequently listed by first matching processor utilization is kept to a minimum. Notes 2 and 3, lines of the above example. Collectively, they state, all traffic from 5.10.0.0/16 will be allowed except those hosts in 5.10.10.32/27. If line 2 (deny statements) listed in the 3rd row, than the refusal has no effect. Traffic will be allowed due to Line 3 line and will allow you to try to prevent these host access. When you create an access control list, you should examine them very carefully and must not have the wrong sort has occurred.

 

Second thing when you create an access list to watch out for are changes to the Cisco router is in effect immediately after their arrival. It is a fact that most access list is not stagnant, unchanging creatures, we want them to be. Time and again, they will need to be modified. Modify the access list refers to an existing list and re-create it with the changes. In refference to visit list when configuring the interface does not exist, traffic, by default, to allow. However, when you create an access list, implicit deny at the end of session will result in your configuration are filtered out. As a matter of policy, it is good practice refference to the access list is removed from the interface access list before modifying it. (Through the "no IP access group 123" or list your plans to visit refference).

Generate extended access lists are a bit more complicated, and requires several steps. Because the extended access-list filter based on source and destination IP addresses, the need for the two parts of each item. Following is a brief example of the IP extended access list. 

 

 access-list 101 permit tcp any any established
 access-list 101 permit tcp any 204.34.5.25 host eq 80
 access-list 101 permit ip 203.45.34.0 0.0.0.255 204.34.5.0 0.0.0.255
 access-list 101 permit tcp 203.44.32.0 0.0.0.31 204.34.5.0 0.0.0.255 eq telnet
 access-list 101 permit tcp any 204.34.5.10 eq smtp

 

This access list permits all TCP connections with the established flag, which allows any user to access host 204.34.5.25,TCP port 80 (the HTTP port), from 203.45.34.0/24 to reach any host within the 204.34.5.0 class C,203.44.32.0/27 of all IP protocols in any host can telnet to 204.34.5.0 on all hosts And allow all hosts connecting to the SMTP port on the host 204.34.5.10.