2019/04/15

[CCNA Notes] Configuring extended ACLs

This lab has to use extended mode: a standard ACL can only decide whether traffic from source PCB passes or not, it cannot restrict PCB to reaching only Srv1.

The interface for an extended ACL should be as close as possible to the source of the traffic being denied, so that unwanted traffic is filtered before it travels across the network.
To be more precise when matching a certain network traffic, extended access lists are used. With extended access lists, you can match more information, such as:

  • source and destination IP address
  • type of TCP/IP protocol (TCP, UDP, IP…)
  • source and destination port numbers
  • service (Telnet, WWW, ftp...)
Two steps are required to configure extended access lists:
1. configure extended access lists using the following command:
(config)# access-list NUMBER permit|deny IP_PROTOCOL SOURCE_ADDRESS WILDCARD_MASK [PROTOCOL_INFORMATION] DESTINATION_ADDRESS WILDCARD_MASK [PROTOCOL_INFORMATION]

2. apply the access list to an interface (from interface configuration mode) using the following command:
(config-if)# ip access-group ACL_NUMBER in|out

NOTE
Extended access list numbers are in the ranges 100 to 199 and 2000 to 2699. You should always place extended ACLs as close to the source as possible.

R1(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
R1(config)#access-list 100 permit ip host 192.168.10.1 any
R1(config)#access-list 100 permit ip host 192.168.10.2 host 207.16.10.1
R1(config)#access-list 100 deny ip host 192.168.10.2 host 207.16.10.10
R1(config)#do sh ip access-list
Extended IP access list 100
10 permit ip host 192.168.10.1 any
20 permit ip host 192.168.10.2 host 207.16.10.1
30 deny ip host 192.168.10.2 host 207.16.10.10
R1(config)#int fa0/1
R1(config-if)#ip access-group 100 out

PCA>ping 207.16.10.10
Pinging 207.16.10.10 with 32 bytes of data:
Request timed out.
Reply from 207.16.10.10: bytes=32 time=0ms TTL=127
Reply from 207.16.10.10: bytes=32 time=0ms TTL=127
Reply from 207.16.10.10: bytes=32 time=1ms TTL=127
Ping statistics for 207.16.10.10:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

R1(config-if)#do sh ip access-list
Extended IP access list 100
10 permit ip host 192.168.10.1 any (4 match(es))
20 permit ip host 192.168.10.2 host 207.16.10.1
30 deny ip host 192.168.10.2 host 207.16.10.10

PCB>ping 207.16.10.10
Pinging 207.16.10.10 with 32 bytes of data:
Reply from 192.168.10.254: Destination host unreachable.
Reply from 192.168.10.254: Destination host unreachable.
Reply from 192.168.10.254: Destination host unreachable.
Reply from 192.168.10.254: Destination host unreachable.
Ping statistics for 207.16.10.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

R1(config-if)#do sh ip access-list
Extended IP access list 100
10 permit ip host 192.168.10.1 any (4 match(es))
20 permit ip host 192.168.10.2 host 207.16.10.1
30 deny ip host 192.168.10.2 host 207.16.10.10 (4 match(es))

PCB>ping 207.16.10.1
Pinging 207.16.10.1 with 32 bytes of data:
Request timed out.
Reply from 207.16.10.1: bytes=32 time=0ms TTL=127
Reply from 207.16.10.1: bytes=32 time=1ms TTL=127
Reply from 207.16.10.1: bytes=32 time=1ms TTL=127
Ping statistics for 207.16.10.1:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

R1(config-if)#do sh ip access-list
Extended IP access list 100
10 permit ip host 192.168.10.1 any (4 match(es))
20 permit ip host 192.168.10.2 host 207.16.10.1 (4 match(es))
30 deny ip host 192.168.10.2 host 207.16.10.10 (4 match(es))

R1(config-if)#


Reference:
https://study-ccna.com/configuring-extended-acls/


* This time the extended ACL is created by name instead of by number

R1(config)#ip access-list ?
extended Extended Access List
standard Standard Access List

R1(config)#ip access-list extended R1-ACL
R1(config-ext-nacl)#permit ?
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol

R1(config-ext-nacl)#permit tcp host 192.168.10.1 host 207.16.10.1 eq ?
<0-65535> Port number
domain Domain Name Service (DNS, 53)
ftp File Transfer Protocol (21)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
telnet Telnet (23)
www World Wide Web (HTTP, 80)

R1(config-ext-nacl)#permit tcp host 192.168.10.1 host 207.16.10.1 eq www
R1(config-ext-nacl)#permit tcp host 192.168.10.1 host 207.16.10.1 eq ftp
R1(config-ext-nacl)#deny ip any any
R1(config-ext-nacl)#int fa0/0
R1(config-if)#ip access-group R1-ACL in

R1(config-if)#do sh access-lists
Extended IP access list R1-ACL
10 permit tcp host 192.168.10.1 host 207.16.10.1 eq www (6 match(es))
20 permit tcp host 192.168.10.1 host 207.16.10.1 eq ftp
30 deny ip any any

PCA>ping 207.16.10.1
Pinging 207.16.10.1 with 32 bytes of data:
Reply from 192.168.10.254: Destination host unreachable.
Reply from 192.168.10.254: Destination host unreachable.
Reply from 192.168.10.254: Destination host unreachable.
Reply from 192.168.10.254: Destination host unreachable.
Ping statistics for 207.16.10.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), 

R1(config-if)#do sh access-lists
Extended IP access list R1-ACL
10 permit tcp host 192.168.10.1 host 207.16.10.1 eq www (6 match(es))
20 permit tcp host 192.168.10.1 host 207.16.10.1 eq ftp
30 deny ip any any (4 match(es))

PCB>ftp 207.16.10.1
Trying to connect...207.16.10.1
%Error opening ftp://207.16.10.1/ (Timed out)

Hmm... why? Checking the ACL above shows that entry 20 has the wrong IP for PCB. What now?
R1(config)#ip access-list extended R1-ACL
R1(config-ext-nacl)#no 20
R1(config-ext-nacl)#20 permit tcp host 192.168.10.2 host 207.16.10.1 eq ftp

PCB>ftp 207.16.10.1
Trying to connect...207.16.10.1
Connected to 207.16.10.1
220- Welcome to PT Ftp server
Username:cisco
331- Username ok, need password
Password:
230- Logged in
(passive mode On)
ftp>

R1(config-ext-nacl)#do sh access
Extended IP access list R1-ACL
10 permit tcp host 192.168.10.1 host 207.16.10.1 eq www (6 match(es))
20 permit tcp host 192.168.10.2 host 207.16.10.1 eq ftp (7 match(es))
30 deny ip any any


* Extended ACL syntax: an ACL that checks the source port

R1(config)#access-list 100 permit tcp host 207.16.10.1 eq 80 any
R1(config)#access-list 100 deny ip any any
R1(config)#int fa0/1
R1(config-if)#ip access-group 100 in
R1(config-if)#do sh access-list
Extended IP access list 100
    10 permit tcp host 207.16.10.1 eq www any
    20 deny ip any any



R1(config-if)#do sh access-list
Extended IP access list 100
    10 permit tcp host 207.16.10.1 eq www any (3 match(es))
    20 deny ip any any

PC>ping 207.16.10.1
Pinging 207.16.10.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 207.16.10.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

R1(config-if)#do sh access-list
Extended IP access list 100
    10 permit tcp host 207.16.10.1 eq www any (3 match(es))
    20 deny ip any any (2 match(es))


* Advanced ACL configuration:

Requirements:
1. Enter three ACL statements on R1
2. Test PC A and PC C connecting to the WWW server over HTTP
3. Run ping 172.22.242.23 from PCA
4. Check the ACL results

R1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq www
R1(config)#access-list 100 deny tcp any host 172.22.242.23 eq www
R1(config)#access-list 100 permit ip any any

R1(config)#int fa0/0
R1(config-if)#ip access-group 100 out
R1(config-if)#do sh access
Extended IP access list 100
10 permit tcp host 192.168.33.3 host 172.22.242.23 eq www
20 deny tcp any host 172.22.242.23 eq www
30 permit ip any any




R1(config-if)#do sh access
Extended IP access list 100
10 permit tcp host 192.168.33.3 host 172.22.242.23 eq www
20 deny tcp any host 172.22.242.23 eq www (12 match(es))
30 permit ip any any

PCA>ping 172.22.242.23
Pinging 172.22.242.23 with 32 bytes of data:
Reply from 172.22.242.23: bytes=32 time=1ms TTL=127
Reply from 172.22.242.23: bytes=32 time=0ms TTL=127
Reply from 172.22.242.23: bytes=32 time=1ms TTL=127
Reply from 172.22.242.23: bytes=32 time=0ms TTL=127
Ping statistics for 172.22.242.23:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

R1(config-if)#do sh access
Extended IP access list 100
10 permit tcp host 192.168.33.3 host 172.22.242.23 eq www
20 deny tcp any host 172.22.242.23 eq www (12 match(es))
30 permit ip any any (4 match(es))



R1(config-if)#do sh access
Extended IP access list 100
10 permit tcp host 192.168.33.3 host 172.22.242.23 eq www (5 match(es))
20 deny tcp any host 172.22.242.23 eq www (12 match(es))
30 permit ip any any (4 match(es))


Changed requirement:
Except for PC C, restrict the other PCs' traffic to the Web Srv as well (all IP traffic, not only HTTP)
R1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq www
R1(config)#access-list 100 deny ip any host 172.22.242.23
R1(config)#access-list 100 permit ip any any
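The behaviour seen in every transcript above (the numbered ACL 100 at the start, the named R1-ACL and its sequence-20 fix, the source-port ACL, and the two versions of this "advanced" ACL) follows from one rule: entries are checked top-down, the first match wins and counts, and anything that matches nothing hits the implicit deny. The Python below is an added illustration for these notes, not Cisco code and not from study-ccna.com. It parses the ACE syntax used on this page, evaluates constructed packets against a list, and keeps per-entry counters like `show ip access-list`. PCA's address 192.168.33.1 and the client port 49152 are constructed values, since the notes do not give them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS accepts after "eq" (the subset shown in the lab's "eq ?" output)
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Tuple[int, int]         # (address, wildcard) as 32-bit integers
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    text: str                    # entry as IOS echoes it in "show ip access-list"
    matches: int = 0             # the "(n match(es))" counter


def _addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'host A', 'any' or 'A WILDCARD' from the front of the token list."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq PORT' qualifier; PORT is a keyword or a number."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_ace(line: str, default_seq: int) -> Ace:
    """Parse one entry in numbered ('access-list 100 permit ...') or named ('[SEQ] permit ...') form."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:        # numbered form: drop "access-list NUMBER"
        tokens = tokens[2:]
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else default_seq
    text = " ".join(tokens)
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _addr(tokens), _port(tokens)     # left to right: address first, then "eq"
    dst, dport = _addr(tokens), _port(tokens)
    return Ace(seq, action, proto, src, sport, dst, dport, text)


def build_acl(lines: List[str]) -> List[Ace]:
    """IOS numbers entries 10, 20, 30, ... unless a sequence number is typed explicitly."""
    return [parse_ace(line, 10 * (i + 1)) for i, line in enumerate(lines)]


def replace_ace(acl: List[Ace], seq: int, line: str) -> None:
    """Same effect as 'no SEQ' followed by 'SEQ permit ...' inside ip access-list mode."""
    acl[:] = sorted([a for a in acl if a.seq != seq] + [parse_ace(line, seq)], key=lambda a: a.seq)


def _covers(net: Tuple[int, int], addr: str) -> bool:
    """Wildcard-mask test: every bit that is 0 in the wildcard must match the address."""
    care = ~net[1] & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net[0] & care)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top-down and stop at the first match; (deny, None) is the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_covers(ace.src, pkt.src) and _covers(ace.dst, pkt.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        ace.matches += 1
        return ace.action, ace.seq
    return "deny", None


def show(acl: List[Ace]) -> List[str]:
    """Render entries the way 'show ip access-list' prints them, counters included."""
    return [f"{a.seq} {a.text}" + (f" ({a.matches} match(es))" if a.matches else "") for a in acl]


# The "advanced" ACL from the notes in both versions; PCA's address and the client port are constructed.
ORIGINAL = build_acl(["access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq www",
                      "access-list 100 deny tcp any host 172.22.242.23 eq www",
                      "access-list 100 permit ip any any"])
CHANGED = build_acl(["access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq www",
                     "access-list 100 deny ip any host 172.22.242.23",
                     "access-list 100 permit ip any any"])
PCA_PING = Packet("icmp", "192.168.33.1", "172.22.242.23")
PCC_HTTP = Packet("tcp", "192.168.33.3", "172.22.242.23", 49152, 80)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("changed", CHANGED)):
        print(name, "PCC http:", evaluate(acl, PCC_HTTP), "PCA ping:", evaluate(acl, PCA_PING))
        print("\n".join(show(acl)))
```

Running it shows why the ping from PCA succeeded under the original list (it falls through to `30 permit ip any any`, which is exactly where the 4 matches appeared) and is stopped at entry 20 once the deny is widened from `tcp ... eq www` to `ip`, while PC C's HTTP still hits entry 10 first. The same `evaluate` reproduces the earlier labs: PCB's FTP attempt lands on `deny ip any any` until entry 20 is replaced with the correct host, and the source-port list drops ICMP because `permit tcp` never matches a non-TCP packet.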
