Sunday, September 11, 2011

ACL Traffic Filtering (Filtering with IOS Part 1)

I have three routers, R1, R2 and R3, and I want to use an access list on R2 to enforce a simple security policy.

I treat R2's fa0/0 as the inside network and R2's s0/0 as the outside network. All traffic from the inside should be allowed out, but no unsolicited traffic from the outside should be allowed in. EIGRP is running between the three routers and must keep working. In addition, R1 is running an HTTP service that R3 must be able to reach.

This calls for an extended ACL applied inbound on R2's outside interface: permit EIGRP, permit TCP to R1's HTTP port, permit TCP segments that belong to connections initiated from the inside (the established keyword), and let the implicit deny at the end of the list drop everything else.

ip access-list extended INWARD
 permit eigrp any any
 permit tcp any host eq www
 permit tcp any established

interface serial0/1
 ip access-group INWARD in

Once the ACL is applied, I can no longer ping or telnet to R1 from R3:

*Sep 10 04:25:25.153: %SYS-5-CONFIG_I: Configured from console by console

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)

Trying ... 
% Destination unreachable; gateway or host down

Nothing in the ACL permits ICMP or telnet from the outside, so both are dropped by the implicit deny. HTTP to R1 matches entry 20, though, so I can still pull a file from R1 over http:

R3#copy http://jason:cisco@ null:      
Loading http://***********@ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Now I'll telnet from R1 to R3, i.e. from the inside network out:

Trying ... Open

User Access Verification


On R2 the hit counters show that the return packets of that session (R3's SYN/ACK and the ACK-bearing segments that follow, all arriving inbound on the outside interface) matched the established entry. Keep in mind what established actually checks: it is not stateful. It permits any TCP segment with the ACK or RST bit set, whether or not a connection exists, so an ACK-flagged probe from the outside (an ACK scan, for example) passes entry 30 just as the legitimate replies do. It also does nothing for UDP or ICMP, which is why a ping from R1 out to R3 would fail under this ACL as well: the echo reply coming back has no permitting entry.

R2#show ip access-list        
Extended IP access list INWARD
    10 permit eigrp any any (264 matches)
    20 permit tcp any host eq www (2688 matches)
    30 permit tcp any established (12 matches)
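To make the behaviour of the three entries concrete, here is a small Python model of how IOS evaluates the INWARD ACL (first match wins, implicit deny at the end, established meaning "ACK or RST set"). This is an added example, not code from the original post or from IOS; the addresses for R1 and R3 and the sample packets are constructed placeholders, since the post does not show the real ones. It also goes one step past the post by feeding the list an unsolicited ACK-only probe, to show that entry 30 permits it.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed placeholder addresses; the original post's addresses are not shown.
R1 = "192.168.1.1"   # inside host running HTTP
R3 = "192.168.3.3"   # outside host


@dataclass
class Packet:
    """One packet arriving inbound on R2's outside interface (constructed sample data)."""
    proto: str                      # "tcp", "icmp" or "eigrp"
    src: str
    dst: str
    dport: int = 0                  # TCP destination port, 0 for non-TCP
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}


def is_established(pkt):
    """IOS 'established' matches any TCP segment with ACK or RST set.
    No connection table is consulted, so an unsolicited ACK matches too."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


# The three entries of INWARD in sequence order: (seq, text, match predicate).
# The implicit deny at the end of every IOS ACL is modelled in evaluate().
INWARD = [
    (10, "permit eigrp any any", lambda p: p.proto == "eigrp"),
    (20, f"permit tcp any host {R1} eq www",
         lambda p: p.proto == "tcp" and p.dst == R1 and p.dport == 80),
    (30, "permit tcp any any established", is_established),
]


def evaluate(acl, pkt, hits=None):
    """First-match evaluation like IOS: returns ("permit", seq) or ("deny", None)."""
    for seq, _text, match in acl:
        if match(pkt):
            if hits is not None:
                hits[seq] += 1
            return "permit", seq
    return "deny", None


def scenarios():
    """Constructed inbound packets covering the cases tried in the post plus an ACK probe."""
    def tcp(dport, *flags):
        return Packet("tcp", R3, R1, dport, frozenset(flags))
    return {
        "eigrp hello from R3":            Packet("eigrp", R3, "224.0.0.10"),
        "R3 -> R1 http SYN":              tcp(80, "SYN"),
        "R3 -> R1 telnet SYN":            tcp(23, "SYN"),
        "R3 -> R1 icmp echo":             Packet("icmp", R3, R1),
        "R3 SYN/ACK reply to R1 telnet":  tcp(11000, "SYN", "ACK"),   # 11000: assumed ephemeral port on R1
        "R3 -> R1 unsolicited ACK probe": tcp(23, "ACK"),             # ACK scan: no session exists
        "R3 icmp echo-reply to R1":       Packet("icmp", R3, R1),
    }


def run():
    """Evaluate every scenario and collect per-entry hit counters."""
    hits = Counter()
    results = {name: evaluate(INWARD, pkt, hits) for name, pkt in scenarios().items()}
    return results, hits


def show_access_list(hits):
    """Render the counters the way 'show ip access-list' does."""
    lines = ["Extended IP access list INWARD"]
    for seq, text, _match in INWARD:
        lines.append(f"    {seq} {text} ({hits[seq]} matches)")
    return "\n".join(lines)


if __name__ == "__main__":
    results, hits = run()
    for name, (action, seq) in results.items():
        where = f"entry {seq}" if seq else "implicit deny"
        print(f"{name:34} {action:6} {where}")
    print(show_access_list(hits))
```

Running it shows the telnet SYN and both ICMP packets falling through to the implicit deny, the HTTP SYN matching entry 20, and both the genuine SYN/ACK reply and the unsolicited ACK probe matching entry 30. The last line is the point to remember: established filters on flag bits, not on connection state.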
