Sunday, September 11, 2011

ACL Traffic Filtering (Filtering with IOS Part 1)


I have R1, R2, and R3, and I want to use access-lists to effectively help create a security policy that I can apply to R2.

I consider R2's fa0/0 (the link to R1) the inside network and R2's serial link to R3 (serial0/1 in the configuration below) the outside network. I want to allow anything from the inside to go out, but nothing that the outside initiates to come in. EIGRP is running between the three routers and has to keep working, and R1 is serving HTTP, which R3 should be allowed to reach.

This calls for an extended ACL applied inbound on that outside interface. It needs three permits (EIGRP, HTTP to R1, and return traffic for TCP sessions the inside started) and relies on the implicit deny at the end of every IOS ACL to drop everything else.

ip access-list extended INWARD
 permit eigrp any any
 permit tcp any host 10.1.12.1 eq www
 permit tcp any 10.1.0.0 0.0.255.255 established

interface serial0/1
 ip access-group INWARD in

Once the ACL is applied, I can no longer ping or telnet to R1 from R3.

*Sep 10 04:25:25.153: %SYS-5-CONFIG_I: Configured from console by console
R3#ping 10.1.12.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R3#telnet 10.1.12.1
Trying 10.1.12.1 ... 
% Destination unreachable; gateway or host down


The U in the ping output is the ICMP unreachable that R2 sends back when the ACL drops a packet, and the telnet attempt gets the same treatment ("Destination unreachable"): nothing in INWARD permits ICMP or TCP/23 from the outside, so both fall through to the implicit deny. HTTP to R1 matches entry 20, so copying a file from R1 over HTTP works (note that the username and password in the URL cross the serial link in clear text; IOS only masks them in its own output):

R3#copy http://jason:cisco@10.1.12.1/c1841-adventerprisek9-mz.124-24.T3.bin null:      
Loading http://***********@10.1.12.1/c1841-adventerprisek9-mz.124-24.T3.bin !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Now I'll telnet from R1 to R3, a session started from the inside.

R1#telnet 10.1.23.3
Trying 10.1.23.3 ... Open


User Access Verification


Password:
R3>

On R2, the counter on entry 30 shows the return packets from R3 (source port 23 with the ACK bit set) matching the established entry. established is not stateful, though: it only checks that the ACK or RST bit is set, so any outside packet carrying one of those bits with a destination anywhere in 10.1.0.0/16 is permitted whether or not an inside host ever opened the session.

R2#show ip access-list        
Extended IP access list INWARD
    10 permit eigrp any any (264 matches)
    20 permit tcp any host 10.1.12.1 eq www (2688 matches)
    30 permit tcp any 10.1.0.0 0.0.255.255 established (12 matches)
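To make the evaluation order, the wildcard masks and the limits of established concrete, here is a small simulator that walks the INWARD ACL above with the packets from this post (EIGRP, the failed ping and telnet, the HTTP transfer, the telnet reply to R1) plus one ACK-only probe the post does not send. This is added example code, not IOS and not from the original post; the Packet model, the Ace/Acl classes and the packet names are my own assumptions, while the three entries and the addresses are the ones shown above.

```python
"""Simulate how IOS evaluates the INWARD extended ACL from this post.

Added example, not IOS code and not from the original post: the Packet
model, ACE representation and helper names are assumptions of this
example; the three entries and the addresses are the ones in the post.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str                           # "tcp", "udp", "icmp", "eigrp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()  # TCP flags set, e.g. {"SYN", "ACK"}


def matches_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


ANY = ("0.0.0.0", "255.255.255.255")      # "any" == 0.0.0.0 255.255.255.255


def host(addr: str) -> Tuple[str, str]:
    return (addr, "0.0.0.0")              # "host x" == x 0.0.0.0


@dataclass
class Ace:
    seq: int
    text: str                             # as printed by show ip access-list
    action: str                           # "permit" or "deny"
    proto: str                            # "ip" matches every protocol
    src: Tuple[str, str]
    dst: Tuple[str, str]
    dport: Optional[int] = None           # "eq <port>" on the destination
    established: bool = False             # TCP only: ACK or RST bit present

    def match(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if not matches_wildcard(p.src, *self.src) or not matches_wildcard(p.dst, *self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established:
            # 'established' keeps no session table: it only inspects the
            # ACK/RST bits of this one segment, which is the caveat above.
            return p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})
        return True


class Acl:
    def __init__(self, name: str, aces: List[Ace]):
        self.name = name
        self.aces = aces
        self.counters: Dict[int, int] = {a.seq: 0 for a in aces}

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """Top-down, first match wins; no match hits the implicit deny."""
        for ace in self.aces:
            if ace.match(p):
                self.counters[ace.seq] += 1
                return ace.action, ace.seq
        return "deny", None

    def show(self) -> List[str]:
        """Mimic the match counters of 'show ip access-list'."""
        lines = [f"Extended IP access list {self.name}"]
        for ace in self.aces:
            lines.append(f"    {ace.seq} {ace.text} ({self.counters[ace.seq]} matches)")
        return lines


INWARD = Acl("INWARD", [
    Ace(10, "permit eigrp any any", "permit", "eigrp", ANY, ANY),
    Ace(20, "permit tcp any host 10.1.12.1 eq www", "permit", "tcp",
        ANY, host("10.1.12.1"), dport=80),
    Ace(30, "permit tcp any 10.1.0.0 0.0.255.255 established", "permit", "tcp",
        ANY, ("10.1.0.0", "0.0.255.255"), established=True),
])

R1, R3 = "10.1.12.1", "10.1.23.3"
# Constructed packets as they would arrive inbound on R2's outside interface.
CASES = {
    "eigrp hello from R3":            Packet("eigrp", R3, "224.0.0.10"),
    "R3 ping R1":                     Packet("icmp", R3, R1),
    "R3 telnet R1 (SYN)":             Packet("tcp", R3, R1, 40000, 23, frozenset({"SYN"})),
    "R3 http R1 (SYN)":               Packet("tcp", R3, R1, 40001, 80, frozenset({"SYN"})),
    "reply to R1's telnet (SYN/ACK)": Packet("tcp", R3, R1, 23, 40002, frozenset({"SYN", "ACK"})),
    "ACK-only probe to R1:23":        Packet("tcp", R3, R1, 40003, 23, frozenset({"ACK"})),
}


def run_cases(acl: Acl = INWARD) -> Dict[str, Tuple[str, Optional[int]]]:
    return {name: acl.evaluate(pkt) for name, pkt in CASES.items()}


if __name__ == "__main__":
    for name, (action, seq) in run_cases().items():
        print(f"{name:32} -> {action} (seq {seq})")
    print("\n".join(INWARD.show()))
```

The last case is the one worth remembering: an ACK-only segment from R3 to R1's telnet port, the kind an ACK scan sends, is permitted by entry 30 exactly like a genuine reply, because the keyword only looks at flag bits. If that matters, a stateful mechanism (CBAC/Zone-Based Firewall, or reflexive ACLs) is the fix, not a longer ACL.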
