Sunday, September 11, 2011

ACL Traffic Filtering (Filtering with IOS Part 1)

I have R1, R2, and R3, and I want to use access-lists to build a simple security policy that I can apply to R2.

I consider R2's fa0/0 the inside network and R2's s0/0 the outside network. I want to allow all traffic to exit the inside network, but do not want any unsolicited traffic from the outside network to be allowed in. I have EIGRP running between the three routers, and I want that to remain operational. Additionally, R1 is running HTTP services that I want to allow R3 to access.

This requires an ACL that I will apply to the outside interface of R2.

ip access-list extended INWARD
 permit eigrp any any
 permit tcp any host eq www
 permit tcp any any established

interface serial0/1
 ip access-group INWARD in

Once the ACL is applied, I can no longer ping or telnet to R1 from R3.

*Sep 10 04:25:25.153: %SYS-5-CONFIG_I: Configured from console by console

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)

Trying ... 
% Destination unreachable; gateway or host down

No rule was added to allow ICMP or telnet. However, I can copy a file using HTTP.

R3#copy http://jason:cisco@ null:      
Loading http://***********@ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Now I'll telnet from R1 to R3.

Trying ... Open

User Access Verification

On R2 I see hits under the ACL's established entry, which is what allows the return TCP packets back in.

R2#show ip access-list
Extended IP access list INWARD
    10 permit eigrp any any (264 matches)
    20 permit tcp any host eq www (2688 matches)
    30 permit tcp any any established (12 matches)
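To make the matching logic visible, here is a small Python model of the INWARD list and the packets from the tests above. It is an added example, not IOS code and not from the original post; the addresses for R1 and R3 are constructed placeholders from the documentation ranges, and the ports and flags are my assumptions about what each test generates. It also shows the caveat that matters for a filter like this: the established keyword is stateless, it only checks for the ACK or RST bit, so an unsolicited segment with ACK set is permitted by entry 30 even though no session exists. Where that matters, IOS reflexive ACLs or the zone-based firewall give real stateful inspection.

```python
"""Toy model of a Cisco IOS extended ACL (constructed example, not IOS code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    proto: str                                   # "eigrp", "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int = 0                               # destination port (tcp/udp)
    flags: Set[str] = field(default_factory=set) # TCP flags, e.g. {"SYN"}


@dataclass
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # protocol keyword; "ip" matches everything
    src: str                     # "any", or a host / prefix string
    dst: str
    dport: Optional[int] = None  # the "eq <port>" qualifier, if present
    established: bool = False    # the TCP "established" keyword
    matches: int = 0             # hit counter, as in "show ip access-list"


def addr_match(spec: str, addr: str) -> bool:
    """'any' matches all addresses; otherwise spec is a host or prefix."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (addr_match(e.src, p.src) and addr_match(e.dst, p.dst)):
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    # "established" is stateless: IOS only checks that ACK or RST is set.
    if e.established and not (p.flags & {"ACK", "RST"}):
        return False
    return True


class AccessList:
    def __init__(self, name: str, entries: List[Entry]):
        self.name = name
        self.entries = entries

    def evaluate(self, p: Packet) -> str:
        """First matching entry wins; no match falls to the implicit deny."""
        for e in self.entries:
            if entry_matches(e, p):
                e.matches += 1
                return e.action
        return "deny"

    def show(self) -> List[str]:
        """Render the counters in the style of 'show ip access-list'."""
        lines = [f"Extended IP access list {self.name}"]
        for e in self.entries:
            qual = f" eq {e.dport}" if e.dport is not None else ""
            qual += " established" if e.established else ""
            lines.append(f"    {e.seq} {e.action} {e.proto} {e.src} {e.dst}"
                         f"{qual} ({e.matches} matches)")
        return lines


R1 = "192.0.2.1"     # placeholder for R1, the inside web server
R3 = "198.51.100.3"  # placeholder for R3, on the outside


def build_inward() -> AccessList:
    return AccessList("INWARD", [
        Entry(10, "permit", "eigrp", "any", "any"),
        Entry(20, "permit", "tcp", "any", R1, dport=80),
        Entry(30, "permit", "tcp", "any", "any", established=True),
    ])


def run_scenarios() -> Dict[str, object]:
    """Replay the post's tests as inbound packets on R2's outside interface."""
    acl = build_inward()
    verdicts = {
        "eigrp_hello":     acl.evaluate(Packet("eigrp", R3, "224.0.0.10")),
        "http_syn":        acl.evaluate(Packet("tcp", R3, R1, 80, {"SYN"})),
        "telnet_syn":      acl.evaluate(Packet("tcp", R3, R1, 23, {"SYN"})),
        "icmp_echo":       acl.evaluate(Packet("icmp", R3, R1)),
        # reply segment of a telnet session that R1 opened towards R3
        "telnet_return":   acl.evaluate(Packet("tcp", R3, R1, 40000, {"ACK"})),
        # bare ACK with no session behind it: still permitted by entry 30
        "unsolicited_ack": acl.evaluate(Packet("tcp", R3, R1, 23, {"ACK"})),
    }
    return {"verdicts": verdicts, "show": acl.show()}


if __name__ == "__main__":
    out = run_scenarios()
    for name, verdict in out["verdicts"].items():
        print(f"{name:16} {verdict}")
    print("\n".join(out["show"]))
```

Running it reproduces the post's observations (EIGRP and HTTP to R1 permitted, ping and telnet to R1 denied, R1's outbound telnet answered), and the counter on entry 30 also absorbs the unsolicited ACK, which is the hit you would not want to see on a truly stateful filter.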
