Monday, September 12, 2011

Lock and Key ACLs (Filtering with IOS Part 3)



I have R1, R2, and R3, and I want to use Dynamic ACLs to effectively help create a security policy that I can apply to R2.

I consider R2's fa0/0 the inside network and R2's s0/0 the outside network. I want to allow R1 to open a connection on TCP port 80 to R3, but only after R1 authenticates to R2. I have RIP running between the three routers, and I want that to remain operational.

To accomplish this, I'll create an access-list on R2 with a dynamic entry for www access from R1 to R3. On the vty lines, I'll set login local. For the dynamic ACL, I will have to log into R2 via telnet and issue the access-enable command. This command creates the dynamic entry under the access-list. I'll create a user named jason with a password of cisco, and allow telnet inbound on the ACL.

!
ip access-list extended 100 
 permit tcp any any eq telnet
 permit udp any any eq 520
 dynamic HTTP permit tcp any host 10.1.23.3
!
username jason password cisco
!
line vty 0 4
 login local
!

I'll apply the ACL to fa0/0

!
interface FastEthernet0/0
 ip access-group 100 in
!

R3 is running ip http services and the ip http path has been set for flash:/. For demonstration, I will attempt to connect from R1 to R3 via http.

R1#http://jason:cisco@10.1.23.3/c2600-adventerprisek9-mz.124-10c.bin null:        
%Error opening http://*****:*****@10.1.23.3/c2600-adventerprisek9-mz.124-10c.bin (I/O error)

As expected, access is not allowed.

I'll look at R2's access-list

R2#sh access-list 100                               
Extended IP access list 100
    10 permit tcp any any eq telnet
    20 permit udp any any eq 502
    30 Dynamic HTTP permit tcp any host 10.1.23.3
R2#

There's no entry under the dynamic rule to allow traffic.

I'll telnet to R2 and issue the access-enable command.

R1#telnet 10.1.12.2                                                  
Trying 10.1.12.2 ... Open


User Access Verification


Username: jason
Password: 
R2>access-enable
R2>exit
[Connection to 10.1.12.2 closed by foreign host]

And now when I look at the ACL on R2, I see the permit entry under the dynamic ACL.

R2#sh access-list 100
Extended IP access list 100
    10 permit tcp any any eq telnet (201 matches)
    20 permit udp any any eq 502
    30 Dynamic HTTP permit tcp any host 10.1.23.3
       permit tcp any host 10.1.23.3

Notice that the entry allows any to host 10.1.23.3. I'll clear the dynamic ACL on R2 and issue the access-enable host command from R1 while connected to R2's vty line to see the difference.

R2#clear ip access-template 100 HTTP any host 10.1.12.3


R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open


User Access Verification


Username: jason
Password: 
R2>access-enable host
R2>

I'll now check the ACL on R2 again

R2#show access-list
Extended IP access list 100
    10 permit tcp any any eq telnet (612 matches)
    20 permit udp any any eq 502
    30 Dynamic HTTP permit tcp any host 10.1.23.3
       permit tcp host 10.1.12.1 host 10.1.23.3
R2#

The access-enable host command results in the dynamic ACL allowing only the host that connected and issued the command.
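The difference between the two show outputs above is the whole security point of access-enable host: the temporary entry is either bound to the authenticating host or opened for any source. Below is an added example (my own Python, not something from the post or from IOS) that parses the show access-list layout shown above, pulls out the temporary entries installed under each Dynamic line, and flags any that were opened without the host keyword. The sample outputs are constructed in the same format as the post's; the parser assumes source and destination are written as any or host A.B.C.D, which is all a lock-and-key temporary entry produces.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed 'show access-list' output (not captured from the post's routers).
# A temporary entry is printed indented, with no sequence number, beneath the
# Dynamic line that spawned it. First sample: opened with plain 'access-enable'.
AFTER_ACCESS_ENABLE = """\
Extended IP access list 100
    10 permit tcp any any eq telnet (201 matches)
    20 permit udp any any eq 520
    30 Dynamic HTTP permit tcp any host 10.1.23.3
       permit tcp any host 10.1.23.3
"""

# Second sample: opened with 'access-enable host' from 10.1.12.1.
AFTER_ACCESS_ENABLE_HOST = """\
Extended IP access list 100
    10 permit tcp any any eq telnet (612 matches)
    20 permit udp any any eq 520
    30 Dynamic HTTP permit tcp any host 10.1.23.3
       permit tcp host 10.1.12.1 host 10.1.23.3
"""

# Numbered entry, with the optional "(N matches)" counter stripped off the body.
SEQ_RE = re.compile(r"^\s*(?P<seq>\d+)\s+(?P<body>.*?)(?:\s+\(\d+ matches\))?\s*$")
# Body of a lock-and-key entry: 'Dynamic <name> [timeout N] permit ...'
DYN_RE = re.compile(r"^dynamic\s+(?P<name>\S+)\s", re.I)
# Temporary entry: 'permit <proto> <src> <dst>' where each side is 'any' or 'host A.B.C.D'
TEMP_RE = re.compile(
    r"^\s+permit\s+(?P<proto>\S+)\s+(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)")


@dataclass
class TempEntry:
    proto: str
    src: str
    dst: str


@dataclass
class AclEntry:
    seq: int
    body: str
    dynamic_name: Optional[str] = None
    temp_entries: List[TempEntry] = field(default_factory=list)


def parse_show_access_list(text: str) -> List[AclEntry]:
    """Parse numbered entries; attach unnumbered permit lines to the preceding Dynamic entry."""
    entries: List[AclEntry] = []
    for line in text.splitlines():
        m = SEQ_RE.match(line)
        if m:
            body = m.group("body")
            d = DYN_RE.match(body)
            entries.append(AclEntry(int(m.group("seq")), body, d.group("name") if d else None))
            continue
        m = TEMP_RE.match(line)
        if m and entries and entries[-1].dynamic_name:
            entries[-1].temp_entries.append(
                TempEntry(m.group("proto"), m.group("src"), m.group("dst")))
    return entries


def open_temporary_entries(text: str) -> List[Tuple[str, str, str]]:
    """(dynamic name, src, dst) for every temporary entry currently installed."""
    return [(e.dynamic_name, t.src, t.dst)
            for e in parse_show_access_list(text) for t in e.temp_entries]


def find_unscoped_entries(text: str) -> List[str]:
    """Temporary entries whose source is 'any', i.e. opened with access-enable and no host keyword."""
    return [f"dynamic {name}: temporary entry from {src} to {dst} is not bound to the authenticating host"
            for name, src, dst in open_temporary_entries(text) if src == "any"]


if __name__ == "__main__":
    for label, sample in (("access-enable", AFTER_ACCESS_ENABLE),
                          ("access-enable host", AFTER_ACCESS_ENABLE_HOST)):
        print(label, open_temporary_entries(sample), find_unscoped_entries(sample))
```

Run against a periodic capture of show access-list, find_unscoped_entries gives a quick check that nobody on the inside network has opened the dynamic entry to every host behind R2's fa0/0 rather than just their own.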

Now when I attempt to access data via TCP 80, I'm allowed access.

R1#http://jason:cisco@10.1.23.3/c2600-adventerprisek9-mz.124-10c.bin null:
Loading http://*****:*****@10.1.23.3/c2600-adventerprisek9-mz.124-10c.bin !!!

At this point, I don't have idle or absolute timeout configured. This entry will remain in the dynamic access list until I manually remove it with the clear access-template command. NOTE: The clear access-template command doesn't appear to work on named ACLs, and that's why I've used the number 100 for this ACL's name.

R2#clear access-template 100 HTTP any host 10.1.23.3
R2#sh access-list 100                               
Extended IP access list 100
    10 permit tcp any any eq telnet (282 matches)
    20 permit udp any any eq 502
    30 Dynamic HTTP permit tcp any host 10.1.23.3

Now I'll remove line 30 from the ACL, and add it back with an absolute timer.

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip access-list ext 100
R2(config-ext-nacl)#no 30
R2(config-ext-nacl)#30 Dynamic HTTP timeout 1 permit tcp any host 10.1.23.3 

Now I'll telnet to R2 from R1 and issue the access-enable command.

If my job will run longer than the timeout configured, then I can log in again and issue the access-enable command to extend the session by 6 minutes.


If I don't care to issue the access-enable command, I can configure the username with the autocommand command as such.



R2(config)#username jason autocommand access-enable host 
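The two settings just discussed decide how long and how widely a temporary entry stays open: the timeout keyword on the dynamic line (absolute timeout, as added to sequence 30 above) and the host and timeout arguments to access-enable, here supplied through the username autocommand. The following is an added example of my own, not from the post or from Cisco, that reads a running-config excerpt and reports dynamic entries without an absolute timeout and autocommands that open the entry for any source or that have no idle timeout. The two config excerpts are constructed; the username and ACL number follow the post's lab.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed running-config excerpt (not the post's): absolute timeout on the
# dynamic entry, autocommand bound to the host with an idle timeout.
HARDENED_CONFIG = """\
ip access-list extended 100
 permit tcp any any eq telnet
 permit udp any any eq 520
 dynamic HTTP timeout 1 permit tcp any host 10.1.23.3
!
username jason autocommand access-enable host timeout 2
!
"""

# Constructed: same ACL before the timeout was added, autocommand without 'host'.
WEAK_CONFIG = """\
ip access-list extended 100
 permit tcp any any eq telnet
 permit udp any any eq 520
 dynamic HTTP permit tcp any host 10.1.23.3
!
username jason autocommand access-enable
!
"""

ACL_HEADER_RE = re.compile(r"^ip access-list\s+(?:extended|standard)\s+(?P<acl>\S+)", re.I)
# 'dynamic <name> [timeout <minutes>] permit|deny ...'
DYNAMIC_RE = re.compile(
    r"^\s*dynamic\s+(?P<name>\S+)(?:\s+timeout\s+(?P<timeout>\d+))?"
    r"\s+(?P<rule>(?:permit|deny)\s.*)$", re.I)
# 'username <user> autocommand access-enable [host] [timeout <minutes>]'
AUTOCMD_RE = re.compile(
    r"^username\s+(?P<user>\S+)\s+autocommand\s+access-enable(?P<args>.*)$", re.I)


@dataclass
class DynamicEntry:
    acl: str
    name: str
    absolute_timeout: Optional[int]   # minutes, from 'dynamic NAME timeout N'
    rule: str


@dataclass
class AutoEnable:
    user: str
    host_scoped: bool                 # 'access-enable host' vs bare 'access-enable'
    idle_timeout: Optional[int]       # minutes, from 'access-enable ... timeout N'


def parse_lock_and_key(config: str) -> Tuple[List[DynamicEntry], List[AutoEnable]]:
    """Pull dynamic ACL entries and access-enable autocommands out of a config excerpt."""
    dynamics: List[DynamicEntry] = []
    autos: List[AutoEnable] = []
    current_acl = None
    for line in config.splitlines():
        m = ACL_HEADER_RE.match(line)
        if m:
            current_acl = m.group("acl")
            continue
        if line.startswith("!"):          # end of the ACL block
            current_acl = None
            continue
        m = DYNAMIC_RE.match(line)
        if m and current_acl:
            t = m.group("timeout")
            dynamics.append(DynamicEntry(current_acl, m.group("name"),
                                         int(t) if t else None, m.group("rule")))
            continue
        m = AUTOCMD_RE.match(line)
        if m:
            args = m.group("args").split()
            idle = None
            if "timeout" in args:
                idx = args.index("timeout")
                if idx + 1 < len(args) and args[idx + 1].isdigit():
                    idle = int(args[idx + 1])
            autos.append(AutoEnable(m.group("user"), "host" in args, idle))
    return dynamics, autos


def audit_lock_and_key(config: str) -> List[str]:
    """One finding per setting that leaves a temporary entry open longer or wider than intended."""
    findings: List[str] = []
    dynamics, autos = parse_lock_and_key(config)
    has_absolute = any(d.absolute_timeout is not None for d in dynamics)
    for d in dynamics:
        if d.absolute_timeout is None:
            findings.append(f"acl {d.acl} dynamic {d.name}: no absolute timeout; temporary "
                            "entries stay until removed with clear access-template")
    for a in autos:
        if not a.host_scoped:
            findings.append(f"username {a.user}: autocommand access-enable without 'host' "
                            "opens the temporary entry for any source")
        if a.idle_timeout is None and not has_absolute:
            findings.append(f"username {a.user}: no idle timeout and no absolute timeout; "
                            "entries opened by this autocommand never expire on their own")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_lock_and_key(cfg) or ["no findings"])
```

The absolute timeout on the dynamic line is the one that caps exposure regardless of how the entry was opened; the idle timeout on access-enable only matters when the absolute one is absent, which is why the audit reports it conditionally.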

Here's the result

R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open




User Access Verification


Username: jason
Password: 
[Connection to 10.1.12.2 closed by foreign host]
R1#

I've been automatically disconnected, and when I look at R2, I see that the dynamic ACL was created.

R2#show access-list
Extended IP access list 100
    10 permit tcp any any eq telnet (705 matches)
    20 permit udp any any eq 502
    30 Dynamic HTTP permit tcp any host 10.1.23.3
       permit tcp host 10.1.12.1 host 10.1.23.3
