9 acl&nat

Upload: medo-rashed

Post on 04-Apr-2018


  • 7/29/2019 9 ACL&NAT

    1/34

2004, Cisco Systems, Inc. All rights reserved.

Introducing ACL

Managing IP Traffic with ACLs (ICND v2.2, 4-3)

Why Use ACLs?

- Manage routed traffic (not routing updates) as network access grows.
- Filter packets as they pass through the router.

Access control list (ACL)

An ACL is a group of statements grouped under a certain name or number to permit or deny specific users from accessing the network. The access list is configured on the router and then activated on an interface, inbound or outbound.

ACL processing

1- Statements are checked from top to bottom.
2- Once a match is found, no further checking is done.
3- If no match is found, the packet is dropped because of the implicit deny statement at the end of the ACL.
4- An ACL must contain at least one permit statement; otherwise all packets are dropped (the same effect as shutting the interface).
5- In any ACL, you cannot insert a statement between existing statements (new statements can only be added to the end of the ACL).
6- In a numbered ACL, you cannot delete a single statement; you can only delete the whole ACL.
7- In a named ACL, you can delete a single statement between other statements.

Types of ACL

- You can have one ACL per interface, per protocol, per direction.

Standard ACL: numbered (1-99 and 1300-1999) or named.
Extended ACL: numbered (100-199 and 2000-2699) or named.

Standard ACLs

A standard ACL filters packets based on the source IP address in the packet header.

Standard IP ACL Configuration

1. Creation of ACL

Router(config)#access-list access-list-number {permit | deny} source [wildcard-mask]

Sets parameters for this list entry.
IP standard ACLs use 1 to 99 or 1300 to 1999.
Default wildcard mask = 0.0.0.0.
no access-list access-list-number removes the entire ACL.

2. Activate ACL

Router(config-if)#ip access-group access-list-number {in | out}

Activates the list on an interface.
Sets inbound or outbound testing.
no ip access-group access-list-number removes the ACL from the interface.

Using Named IP ACL (Standard)

Router(config)#ip access-list {standard | extended} name

The alphanumeric name string must be unique.

Router(config-std-nacl)#{permit | deny} src-ip [wildcard-mask]
Router(config-std-nacl)#no {permit | deny} src-ip [wildcard-mask]

no removes the specific test from the named ACL.

Router(config-if)#ip access-group name {in | out}

Activates the named IP ACL on an interface.

Standard IP ACL, Example 1

Deny a specific host.

Standard IP ACL, Example 2

Deny a specific subnet.

Placement of standard ACL

(Figure, topology only: Host X 192.168.5.1/24; Server 192.168.1.1/24; subnet 192.168.2.0/24; routers A, B and C.)

- We want to restrict user X from accessing the server.
- Rule: a standard ACL is placed as close as possible to the destination.

Controlling Telnet Using ACL

We want to restrict Telnet access from host 10.1.1.1 to the router.

(config)# access-list 1 deny 10.1.1.1
(config)# access-list 1 permit any
(config)# line vty 0 4
(config-line)# access-class 1 in

Note: the router cannot filter IP packets sourced by the router itself.

Extended ACL

It is more flexible than a standard ACL. An extended ACL can match on:

1- Source IP, destination IP.
2- TCP/IP protocols (IP, TCP, UDP, ICMP, ...).
3- Protocol information (port number).

Extended IP ACL Configuration

Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port]

Sets parameters for this list entry.

Router(config-if)#ip access-group access-list-number {in | out}

Activates the extended list on an interface.

Notes

- There are two special types of wildcard mask (W.C.M.):
1- 0.0.0.0 is called the host mask. Ex: 1.1.1.1 0.0.0.0 = host 1.1.1.1
2- 255.255.255.255 is called any. Ex: 0.0.0.0 255.255.255.255 = any

- The operators:
eq 80 = eq http.
The lt operator means less than or equal.
The gt operator means greater than or equal.

Extended ACL, Example 1

Deny subnet 172.16.4.0 from accessing FTP on subnet 172.16.3.0 out E0.
Permit all other traffic.

Extended ACL, Example 2

Deny only Telnet from subnet 172.16.4.0 out E0.
Permit all other traffic.

Placement of Extended ACL

(Figure, topology only: Host X 192.168.5.1/24; Server 192.168.1.1/24; subnet 192.168.2.0/24; routers A, B and C.)

- We want to restrict user X from accessing the server.
- Rule: an extended ACL is placed as close as possible to the source.

Named IP ACL (Extended)

Router(config)#ip access-list {standard | extended} name

The alphanumeric name string must be unique.

Router(config-ext-nacl)#{permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port]
Router(config-ext-nacl)#no {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port]

no removes the specific test from the named ACL.

Router(config-if)#ip access-group name {in | out}

Activates the named IP ACL on an interface.

Monitoring ACL Statements

wg_ro_a#show access-lists
Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
    permit 10.4.4.1
    permit 10.5.5.1
Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp
    permit tcp host 10.44.44.1 any eq ftp-data

wg_ro_a#show {protocol} access-list {access-list number}
wg_ro_a#show access-lists {access-list number}

Verifying ACLs

wg_ro_a#show ip interfaces e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled

Scaling the Network with NAT and PAT (ICND v2.2, 4-24)

NAT (Network Address Translation)

Address translation allows you to translate your internal private addresses to public addresses before the packets leave your local network for the public network.

NAT terminology:

1- Inside local IP: an internal device that has a private IP.
2- Inside global IP: an internal device that has a public IP.
3- Outside local IP: an outside device that has a private IP.
4- Outside global IP: an outside device that has a public IP.

Types of address translation:

1- Static translation.
2- Dynamic translation.

Static NAT

(Figure: static NAT table for the inside hosts 10.1.1.1 and 10.1.1.2.)

- The NAT table is formed manually, translating private IPs to public IPs.

Configuring Static Translation

Router(config)#ip nat inside source static local-ip global-ip

Establishes a static translation between an inside local address and an inside global address.

Router(config-if)#ip nat inside

Marks the interface as connected to the inside.

Router(config-if)#ip nat outside

Marks the interface as connected to the outside.

Dynamic NAT

- The router is given a pool of global IPs, so every user that tries to access a public network is given an IP from the pool.
- To configure dynamic NAT:
1- Define the pool of IPs.
2- Define which inside addresses are allowed to be translated, using an ACL.

Configuring Dynamic Translation

Router(config)#access-list access-list-number permit source [source-wildcard]

Defines a standard IP ACL permitting those inside local addresses that are to be translated.

Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

Defines a pool of global addresses to be allocated as needed.

Router(config)#ip nat inside source list access-list-number pool name

Establishes dynamic source translation, specifying the ACL that was defined in the prior step.

Dynamic Address Translation Example

PAT (Port Address Translation)

- Static or dynamic NAT provides only one-to-one translation, while PAT supports many-to-one translation.

Configuring PAT

Router(config)#access-list access-list-number permit source [source-wildcard]

Defines a standard IP ACL permitting those inside local addresses that are to be translated.

Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

Defines a pool of one global address to be allocated.

Router(config)#ip nat inside source list access-list-number pool name overload

Establishes dynamic source translation with PAT, specifying the ACL that was defined in the prior step.

Configuring Overloading

Router(config)#access-list access-list-number permit source source-wildcard

Defines a standard IP ACL that permits the inside local addresses that are to be translated.

Router(config)#ip nat inside source list access-list-number interface interface overload

Establishes dynamic source translation on the interface address, specifying the ACL that was defined in the prior step.

Displaying Information with show Commands

Router#show ip nat statistics

Displays translation statistics.

Router#show ip nat translations

Displays active translations (PAT and NAT tables).

Router#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.131.1       10.10.10.1         ---                ---

Router#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  Ethernet0, Serial2.7
Inside interfaces:
  Ethernet1
Hits: 5  Misses: 0
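The difference between the three modes in the NAT slides above (static, dynamic from a pool, and PAT overload) is easiest to see by building the translation table and watching what happens when the pool runs out or two hosts pick the same source port. The Python below is an added example, not the slides' or Cisco's code: NatRouter, translate, show_translations and show_statistics are this example's own names; the inside network 10.10.10.0/24, the hosts 10.10.10.2 and 10.10.10.3 and the second pool address 172.16.131.2 are constructed (10.10.10.1 and 172.16.131.1 come from the show output on the last slide); and the table text only imitates the column layout of show ip nat translations.

```python
"""Simulation of static NAT, dynamic NAT from a pool, and PAT (overload).
Added example, not from the slides; addresses other than 10.10.10.1 and
172.16.131.1 are constructed for the demonstration."""
import ipaddress
from typing import Dict, List, Optional, Tuple


def acl_permits(ip: str, network: str, wildcard: str) -> bool:
    """The standard ACL named in 'ip nat inside source list': which inside locals may be translated."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, network, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


class NatRouter:
    def __init__(self, mode: str, acl: Tuple[str, str], pool: Optional[List[str]] = None,
                 static: Optional[Dict[str, str]] = None):
        self.mode = mode                  # "static", "dynamic" or "overload" (PAT)
        self.acl = acl                    # (source, source-wildcard) of the ACL permit entry
        self.pool = list(pool or [])      # ip nat pool: global addresses still free
        self.static = dict(static or {})  # ip nat inside source static local-ip global-ip
        # (inside local, port) -> (inside global, port): the NAT/PAT table
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.hits = 0      # packets that matched an existing translation
        self.misses = 0    # packets that needed a new translation to be created

    def translate(self, inside_local: str, sport: int) -> Optional[Tuple[str, int]]:
        """Return (inside global, port) for an outbound packet, or None if it is not translated."""
        key = (inside_local, sport)
        if key in self.table:
            self.hits += 1
            return self.table[key]
        self.misses += 1
        if self.mode == "static":
            if inside_local not in self.static:
                return None               # no static entry for this host
            entry = (self.static[inside_local], sport)
        elif not acl_permits(inside_local, *self.acl):
            return None                   # the ACL does not permit this inside local
        elif self.mode == "dynamic":
            # one-to-one: a host that already holds a global address keeps it for every port
            held = {loc: glob for (loc, _), (glob, _) in self.table.items()}
            if inside_local in held:
                entry = (held[inside_local], sport)
            elif self.pool:
                entry = (self.pool.pop(0), sport)
            else:
                return None               # pool exhausted: no translation until an entry ages out
        else:
            # overload (PAT): every host shares pool[0]; the source port keeps flows apart,
            # reusing the original port when it is free and choosing another on collision
            glob = self.pool[0]
            used = {gp for g, gp in self.table.values() if g == glob}
            if sport in used:
                port = next(p for p in range(1024, 65536) if p not in used)
            else:
                port = sport
            entry = (glob, port)
        self.table[key] = entry
        return entry

    def show_translations(self) -> str:
        """Rows in the column layout of 'show ip nat translations' (TCP flows only here)."""
        rows = ["Pro Inside global        Inside local         Outside local  Outside global"]
        for (loc, lp), (glob, gp) in sorted(self.table.items()):
            rows.append(f"tcp {glob}:{gp:<{19 - len(glob)}} {loc}:{lp:<{19 - len(loc)}} ---            ---")
        return "\n".join(rows)

    def show_statistics(self) -> str:
        return (f"Total active translations: {len(self.table)} "
                f"(mode {self.mode}; {len(self.pool)} pool address(es) free)\n"
                f"Hits: {self.hits}  Misses: {self.misses}")


if __name__ == "__main__":
    inside = ("10.10.10.0", "0.0.0.255")
    dyn = NatRouter("dynamic", inside, pool=["172.16.131.1", "172.16.131.2"])
    pat = NatRouter("overload", inside, pool=["172.16.131.1"])
    for host in ("10.10.10.1", "10.10.10.2", "10.10.10.3"):
        print("dynamic ", host, "->", dyn.translate(host, 5000))
        print("overload", host, "->", pat.translate(host, 5000))
    print(pat.show_translations())
    print(dyn.show_statistics())
```

With a two-address pool, dynamic NAT translates the first two inside hosts one-to-one and drops the third until an entry ages out, which is the pool-exhaustion case behind the slide's "given an IP from the pool"; the overload router translates all three through 172.16.131.1, keeping the original source port when it is free and picking a new one on collision, which is the many-to-one behaviour the PAT slide describes. A host outside the ACL is never translated in either mode, so the ACL in the dynamic and PAT configurations is the actual policy boundary.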