9 acl&nat
TRANSCRIPT
-
7/29/2019 9 ACL&NAT
1/34
-
2004, Cisco Systems, Inc. All rights reserved.
Introducing ACL
-
2004 Cisco Systems, Inc. All rights reserved. ICND v2.24-3
Managing IP Traffic with ACLs
-
Why Use ACLs?
- Manage routed traffic (not updates) as network access grows.
- Filter packets as they pass through the router.
-
Access Control List (ACL)
- An ACL is a group of statements grouped under a certain name or number to permit or deny specific users from accessing the network.
- An access list is configured on the router and then activated on an interface, inbound or outbound.
-
ACL Processing
1- Statements are checked from top to bottom.
2- Once a match is found, no further checking is done.
3- If no match is found, the packet is dropped because of the implicit deny statement at the end of the ACL.
4- An ACL must contain at least one permit statement, otherwise all packets are dropped (effectively shutting the interface).
5- In any ACL you cannot add a statement between existing statements (new statements can only be added to the end of the ACL).
6- In a numbered ACL you cannot delete a single statement, only the whole ACL.
7- In a named ACL you can delete a single statement between other statements.
-
Types of ACL
- You can have one ACL per interface, per protocol, per direction.

  Standard ACL                    Extended ACL
  Numbered          Named         Numbered            Named
  1-99, 1300-1999                 100-199, 2000-2699
-
Standard ACLs
- Filter packets based on the source IP address in the packet header.
-
Standard IP ACL Configuration
1. Creation of ACL
Router(config)#access-list access-list-number {permit | deny} source [wildcard-mask]
- Sets parameters for this list entry
- IP standard ACLs use 1 to 99 or 1300 to 1999
- Default wildcard mask = 0.0.0.0
- no access-list access-list-number removes the entire ACL
2. Activate ACL
Router(config-if)#ip access-group access-list-number {in | out}
- Activates the list on an interface
- Sets inbound or outbound testing
- no ip access-group access-list-number removes the ACL from the interface
-
Using Named IP ACL (Standard)
Router(config)#ip access-list {standard | extended} name
- Alphanumeric name string must be unique.
Router(config-std-nacl)#{permit | deny} src-ip [wildcard-mask]
Router(config-std-nacl)#no {permit | deny} src-ip [wildcard-mask]
- no removes the specific test from the named ACL.
Router(config-if)#ip access-group name {in | out}
- Activates the named IP ACL on an interface.
-
Standard IP ACL, Example 1
- Deny a specific host.
-
Standard IP ACL, Example 2
- Deny a specific subnet.
-
Placement of Standard ACL
[Figure: Host X 192.168.5.1/24, routers A, B and C, network 192.168.2.0/24, Server 192.168.1.1/24]
- We want to restrict user X from accessing the server.
- Rule: A standard ACL is placed as close as possible to the destination.
-
Controlling Telnet Using ACL
- We want to restrict Telnet access from host 10.1.1.1 to the router.
(config)# access-list 1 deny 10.1.1.1
(config)# access-list 1 permit any
(config)# line vty 0 4
(config-line)# access-class 1 in
Note: The router cannot filter IP packets sourced by the router itself.
-
Extended ACL
- More flexible than a standard ACL.
- An extended ACL can match on:
1- Source IP and destination IP.
2- TCP/IP protocols (IP, TCP, UDP, ICMP, ...).
3- Protocol information (port number).
-
Extended IP ACL Configuration
Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port]
- Sets parameters for this list entry
Router(config-if)#ip access-group access-list-number {in | out}
- Activates the extended list on an interface
-
Notes
- There are two special types of wildcard mask (W.C.M.):
1- 0.0.0.0 is called the host mask. Ex: 1.1.1.1 0.0.0.0 = host 1.1.1.1
2- 255.255.255.255 is called any. Ex: 0.0.0.0 255.255.255.255 = any
- The operators:
eq 80 = eq http.
(lt) operator means less than or equal.
(gt) operator means greater than or equal.
-
Extended ACL, Example 1
- Deny subnet 172.16.4.0 from accessing FTP on subnet 172.16.3.0 out E0.
- Permit all other traffic.
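The ACL processing rules, the wildcard-mask notes and Example 1 above, worked through as an added Python simulator that is not part of the Cisco slides. The access-list text it parses is constructed for Example 1, and the FTP control/data ports (tcp/21, tcp/20) are the standard assignments; everything else (function names, packet tuple layout) is this example's own.

```python
import ipaddress
# Added example (not from the Cisco slides): a small simulator of how IOS evaluates
# an IP access list, illustrating the processing rules and wildcard notes above.

def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard means 'do not care': 0.0.0.0 = host, 255.255.255.255 = any."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr(tok, i):
    """Parse 'host A', 'any' or 'A WILDCARD' at tok[i]; return ((base, wc), next_index)."""
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1              # standard ACL default wildcard

def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' line (standard or extended)."""
    tok = line.split()
    num, action = int(tok[1]), tok[2]
    if 1 <= num <= 99 or 1300 <= num <= 1999:      # standard ACL: source only
        src, _ = _addr(tok, 3)
        return {"action": action, "proto": "ip", "src": src,
                "dst": ("0.0.0.0", "255.255.255.255"), "dport": None}
    src, i = _addr(tok, 4)                         # extended: proto src dst [eq port]
    dst, i = _addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": action, "proto": tok[3], "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, pkt):
    """Apply rules 1-3 from the slide to pkt = (proto, src_ip, dst_ip, dst_port)."""
    proto, src, dst, dport = pkt
    for ace in map(parse_ace, acl_lines):          # rule 1: top to bottom
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]                       # rule 2: first match wins
    return "deny"                                  # rule 3: implicit deny at the end
# Constructed config for Example 1: deny FTP (tcp/21 control, tcp/20 data) from
# 172.16.4.0/24 to 172.16.3.0/24; the final permit is what satisfies rule 4.
ACL_101 = [
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "access-list 101 permit ip any any",
]
```

Dropping the final `permit ip any any` from ACL_101 shows rule 4 in action: every packet, including non-FTP traffic, then falls through to the implicit deny.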
-
Extended ACL, Example 2
- Deny only Telnet from subnet 172.16.4.0 out E0.
- Permit all other traffic.
-
Placement of Extended ACL
[Figure: Host X 192.168.5.1/24, routers A, B and C, network 192.168.2.0/24, Server 192.168.1.1/24]
- We want to restrict user X from accessing the server.
- Rule: An extended ACL is placed as close as possible to the source.
-
Named IP ACL (Extended)
Router(config)#ip access-list {standard | extended} name
- Alphanumeric name string must be unique.
Router(config-ext-nacl)#{permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port]
Router(config-ext-nacl)#no {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port]
- no removes the specific test from the named ACL.
Router(config-if)#ip access-group name {in | out}
- Activates the named IP ACL on an interface.
-
Monitoring ACL Statements
wg_ro_a#show access-lists
Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
    permit 10.4.4.1
    permit 10.5.5.1
Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp
    permit tcp host 10.44.44.1 any eq ftp-data
wg_ro_a#show {protocol} access-list {access-list number}
wg_ro_a#show access-lists {access-list number}
-
Verifying ACLs
wg_ro_a#show ip interfaces e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
-
Scaling the Network with NAT and PAT
-
NAT (Network Address Translation)
- Address translation allows you to translate your internal private addresses to public addresses before the packets leave your local network for the public network.
NAT terminology:
1- Inside local IP: an internal device that has a private IP.
2- Inside global IP: an internal device that has a public IP.
3- Outside local IP: an outside device that has a private IP.
4- Outside global IP: an outside device that has a public IP.
Types of Address Translation:
1- Static translation.
2- Dynamic translation.
-
Static NAT
[Figure: static NAT table for inside hosts 10.1.1.1 and 10.1.1.2]
- The NAT table is formed manually, translating private IPs to public IPs.
-
Configuring Static Translation
Router(config)#ip nat inside source static local-ip global-ip
- Establishes a static translation between an inside local address and an inside global address
Router(config-if)#ip nat inside
- Marks the interface as connected to the inside
Router(config-if)#ip nat outside
- Marks the interface as connected to the outside
-
Dynamic NAT
- The router is given a pool of global IPs, so every user who tries to access a public network is given an IP from the pool.
- To configure dynamic NAT:
1- Define the pool of IPs.
2- Define which inside addresses are allowed to be translated, using an ACL.
-
Configuring Dynamic Translation
Router(config)#access-list access-list-number permit source [source-wildcard]
- Defines a standard IP ACL permitting those inside local addresses that are to be translated.
Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
- Defines a pool of global addresses to be allocated as needed.
Router(config)#ip nat inside source list access-list-number pool name
- Establishes dynamic source translation, specifying the ACL that was defined in the prior step.
-
Dynamic Address Translation Example
-
PAT (Port Address Translation)
- Static or dynamic NAT provides only one-to-one translation, while PAT supports many-to-one translation.
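As an added example that is not part of the Cisco slides, a toy translation table that makes the one-to-one (static and dynamic NAT) versus many-to-one (PAT) distinction from this slide and the static/dynamic slides above concrete. The inside global 172.16.131.1 and inside local 10.10.10.1 addresses reuse the values from the show output later in the deck; the second pool address, the PAT port range starting at 1024 and the "tcp" protocol label in the table printout are assumptions of this example.

```python
import itertools

# Added example (not from the Cisco slides): a toy NAT translation table that makes
# the one-to-one (static/dynamic NAT) versus many-to-one (PAT) difference concrete.
# The pool contents and the PAT port range used below are assumptions.

class NatRouter:
    def __init__(self, pool, overload=False):
        self.pool = list(pool)              # ip nat pool ...: inside global addresses
        self.overload = overload            # True = PAT (the 'overload' keyword)
        self.static = {}                    # ip nat inside source static local global
        self.dynamic = {}                   # inside local -> inside global (dynamic NAT)
        self.table = {}                     # (inside local, port) -> (inside global, port)
        self.ports = itertools.count(1024)  # assumed first port PAT hands out

    def add_static(self, local_ip, global_ip):
        self.static[local_ip] = global_ip

    def translate(self, local_ip, port):
        """Translate an outbound flow; returns (inside global, port), or None when a
        one-to-one pool has no free address left (the flow is then not translated)."""
        key = (local_ip, port)
        if key in self.table:                               # existing entry: reuse it
            return self.table[key]
        if local_ip in self.static:                         # static: fixed one-to-one
            entry = (self.static[local_ip], port)
        elif self.overload:                                 # PAT: one global, unique port
            entry = (self.pool[0], next(self.ports))
        else:                                               # dynamic: one global per host
            if local_ip not in self.dynamic:
                free = [g for g in self.pool if g not in self.dynamic.values()]
                if not free:
                    return None                             # pool exhausted
                self.dynamic[local_ip] = free[0]
            entry = (self.dynamic[local_ip], port)
        self.table[key] = entry
        return entry

    def show_translations(self):
        """Rough text equivalent of 'show ip nat translations' (protocol assumed tcp)."""
        rows = ["Pro Inside global        Inside local"]
        for (l_ip, l_port), (g_ip, g_port) in sorted(self.table.items()):
            rows.append(f"tcp {g_ip}:{g_port}".ljust(25) + f"{l_ip}:{l_port}")
        return "\n".join(rows)
```

With a two-address pool and no overload, the third inside host gets no translation at all, which is exactly the limit PAT removes by varying the port on a single global address.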
-
Configuring PAT
Router(config)#access-list access-list-number permit source [source-wildcard]
- Defines a standard IP ACL permitting those inside local addresses that are to be translated.
Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
- Defines a pool of one global address to be allocated.
Router(config)#ip nat inside source list access-list-number pool name overload
- Establishes dynamic source translation with PAT, specifying the ACL that was defined in the prior step.
-
Configuring Overloading
Router(config)#access-list access-list-number permit source source-wildcard
- Defines a standard IP ACL that permits the inside local addresses that are to be translated
Router(config)#ip nat inside source list access-list-number interface interface overload
- Establishes dynamic source translation on the interface address, specifying the ACL that was defined in the prior step
-
Displaying Information with show Commands
Router#show ip nat translations
- Displays active translations (PAT and NAT tables)
Router#show ip nat statistics
- Displays translation statistics

Router#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.131.1       10.10.10.1         ---                ---

Router#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  Ethernet0, Serial2.7
Inside interfaces:
  Ethernet1
Hits: 5  Misses: 0