
Access-list

20 years 2 months ago #2815 by huliyar
Access-list was created by huliyar
Two routers A & B connected through s0 on A (IP address 10.0.0.1/8) and s0 on B (IP address 10.0.0.2/8) in the lab. Both have e0, with router A's network being 192.168.1.0/24 and B's 192.168.2.0/24.
Now I don't want to reply to, or rather I want to drop, ICMP echo packets from 10.0.0.2 (router B's s0) and 192.168.2.0 destined for router A's 10.0.0.1 and the 192.168.1.0 network. So the access list I created was:

RouterA(config)# access-list 110 deny icmp any any echo log
RouterA(config)# access-list 110 permit ip any any
RouterA(config)# int s0
RouterA(config-if)# ip access-group 110 out
RouterA(config-if)# ctrl + z

1. Is the above access-list correct, and are the interface and direction I applied the access-list to correct? Because when I did the above config, I was still able to ping from 192.168.2.0 (B's Ethernet) and also from 10.0.0.2 (B's s0).

2. Also, can access-lists be called network layer firewalls?
Because both ACLs and network layer firewalls perform the same kind of filtering, why are they not called firewalls?

3. For denying access to the vty lines to all except 192.168.2.1, in the following:

RouterA(config)# access-list 10 permit 192.168.2.1
RouterA(config)# line vty 0 4
RouterA(config-line)# access-class 10 in

a. Why do we apply the access-list to in? I think it should be applied to out. I know it works with the above config, but why not out?
20 years 2 months ago #2818 by sahirh
Replied by sahirh on topic Re: Access-list
1. The direction you've placed it in is wrong.. you want to block ICMP coming IN through router A's s0 interface.. so you have to apply the list as access-group 110 IN, not out. However, since extended access lists are supposed to be applied closest to the source of the traffic, what you should do is block it from LEAVING router B's s0 interface.. like this:

RouterB(config)# access-list 110 deny icmp any any echo log
RouterB(config)# access-list 110 permit ip any any
RouterB(config)# int s0
RouterB(config-if)# ip access-group 110 out
RouterB(config-if)# ctrl + z

So when a ping packet hits router B, it won't send it out of s0.
Here are some resources for you:
www.cisco.com/en/US/products/sw/secursw/...a5b9a.shtml#extended
mindforums.com/forums/showthread.php?threadid=248

2. Yes, an access-list is a network layer firewall, or filtering device, whatever you want to call it. An extended access-list can also be a transport layer firewall.. for example if you block a TCP port.

3. You apply the access list to in because people telnet IN to the router interface, not OUT of it. Always view the access list direction as if you were sitting on top of the router (when Chris was first getting into networks, he actually used to stand on top of the routers and work things out). See, you want the router to filter an INCOMING CONNECTION.. here's my little diagram :)

[code:1]
YOU ---TELNET---> ROUTER VTY INTERFACE
[/code:1]

Now if you stand on top of the router (Chris recommends you do this barefoot), you will see that from the router's point of view this is INCOMING traffic.. so you use the IN direction.

Hope that cleared things up.. have a look in the Security/Firewalls forum.. I think someone had a very similar question and it became quite a good thread on access-lists in general.

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
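Added example (not part of the thread, and not Cisco's code): a small Python model of how an IOS-style access list is evaluated per interface and per direction, using the addresses, ACL 110 and ACL 10 from the posts above. It shows why the original poster's binding of ACL 110 outbound on router A's s0 never stopped the ping: B's echo request arrives inbound, where no list is bound, and A's reply leaves outbound as an echo-reply, which `deny icmp any any echo` does not match because the `echo` keyword matches only echo requests (real IOS additionally does not apply outbound ACLs to traffic the router itself generates). The same evaluator then shows the two bindings from the reply (110 inbound on A, or 110 outbound on B) dropping the request, and `access-class 10 in` permitting only the single host 192.168.2.1 with the implicit deny catching everyone else. The evaluator is a simplification of IOS behaviour (first match wins, implicit deny at the end), not a full ACL implementation.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "icmp" or "tcp"
    icmp_type: str = ""   # "echo" (type 8) or "echo-reply" (type 0)
    dport: int = 0        # TCP destination port, 0 if not relevant


@dataclass
class Entry:
    """One line of an access list, e.g. 'deny icmp any any echo'."""
    action: str           # "permit" or "deny"
    proto: str            # "ip", "icmp" or "tcp"
    src: str              # "any" or a CIDR; a single host is written /32
    dst: str = "any"      # standard ACLs match on source only
    icmp_type: str = ""   # optional ICMP qualifier such as "echo"
    dport: int = 0        # optional TCP port qualifier


def _in_net(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_in_net(p.src, e.src) and _in_net(p.dst, e.dst)):
        return False
    if e.icmp_type and e.icmp_type != p.icmp_type:   # "echo" never matches echo-reply
        return False
    if e.dport and e.dport != p.dport:
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in acl:
        if _matches(e, p):
            return e.action
    return "deny"


@dataclass
class Interface:
    """Models the 'ip access-group N in' and 'ip access-group N out' bindings."""
    name: str
    acl_in: List[Entry] = field(default_factory=list)
    acl_out: List[Entry] = field(default_factory=list)


def transit(iface: Interface, p: Packet, direction: str) -> str:
    """Filter a packet entering ('in') or leaving ('out') the interface."""
    acl = iface.acl_in if direction == "in" else iface.acl_out
    return evaluate(acl, p) if acl else "permit"   # no ACL bound: everything passes


# ACL 110 exactly as written in the thread.
ACL110 = [Entry("deny", "icmp", "any", "any", icmp_type="echo"),
          Entry("permit", "ip", "any", "any")]

# Constructed packets: a ping from router B's s0 to router A's s0, and A's reply.
ECHO_B_TO_A = Packet("10.0.0.2", "10.0.0.1", "icmp", icmp_type="echo")
REPLY_A_TO_B = Packet("10.0.0.1", "10.0.0.2", "icmp", icmp_type="echo-reply")


def ping_with_acl110_out_on_a() -> Tuple[str, str]:
    """Original poster's binding: 110 outbound on router A's s0."""
    s0 = Interface("RouterA s0", acl_out=ACL110)
    # The request arrives inbound (no inbound list) and the reply leaves
    # outbound as echo-reply, which 'deny icmp any any echo' does not match.
    return transit(s0, ECHO_B_TO_A, "in"), transit(s0, REPLY_A_TO_B, "out")


def ping_with_acl110_in_on_a() -> str:
    """Reply's first fix: 110 inbound on router A's s0."""
    s0 = Interface("RouterA s0", acl_in=ACL110)
    return transit(s0, ECHO_B_TO_A, "in")


def ping_with_acl110_out_on_b() -> str:
    """Reply's preferred fix: 110 outbound on router B's s0, closest to the source."""
    s0 = Interface("RouterB s0", acl_out=ACL110)
    return transit(s0, ECHO_B_TO_A, "out")


# Standard ACL 10 from the thread: 'permit 192.168.2.1' means that single host.
ACL10 = [Entry("permit", "ip", "192.168.2.1/32")]


def vty_access_class_in(src: str) -> str:
    """'access-class 10 in' checks the source of a session arriving at the vty lines."""
    telnet = Packet(src, "10.0.0.1", "tcp", dport=23)
    return evaluate(ACL10, telnet)


if __name__ == "__main__":
    print("110 out on A:", ping_with_acl110_out_on_a())      # ('permit', 'permit')
    print("110 in on A: ", ping_with_acl110_in_on_a())       # deny
    print("110 out on B:", ping_with_acl110_out_on_b())      # deny
    print("vty from 192.168.2.1:", vty_access_class_in("192.168.2.1"))  # permit
    print("vty from 192.168.2.5:", vty_access_class_in("192.168.2.5"))  # deny
```

The point the model makes concrete is the one in the reply: a direction is always taken from the router's own view of the interface, and a list bound in the wrong direction simply never sees the packets you meant to filter. When checking an ACL in the lab, test both the request and the reply leg separately, since the `echo` qualifier only covers one of them.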