
Configuring Access Control Lists

Introduction

IP access control lists perform packet filtering to control the movement of packets through a network. The rules (access control entries) must be written to reflect the established security policy, because whatever a list does not explicitly permit is dropped by the implicit deny at its end.

There are two main types of IP access lists:

  1. Standard access lists filter traffic on the source IP address only. Because they cannot tell destinations apart, it is recommended to configure and apply them as close to the destination as possible.
  2. Extended access lists match on both source and destination IP address, and also on protocol and port numbers. They offer a much greater degree of control than standard ACLs over the types of traffic that can be filtered, where the traffic originated and where it is going.

In this lab we are going to configure both Standard and Extended access control lists.

Topology

N.B.
In the topology above, IP addressing, routing and VLANs are already configured, so there is full connectivity across the networks before any ACL is applied.

Standard Access Control lists

As mentioned earlier, standard access control lists filter traffic on the source IP address only.
We are going to configure both numbered and named standard ACLs.

Standard numbered ACLs

In this step, we are going to create a standard numbered ACL that allows all hosts on the 10.1.10.0/24 network and all hosts on the 10.1.20.0/24 network to access all hosts on the R2 LAN (172.16.30.0/24 and 172.16.40.0/24). Every ACL ends with an implicit deny any; we add an explicit deny any access control entry (ACE, also called an ACL statement) at the end so that denied packets are counted and visible in show access-lists.
Since a standard ACL should be configured as close to the destination as possible, we apply it on R2 as below. Note that the final deny any also drops traffic from every other source leaving that interface, so make sure the permitted networks are the only ones that need to reach the R2 LAN through it.

GW-RTR2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
GW-RTR2(config)#access-list 1 remark ALLOW-R1-LAN-ACCESS
GW-RTR2(config)#access-list 1 permit 10.1.10.0 0.0.0.255
GW-RTR2(config)#access-list 1 permit 10.1.20.0 0.0.0.255
GW-RTR2(config)#access-list 1 deny any

Next, we apply this ACL outbound on interface G0/0 of R2:

GW-RTR2(config)#interface g0/0
GW-RTR2(config-if)#ip access-group 1 out
GW-RTR2(config-if)#exit
GW-RTR2(config)#

Verify your ACL configurations

GW-RTR2#show access-lists 1
Standard IP access list 1
    10 permit 10.1.10.0, wildcard bits 0.0.0.255
    20 permit 10.1.20.0, wildcard bits 0.0.0.255
    30 deny   any

To verify that the ACL is effective, ping the server at 172.16.40.100 from a host on the 10.1.30.0/24 network. That network appears in none of the permit entries, so the ping is dropped by the deny any entry.

Then confirm that hosts on 10.1.10.0/24 and 10.1.20.0/24 can still ping the server at 172.16.40.100, and check with show access-lists 1 that the match counters on the corresponding entries increase.

Named Standard ACL

In this step, we will create a named standard ACL that permits all hosts on the 172.16.40.0/24 network, plus one single host in the ICT VLAN (our Kali machine, 172.16.30.50), to reach the R1 LAN. Because a standard ACL matches on the source address only, it cannot grant 172.16.40.0/24 access to 10.1.10.0/24 while limiting the Kali host to 10.1.20.0/24: every permitted source reaches every network behind the interface the list is applied to. Per-destination control of that kind needs an extended ACL.
We configure this ACL on R1, as close to the destination as possible.

GW-RTR(config)#ip access-list standard R2-LAN-SECURITY-POLICY
GW-RTR(config-std-nacl)#permit host 172.16.30.50
GW-RTR(config-std-nacl)#permit 172.16.40.0 0.0.0.255
GW-RTR(config-std-nacl)#exit

Next, we apply it outbound on interface g0/0 on R1. The ? shows the forms ip access-group accepts: a number from the standard or extended ranges, or a name.

GW-RTR(config)#interface g0/0
GW-RTR(config-if)#ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

GW-RTR(config-if)#ip access-group R2-LAN-SECURITY-POLICY out
GW-RTR(config-if)#exit

Verify your ACL configuration

GW-RTR#show access-lists
Standard IP access list R2-LAN-SECURITY-POLICY
    10 permit 172.16.30.50
    20 permit 172.16.40.0, wildcard bits 0.0.0.255
GW-RTR#

From the ICT VLAN, i.e. our Kali machine at 172.16.30.50, we should be able to ping the 10.1.10.0/24 and 10.1.20.0/24 networks behind R1.

(screenshot: allowkali)

However, if we change the IP address of our Kali machine to another 172.16.30.xx address that is not permitted in the ACL, we can no longer reach those networks: the packet falls through both permit entries to the implicit deny.

(screenshot: denykali)

Extended ACL

Extended ACLs give us more control than standard ACLs, because we can filter on protocol and port as well as on source and destination address.
A best practice for extended ACLs is to place them as close to the source as possible, so that traffic which will be dropped anyway does not cross the network first.

In this step we are going to configure the following policies in our network:

  1. Deny SSH access from the R1 LAN to VLAN 40 on the R2 LAN
  2. Allow all web traffic from the R1 LAN to the web server in VLAN 40 on the R2 LAN

Deny SSH access from the R1 LAN to VLAN 40 on the R2 LAN

In this step, we configure a numbered extended ACL on R1.
Before we configure the ACL, the screenshot below shows that hosts on the R1 LAN can currently reach the web server via SSH.

(screenshot: sshaccess)

To deny access, we configure the ACL below. Two details matter. In an extended ACE the eq qualifier applies to whichever address it follows, and SSH is identified by its destination port (22), so eq 22 must follow the destination network, not the source; with eq 22 after the source, the entry only matches segments whose source port is 22, which an SSH client never uses. And because every ACL ends with an implicit deny, the list needs a closing permit ip any any: without it the implicit deny would drop all other traffic leaving g0/1 (including the web access configured in the next step), and an SSH test would appear to pass for the wrong reason.

GW-RTR(config)#access-list 100 remark DENY_SSH_ACCESS
GW-RTR(config)#access-list 100 deny tcp 10.1.0.0 0.0.255.255 172.16.40.0 0.0.0.255 eq 22
GW-RTR(config)#access-list 100 permit ip any any

We then apply this ACL outbound on R1's g0/1, the interface facing R2, which keeps the filter as close to the source as possible.

GW-RTR(config)#interface g0/1
GW-RTR(config-if)#ip access-group 100 out
GW-RTR(config-if)#exit
GW-RTR(config)#

Verify your configuration

GW-RTR#show access-lists
Standard IP access list R2-LAN-SECURITY-POLICY
    10 permit 172.16.30.50 (17 matches)
    20 permit 172.16.40.0, wildcard bits 0.0.0.255 (135 matches)
Extended IP access list 100
    10 deny tcp 10.1.0.0 0.0.255.255 172.16.40.0 0.0.0.255 eq 22
    20 permit ip any any
GW-RTR#

All ACLs configured so far are listed. IOS allows only one ACL per interface per direction, so applying a different list with ip access-group on g0/1 out would replace ACL 100 rather than add to it.

Test that hosts on the R1 LAN no longer have SSH access to 172.16.40.100; the match counter on entry 10 should increase with each attempt.
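To make the matching rules concrete, the following Python script is an added example written for this article; it is not part of the original lab and not Cisco IOS code. It simulates how IOS walks an ACL: wildcard-mask comparison, first match wins, and the implicit deny when nothing matches. It encodes the standard lists from the earlier sections (ACL 1 and R2-LAN-SECURITY-POLICY) and ACL 100 in both the as-typed form (eq 22 after the source) and the corrected form, and runs constructed packets through them; the addresses, ports and packet contents are made up for the illustration.

```python
"""Simulator of Cisco IOS ACL evaluation: wildcard-mask matching, first-match
semantics and the implicit 'deny any' that ends every list. Written for this
article as an illustration; it is not IOS code, and the packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match exactly, a 1 bit is 'don't care'.
    'host X' is X with wildcard 0.0.0.0; 'any' is 0.0.0.0 with wildcard 255.255.255.255."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


@dataclass
class ACE:
    """One access control entry; a standard ACE sets only action, src and src_wc."""
    action: str                         # "permit" or "deny"
    proto: str = "ip"                   # "ip" matches every protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"     # the defaults mean 'any'
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    src_port: Optional[int] = None      # 'eq N' typed after the SOURCE address
    dst_port: Optional[int] = None      # 'eq N' typed after the DESTINATION address


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)
            and (ace.src_port is None or ace.src_port == pkt.sport)
            and (ace.dst_port is None or ace.dst_port == pkt.dport))


def evaluate(acl, pkt: Packet):
    """First matching ACE wins; returns (action, IOS sequence number 10, 20, ...).
    No match at all hits the implicit deny, reported with sequence None."""
    for seq, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, seq * 10
    return "deny", None


# access-list 1 from the article: standard, so it sees the source address only.
ACL_1 = [
    ACE("permit", src="10.1.10.0", src_wc="0.0.0.255"),
    ACE("permit", src="10.1.20.0", src_wc="0.0.0.255"),
    ACE("deny"),                                    # explicit 'deny any'
]

# Named standard ACL from the article; no explicit deny, so the implicit one applies.
R2_LAN_SECURITY_POLICY = [
    ACE("permit", src="172.16.30.50", src_wc="0.0.0.0"),    # 'host 172.16.30.50'
    ACE("permit", src="172.16.40.0", src_wc="0.0.0.255"),
]

# ACL 100 exactly as typed in the article: 'eq 22' follows the SOURCE address,
# so the entry only matches segments whose source port is 22.
ACL_100_AS_TYPED = [
    ACE("deny", "tcp", "10.1.0.0", "0.0.255.255", "172.16.40.0", "0.0.0.255", src_port=22),
]

# Corrected ACL 100: match port 22 on the destination, then permit everything else;
# without that permit the implicit deny silently drops all other traffic as well.
ACL_100_FIXED = [
    ACE("deny", "tcp", "10.1.0.0", "0.0.255.255", "172.16.40.0", "0.0.0.255", dst_port=22),
    ACE("permit"),                                  # 'permit ip any any'
]

# Constructed packets: an SSH or HTTP client uses an ephemeral source port, never 22.
SSH_FROM_R1_LAN = Packet("tcp", "10.1.10.25", "172.16.40.100", sport=51234, dport=22)
HTTP_FROM_R1_LAN = Packet("tcp", "10.1.10.25", "172.16.40.100", sport=51235, dport=80)
PING_FROM_VLAN30 = Packet("icmp", "10.1.30.7", "172.16.40.100")

if __name__ == "__main__":
    for name, acl, pkt in [
        ("ACL 1, ping from 10.1.30.7", ACL_1, PING_FROM_VLAN30),
        ("ACL 100 as typed, SSH", ACL_100_AS_TYPED, SSH_FROM_R1_LAN),
        ("ACL 100 as typed, HTTP", ACL_100_AS_TYPED, HTTP_FROM_R1_LAN),
        ("ACL 100 fixed, SSH", ACL_100_FIXED, SSH_FROM_R1_LAN),
        ("ACL 100 fixed, HTTP", ACL_100_FIXED, HTTP_FROM_R1_LAN),
    ]:
        action, seq = evaluate(acl, pkt)
        where = "implicit deny" if seq is None else f"seq {seq}"
        print(f"{name:28s} -> {action} ({where})")
```

Running it shows the two effects discussed above: with eq 22 on the source side, neither the SSH nor the HTTP packet matches entry 10, and both are dropped by the implicit deny, so a "no SSH" test passes while web access is silently broken as well; with the corrected list, SSH hits entry 10 and HTTP falls through to the permit ip any any. Evaluating R2-LAN-SECURITY-POLICY against a packet from 172.16.40.9 to 10.1.20.5 also returns permit, which is the standard-ACL limitation noted earlier: the list never looks at the destination.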

We can move on to the next policy.

Allow all web traffic from the R1 LAN to the web server in VLAN 40 on the R2 LAN

We shall allow web access from every R1 LAN host to the web server at 172.16.40.100 in VLAN 40, and TCP access to the same server from the ICT VLAN (172.16.30.0/24).
We configure this as a named extended ACL on router R2 as below (eq www is port 80):

GW-RTR2(config)#ip access-list extended WEB_ACCESS_POLICY
GW-RTR2(config-ext-nacl)#permit tcp 10.1.0.0 0.0.255.255 host 172.16.40.100 eq www
GW-RTR2(config-ext-nacl)#permit tcp 172.16.30.0 0.0.0.255 host 172.16.40.100
GW-RTR2(config-ext-nacl)#exit
GW-RTR2(config)#

Apply the extended ACL outbound on interface g0/1 of R2. The list is defined on R2, so it must also be applied on R2: ip access-group accepts any name, and a name with no matching list on that router filters nothing at all.

GW-RTR2(config)#interface g0/1
GW-RTR2(config-if)#ip access-group WEB_ACCESS_POLICY out
GW-RTR2(config-if)#exit
GW-RTR2(config)#

Verify that you can access the web server at 172.16.40.100 from an R1 LAN host, and check with show access-lists WEB_ACCESS_POLICY that the match counter on entry 10 increases. Only the two listed TCP flows are permitted: any other traffic to the server through this interface and direction, ICMP pings included, now hits the implicit deny.

(screenshot: webaccess)

We have come to the end of this lab. We hope that you have learnt how to configure basic standard and extended access control lists, and how to verify them with show access-lists and targeted tests from permitted and denied hosts.

bl4ckwidow

Co-Founder of Labing Overload. I am a Web Developer/Network Engineer turned CyberSecurity Engineer. FOSS enthusiast. Cisco Technologies enthusiast. Network Penetration Tester.
