Access Control Lists (Beyond Standard and Extended)
www.ine.com
Copyright www.INE.com
Agenda
Review Quiz #1
Shown below are some examples of the first few IOS
Review Quiz #2
Given the following access-list and topology, which of the statements are true?
access-list 1 permit 150.75.1.0 255.255.254.254
interface FastEthernet0/0
ip access-group 1 in
Review Quiz #3
21.45.0.242
88.243.0.138
178.101.0.135
Extended ACLs can match on Layer-3 through Layer-5 information. To match Layer-4/5 fields (ports, TCP flags) you must supply the tcp or udp keyword as the top-level protocol: with the ip protocol keyword only L3 options are available; with tcp or udp, L3-L5 options are available.
[Topology diagram: RouterA Fast0/0 (200.1.199.1 /30) between the Corporate Intranet and the Testing Lab]
Solution #1
RouterA(config)#access-list 101 permit tcp any any ack
RouterA(config)#access-list 101 permit tcp any any rst
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip access-group 101 in
[Diagram: with ACL 101 applied inbound on Fast0/0 (200.1.199.1 /30), the only traffic permitted from the Testing Lab (200.1.x.x /16) toward the Corporate Intranet is TCP with the ACK flag or the RST flag set]
Solution #2
RouterA(config)#access-list 101 permit tcp any any established
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip access-group 101 in
[Diagram: the established keyword gives the same result as Solution #1; only TCP with the ACK flag or the RST flag set is permitted from the Testing Lab (200.1.x.x /16) toward the Corporate Intranet]
Reflexive Access-Lists (IP Session Filtering)
[Diagrams: reflexive ACL topology, RouterA Fast0/0 (200.1.199.1 /30, with 200.1.1.1/30 also shown) between the Corporate Intranet (host 200.2.1.1) and the Testing Lab (200.1.x.x /16); steps 1 and 2 marked; callout: the reflexive list name can be any name]
The Objective
[Diagram: RouterA Fast0/0 facing the Corporate Intranet]
Solution #1
[Diagram: Internet, Project-X temporary contractor, RouterA Fast0/0, Authentication Server; step 1 marked]
line vty 0 4
 ! after a successful login, access-enable creates the temporary dynamic ACL entry; 5 is the idle timeout in minutes
 autocommand access-enable timeout 5
Object Groups
<output omitted>
ASA Firewalls
Object Groups simplify ACL management by grouping similar objects together. A change to an Object Group dynamically affects all ACEs referencing that group.
[Diagram, "From this" to "To this": the same policy before and after object groups; sources 200.0.0.1, 200.0.0.2 and x.x.x.x reach 10.0.0.100 (OK) but not 10.0.0.101 (NO)]
Time-Based Access-Lists
The Objective
[Diagram: Internet, RouterA Fast0/0, 2.2.x.x /16, Corporate Intranet]
Access-List Logging
Logging
ACE entries can be appended with logging-related keywords:
access-list x ... log
access-list x ... log-input
Optional cookie: a user-defined text string can follow the log keyword and is included in the resulting syslog messages, which makes the ACE that fired easy to identify.
[Diagram: the initial ACE#1 match generates a syslog message for ACE#1; the following ACE#1 matches (#2, #3, #4) within the marked 1-second window are not each logged separately; ACE#2 and ACE#3 matches each generate their own syslog message (Syslog for ACE#2, Syslog for ACE#3)]
Save my CPU!!!
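As an added example (not part of the INE slides), this Python parser reads the %SEC-6-IPACCESSLOG* syslog messages that the log and log-input keywords produce, tells log-input messages apart by their ingress interface and source MAC, sums the per-interval packet counts per flow, and flags sources whose denied packets reach a threshold. The sample lines are constructed for the example and follow the documented IOS message layout, not output captured from this deck.

```python
import re
from collections import defaultdict
# Constructed sample syslog lines (not from the slides) in the IOS ACE-hit format:
# IPACCESSLOGP (tcp/udp), IPACCESSLOGDP (icmp), IPACCESSLOGS (standard lists).
# The "(FastEthernet0/0 0011.2233.4455)" part appears only with log-input.
SAMPLE_LOGS = """\
*Mar  1 00:10:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 200.1.5.9(40001) (FastEthernet0/0 0011.2233.4455) -> 10.0.0.100(22), 1 packet
*Mar  1 00:10:02.456: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.100(22) -> 200.1.5.9(40001), 1 packet
*Mar  1 00:15:01.789: %SEC-6-IPACCESSLOGP: list 101 denied tcp 200.1.5.9(40001) (FastEthernet0/0 0011.2233.4455) -> 10.0.0.100(22), 37 packets
*Mar  1 00:15:03.000: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 200.1.7.7 -> 10.0.0.101 (8/0), 4 packets
*Mar  1 00:16:00.000: %SEC-6-IPACCESSLOGS: list 1 denied 150.75.1.5 2 packets
"""
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP|S): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) "
    r"(?:(?P<proto>\S+) )?"                               # absent in IPACCESSLOGS
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ifname>\S+) (?P<mac>[0-9a-f.]+)\))?"       # log-input extras
    r"(?: -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?)?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?"             # ICMP type/code
    r",? (?P<count>\d+) packets?"
)

def parse_acl_log(line):
    """Return the fields of one ACL log message, or None for any other line."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def summarize(text):
    """Sum packet counts per (acl, action, proto, src, dst) flow.  IOS reports
    the packets seen since the previous message, so the totals are additive."""
    totals = defaultdict(int)
    for line in text.splitlines():
        rec = parse_acl_log(line)
        if rec is not None:
            key = (rec["acl"], rec["action"], rec["proto"] or "ip", rec["src"], rec["dst"] or "*")
            totals[key] += rec["count"]
    return dict(totals)

def denied_sources(totals, threshold):
    """Sources whose denied packets, across all lists and flows, reach threshold."""
    per_src = defaultdict(int)
    for (_acl, action, _proto, src, _dst), n in totals.items():
        if action == "denied":
            per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= threshold)
```

Run summarize(SAMPLE_LOGS) and denied_sources(totals, 10) to see the 38 denied packets from 200.1.5.9 stand out; the permitted return traffic is kept in a separate flow and never counts toward the threshold.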
Q&A