Standard ACL Packet Tracer Challenge

Packet Tracer Challenge Overview

Learn the basics of using standard access lists with these Packet Tracer graded activities. In the activities, the networks have been pre-configured. All you need to do is write the access list, and decide where to apply it. Open the Packet Tracer files, follow the written instructions and the instructions on the topology diagrams.

Standard ACL Practice #1

In this Packet Tracer exercise, the goal is to create a simple standard ACL to permit one network and block the other. Follow the written instructions on where to apply the access list.

Download

The Packet Tracer file is created with Packet Tracer 5.3.3. The Packet Tracer Activity file will track your progress and give you a completion percentage and point total. You can download it here: standardACL-practice1.zip

Standard ACL Practice #2

In this exercise the goal is to permit two hosts, one from the yellow network and one from the blue network, to reach the green network. You need to figure out where to apply the ACL so that only the intended networks are affected. Hint: standard ACLs are usually applied closest to the destination network being affected.


Download

The Packet Tracer file is created with Packet Tracer 5.3.3. The Packet Tracer Activity file will track your progress and give you a completion percentage and point total. You can download the file here: standardACL-practice2.zip

Established ACLs

Configure a TCP Established ACL in Packet Tracer

In the video tutorial below I use Packet Tracer to demonstrate how a layer 3 access-list based firewall functions in a network scenario featuring a private LAN and a public DMZ. The goal is to improve security by using a layer 4 firewall that is TCP aware. You can add layer 4 firewall capability with a TCP Established ACL (Access List).

In the second tutorial, I demonstrate how a hacker could bypass a layer 2 access-list firewall by masquerading the port number. I also demonstrate how to solve this problem by using a tcp-established access list.

Two further advancements in Cisco stateful firewalls are the CBAC firewall and Zone Based Firewall. Both of these modular firewalls were great improvements over the early TCP established firewall.

Today, there are even more advanced firewalls that can detect application data at layer 7 and connect to cloud based security centers to share and respond to potential zero day threats with global analysis and response.

Named ACLs

Overview

A named access list can be either a standard or extended access list, the only difference being that it is identified by name rather than by number. The IOS command for starting a named access list differs slightly from a numbered access list in that the command starts with ip access-list rather than just access-list, and the permit or deny statements are then entered in the named-ACL sub-mode, see below:

router>enable
router#configure terminal
router(config)#ip access-list <standard | extended> <name>
router(config-std-nacl)#<permit | deny> <source host or network> <wildcard>
router(config-ext-nacl)#<permit | deny> <protocol> <source host or network> <wildcard> <destination host or network> <wildcard> <operator> <port>

Video Tutorial

In this tutorial, I write a named access list (extended) and apply it to the router to permit traffic to a web server on port 80.

Extended Access Lists – ACL

Overview

Extended access lists offer greater flexibility than standard access lists because you can filter not only on source IP addresses but also on destination IP addresses, as well as on protocols, ports and services, for instance TCP port 23 (telnet). Since you are able to declare both the source and the destination addresses, you can apply the extended ACL on the router that is closest to the source network. This filters packets immediately, before they traverse the network only to be dropped at the far end; applied in this way, extended ACLs conserve bandwidth and router resources.

Standard ACL (1-99)                    Extended ACL (100-199)
-----------------------------------    -----------------------------------
applied closest to the destination     applied closest to the source
Denies or Permits:                     Denies or Permits:
  source IP address                      source IP address,
                                         destination IP address,
                                         port or service (optional)

Two Steps:

1. create the access list (standard or extended)
2. apply the access list to an interface (inbound or outbound)

1. Create:

Standard ACL (1-99, and 2000-2699):
denies or permits: 1) source IP address
Extended ACL (100-199):
denies or permits: 1) source IP address, 2) destination IP address, 3) port (service) (optional)

2. Apply:

Where to apply an ACL?
A standard ACL is applied inbound or outbound on the router interface that is closest to the destination of the traffic.
An extended ACL is applied inbound or outbound on the router interface that is closest to the source of the traffic.

IOS Commands

Extended access list command formats:
access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits> <operator> <port or service>
access-list <100-199> <deny | permit> <protocol> host <source ip address> host <destination ip address> <operator> <port or service>
access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits>

Extended access list examples:

Deny and permit a source class C network to a destination class C network:
router(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255

Deny or permit a source host to a destination /24 network:
router(config)#access-list 100 deny ip 192.168.1.100 0.0.0.0 192.168.4.0 0.0.0.255
router(config)#access-list 100 deny ip host 192.168.1.100 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip 192.168.1.101 0.0.0.0 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip host 192.168.1.101 192.168.4.0 0.0.0.255

Deny or permit any host to any destination on port 80 (http):
router(config)#access-list 100 deny tcp any any eq 80
router(config)#access-list 100 permit tcp any any eq 80

Deny or permit all hosts (an extended ACL statement always needs a protocol keyword, so "ip" is used to match every protocol):
router(config)#access-list 100 deny ip any any
router(config)#access-list 100 permit ip any any

Apply the access list to a router interface outbound and inbound

router(config)#interface fastethernet 0/0
router(config-if)#ip access-group 100 out

router(config)#interface fastethernet 0/1
router(config-if)#ip access-group 100 in

Video Tutorial

If you would like to follow along in Packet Tracer, click here to download the PT starter file:

In part 1, I demonstrate how to write and apply a basic extended access list

In part 2, I demonstrate how to permit only a port (service) using an extended access list 

Standard Access Lists – ACL

Standard Access Lists Overview

Access lists are used as a form of firewall security on a router. Access lists are statements that a router will use to check traffic against, and if there is a match, the router can filter that traffic by either permitting or denying the packets based on the access list statement. Cisco routers can be configured to utilize a variety of access lists with the most basic being the standard ACL, or access list.  The standard access list number range is 1 to 99 and 2000 to 2699. The basic access lists in the Cisco CCNA curriculum are the standard access list, the extended access list and the named access list. The named access list is given a name instead of a number and is configured to be either a standard or extended access list.

Access lists are written and read line-by-line; each line in the access list is a statement or rule. At the end of the access list is an implicit "deny all" or "deny any": even though you cannot see it, there is a "deny all" at the end of every access list. This causes problems because many people assume that an access list is permissive by default, that they only have to write statements denying the traffic they want to filter, and that everything else will be permitted. This is in fact false: anything not explicitly permitted is dropped.
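As an added illustration (not code from the original page), the following Python model evaluates an access list the way this section and the extended ACL and established ACL sections describe: Cisco wildcard masks, line-by-line first-match evaluation, the implicit deny at the end, and the TCP established keyword. The access-list entries and packets below are constructed for the example; ACL 1 mirrors the page's own standard ACL.

```python
import ipaddress

def wildcard_match(addr, base, wildcard="0.0.0.0"):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def entry_matches(e, p):
    """Does one access-list statement (dict) match one packet (dict)?"""
    if e.get("proto", "ip") != "ip" and e["proto"] != p.get("proto"):
        return False
    if not wildcard_match(p["src"], e["src"], e.get("src_wc", "0.0.0.0")):
        return False
    if "dst" in e and not wildcard_match(p["dst"], e["dst"], e.get("dst_wc", "0.0.0.0")):
        return False
    if "dport" in e and p.get("dport") != e["dport"]:
        return False
    # 'established' matches only TCP segments with ACK or RST set, i.e. replies to
    # sessions opened from the protected side; a fresh SYN from outside never matches.
    if e.get("established") and not (p.get("flags", set()) & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, p):
    """Statements are checked top to bottom and the first match wins; a packet that
    matches nothing falls through to the implicit 'deny any' ending every ACL."""
    for e in acl:
        if entry_matches(e, p):
            return e["action"]
    return "deny"

# Standard ACL 1 from the page: deny 192.168.1.0/24, permit 192.168.2.0/24.
ACL_1 = [{"action": "deny", "src": "192.168.1.0", "src_wc": "0.0.0.255"},
         {"action": "permit", "src": "192.168.2.0", "src_wc": "0.0.0.255"}]
# Same idea written general-before-specific: the host-level deny is never reached.
ACL_BAD_ORDER = [{"action": "permit", "src": "192.168.1.0", "src_wc": "0.0.0.255"},
                 {"action": "deny", "src": "192.168.1.100"}]
# Constructed extended ACL using the established keyword (inbound on the outside
# interface): only replies to TCP sessions opened from the inside are permitted.
ACL_ESTABLISHED = [{"action": "permit", "proto": "tcp", "src": "0.0.0.0", "src_wc": "255.255.255.255",
                    "dst": "192.168.1.0", "dst_wc": "0.0.0.255", "established": True}]

if __name__ == "__main__":
    print(evaluate(ACL_1, {"src": "192.168.3.7"}))            # deny (implicit deny, no match)
    print(evaluate(ACL_BAD_ORDER, {"src": "192.168.1.100"}))  # permit (general line matched first)
    syn = {"proto": "tcp", "src": "203.0.113.9", "dst": "192.168.1.5", "dport": 80, "flags": {"SYN"}}
    print(evaluate(ACL_ESTABLISHED, syn))                              # deny
    print(evaluate(ACL_ESTABLISHED, dict(syn, flags={"SYN", "ACK"})))  # permit
```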

Two Steps

1. create the access list (standard or extended)
2. apply the access list to an interface (inbound or outbound)

1. Create the ACL

Standard ACL (1-99, and 2000-2699):
denies or permits: 1) source IP address
Extended ACL (100-199):
denies or permits: 1) source IP address, 2) destination IP address, 3) port (service) (optional)

2. Apply the ACL

Where to apply an ACL?
A standard ACL is applied inbound or outbound on the router interface that is closest to the destination of the traffic.
An extended ACL is applied inbound or outbound on the router interface that is closest to the source of the traffic.

Cisco IOS CLI Commands

Standard access list command format:  access-list <1-99> <deny | permit> <source ip address> <wildcard bits>
Standard access list command format:  access-list <1-99> <deny | permit> host <source ip address>

examples:

Deny or permit a class c network: 
router(config)#access-list 1 deny 192.168.1.0 0.0.0.255
router(config)#access-list 1 permit 192.168.2.0 0.0.0.255

Deny or permit a host:
router(config)#access-list 1 deny 192.168.1.100 0.0.0.0
router(config)#access-list 1 deny host 192.168.1.100
router(config)#access-list 1 permit 192.168.1.101 0.0.0.0
router(config)#access-list 1 permit host 192.168.1.101

Deny or permit all hosts: 
router(config)#access-list 1 deny any
router(config)#access-list 1 permit any

Apply the access list to a router interface outbound and inbound

router(config)#interface fastethernet 0/0
router(config-if)#ip access-group 1 out

router(config)#interface fastethernet 0/1
router(config-if)#ip access-group 1 in

Video Tutorial

If you want to follow along with the tutorial click here to download the Packet Tracer start file: acl-standard1-begin.zip

In part 1, I cover the basics of writing and applying a standard ACL on a Cisco router

In part 2, I discuss how access lists are executed line-by-line and why access list statements need to be written from specific to general.

In part 3, I demonstrate why standard access lists are placed closest to the destination