Scribd Logo
Hochladen

Willkommen bei Scribd!

  • Ccna Access List

    Hochgeladen von

    ukendiran
    63 Ansichten6 Seiten
    This chapter describes how to control network access through the FWSM using access lists. You can use access lists in both routed and transparent firewall modes. To access an FWSM interface for management access, you do not also need an Access List allowing the host IP address.

    Originalbeschreibung:

    Originaltitel

    ccna access list

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Verfügbare Formate

    PDF, TXT oder online auf Scribd lesen

    Stufen Sie dieses Dokument als nützlich ein?

    Sind diese Inhalte unangemessen?

    Dieses Dokument melden
    This chapter describes how to control network access through the FWSM using access lists. You can use access lists in both routed and transparent firewall modes. To access an FWSM interface for management access, you do not also need an Access List allowing the host IP address.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    63 Ansichten6 Seiten

    Ccna Access List

    Hochgeladen von

    ukendiran
    This chapter describes how to control network access through the FWSM using access lists. You can use access lists in both routed and transparent firewall modes. To access an FWSM interface for management access, you do not also need an Access List allowing the host IP address.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    von 6

    CH A P T E R 14

    Permitting or Denying Network Access

    This chapter describes how to control network access through the FWSM using access lists. To create an
    extended access lists or an EtherType access list, see Chapter 12, “Identifying Traffic with Access Lists.”

    Note You use access lists to control network access in both routed and transparent firewall modes. In
    transparent mode, you can use both extended access lists (for Layer 3 traffic) and EtherType access lists
    (for Layer 2 traffic).

    To access the FWSM interface for management access, you do not also need an access list allowing the
    host IP address. You only need to configure management access according to Chapter 22, “Configuring
    Management Access.”

    This chapter includes the following sections:


    • Inbound and Outbound Access List Overview, page 14-1
    • Applying an Access List to an Interface, page 14-4

    Inbound and Outbound Access List Overview


    Traffic flowing across an interface in the FWSM can be controlled in two ways. Traffic that enters the
    FWSM can be controlled by attaching an inbound access list to the source interface. Traffic that exits the
    FWSM can be controlled by attaching an outbound access list to the destination interface. To allow any
    traffic to enter the FWSM, you must attach an inbound access list to an interface; otherwise, the FWSM
    automatically drops all traffic that enters that interface. By default, traffic can exit the FWSM on any
    interface unless you restrict it using an outbound access list, which adds restrictions to those already
    configured in the inbound access list.

    Note “Inbound” and “outbound” refer to the application of an access list on an interface, either to traffic
    entering the FWSM on an interface or traffic exiting the FWSM on an interface. These terms do not refer
    to the movement of traffic from a lower security interface to a higher security interface, commonly
    known as inbound, or from a higher to lower interface, commonly known as outbound.

    Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
    OL-16083-01 14-1
    Chapter 14 Permitting or Denying Network Access
    Inbound and Outbound Access List Overview

    You might want to use an outbound access list to simplify your access list configuration. For example,
    if you want to allow three inside networks on three different interfaces to access each other, you can
    create a simple inbound access list that allows all traffic on each inside interface (see Figure 14-1).

    Figure 14-1 Inbound Access Lists

    Web Server:
    209.165.200.225

    FWSM Outside

    Inside Eng

    ACL Inbound ACL Inbound ACL Inbound


    Permit from any to any Permit from any to any Permit from any to any

    10.1.1.0/24 10.1.2.0/24 10.1.3.0/24

    132945
    See the following commands for this example:
    hostname(config)# access-list INSIDE extended permit ip any any
    hostname(config)# access-group INSIDE in interface inside

    hostname(config)# access-list HR extended permit ip any any


    hostname(config)# access-group HR in interface hr

    hostname(config)# access-list ENG extended permit ip any any


    hostname(config)# access-group ENG in interface eng

    Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
    14-2 OL-16083-01
    Chapter 14 Permitting or Denying Network Access
    Inbound and Outbound Access List Overview

    Then, if you want to allow only certain hosts on the inside networks to access a web server on the outside
    network, you can create a more restrictive access list that allows only the specified hosts and apply it to
    the outbound direction of the outside interface (see Figure 14-1). See the “IP Addresses Used for Access
    Lists When You Use NAT” section on page 12-3 for information about NAT and IP addresses. The
    outbound access list prevents any other hosts from reaching the outside network.

    Figure 14-2 Outbound Access List

    Web Server:
    209.165.200.225

    FWSM Outside

    ACL Outbound
    Permit HTTP from 209.165.201.4, 209.165.201.6,
    and 209.165.201.8 to 209.165.200.225
    Deny all others

    Inside HR Eng

    ACL Inbound ACL Inbound ACL Inbound


    Permit from any to any Permit from any to any Permit from any to any

    10.1.1.14 209.165.201.4 10.1.3.34 209.165.201.8


    Static NAT Static NAT

    132944
    10.1.2.67 209.165.201.6
    Static NAT

    See the following commands for this example:


    hostname(config)# access-list INSIDE extended permit ip any any
    hostname(config)# access-group INSIDE in interface inside

    hostname(config)# access-list HR extended permit ip any any


    hostname(config)# access-group HR in interface hr

    hostname(config)# access-list ENG extended permit ip any any


    hostname(config)# access-group ENG in interface eng

    hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.4


    host 209.165.200.225 eq www
    hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6
    host 209.165.200.225 eq www
    hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8
    host 209.165.200.225 eq www
    hostname(config)# access-group OUTSIDE out interface outside

    Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
    OL-16083-01 14-3
    Chapter 14 Permitting or Denying Network Access
    Applying an Access List to an Interface

    Applying an Access List to an Interface


    To apply an extended access list to the inbound or outbound direction of an interface, enter the following
    command:
    hostname(config)# access-group access_list_name {in | out} interface interface_name
    [per-user-override]

    You can apply one access list of each type (extended and EtherType) to both directions of the interface.
    See the “Inbound and Outbound Access List Overview” section on page 14-1 for more information about
    access list directions.
    The per-user-override keyword allows dynamic access lists that are downloaded for user authorization
    to override the access list assigned to the interface. For example, if the interface access list denies all
    traffic from 10.0.0.0, but the dynamic access list permits all traffic from 10.0.0.0, then the dynamic
    access list overrides the interface access list for that user. See the “Configuring RADIUS Authorization”
    section for more information about per-user access lists. The per-user-override keyword is only
    available for inbound access lists.
    For connectionless protocols, you need to apply the access list to the source and destination interfaces
    if you want traffic to pass in both directions. For example, you can allow BGP in an EtherType access
    list in transparent mode, and you need to apply the access list to both interfaces.
    The following example illustrates the commands required to enable access to an inside web server with
    the IP address 209.165.201.12 (this IP address is the address visible on the outside interface after NAT):
    hostname(config)# access-list ACL_OUT extended permit tcp any host 209.165.201.12 eq www
    hostname(config)# access-group ACL_OUT in interface outside

    You also need to configure NAT for the web server.


    The following access lists allow all hosts to communicate between the inside and hr networks, but only
    specific hosts to access the outside network:
    hostname(config)# access-list ANY extended permit ip any any
    hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
    hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any

    hostname(config)# access-group ANY in interface inside


    hostname(config)# access-group ANY in interface hr
    hostname(config)# access-group OUT out interface outside

    For example, the following sample access list allows common EtherTypes originating on the inside
    interface:
    hostname(config)# access-list ETHER ethertype permit ipx
    hostname(config)# access-list ETHER ethertype permit bpdu
    hostname(config)# access-list ETHER ethertype permit mpls-unicast
    hostname(config)# access-group ETHER in interface inside

    The following access list allows some EtherTypes through the FWSM, but denies all others:
    hostname(config)# access-list ETHER ethertype permit 0x1234
    hostname(config)# access-list ETHER ethertype permit bpdu
    hostname(config)# access-list ETHER ethertype permit mpls-unicast
    hostname(config)# access-group ETHER in interface inside
    hostname(config)# access-group ETHER in interface outside

    The following access list denies traffic with EtherType 0x1256 but allows all others on both interfaces:
    hostname(config)# access-list nonIP ethertype deny 1256
    hostname(config)# access-list nonIP ethertype permit any
    hostname(config)# access-group ETHER in interface inside

    Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
    14-4 OL-16083-01
    Chapter 14 Permitting or Denying Network Access
    Applying an Access List to an Interface

    hostname(config)# access-group ETHER in interface outside

    Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
    OL-16083-01 14-5
    Chapter 14 Permitting or Denying Network Access
    Applying an Access List to an Interface

    Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
    14-6 OL-16083-01

    Das könnte Ihnen auch gefallen