Wednesday, September 26, 2012

Workbook Thingie: ACL and NAT...

I've been doing a few practice exams, and two areas that always make me think "Argh!" are Access Control Lists, and Network Address Translation.

It's not that I'm unfamiliar with the concepts or how they operate, rather, it's a case that I have a hard time remembering the syntax of the commands.

A large part of studying for the CCNA is becoming familiar with the command syntax in Cisco's IOS operating system, which is completely CLI text-based. As a consequence, a lot of my studies revolve around remembering the correct commands, which variables to enter, and how to enter them, among other things.

I have found however, an awesome website, which is full of tutorials and scenarios, and it is with their help that I'm studying ACLs now.

Now, NAT depends on an understanding of ACLs, so I'm going to study both at the same time.

1: Create a Standard ACL

Now access lists come in two flavours: Standard, and Extended. Standard ACLS are nice and simple. They block traffic based on its source address, and so should be placed closest to the destination of the traffic as possible. Why? I don't know.

Well, I went and checked. The reason you place standard ACLs closest to the destination of the traffic, is because they block ALL traffic from an address, they might block traffic that you don't necessarily want blocking, from your network.

Here's the topology that I'm working with, and I'm going to configure a standard access control list on router 1, with the intention of blocking traffic from the right PC to the left PC.(I'm going to call the left PC PC1 and the right PC PC2 just to make it easy on myself.
A quick test beforehand to show that I can successfully ping (tests for two-way data travel between hosts) from one PC to the other (meaning that the network is working properly), and we're ready to begin.

Router1(config)#access-list 10 deny host
Router1(config)#access-list 10 permit any

So what we've done here is created an access control list, ACL number 10. 
The purpose of ACL 10 is to deny all traffic coming from, that is, the right hand PC. 
However, a quick test of the network shows that I can still ping from PC1 to PC2, and back again.

Yep, we need to apply the access list to a specific interface.

Router1(config-int)#IP Access-Class 10 out

This applies the access list to the interface, in an outbound direction. Lo and behold, we can no longer ping from the right PC to the left, because router 1 now discards all packets destined for the left PC.

Now that's all done with, it's time to clear the standard ACL off the router, because we're going to create an Extended ACL.

2: Create an Extended ACL

Now it's time to get on with something a little more in depth. Extended ACLs are more versatile than standard ACLs, as they can block specific types of traffic. Want to prevent telnet traffic while allowing web and email traffic through? No problem, you can do that with an extended ACL.

As you can imagine, because extended ACLs are more in depth, the syntax for them is correspondingly more complex. 

The command we're going to use now is:

Router1(config-int)#access-list 150 deny tcp any host eq telnet

To break it down:

  • Access list number 150 (therefore extended). 
  • Deny - do not allow this traffic. 
  • TCP - do not allow this protocol. 
  • Any host: from any host. 
  • - to this host. 
  • Eq Telnet - if it is telnet traffic.
I think you can also block specific port numbers too. I'll check that out in a second.

Because we want to continue to allow IP traffic through, we need to add:

Router1(config)#access-list 150 permit ip any any.

Access control lists have what is called an "implicit deny". That is, unless traffic is specifically allowed, the ACL blocks any and all traffic.

Apply the access list to the interface as before (IP access-class 150 out) and lo and behold, while we can still ping from the right pc to the left pc, we cannot telnet from the right to the left. Not only that, but we can't telnet to the left pc from router 2 either. 

A quick check of router 1 to see if the access control list is working, and...

We're looking at the bit that says "24 matches". This means that 24 telnet packets were blocked from passing to  PC1. Way to go :-).

Now, let's learn about named Access Control Lists.

3: Create a Named ACL

Numbered access control lists are cool, but they have a major drawback, which is that you cannot edit specific lines in the ACL. The only way to do this is to copy the entire ACL into notepad, edit it there, remove the original ACL from the router, and paste the edited version in as a brand new ACL.

With named ACLs, each entry has its own little reference number, indicating its place in the stack of ACL entries. By switching entries around, you can make the ACL behave in very different ways, making the whole thing much more versatile. And all without having to delete and re-create the ACL!

Author's Note: I've come across a problem in Packet Tracer, and the simulated router will not accept the commands that the tutorial is asking me to make. I'm going to fire up my lab and see if my 2620 will let me create a named ACL.
Update: Just fired up my lab, and the router happily accepts the ACL as defined in the tutorial. Could be a problem with Packet Tracer, as even the simulated 2620xm won't accept the commands.

So there we go.

Next up, Wildcard Masks...

No comments: