Thursday, May 2, 2024

Cisco Access Control List (ACL) Established

Here's a nice link regarding the access control list (ACL) established keyword on a Cisco router. The keyword is commonly used to allow only TCP traffic that belongs to sessions originated from the inside toward the destination IP, which effectively denies TCP sessions initiated from the outside or public Internet.

To test it, I set up two directly connected routers and used Loopback interfaces for the destination IP addresses. Ping and TCP ports 80 and 443 on each router were initially allowed.

R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.1.1.1        YES manual up                    up
FastEthernet1/0        unassigned      YES unset  administratively down down
FastEthernet1/1        192.168.1.1     YES manual up                    up
Loopback1              1.1.1.1         YES manual up                    up

R1#ping 2.2.2.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/92 ms

R1#telnet 2.2.2.2 80 /source-interface f0/0
Trying 2.2.2.2, 80 ... Open

R1#telnet 2.2.2.2 443 /source-interface f0/0
Trying 2.2.2.2, 443 ... Open

R2#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        200.1.1.1       YES manual up                    up
FastEthernet1/0        unassigned      YES unset  administratively down down
FastEthernet1/1        192.168.1.2     YES manual up                    up
Loopback2              2.2.2.2         YES manual up                    up

R2#ping 1.1.1.1 source 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 200.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/22/44 ms

R2#telnet 1.1.1.1 80 /source-interface f0/0
Trying 1.1.1.1, 80 ... Open

R2#telnet 1.1.1.1 443 /source-interface f0/0
Trying 1.1.1.1, 443 ... Open

Below is the ACL with the established keyword, applied inbound on R1's f1/1. I added the log keyword to each entry to capture ACL matches. R1 was still able to ping and open TCP ports 80 and 443 to R2's Loopback IP address 2.2.2.2 using its LAN source IP address (10.1.1.1), because the replies coming back match the established and echo-reply entries.

 

ip access-list extended WEB_ACL

 permit udp any 10.1.1.0 0.0.0.255 eq 53 log

 permit tcp any eq 80 10.1.1.0 0.0.0.255 established log

 permit tcp any eq 443 10.1.1.0 0.0.0.255 established log

 permit icmp any 10.1.1.0 0.0.0.255 echo-reply log

 

interface f1/1

 ip access-group WEB_ACL in

 

 

R1#show ip access-list                      

Extended IP access list WEB_ACL

    10 permit udp any 10.1.1.0 0.0.0.255 eq domain log

    20 permit tcp any eq www 10.1.1.0 0.0.0.255 established log

    30 permit tcp any eq 443 10.1.1.0 0.0.0.255 established log

    40 permit icmp any 10.1.1.0 0.0.0.255 echo-reply log

 

 

R1#ping 2.2.2.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/25/60 ms

R1#telnet 2.2.2.2 80 /source-interface f0/0
Trying 2.2.2.2, 80 ... Open

*Feb 18 08:45:24.615: %SEC-6-IPACCESSLOGP: list WEB_ACL permitted tcp 2.2.2.2(80) -> 10.1.1.1(35657), 1 packet

R1#telnet 2.2.2.2 443 /source-interface f0/0
Trying 2.2.2.2, 443 ... Open

*Feb 18 08:45:47.987: %SEC-6-IPACCESSLOGP: list WEB_ACL permitted tcp 2.2.2.2(443) -> 10.1.1.1(59649), 1 packet

R1#show access-list
Extended IP access list WEB_ACL
    10 permit udp any 10.1.1.0 0.0.0.255 eq domain log
    20 permit tcp any eq www 10.1.1.0 0.0.0.255 established log (8 matches)
    30 permit tcp any eq 443 10.1.1.0 0.0.0.255 established log (6 matches)
    40 permit icmp any 10.1.1.0 0.0.0.255 echo-reply log (5 matches)

R2 is unable to ping or open TCP ports 80 and 443 to R1's Loopback IP 1.1.1.1 using its LAN source IP address (200.1.1.1): its echo-requests and opening SYNs match none of the permit entries and fall to the implicit deny at the end of the ACL.

 

R2#ping 1.1.1.1 source 200.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 200.1.1.1

UUUUU

Success rate is 0 percent (0/5)

 

 

R2#telnet 1.1.1.1 80 /source-interface f0/0

Trying 1.1.1.1, 80 ...

% Destination unreachable; gateway or host down

 

 

R2#telnet 1.1.1.1 443 /source-interface f0/0

Trying 1.1.1.1, 443 ...

% Destination unreachable; gateway or host down
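To make explicit why R1's sessions succeed while R2's fail, here is an added example (my own code, not from the post or from Cisco): a small Python evaluator that parses the page's WEB_ACL, models established the way IOS does (a TCP segment matches only if its ACK or RST bit is set, and no session table is kept) and runs constructed packets through it with the same first-match / implicit-deny semantics. The packets are constructed for this example: the reply segment and echo-reply R1 receives (the first mirrors the logged 2.2.2.2(80) -> 10.1.1.1(35657)), R2's opening SYN and echo-request, a SYN into the LAN with source port 80, and a DNS reply from a placeholder resolver 203.0.113.53. The parser handles only the ACL syntax the page uses and also accepts the show access-list form with its sequence numbers, port names (www, domain) and hit counters.

```python
"""Stateless evaluator for the page's WEB_ACL and the IOS 'established' keyword.
Added example (not code from the post or from Cisco); it handles only the ACL syntax the
page uses. 'established' matches a TCP segment whose ACK or RST bit is set; IOS keeps no
session table for it, so the permit/deny decision rests on that one segment alone."""
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

PORT_NAMES = {"www": 80, "domain": 53}  # names IOS prints in 'show access-list'

@dataclass(frozen=True)
class Packet:
    proto: str                      # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. {'SYN', 'ACK'}
    icmp_type: str = ""             # 'echo' or 'echo-reply'

@dataclass
class Ace:
    action: str
    proto: str
    src: tuple                      # (network, mask) as ints, mask = ~wildcard
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    established: bool
    icmp_type: Optional[str]
    text: str = field(default="", compare=False)

def _addr(toks, i):
    """Consume 'any' or 'A WILDCARD' at toks[i]; return ((network, mask), next index)."""
    if toks[i] == "any":
        return (0, 0), i + 1
    mask = ~int(IPv4Address(toks[i + 1])) & 0xFFFFFFFF
    return (int(IPv4Address(toks[i])) & mask, mask), i + 2

def parse_ace(line: str) -> Ace:
    """Parse one entry in either the config or the 'show access-list' form."""
    line = re.sub(r"\(\d+ match(es)?\)", "", line).strip()  # drop hit counters
    toks = line.split()
    if toks[0].isdigit():                                   # sequence number
        toks = toks[1:]
    port = lambda t: int(t) if t.isdigit() else PORT_NAMES[t]
    src, i = _addr(toks, 2)
    sport = dport = None
    if toks[i] == "eq":
        sport, i = port(toks[i + 1]), i + 2
    dst, i = _addr(toks, i)
    if i < len(toks) and toks[i] == "eq":
        dport, i = port(toks[i + 1]), i + 2
    rest = toks[i:]
    icmp = next((t for t in rest if t in ("echo", "echo-reply")), None)
    return Ace(toks[0], toks[1], src, sport, dst, dport, "established" in rest, icmp, line)

def _in(addr: str, net: tuple) -> bool:
    return (int(IPv4Address(addr)) & net[1]) == net[0]

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto) or not (_in(pkt.src, ace.src) and _in(pkt.dst, ace.dst)):
        return False
    if ace.sport not in (None, pkt.sport) or ace.dport not in (None, pkt.dport):
        return False
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False   # a session's opening SYN carries no ACK, so it never matches
    return ace.icmp_type is None or pkt.icmp_type == ace.icmp_type

def evaluate(acl, pkt: Packet):
    """First match wins; anything unmatched hits the implicit deny, as on IOS."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"

WEB_ACL = [parse_ace(l) for l in """
permit udp any 10.1.1.0 0.0.0.255 eq 53 log
permit tcp any eq 80 10.1.1.0 0.0.0.255 established log
permit tcp any eq 443 10.1.1.0 0.0.0.255 established log
permit icmp any 10.1.1.0 0.0.0.255 echo-reply log
""".strip().splitlines()]

# Constructed packets as they would arrive inbound on R1 f1/1, where the ACL is applied.
SAMPLE_PACKETS = {
    # reply to R1's own telnet, i.e. the logged 2.2.2.2(80) -> 10.1.1.1(35657), ACK set
    "r1_http_reply": Packet("tcp", "2.2.2.2", "10.1.1.1", 80, 35657, frozenset({"SYN", "ACK"})),
    "r1_ping_reply": Packet("icmp", "2.2.2.2", "10.1.1.1", icmp_type="echo-reply"),
    # R2's attempts from 200.1.1.1: a fresh SYN and an echo-request, neither matches a line
    "r2_http_syn": Packet("tcp", "200.1.1.1", "1.1.1.1", 40000, 80, frozenset({"SYN"})),
    "r2_ping": Packet("icmp", "200.1.1.1", "1.1.1.1", icmp_type="echo"),
    # a SYN into the LAN with source port 80 still fails 'established' (no ACK bit)
    "lan_syn_sport80": Packet("tcp", "200.1.1.1", "10.1.1.1", 80, 40001, frozenset({"SYN"})),
    # a DNS reply to an inside resolver has source port 53; line 10 only checks the dst port
    "lan_dns_reply": Packet("udp", "203.0.113.53", "10.1.1.1", 53, 40002),
}

def run_samples() -> dict:
    return {name: evaluate(WEB_ACL, pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}
```

run_samples() returns permit for the two replies R1 receives and deny for everything else, which is the page's result. Two things the match counters do not show: a SYN into the LAN fails the established check even when its source port is 80, because established only inspects flag bits and is not stateful inspection; and, reading line 10 as written, "permit udp any 10.1.1.0 0.0.0.255 eq 53" matches queries to a DNS server inside the LAN (destination port 53), not replies to inside resolvers, which arrive with source port 53 and would need the port to be specified on the source side instead.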