Here's a nice link regarding the established keyword in an access control list (ACL) on a Cisco router. The keyword is commonly used to allow only the return traffic of TCP connections that originated from the inside towards the destination IP. This effectively denies TCP connections initiated from the outside or public Internet.
In order to test it, I set up two directly connected routers and used Loopback interfaces for the destination IP addresses. Ping and TCP ports 80 and 443 on each router were initially allowed.
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.1 YES manual up up
FastEthernet1/0 unassigned YES unset administratively down down
FastEthernet1/1 192.168.1.1 YES manual up up
Loopback1 1.1.1.1 YES manual up up
R1#ping 2.2.2.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/92 ms
R1#telnet 2.2.2.2 80 /source-interface f0/0
Trying 2.2.2.2, 80 ... Open
R1#telnet 2.2.2.2 443 /source-interface f0/0
Trying 2.2.2.2, 443 ... Open
R2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 200.1.1.1 YES manual up up
FastEthernet1/0 unassigned YES unset administratively down down
FastEthernet1/1 192.168.1.2 YES manual up up
Loopback2 2.2.2.2 YES manual up up
R2#ping 1.1.1.1 source 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 200.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/22/44 ms
R2#telnet 1.1.1.1 80 /source-interface f0/0
Trying 1.1.1.1, 80 ... Open
R2#telnet 1.1.1.1 443 /source-interface f0/0
Trying 1.1.1.1, 443 ... Open
Below is the ACL with the established keyword, applied inbound on R1's f1/1. I added the log keyword to capture ACL matches. R1 was able to ping and open TCP ports 80 and 443 to R2's Loopback IP address 2.2.2.2 using its LAN source IP address (10.1.1.1).
ip access-list extended WEB_ACL
permit udp any 10.1.1.0 0.0.0.255 eq 53 log
permit tcp any eq 80 10.1.1.0 0.0.0.255 established log
permit tcp any eq 443 10.1.1.0 0.0.0.255 established log
permit icmp any 10.1.1.0 0.0.0.255 echo-reply log
interface f1/1
ip access-group WEB_ACL in
R1#show ip access-list
Extended IP access list WEB_ACL
10 permit udp any 10.1.1.0 0.0.0.255 eq domain log
20 permit tcp any eq www 10.1.1.0 0.0.0.255 established log
30 permit tcp any eq 443 10.1.1.0 0.0.0.255 established log
40 permit icmp any 10.1.1.0 0.0.0.255 echo-reply log
R1#ping 2.2.2.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/25/60 ms
R1#telnet 2.2.2.2 80 /source-interface f0/0
Trying 2.2.2.2, 80 ... Open
*Feb 18 08:45:24.615: %SEC-6-IPACCESSLOGP: list WEB_ACL permitted tcp 2.2.2.2(80) -> 10.1.1.1(35657), 1 packet
R1#telnet 2.2.2.2 443 /source-interface f0/0
Trying 2.2.2.2, 443 ... Open
*Feb 18 08:45:47.987: %SEC-6-IPACCESSLOGP: list WEB_ACL permitted tcp 2.2.2.2(443) -> 10.1.1.1(59649), 1 packet
R1#show access-list
Extended IP access list WEB_ACL
10 permit udp any 10.1.1.0 0.0.0.255 eq domain log
20 permit tcp any eq www 10.1.1.0 0.0.0.255 established log (8 matches)
30 permit tcp any eq 443 10.1.1.0 0.0.0.255 established log (6 matches)
40 permit icmp any 10.1.1.0 0.0.0.255 echo-reply log (5 matches)
R2 is unable to ping or open TCP ports 80 and 443 to R1's Loopback IP 1.1.1.1 using its LAN source IP address (200.1.1.1).
R2#ping 1.1.1.1 source 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 200.1.1.1
UUUUU
Success rate is 0 percent (0/5)
R2#telnet 1.1.1.1 80 /source-interface f0/0
Trying 1.1.1.1, 80 ...
% Destination unreachable; gateway or host down
R2#telnet 1.1.1.1 443 /source-interface f0/0
Trying 1.1.1.1, 443 ...
% Destination unreachable; gateway or host down
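To make the behaviour above reproducible without a lab, here is an added example (not part of the original post) that simulates how an extended IP ACL evaluates packets, including the established keyword, which in IOS matches a TCP segment only when its ACK or RST flag is set. The rules mirror WEB_ACL as configured on R1; the sample packets (including the 203.0.113.9 source and the ports not seen in the post) are constructed for illustration. The last packet shows the caveat a practitioner should keep in mind: established is stateless, so any ACK-flagged segment from source port 80 matches rule 20 whether or not a session exists, which is why stateful inspection is preferred on an Internet edge.

```python
from __future__ import annotations

# Added example, not from the original post: a minimal extended-ACL evaluator
# modelling the IOS "established" keyword (matches TCP segments with ACK or RST set).
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                      # TCP/UDP source port
    dport: int = 0                      # TCP/UDP destination port
    flags: frozenset = frozenset()      # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: str = ""                 # "echo" or "echo-reply" for ICMP


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                         # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: int | None = None            # "eq" source port, None = any
    dport: int | None = None            # "eq" destination port, None = any
    established: bool = False           # the "established" keyword
    icmp_type: str = ""                 # ICMP message type, "" = any


def net(spec: str) -> ipaddress.IPv4Network:
    """Parse 'any' or 'address wildcard' (IOS wildcard mask) into a network."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, wildcard = spec.split()
    # A wildcard mask is the bitwise inverse of the subnet mask.
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in rule.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    # "established": only segments with ACK or RST qualify, so the first SYN
    # of a connection initiated from the outside never matches this rule.
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    if rule.icmp_type and pkt.icmp_type != rule.icmp_type:
        return False
    return True


def evaluate(acl: list[Rule], pkt: Packet) -> tuple[str, int | None]:
    """First matching entry wins; the implicit 'deny ip any any' ends the list."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


# Constructed to mirror WEB_ACL from the post (applied inbound on R1 f1/1).
WEB_ACL = [
    Rule(10, "permit", "udp", net("any"), net("10.1.1.0 0.0.0.255"), dport=53),
    Rule(20, "permit", "tcp", net("any"), net("10.1.1.0 0.0.0.255"), sport=80, established=True),
    Rule(30, "permit", "tcp", net("any"), net("10.1.1.0 0.0.0.255"), sport=443, established=True),
    Rule(40, "permit", "icmp", net("any"), net("10.1.1.0 0.0.0.255"), icmp_type="echo-reply"),
]

# Constructed sample packets.
# Return traffic for R1's own telnet to 2.2.2.2:80 (the SYN/ACK logged in the post).
RETURN_SYNACK = Packet("tcp", "2.2.2.2", "10.1.1.1", 80, 35657, frozenset({"SYN", "ACK"}))
# R2's attempt from 200.1.1.1 to 1.1.1.1:80, as in the post: no entry covers 1.1.1.1.
INBOUND_SYN = Packet("tcp", "200.1.1.1", "1.1.1.1", 40000, 80, frozenset({"SYN"}))
# A SYN from source port 80 towards the LAN: would match rule 20 without "established".
INBOUND_SYN_FROM_80 = Packet("tcp", "203.0.113.9", "10.1.1.1", 80, 51000, frozenset({"SYN"}))
# Echo request from the outside (the UUUUU case) vs. an echo reply back to the LAN.
INBOUND_ECHO = Packet("icmp", "200.1.1.1", "1.1.1.1", icmp_type="echo")
RETURN_ECHO_REPLY = Packet("icmp", "2.2.2.2", "10.1.1.1", icmp_type="echo-reply")
# Stateless caveat: a bare ACK from port 80 matches rule 20 even with no session.
STRAY_ACK = Packet("tcp", "203.0.113.9", "10.1.1.50", 80, 51000, frozenset({"ACK"}))

if __name__ == "__main__":
    samples = [("return SYN/ACK", RETURN_SYNACK), ("inbound SYN to 1.1.1.1", INBOUND_SYN),
               ("inbound SYN from port 80", INBOUND_SYN_FROM_80), ("inbound echo", INBOUND_ECHO),
               ("return echo-reply", RETURN_ECHO_REPLY), ("stray ACK from port 80", STRAY_ACK)]
    for name, pkt in samples:
        action, seq = evaluate(WEB_ACL, pkt)
        print(f"{name:26s} -> {action} ({'rule ' + str(seq) if seq else 'implicit deny'})")
```

Running the script prints one verdict per packet: the SYN/ACK and echo-reply are permitted by rules 20 and 40, the inbound SYN, the SYN from port 80 and the inbound echo fall through to the implicit deny, and the stray ACK is permitted by rule 20 because the keyword checks flags, not connection state.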