A way of tweaking an access-list to be more flexible: the reflexive access list lets you configure the Cisco to allow all or some of the connections that were permitted by another access list. For instance, allowing the return traffic of every connection that originated from the LAN while blocking everything else.

Configuration is very simple: create two access lists, let's say Internal and External. Internal will permit all desired traffic; External will permit only packets belonging to connections that Internal allowed, and deny all others.

It will look like this:
ip access-list extended Internal
 permit ip any any reflect TEMP
ip access-list extended External
 evaluate TEMP

and on the external interface:

ip access-group External in
ip access-group Internal out
I also like to see the packets that are being blocked, so I add a "deny ip any any log" at the bottom of the External ACL. Also make sure to allow any other traffic if needed.
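To make the reflect/evaluate mechanism concrete, here is an added Python model (not Cisco code and not from the original post) of the Internal/External pair above, run over a few constructed packets: the reply to a LAN web session is permitted, an unsolicited inbound connection is denied and logged, and an entry that has sat idle past the timeout no longer matches. The 300-second idle timeout and the packet addresses are assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:          # the 5-tuple a reflexive entry is keyed on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class ReflexiveAcl:
    """Models 'permit ip any any reflect TEMP' outbound and 'evaluate TEMP' + 'deny ip any any log' inbound."""

    def __init__(self, idle_timeout: int = 300):
        # TEMP entries expire after idle_timeout s without matching traffic (300 s is the IOS default; assumed here)
        self.idle_timeout = idle_timeout
        self.temp: dict[Packet, float] = {}   # TEMP: mirrored 5-tuple -> expiry time
        self.denied: list[str] = []           # what 'deny ip any any log' would report

    def outbound(self, pkt: Packet, now: float) -> bool:
        # Internal ACL: permit, and record the mirror image (addresses and ports
        # swapped) so the reply is recognised when it comes back in.
        mirror = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.temp[mirror] = now + self.idle_timeout
        return True

    def inbound(self, pkt: Packet, now: float) -> bool:
        # External ACL, 'evaluate TEMP': permit only if a live temporary entry matches
        expiry = self.temp.get(pkt)
        if expiry is not None and now < expiry:
            self.temp[pkt] = now + self.idle_timeout   # traffic refreshes the entry
            return True
        self.temp.pop(pkt, None)                       # expired entry, remove it
        # 'deny ip any any log': everything else, including unsolicited inbound SYNs
        self.denied.append(f"denied {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return False

def demo() -> dict:
    # Constructed traffic: one LAN web session and one unsolicited inbound SSH attempt
    acl = ReflexiveAcl(idle_timeout=300)
    out = Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 443)
    reply = Packet("tcp", "203.0.113.5", 443, "192.168.1.10", 40000)
    unsolicited = Packet("tcp", "198.51.100.7", 5555, "192.168.1.10", 22)
    acl.outbound(out, now=0)
    return {
        "reply_allowed": acl.inbound(reply, now=1),              # True: mirror entry exists
        "unsolicited_allowed": acl.inbound(unsolicited, now=2),  # False: no entry, logged
        "reply_after_idle": acl.inbound(reply, now=1000),        # False: entry expired
        "denied": acl.denied,
    }
```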
Another way is the dynamic access-list: basically you create an entry that requires authentication before it can be used. For example, allow connecting to an internal web or FTP server only after successfully authenticating with the Cisco. Like the reflexive ACL, it's very easy to configure.

Let's say we want to allow the network 192.168.1.0/24 to browse the internet only after authenticating to the Cisco (192.168.1.1). We need to make sure telnet traffic is allowed, since that is how the authentication happens.

The ACL:
ip access-list extended Dynamic
 10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet
 20 dynamic List_1 permit tcp 192.168.1.0 0.0.0.255 any eq www
Create a user for the authentication:
username test password 7 071E36491F5B4A
username test autocommand access-enable host timeout 10
In this case users will be able to browse for 10 minutes before they need to re-authenticate.

Now just apply the ACL to an interface and we're all done.
Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR