Best Practice Configure Cisco Access List

perman6974
Level 1

I have configured a Cisco access list (ACL) on a Cisco router to permit access from subnet 10.203.128.0/24 to subnet 10.203.129.0/24, but only to host 10.203.129.254, not to every host in the subnet. The configuration of my router is as below:

interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 10 native
 ip address 10.203.128.41 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 12
 ip address 10.203.129.1 255.255.255.0
 ip access-group Block_Access_Net129 out
 ip helper-address 10.203.128.45
!
ip access-list extended Block_Access_Net129
 permit ip 10.203.128.0 0.0.0.255 host 10.203.129.254

The result seems OK in that I can only ping 10.203.129.254 from hosts in subnet 10.203.128.0/24, but the problem is that from hosts in subnet 10.203.129.0/24 I cannot ping or access any host in subnet 10.203.128.0/24. Any idea how to correct this configuration? Please see the attached network diagram for details.

 

Regards,

Perman

4 Replies

Giuseppe Larosa
Hall of Fame

Hello Perman,

you need to take into account that there is an implicit deny any any at the end of each ACL.

You should rewrite the ACL if you want to get different behaviour.

You have now:

>>
ip access-list extended Block_Access_Net129
 permit ip 10.203.128.0 0.0.0.255 host 10.203.129.254

You should rewrite it in the following manner:

ip access-list extended Block_Access_Net129
 permit icmp 10.203.128.0 0.0.0.255 host 10.203.129.254 echo-request
 deny icmp 10.203.128.0 0.0.0.255 10.203.129.0 0.0.0.255 echo-request
 permit ip any any

 

Another note is the following:

it is usually better to write ACLs that are applied in the inbound direction. This is the typical case with a multilayer switch, and also for security reasons: one of the possible L3 attacks, called spoofing, uses unexpected source addresses.

On a client VLAN, in your case represented by a dot1q subinterface, legitimate traffic has a source IP address that belongs to the IP subnet configured on the L3 device.

So the best practice would be to apply a modified ACL in the inbound direction on each subinterface.

 

The following ACL could be applied:

ip access-list extended Net128_INBOUND
 permit icmp 10.203.128.0 0.0.0.255 host 10.203.129.254 echo-request
 deny icmp 10.203.128.0 0.0.0.255 10.203.129.0 0.0.0.255 echo-request
 permit ip 10.203.128.0 0.0.0.255 any
 permit udp host 0.0.0.0 host 255.255.255.255
!
int fas0/0.1
 ip access-group Net128_INBOUND in

 

To be complete, the antispoofing ACL should allow traffic for DHCP requests; this is the meaning of the 4th line of the proposed ACL.

 

Hope to help

Giuseppe

 

 

Hi Giuseppe,

 

When I try to create the ACL with the icmp echo-request parameter, that parameter is not available in my router; only echo and echo-reply are, as shown below:

 

RTR-JOB-PTJM-JKT(config-ext-nacl)#permit icmp 10.203.128.0 0.0.0.255 host 10.203.129.254 ec?
echo echo-reply

 

My IOS version is as follows:

 

RTR-JOB-PTJM-JKT#show ver
Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(3j), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 13-Dec-07 21:44 by stshen

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

RTR-JOB-PTJM-JKT uptime is 29 weeks, 4 days, 21 hours, 51 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-spservicesk9-mz.124-3j.bin"

 

Is echo-reply the same as echo-request? Thanks in advance for your assistance.

 

Hello Perman,

I apologize, it was my error: in IOS you need to use echo, and this stands for the echo-request, the packet sent by the sender to the destination.

The ICMP echo-reply is the answer sent back from the destination to the sender of the echo-request.

This is how the ICMP ping test works.

I didn't check the commands on a real router.

In the ACL you should use the echo keyword as the equivalent of echo-request; echo-reply is different, as explained above.

 

Hope to help

Giuseppe

 

Hello

 

So my access-list configuration will be like below, correct?

 

ip access-list extended Net128_INBOUND
 permit icmp 10.203.128.0 0.0.0.255 host 10.203.129.254 echo
 deny icmp 10.203.128.0 0.0.0.255 10.203.129.0 0.0.0.255 echo
 permit ip 10.203.128.0 0.0.0.255 any
 ! DHCP discover from an unconfigured client: source 0.0.0.0, destination limited broadcast 255.255.255.255
 permit udp host 0.0.0.0 host 255.255.255.255

 

Then I need to apply it to interface FastEthernet0/0.1 inbound:

 

int fas0/0.1
 ip access-group Net128_INBOUND in

 

 

Please advise before I execute this matter; thanks in advance for your attention.

 

Regards,

Perman
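The two designs discussed in this thread (the original outbound ACL on Fa0/0.3 with its implicit deny, and the inbound anti-spoofing ACL on Fa0/0.1 with the echo keyword and the DHCP line) can be checked offline with a small simulator of IOS extended-ACL semantics: first matching entry wins, and a packet that matches nothing hits the implicit deny. This is an added example and not code from the thread or from Cisco; the host addresses 10.203.128.10, 10.203.129.20 and the spoofed source 192.0.2.7 are constructed, and the simulator only models protocol, addresses, wildcard masks and ICMP type (no port matching, no established keyword).

```python
"""Simulate IOS extended-ACL evaluation for the two designs in this thread.
Added example (not code from the thread): router topology and host addresses
are constructed; only proto/src/dst/wildcard and ICMP type are modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "udp" or "tcp"
    src: str
    dst: str
    icmp_type: Optional[str] = None  # "echo" (the request) or "echo-reply"


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str] = None  # None = any ICMP type


def _wildcard_to_netmask(wildcard: str) -> str:
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))))


def _parse_address(tok: list, i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    net = ipaddress.ip_network(f"{tok[i]}/{_wildcard_to_netmask(tok[i + 1])}", strict=False)
    return net, i + 2


def parse_acl(text: str) -> list:
    """Parse the lines of an 'ip access-list extended' body into ACEs, in order."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("!", "ip"):   # skip comments and the header line
            continue
        src, i = _parse_address(tok, 2)
        dst, i = _parse_address(tok, i)
        icmp_type = tok[i] if tok[1] == "icmp" and i < len(tok) else None
        aces.append(Ace(tok[0], tok[1], src, dst, icmp_type))
    return aces


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching ACE decides; falling off the end is the implicit 'deny any any'."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action
    return "deny"


# Router from the thread: VLAN 10 on Fa0/0.1, VLAN 12 on Fa0/0.3.
INTERFACES = {
    "Fa0/0.1": ipaddress.ip_network("10.203.128.0/24"),
    "Fa0/0.3": ipaddress.ip_network("10.203.129.0/24"),
}


def _interface_for(addr: str) -> Optional[str]:
    return next((n for n, net in INTERFACES.items() if ipaddress.ip_address(addr) in net), None)


def forward(bindings: dict, pkt: Packet, ingress: str) -> str:
    """Inbound ACL of the arrival interface first, then outbound ACL of the exit interface.
    bindings maps (interface, "in"|"out") -> parsed ACL; an unbound direction filters nothing."""
    acl_in = bindings.get((ingress, "in"))
    if acl_in is not None and evaluate(acl_in, pkt) == "deny":
        return "deny"
    acl_out = bindings.get((_interface_for(pkt.dst), "out"))  # None for the DHCP broadcast
    if acl_out is not None and evaluate(acl_out, pkt) == "deny":
        return "deny"
    return "permit"


def ping(bindings: dict, src: str, dst: str) -> bool:
    """A ping only works if the echo AND the echo-reply both cross the router."""
    req = Packet("icmp", src, dst, "echo")
    rep = Packet("icmp", dst, src, "echo-reply")
    return (forward(bindings, req, _interface_for(src)) == "permit"
            and forward(bindings, rep, _interface_for(dst)) == "permit")


# Design 1: the original post, ACL applied outbound on Fa0/0.3.
ORIGINAL = {("Fa0/0.3", "out"): parse_acl("""
 permit ip 10.203.128.0 0.0.0.255 host 10.203.129.254
""")}

# Design 2: the inbound anti-spoofing ACL from the replies, with the 'echo' keyword.
INBOUND = {("Fa0/0.1", "in"): parse_acl("""
 permit icmp 10.203.128.0 0.0.0.255 host 10.203.129.254 echo
 deny icmp 10.203.128.0 0.0.0.255 10.203.129.0 0.0.0.255 echo
 permit ip 10.203.128.0 0.0.0.255 any
 permit udp host 0.0.0.0 host 255.255.255.255
""")}
```

Running `ping(ORIGINAL, "10.203.129.20", "10.203.128.10")` returns False: the echo crosses unfiltered, but the echo-reply leaving Fa0/0.3 towards 10.203.129.20 matches no entry of Block_Access_Net129 and is dropped by the implicit deny, which is exactly the symptom in the original post. With `INBOUND`, the same ping returns True because the reply matches `permit ip 10.203.128.0 0.0.0.255 any` inbound on Fa0/0.1, while `ping(INBOUND, "10.203.128.10", "10.203.129.20")` is still False (the echo hits the deny line) and a packet with a source outside 10.203.128.0/24 arriving on Fa0/0.1 is denied, which is the anti-spoofing effect; the DHCP discover from 0.0.0.0 to 255.255.255.255 is permitted by the fourth line only when the destination is the full limited-broadcast address.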
