• Configure R4 to permit any TCP traffic destined for R5 and sourced from the Loopback0 subnets. Ensure R4 allows returning TCP packets for those connections.
• VLAN 146 contains servers running FTP, WWW, SMTP and DNS applications.
• Configure R4 to allow access to those applications from behind R5.
• Allow DNS zone file transfers in addition to DNS access.
• Ensure you only permit active FTP responses from servers in VLAN 146.
• Permit the exchange of RIP routing updates.
• Permit IOS “traceroute” and “ping” commands to function across R4.
• Ensure that the Path MTU discovery procedure works successfully across your firewall.
• Deny all ICMP “unreachable” messages with your configuration.
• Deny all other traffic.
Configuration
R4:
no ip access-list extended INBOUND ip access-list extended INBOUND remark ==
remark == Active FTP uses TCP ports 20 and 21 remark ==
permit tcp any 155.1.146.0 0.0.0.255 range 20 21 remark ==
remark == WWW and SMTP use port numbers 80 and 25 remark ==
permit tcp any 155.1.146.0 0.0.0.255 eq 80 permit tcp any 155.1.146.0 0.0.0.255 eq 25 remark ==
remark == DNS uses UDP port 53 and TCP port 53 for zone xfers remark ==
permit udp any 155.1.146.0 0.0.0.255 eq 53 permit tcp any 155.1.146.0 0.0.0.255 eq 53 remark ==
remark == Established TCP sessions are traffic returning back remark ==
permit tcp any 150.1.0.0 0.0.255.255 established remark ==
remark == Inbound traceroute UDP probes remark ==
permit udp any any range 33434 33474 remark ==
remark == Backscatter ICMP traffic for outbound traceroute UDP probes remark ==
remark ==
remark == ICMP message used by PMTU discovery: Packet too big and DF bit set
remark ==
permit icmp any any packet-too-big remark ==
remark == Ping operation packets remark ==
permit icmp any any echo
permit icmp any any echo-reply remark ==
remark == RIP routing updates remark ==
permit udp any any eq 520 remark ==
remark == Deny and log any other packets remark ==
deny ip any any log
!
no ip access-list extended OUTBOUND ip access-list extended OUTBOUND remark ==
remark == Active FTP uses TCP ports 20 and 21 remark ==
permit tcp 155.1.146.0 0.0.0.255 range 20 21 any remark ==
remark == WWW and SMTP use port numbers 80 and 25 remark ==
permit tcp 155.1.146.0 0.0.0.255 eq 80 any permit tcp 155.1.146.0 0.0.0.255 eq 25 any remark ==
remark == DNS uses UDP por 53 and TCP port 53 for zone xfers remark ==
permit udp 155.1.146.0 0.0.0.255 eq 53 any permit tcp 155.1.146.0 0.0.0.255 eq 53 any remark ==
remark == TCP traffic from Loopback0 subnets remark ==
permit tcp 150.1.0.0 0.0.255.255 any remark ==
remark == Outbound traceroute UDP probes remark ==
permit udp any any range 33434 33474 remark ==
remark == Backscatter ICMP traffic for inbound traceroute UDP probes remark ==
permit icmp any any port-unreachable permit icmp any any time-exceeded remark ==
remark == ICMP message used by PMTU discovery: Packet too big and DF bit set
remark ==
permit icmp any any packet-too-big
remark ==
remark == Ping operation packets remark ==
permit icmp any any echo
permit icmp any any echo-reply remark ==
remark == Deny and log any other packets remark ==
deny ip any any log
!
interface Serial 0/0
ip access-group INBOUND in ip access-group OUTBOUND out
!
interface Serial 0/1
ip access-group INBOUND in ip access-group OUTBOUND out
Verification
Note
Extended ACLs allow the matching of source/destination IP addresses and
source/destination ports. In addition to that, you can match ICMP message types, DSCP values, port ranges, TCP flags, and so on. Essentially, extended ACLs permit configuration of a very flexible stateless packet filter. Due to the stateless nature of the filtering, for each “outbound” rule you need a matching “inbound”
rule, permitting the returning traffic. Thus, inbound and outbound extended access-lists usually mirror each other (e.g. port numbers swapped between source and destination IP addresses).
Extended ACLs allow limited “emulation” of stateful behavior for TCP
connections. Specifically, by using the established keyword, you permit all TCP packets that have the “ACK” bit set. This does not include the initial “SYN-only” packet, and thus permits only the packets that are part of an established session.
In order to configure an extended ACL successfully, you need to know the details of application networking logic. At the very least, this includes the TCP/UDP port numbers used by the application. You may also need to know some additional details, for example, how active FTP differs from passive FTP, or how the traceroute utility works, etc. Most of the common ports can be found using the shell prompt and typing the question mark after permit tcp any any eq. You may also learn application ports by using the commands: show ip port-map or show ip nbar port-map.
Another special feature to keep in mind is functionality of outbound access-lists.
The router’s locally generated traffic is not subject to match against the outbound access-lists, only transit traffic matches outbound lists.
Next, we are going to discuss two applications commonly used in practice. The first one is FTP. Per the design, FTP uses two TCP connections, a control connection to send commands, and a data connection to transfer files. The control connection always uses a destination port 21. The data connection may work in one of two modes: active or passive.
1) In active mode, when a client issues a command requiring data transfer, the server instructs the client to listen on an ephemeral port (above 1024) and
initiates a connection to the client sourced from port number 20. In this mode, the server connects to a client on a dynamic destination port.
2) In passive mode, when the client needs to transfer a file, the server opens a new ephemeral port (above 1024) and reports it to the client. The client then connects to the ephemeral port and the data transfer begins. In this mode, the client connects to the server on a dynamic destination port. Note that port 20 is not used in passive mode.
The next application to discuss is the traceroute utility. There are different
variants of the traceroute utilized by various operating systems. IOS uses the so-called UNIX variant. In this variant, the client sends UDP probes with increasing TTL values starting at the TTL of 1. The client sends probes to incrementing UDP ports starting at 33434 for the first hop. The destination IP address in all packets is the target IP address.
1) If the next hop is not the ultimate destination, the receiving device checks the TTL field. If the TTL field expires, the device sends an ICMP time exceeded message sourced from its own IP address. The source node learns the hop number based on the UDP port number, encapsulated as part of the payload in the ICMP response message.
2) If the hop is the ultimate destination, it sends an ICMP port unreachable message for the port range selected specifically not to match any application.
The source node learns the hop count based on the port number.
By default the traceroute utility only probes up to 30 hops, so the default UDP port range is 33434…33464.
Finally, the Path MTU Discovery (PMTUD) process relies on the ICMP message
“packet too big”, also known as “fragmentation required but DF bit set”. Note that you can permit all ICMP unreachable messages using the unreachable
keyword, or permit any ICMP message selectively.
During the creation of access-lists, use remarks extensively in real life
configurations to make management and readability of function easier. In the lab exam, first try typing access-lists in notepad, it is easier to spot mistakes that way. In the lab, it’s also a good idea to add the additionally deny ip any any log in the end of your access list to catch any unnoticed traffic you may have not permitted.
In this verification, we will configure R6 to simulate some of the services, for example, HTTP and DNS:
R6:
ip http server ip dns server
ip host TEST 150.1.6.6
Verify that you can only reach R1 from the Loopbacks of R2, R4 and R6:
Rack1R5#ping 155.1.146.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.146.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/17/20 ms
Rack1R5#traceroute 155.1.146.6
Type escape sequence to abort.
Tracing the route to 155.1.146.6
1 155.1.45.4 12 msec 155.1.0.4 16 msec 155.1.45.4 8 msec
2 155.1.146.6 20 msec * 16 msec
Rack1R5#telnet 155.1.146.6 80 Trying 155.1.146.6, 80 ... Open
Rack1R5#disc 1
Closing connection to 155.1.146.6 [confirm]
Rack1R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R5(config)#ip name-server 155.1.146.6 Rack1R5(config)#ip domain-lookup
Rack1R5(config)#^Z
Rack1R5#ping TEST
Translating "TEST"...domain server (155.1.146.6) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/38/40 ms
Verify that you can originate TCP connections only from a Loopback0 interface, but not from the 155.1.0.0/16 subnets. After this verification, ensure that
traceroute and ping work from behind R4.
Rack1R6#telnet 150.1.5.5 Trying 150.1.5.5 ...
% Destination unreachable; gateway or host down
Rack1R6#telnet 150.1.5.5 /source loopback 0 Trying 150.1.5.5 ... Open
User Access Verification
Password: cisco Rack1R5>
Rack1R6#ping 150.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/38/40 ms
Rack1R6#traceroute 150.1.5.5
Type escape sequence to abort.
Tracing the route to 150.1.5.5
1 155.1.146.4 0 msec 4 msec 0 msec 2 155.1.0.5 16 msec * 16 msec Rack1R6#
Be sure to check your access-list match counters:
Rack1R4#sh ip access-lists Extended IP access list INBOUND
10 permit tcp any 155.1.146.0 0.0.0.255 range ftp-data ftp 20 permit tcp any 155.1.146.0 0.0.0.255 eq www (6 matches) 30 permit tcp any 155.1.146.0 0.0.0.255 eq smtp
40 permit udp any 155.1.146.0 0.0.0.255 eq domain (1 match) 50 permit tcp any 155.1.146.0 0.0.0.255 eq domain
60 permit tcp any 150.1.0.0 0.0.255.255 established (20 matches) 70 permit udp any any range 33434 33474 (6 matches)
80 permit icmp any any port-unreachable (2 matches) 90 permit icmp any any time-exceeded
100 permit icmp any any packet-too-big 110 permit icmp any any echo (10 matches) 120 permit icmp any any echo-reply (5 matches) 130 permit udp any any eq rip (8094 matches) 140 deny ip any any log
Extended IP access list OUTBOUND
10 permit tcp 155.1.146.0 0.0.0.255 range ftp-data ftp any 20 permit tcp 155.1.146.0 0.0.0.255 eq www any (3 matches) 30 permit tcp 155.1.146.0 0.0.0.255 eq smtp any
40 permit udp 155.1.146.0 0.0.0.255 eq domain any (1 match) 50 permit tcp 155.1.146.0 0.0.0.255 eq domain any
60 permit tcp 150.1.0.0 0.0.255.255 any (21 matches) 70 permit udp any any range 33434 33474 (3 matches) 80 permit icmp any any port-unreachable (2 matches) 90 permit icmp any any time-exceeded
100 permit icmp any any packet-too-big 110 permit icmp any any echo (5 matches)
120 permit icmp any any echo-reply (10 matches) 130 deny ip any any log (1 match)