... 192.168.10.118 0.0.0.0
access-list 141 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255    Allows all hosts from any network to any network.


Just as in our standard access list, the extended access list will require a hyphen between the words access and list. Next is the list number. Since we are referencing an extended IP access list, the numbers range from 100–199. The access list number serves the same dual purpose here as it did with the standard access list we looked at earlier. The router must have a way to distinguish between access lists; the number performs this purpose, ties the lines of an access list together, and designates which access list a given line belongs to. The number also tells the router the type of the access list.

Keywords permit or deny

The keywords permit and deny have the same meaning as for a standard access list.

Protocol

You have the option of filtering several different protocols using the extended access list. The protocol field defines what protocol to filter, such as TCP, UDP, ICMP, and IP, to name a few. It is important to remember here that an IP header is used to transport TCP and UDP; therefore, if you choose to filter the IP protocol, you will permit or deny all the protocols transported over IP, such as an ICMP message, TCP, or UDP. If you plan to filter a specific protocol, you must specify that protocol. You must use a systematic approach here when designing your access list.

For example, if the first line in the access list permits IP for a specific address and the second line denies UDP for the same address, the second statement would have no effect: the first line permits IP, including all the protocols carried above it. An option here is to reverse the order of the statements. With the statements reversed, UDP would be denied from that address and all other protocols would be permitted.

Source Address and Wildcard-Mask

The source address and wildcard-mask perform the same function here as in a standard IP access list. So in our preceding example, we could have used the keyword host followed by the IP address. The access list would look as follows:

access-list 141 permit ip host 172.16.130.88 10.0.0.0 0.255.255.255
access-list 141 permit ip host 172.16.130.89 10.0.0.0 0.255.255.255
access-list 141 permit ip host 172.16.130.90 10.0.0.0 0.255.255.255
access-list 141 permit ip 172.16.130.0 0.0.0.255 192.168.10.118 0.0.0.0
access-list 141 permit ip 172.17.0.0 0.0.31.255 192.168.10.0 0.0.0.255

Traffic Filtering on the Cisco IOS • Chapter 2 63

In the first three lines, we are permitting or allowing packets from individual hosts on subnet 172.16.130.0 to any host on network 10.0.0.0. In line 4, we are permitting packets with a source address that belongs to subnet 172.16.130.0 to the destination host 192.168.10.118. Line 5 tells us that we are permitting packets with a source address between 172.17.0.0 and 172.17.31.255 and a destination on network 192.168.10.0. The implicit deny all will deny all other traffic that passes through the interface to which we have applied the access list. Remember that standard IP access lists have a default mask of 0.0.0.0. This does not apply to extended access lists, so we must specify one. There are some shortcuts available, such as the keyword host, as we used earlier, and the keyword any.

Destination Address and Wildcard Mask

The destination address and wildcard mask have the same effect and structure as the source address and wildcard mask. So here the keywords host and any are also available. You can use these keywords to specify any destination address, or a specific destination host, without writing out the wildcard mask. Remember that extended access lists try a match on both source and destination. A common mistake here is trying to build an extended access list with the idea of filtering only the source address and forgetting to specify the destination address. Figure 2.3 shows an example of our network with the access list applied to interface serial 0 outbound.

Figure 2.3 The access list applied to interface serial 0 outbound.
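As an added example, not taken from the book, the following Python script is a small first-match evaluator for extended IP access lists written in the access-list 100–199 syntax used above. It implements wildcard-mask matching, the host and any shortcuts, the implicit deny at the end of the list, and the rule that an ip entry covers every protocol carried over IP, and it flags lines that an earlier line shadows. It works through the permit-ip-then-deny-udp ordering described under Protocol and the five-line list 141 from the source-address section. The list numbered 150 and every packet address used to exercise the lists are constructed for this example; ports and the other options of the real IOS syntax are deliberately not modelled.

```python
"""Added example, not from the book: a first-match evaluator for extended IP access
lists (numbers 100-199). Ports and other options of the real IOS syntax are not modelled."""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF

@dataclass(frozen=True)
class Entry:
    action: str     # "permit" or "deny"
    proto: str      # "ip", "tcp", "udp", "icmp", ...
    src: int        # address as a 32-bit integer
    src_wild: int   # wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wild: int

def _addr(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if tokens[0] == "host":
        return _addr(tokens[1]), 0, tokens[2:]
    if len(tokens) < 2:  # unlike standard lists there is no default mask of 0.0.0.0
        raise ValueError("extended access lists need an explicit wildcard mask")
    return _addr(tokens[0]), _addr(tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse lines of the form: access-list <100-199> <permit|deny> <proto> <src> <dst>."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue  # blank line or IOS comment
        if tok[0] != "access-list" or not 100 <= int(tok[1]) <= 199:
            raise ValueError(f"not an extended IP access list line: {line!r}")
        src, src_wild, rest = _parse_addr(tok[4:])
        dst, dst_wild, rest = _parse_addr(rest)
        if rest:
            raise ValueError(f"unsupported trailing options: {rest}")
        entries.append(Entry(tok[2], tok[3], src, src_wild, dst, dst_wild))
    return entries

def _addr_match(addr, wild, pkt_addr):
    care = ~wild & ALL_ONES  # the bits the entry insists on
    return (addr & care) == (pkt_addr & care)

def evaluate(entries, proto, src, dst):
    """(action, line number) of the first matching line; ("deny", None) is the implicit deny."""
    s, d = _addr(src), _addr(dst)
    for number, e in enumerate(entries, start=1):
        # "ip" covers every protocol carried over IP; a named protocol matches only itself
        if ((e.proto == "ip" or e.proto == proto)
                and _addr_match(e.src, e.src_wild, s)
                and _addr_match(e.dst, e.dst_wild, d)):
            return e.action, number
    return "deny", None

def _covers(a, b):
    """True if every packet matching entry b would already have matched entry a."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    for addr_a, wild_a, addr_b, wild_b in ((a.src, a.src_wild, b.src, b.src_wild),
                                           (a.dst, a.dst_wild, b.dst, b.dst_wild)):
        care_a = ~wild_a & ALL_ONES
        if (wild_b & care_a) or (addr_a & care_a) != (addr_b & care_a):
            return False  # b leaves free a bit that a fixes, or fixes it differently
    return True

def shadowed_lines(entries):
    """Line numbers an earlier line covers, so they can never be reached (same action:
    redundant; opposite action: the ordering mistake described in the text)."""
    return [j + 1 for j, e in enumerate(entries) if any(_covers(entries[i], e) for i in range(j))]

# The ordering example from the text; list number 150 is constructed for this example.
ORDER_PERMIT_FIRST = """
access-list 150 permit ip host 172.16.130.88 any
access-list 150 deny udp host 172.16.130.88 any
"""
ORDER_DENY_FIRST = """
access-list 150 deny udp host 172.16.130.88 any
access-list 150 permit ip host 172.16.130.88 any
"""
# The five-line list 141 shown in the text.
BOOK_LIST = """
access-list 141 permit ip host 172.16.130.88 10.0.0.0 0.255.255.255
access-list 141 permit ip host 172.16.130.89 10.0.0.0 0.255.255.255
access-list 141 permit ip host 172.16.130.90 10.0.0.0 0.255.255.255
access-list 141 permit ip 172.16.130.0 0.0.0.255 192.168.10.118 0.0.0.0
access-list 141 permit ip 172.17.0.0 0.0.31.255 192.168.10.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, text in (("permit ip first", ORDER_PERMIT_FIRST), ("deny udp first", ORDER_DENY_FIRST)):
        acl = parse_acl(text)  # constructed packet: UDP from .88 to 10.1.1.1
        print(name, evaluate(acl, "udp", "172.16.130.88", "10.1.1.1"), "shadowed:", shadowed_lines(acl))
    book = parse_acl(BOOK_LIST)  # .91 is none of the three hosts; only line 4's destination admits it
    print(evaluate(book, "tcp", "172.16.130.91", "10.5.6.7"), evaluate(book, "icmp", "172.16.130.91", "192.168.10.118"))
```

With permit ip first, a UDP packet from 172.16.130.88 matches line 1 and line 2 is reported as shadowed; with the order reversed, UDP is denied by line 1 and TCP from the same host is permitted by line 2. Against list 141, a packet from 172.16.130.91 to 10.5.6.7 falls through to the implicit deny because neither the host lines nor the line 4 destination match it, while the same source addressed to 192.168.10.118 is permitted by line 4, which is the destination-matching point the text makes.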