192.168.10.118 0.0.0.0
access-list 141 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255    Allows all hosts from any network to any network.
Just as in our standard access list, the extended access list will require
a hyphen between the words access and list. Next is the list number.
Since we are referencing an extended IP access list, the numbers would
range from 100–199. The access list number serves the same dual purpose
here as we looked at earlier with the standard access list. The router must
have a way to distinguish between access lists. The number serves this
purpose: it ties the lines of an access list together and designates which
access list a given filter line belongs to. The number also tells the router
the type of the access list.
Keywords permit or deny
The keywords permit and deny have the same meaning as in a standard
access list.
Protocol
You have the option of filtering several different protocols using the
extended access list. The protocol field defines what protocol to filter such
as TCP, UDP, ICMP, and IP, to name a few. It is important to remember
here that an IP header is used to transport TCP and UDP; therefore, if you
choose to filter the IP protocol, you will permit or deny all the protocols
transported over IP such as an ICMP message, TCP, or UDP. If you plan to
filter a specific protocol you must specify that protocol. You must use a
systematic approach here when designing your access list.
For example, if your first line in the access list permits IP for a specific
address, and the second line denies UDP for the same address, the second
statement would have no effect. The first line would permit IP, including all
the above layers. An option here is to reverse the order of the statements.
With the statements reversed, UDP would be denied from that address and
all other protocols would be permitted.
Source Address and Wildcard-Mask
The source address and wildcard-mask perform the same function here as
in a standard IP access list. So in our preceding example, we could have
used the keyword host followed by the IP address. The access list would
look as follows:
access-list 141 permit ip host 172.16.130.88 10.0.0.0 0.255.255.255
access-list 141 permit ip host 172.16.130.89 10.0.0.0 0.255.255.255
access-list 141 permit ip host 172.16.130.90 10.0.0.0 0.255.255.255
access-list 141 permit ip 172.16.130.0 0.0.0.255 192.168.10.118 0.0.0.0
access-list 141 permit ip 172.17.0.0 0.0.31.255 192.168.10.0 0.0.0.255
Traffic Filtering on the Cisco IOS • Chapter 2 63
In the first three lines, we are permitting or allowing packets from
individual hosts on subnet 172.16.130.0 to any host on network 10.0.0.0. In
line 4, we are permitting packets with the source address that belongs to
subnet 172.16.130.0 to the destination of host 192.168.10.118. Line 5 tells
us that we are permitting packets with a source address between 172.17.0.0
and 172.17.31.255 with a destination of network 192.168.10.0. The implicit
deny all will deny all other traffic that passes through the interface to which
we have applied the access list. Remember that standard IP access lists have
a default mask of 0.0.0.0. This does not apply to extended access lists, so we
must specify one. There are some shortcuts available, such as the keyword
host, which we used earlier, and the keyword any.
Destination Address and Wildcard Mask
The destination address and wildcard mask have the same effect and
structure as the source address and wildcard mask. So here the keywords
host and any are also available. You can use these keywords to specify
any destination address, or a specific destination host, without writing a
wildcard mask. Remember that extended access lists try to match both
source and destination. A common mistake here is building an extended
access list with the idea of filtering only the source address and forgetting
to specify the destination address. Figure 2.3 shows an example of
our network with the access list applied to interface serial 0 outbound.
Figure 2.3 The access list applied to interface serial 0 outbound.
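The following is an added example, not code from the book, that models the two points made above: the first-match ordering problem (permit ip before deny udp) and the source/destination wildcard-mask matching of access-list 141, including the implicit deny and the "forgot the destination" mistake. It is a small Python simulator of extended-list semantics, not Cisco IOS itself; it only handles the protocol, source and destination fields (no port operators or other options), and the list number 150, the destination addresses and the protocol names used in the demos are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# A Cisco wildcard mask is the inverse of a subnet mask: a 0 bit means the
# packet address must equal that bit of the base address, a 1 bit means
# "don't care". So 0.0.0.255 covers a /24, 0.0.0.0 is a single host (the
# 'host' keyword) and 255.255.255.255 matches everything ('any').
def wildcard_match(addr, base, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Entry:
    number: int
    action: str    # permit | deny
    proto: str     # ip | tcp | udp | icmp
    src: str
    src_wc: str
    dst: str
    dst_wc: str

def _parse_addr(tokens, i, what):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
    Extended lists have no default mask, so a bare address is an error."""
    if i >= len(tokens):
        raise ValueError(f"missing {what} address")
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        if i + 1 >= len(tokens):
            raise ValueError(f"'host' without a {what} address")
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 >= len(tokens):
        raise ValueError(f"{what} address {tokens[i]} has no wildcard mask")
    return tokens[i], tokens[i + 1], i + 2

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST' lines, keeping order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        number = int(t[1])
        if not 100 <= number <= 199:
            raise ValueError(f"{number} is not an extended IP list number (100-199)")
        action, proto = t[2].lower(), t[3].lower()
        src, src_wc, i = _parse_addr(t, 4, "source")
        dst, dst_wc, i = _parse_addr(t, i, "destination")
        entries.append(Entry(number, action, proto, src, src_wc, dst, dst_wc))
    return entries

def evaluate(entries, proto, src, dst):
    """Return (action, line_number) of the first matching entry. 'ip' matches
    every protocol carried in IP. A packet matching nothing hits the
    implicit deny, reported with line None."""
    for n, e in enumerate(entries, start=1):
        if (e.proto in ("ip", proto)
                and wildcard_match(src, e.src, e.src_wc)
                and wildcard_match(dst, e.dst, e.dst_wc)):
            return e.action, n
    return "deny", None

# The chapter's access-list 141, copied from the text above.
ACL_141 = """
access-list 141 permit ip host 172.16.130.88 10.0.0.0 0.255.255.255
access-list 141 permit ip host 172.16.130.89 10.0.0.0 0.255.255.255
access-list 141 permit ip host 172.16.130.90 10.0.0.0 0.255.255.255
access-list 141 permit ip 172.16.130.0 0.0.0.255 192.168.10.118 0.0.0.0
access-list 141 permit ip 172.17.0.0 0.0.31.255 192.168.10.0 0.0.0.255
"""

# Constructed lists for the ordering problem (list number 150 is made up).
ORDER_WRONG = """
access-list 150 permit ip host 172.16.130.88 any
access-list 150 deny udp host 172.16.130.88 any
"""
ORDER_RIGHT = """
access-list 150 deny udp host 172.16.130.88 any
access-list 150 permit ip host 172.16.130.88 any
"""

def ordering_demo():
    """UDP from the host is permitted in the wrong order (line 1 'permit ip'
    shadows line 2), denied in the right order, while TCP still passes."""
    wrong, right = parse_acl(ORDER_WRONG), parse_acl(ORDER_RIGHT)
    return (evaluate(wrong, "udp", "172.16.130.88", "10.1.1.1")[0],
            evaluate(right, "udp", "172.16.130.88", "10.1.1.1")[0],
            evaluate(right, "tcp", "172.16.130.88", "10.1.1.1")[0])

def missing_destination(line):
    """Return the parser's complaint for a line that omits the destination."""
    try:
        parse_acl(line)
    except ValueError as err:
        return str(err)
    return None

if __name__ == "__main__":
    acl = parse_acl(ACL_141)
    for proto, s, d in [("tcp", "172.16.130.88", "10.1.2.3"),
                        ("udp", "172.16.130.5", "192.168.10.118"),
                        ("icmp", "172.17.31.255", "192.168.10.7"),
                        ("icmp", "172.17.32.1", "192.168.10.7")]:
        print(proto, s, "->", d, evaluate(acl, proto, s, d))
    print("ordering (wrong udp, right udp, right tcp):", ordering_demo())
    print(missing_destination("access-list 141 permit ip 172.16.130.0 0.0.0.255"))
```

The last query shows why the "source only" mistake matters: because the extended syntax has no default destination mask, a line that stops after the source is a syntax error in the simulator (and is rejected by IOS), rather than a rule that silently matches any destination.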
Syngress, Managing Cisco Network Security