Cisco Router ACL Summary

Source: Internet
Author: User

IP access control lists (ACLs) are a built-in security feature of Cisco IOS. The following is a summary of the commonly used dynamic ACL mechanisms: Lock-and-Key, TCP Intercept and reflexive ACLs. The router prompt in the command listings is "BitsCN"; the same name is also used for the dynamic entry and the reflexive list in the two cases.

Pt.1 Lock-and-Key Security

Lock-and-Key Overview

Lock-and-Key (dynamic ACL) uses dynamic extended IP ACLs to filter IP traffic. Once configured, traffic that is normally denied can be permitted temporarily: Lock-and-Key adds a temporary entry to the existing ACL on the router interface so that the user's IP traffic can reach the target device, and removes that entry again when it expires, which restores the interface to its original state.

To obtain access to the target device through Lock-and-Key, the user first opens a Telnet session to the router. The router authenticates the user, either against its local user database or through TACACS. If authentication succeeds, the Telnet session is closed automatically and the user is granted temporary access. The temporary entry is removed when its idle timeout or its absolute timeout expires, whichever comes first. Note that Telnet carries the password in cleartext, so the authentication exchange itself should only cross a network you trust.

Perform the following steps to configure Lock-and-Key:

1. Define the dynamic ACL. The static entries are evaluated as usual; the entry marked dynamic is ignored until Lock-and-Key is triggered, and its timeout is the absolute timeout, in minutes, of the temporary entry:
    BitsCN(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} telnet source source-wildcard destination destination-wildcard
2. Optional: allow the absolute timer of the dynamic entry to be extended by an additional six minutes:
    BitsCN(config)# access-list dynamic-extend
3. Select the interface on which the ACL is applied:
    BitsCN(config)# interface interface
4. Apply the ACL to the interface:
    BitsCN(config-if)# ip access-group access-list-number in
5. Select the VTY lines:
    BitsCN(config)# line vty line-number [ending-line-number]
6. Define the users for local authentication:
    BitsCN(config)# username username password password
7. Optional: authenticate through TACACS or against the local user database:
    BitsCN(config-line)# login {tacacs | local}
8. Create the temporary entry when the user has authenticated. The host keyword limits the entry to the address the user authenticated from; without it the entry applies to any source. The timeout here is the idle timeout in minutes: the entry is removed after that many minutes without matching traffic. If no idle timeout is given, only the absolute timeout applies:
    BitsCN(config-line)# autocommand access-enable [host] [timeout minutes]

Case 1: Telnet to 172.16.1.2 is permitted at all times. When a user authenticates successfully, the dynamic entry is activated with an idle timeout of 5 minutes (access-enable timeout 5) and an absolute timeout of 120 minutes (dynamic BitsCN timeout 120):

    !
    interface Ethernet0
     description this document is written by ******
     description powered by BitsCN
     ip address 172.16.1.1 255.255.0
     ip access-group 101 in
    !
    access-list 101 permit tcp any host 172.16.1.2 eq telnet
    access-list 101 dynamic BitsCN timeout 120 permit ip any any
    !
    line vty 0 4
     login tacacs
     autocommand access-enable timeout 5
    !

The subnet mask in the source listing is truncated ("255.255.0"); the intended mask cannot be recovered from the page. Two points are worth checking in this configuration: the first entry of ACL 101 must permit Telnet to the address the user connects to, otherwise nobody can reach the VTY to authenticate, and the autocommand line omits the host keyword, so once any one user has authenticated the "permit ip any any" entry is open for every source address, not just the authenticated one. Add host to restrict it.

Monitoring and Maintaining Lock-and-Key

To view the ACL, including the temporary entries that are currently active:
    BitsCN# show access-lists

Pt.2 TCP Intercept

Overview

Establishing a TCP connection normally takes a three-way handshake:
1. The initiator sends a TCP SYN to the target.
2. On receiving the SYN, the target allocates a transmission control block (TCB) in memory for the half-open connection and replies with a SYN-ACK, then waits for the initiator's answer.
3. The initiator replies with an ACK. The connection is established.

A TCP SYN flood attack works as follows:
1. The attacker sends TCP SYNs to the target, usually from spoofed source addresses that will never answer.
2. For each SYN the target allocates a TCB and replies with a SYN-ACK, then waits for the ACK.
3. The ACK never arrives, so the target keeps the connection in the half-open state, retransmitting the SYN-ACK until it times out.
4. With enough half-open connections the target's TCB resources are exhausted and legitimate connection requests can no longer be served. This completes the denial of service.

TCP Intercept mitigates SYN flood attacks. It has two modes:
1. Intercept mode: the router answers the client's SYN with a SYN-ACK on the server's behalf and waits for the client's ACK. Only after the client completes the handshake does the router open a connection to the real server and join the two halves. Half-open connections from sources that never respond are held on the router and aged out; the server never sees them.
2. Watch mode: the router passes the SYN through to the server and only monitors the connection. If the handshake has not completed within the watch timeout (30 seconds by default), the router sends an RST to the server, which then clears the half-open connection.

To configure TCP Intercept, follow these steps:
1. Define an extended IP ACL that selects the servers to protect (the destination of incoming SYNs):
    BitsCN(config)# access-list access-list-number {deny | permit} tcp any destination destination-wildcard
2. Enable TCP Intercept for the traffic matched by that ACL:
    BitsCN(config)# ip tcp intercept list access-list-number
3. Optional: select the mode. The default is intercept mode:
    BitsCN(config)# ip tcp intercept mode {intercept | watch}
4. Optional: select which half-open connection is dropped when the router itself has to shed load. The default is to drop the oldest:
    BitsCN(config)# ip tcp intercept drop-mode {oldest | random}
5. Optional: set the watch timeout, after which an unfinished handshake is reset in watch mode. The default is 30 seconds:
    BitsCN(config)# ip tcp intercept watch-timeout seconds
6. Optional: set how long the router keeps managing a connection after it has gone inactive. The default is 24 hours:
    BitsCN(config)# ip tcp intercept connection-timeout seconds

Monitoring and Maintaining TCP Intercept

1. Display the connections the router is intercepting or watching:
    BitsCN# show tcp intercept connections
2. Display TCP Intercept statistics:
    BitsCN# show tcp intercept statistics

Pt.3 Reflexive ACLs

Overview

Reflexive ACLs filter IP traffic based on upper-layer session information (addresses and port numbers). They permit only the return traffic of sessions initiated from one side, which implements one-way traversal. A reflexive ACL can only be defined inside a named extended IP ACL. Because the temporary entries mirror the exact addresses and ports of the outgoing packet, reflexive ACLs do not work for applications that change port numbers during a session, such as active-mode FTP.

Perform the following steps to configure a reflexive ACL:
1. Define a named extended ACL:
    BitsCN(config)# ip access-list extended name
2. Inside it, create the reflexive entries: each packet permitted by this line creates a temporary mirrored entry in the reflexive list name, which expires after timeout seconds without traffic:
    BitsCN(config-ext-nacl)# permit protocol any any reflect name [timeout seconds]
3. In the named ACL for the opposite direction, nest the reflexive list. If no temporary entry matches, processing continues with the next line of the ACL:
    BitsCN(config-ext-nacl)# evaluate name
4. Apply the named ACLs to the interface:
    BitsCN(config-if)# ip access-group name {in | out}
5. Optional: set the global timeout for reflexive entries that specify none:
    BitsCN(config)# ip reflexive-list timeout seconds

Case 2: Router B connects the internal network 192.168.0.0/24 to the outside. The 10.0.0.0/30 link on Router B's serial interface and the network upstream of it are the external area. Router A and Router B exchange routing updates with each other (the routing protocol's name is garbled in the source and cannot be recovered; its entries appear below as "permit <routing-protocol> any any"). The requirements are: routing-protocol and ICMP traffic is permitted in both directions; TCP and UDP sessions initiated from the internal network towards the external network are permitted, together with their return traffic; TCP and UDP sessions initiated from the external network towards the internal network are denied. The configuration is as follows:

    !
    ip access-list extended inbound
     permit <routing-protocol> any any
     permit icmp any any
     evaluate BitsCN
    !
    ip access-list extended outbound
     permit <routing-protocol> any any
     permit icmp any any
     permit tcp any any reflect BitsCN
     permit udp any any reflect BitsCN
    !
    interface Ethernet0
     description this document is written by ******
     description powered by BitsCN
     ip address 192.168.0.1 255.255.255.0
     ip access-group outbound in
     ip access-group inbound out
    !

The ACL names are relative to the internal network: "outbound" is traffic leaving it, "inbound" is traffic entering it. Ethernet0 (192.168.0.1) is the internal interface, so outbound traffic enters the router there and the ACL containing reflect must be applied in, while the ACL containing evaluate must be applied out. The source listing applied inbound in and outbound out on this interface, which reverses the two directions; those directions are correct only when the ACLs are applied to the serial (external) interface instead.
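Returning to Pt.1: the following Python model is an added example, not code from the article and not an IOS implementation. It shows the Lock-and-Key lifecycle described above in executable form: the static entry permits Telnet at all times, the dynamic "permit ip any any" entry only takes effect through a temporary entry created after authentication, that entry dies on the idle timeout (access-enable timeout) or the absolute timeout (dynamic ... timeout), and omitting the host keyword opens the entry for every source. The local user database USERS, the 10.1.1.0/24 client addresses and the per_host flag (standing in for the host keyword) are assumptions; the timer values (120 minutes absolute, 5 minutes idle) and the Telnet target 172.16.1.2 are taken from Case 1.

```python
"""Lock-and-Key lifecycle model (added example, not the article's code, not IOS).
Assumed/constructed: USERS, the 10.1.1.0/24 clients, and per_host as a stand-in
for the 'host' keyword of 'autocommand access-enable'."""
from dataclasses import dataclass
from typing import List, Optional

TELNET = 23
USERS = {"alice": "s3cret"}  # constructed stand-in for 'username alice password s3cret'


@dataclass
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass
class TempEntry:
    """The entry access-enable adds in front of the dormant dynamic entry."""
    src: Optional[str]   # None models access-enable without 'host': any source
    created: float       # seconds
    last_hit: float
    absolute: float      # 'access-list ... dynamic NAME timeout MIN', converted to seconds
    idle: float          # 'autocommand access-enable timeout MIN', converted to seconds

    def live(self, now: float) -> bool:
        return now - self.created < self.absolute and now - self.last_hit < self.idle


class LockAndKeyACL:
    def __init__(self, telnet_target: str, absolute_minutes: int, idle_minutes: int,
                 per_host: bool = True) -> None:
        self.telnet_target = telnet_target
        self.absolute = absolute_minutes * 60
        self.idle = idle_minutes * 60
        self.per_host = per_host
        self.temp: List[TempEntry] = []

    def permits(self, pkt: Packet, now: float) -> bool:
        # Static entry: 'access-list 101 permit tcp any host <target> eq telnet'
        if pkt.proto == "tcp" and pkt.dst == self.telnet_target and pkt.dport == TELNET:
            return True
        # Dynamic entry 'permit ip any any': effective only through live temporary entries
        self.temp = [e for e in self.temp if e.live(now)]
        for e in self.temp:
            if e.src is None or e.src == pkt.src:
                e.last_hit = now   # matching traffic resets the idle timer
                return True
        return False               # implicit deny at the end of every ACL

    def telnet_login(self, src: str, user: str, password: str, now: float) -> bool:
        """Models the Telnet session that triggers Lock-and-Key."""
        # The user must reach the VTY through the static entry first.
        if not self.permits(Packet("tcp", src, self.telnet_target, TELNET), now):
            return False
        if USERS.get(user) != password:   # 'login local' fails: no entry is created
            return False
        # 'autocommand access-enable [host] timeout N' runs, then the session closes.
        self.temp.append(TempEntry(src if self.per_host else None, now, now,
                                   self.absolute, self.idle))
        return True


def scenario() -> dict:
    acl = LockAndKeyACL("172.16.1.2", absolute_minutes=120, idle_minutes=5)
    web = Packet("tcp", "10.1.1.5", "172.16.1.2", 80)
    other = Packet("tcp", "10.1.1.9", "172.16.1.2", 80)
    r = {}
    r["telnet_before_auth"] = acl.permits(Packet("tcp", "10.1.1.5", "172.16.1.2", TELNET), 0)
    r["web_before_auth"] = acl.permits(web, 0)
    r["bad_password"] = acl.telnet_login("10.1.1.5", "alice", "wrong", 0)
    r["login"] = acl.telnet_login("10.1.1.5", "alice", "s3cret", 0)
    r["web_after_auth"] = acl.permits(web, 10)
    r["other_host_after_auth"] = acl.permits(other, 10)   # 'host' keyword in effect
    r["web_after_idle_expiry"] = acl.permits(web, 10 + 5 * 60 + 1)
    # Second session kept busy every minute: the idle timer never fires,
    # but the absolute timer still ends the session after 120 minutes.
    acl.telnet_login("10.1.1.5", "alice", "s3cret", 1000)
    r["web_kept_alive"] = all(acl.permits(web, t) for t in range(1000, 1000 + 120 * 60, 60))
    r["web_after_absolute_expiry"] = acl.permits(web, 1000 + 120 * 60 + 1)
    # Case 1 as written (no 'host' keyword): one login opens the entry for every source.
    open_acl = LockAndKeyACL("172.16.1.2", 120, 5, per_host=False)
    open_acl.telnet_login("10.1.1.5", "alice", "s3cret", 0)
    r["other_host_without_host_keyword"] = open_acl.permits(other, 1)
    return r


if __name__ == "__main__":
    for name, permitted in scenario().items():
        print(f"{name:34s} {'permit' if permitted else 'deny'}")
```

The last result is the one to look at when reviewing a Lock-and-Key configuration: with per_host=False (the case's autocommand line without host), a host that never authenticated is permitted as soon as someone else has.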
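For Pt.2, the following model is an added example, not code from the article and not how IOS is implemented. It replays a SYN flood from sources that never send the ACK, plus one legitimate client, through the two TCP Intercept modes, and records what the protected server observes: in intercept mode the server only ever sees the one completed handshake, while in watch mode it accumulates half-open connections until the router resets them after the watch timeout. The drop_demo function shows the effect of drop-mode oldest versus random when the router's own table is full. Assumptions: a single timeout value is used for both modes, the table size max_half_open is an illustrative parameter, and the client addresses are constructed from the 198.51.100.0/24 and 192.0.2.0/24 documentation ranges.

```python
"""TCP Intercept model: intercept versus watch mode under a SYN flood.
Added example, not the article's code and not IOS. Assumed: one timeout for
both modes, an illustrative max_half_open table size, constructed addresses."""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Server:
    """What the protected server observes."""
    syns: int = 0
    resets: int = 0
    established: int = 0
    half_open: Set[str] = field(default_factory=set)

    def syn(self, client: str) -> None:
        self.syns += 1
        self.half_open.add(client)      # a TCB is allocated here

    def ack(self, client: str) -> None:
        self.half_open.discard(client)
        self.established += 1

    def rst(self, client: str) -> None:
        self.resets += 1
        self.half_open.discard(client)  # the TCB is released


class TcpIntercept:
    def __init__(self, server: Server, mode: str = "intercept", watch_timeout: float = 30,
                 drop_mode: str = "oldest", max_half_open: int = 1000, seed: int = 0) -> None:
        assert mode in ("intercept", "watch") and drop_mode in ("oldest", "random")
        self.server, self.mode, self.watch_timeout = server, mode, watch_timeout
        self.drop_mode, self.max_half_open = drop_mode, max_half_open
        self.pending: Dict[str, float] = {}   # half-open connections tracked by the router
        self.rng = random.Random(seed)

    def client_syn(self, client: str, now: float) -> None:
        self.tick(now)
        if len(self.pending) >= self.max_half_open:
            # 'ip tcp intercept drop-mode {oldest | random}'
            victim = (min(self.pending, key=self.pending.get) if self.drop_mode == "oldest"
                      else self.rng.choice(list(self.pending)))
            self._drop(victim)
        self.pending[client] = now
        if self.mode == "watch":
            self.server.syn(client)     # the SYN passes through; the router only watches
        # intercept mode: the router sends the SYN-ACK itself; the server sees nothing yet

    def client_ack(self, client: str, now: float) -> bool:
        if client not in self.pending:
            return False
        del self.pending[client]
        if self.mode == "intercept":
            self.server.syn(client)     # router now completes a handshake with the server
        self.server.ack(client)
        return True

    def tick(self, now: float) -> None:
        """Age out half-open connections ('ip tcp intercept watch-timeout')."""
        for client in [c for c, t in self.pending.items() if now - t >= self.watch_timeout]:
            self._drop(client)

    def _drop(self, client: str) -> None:
        del self.pending[client]
        if self.mode == "watch":
            self.server.rst(client)     # server clears the half-open connection
        # intercept mode: nothing to reset, the server never allocated a TCB


def flood(mode: str, attackers: int = 200) -> dict:
    server = Server()
    router = TcpIntercept(server, mode=mode, watch_timeout=30)
    for i in range(attackers):               # spoofed sources that never send the ACK
        router.client_syn(f"198.51.100.{i}", now=0)
    router.client_syn("192.0.2.10", now=1)   # one legitimate client completes the handshake
    router.client_ack("192.0.2.10", now=2)
    before = len(server.half_open)
    router.tick(now=31)                      # the watch timeout elapses
    return {"server_syns": server.syns, "half_open_before_timeout": before,
            "half_open_after_timeout": len(server.half_open), "server_resets": server.resets,
            "established": server.established, "router_pending": len(router.pending)}


def drop_demo(drop_mode: str) -> List[str]:
    router = TcpIntercept(Server(), max_half_open=3, drop_mode=drop_mode)
    for i, client in enumerate(["c0", "c1", "c2", "c3"]):
        router.client_syn(client, now=i)     # the fourth SYN forces a drop
    return sorted(router.pending)


if __name__ == "__main__":
    for mode in ("intercept", "watch"):
        print(mode, flood(mode))
    print("oldest:", drop_demo("oldest"), "random:", drop_demo("random"))
```

The numbers make the trade-off visible: watch mode is transparent to the server but lets it hold 200 half-open connections for the full watch timeout, whereas intercept mode costs the router state for every SYN but keeps the server's TCB pool untouched.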
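For Pt.3 and Case 2, the following model is an added example, not the article's code and not an IOS implementation. It shows what reflect and evaluate actually do: a permitted outbound packet creates a temporary entry with source and destination addresses and ports swapped, and only an inbound packet matching that mirrored 5-tuple passes evaluate; an unsolicited inbound SYN, a reply to the wrong port, or a reply arriving after the timeout is denied, while the static ICMP entry still passes. Assumptions: the external hosts 203.0.113.5 and 203.0.113.9 (documentation range), the port numbers, a 300-second timeout, and immediate removal of the TCP entry on FIN or RST. The routing-protocol entries of Case 2 are omitted because their protocol keyword is garbled in the source.

```python
"""Reflexive ACL model for Case 2 (added example, not the article's code, not IOS).
Assumed/constructed: the 203.0.113.0/24 external hosts, ports, 300 s timeout."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


@dataclass
class Pkt:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "FA", "R"


class ReflexiveList:
    """The temporary entries created by 'reflect NAME'."""

    def __init__(self, timeout: float = 300) -> None:
        self.timeout = timeout
        self.entries: Dict[Key, float] = {}   # mirrored 5-tuple -> expiry time

    def _purge(self, now: float) -> None:
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}

    def reflect(self, pkt: Pkt, now: float) -> None:
        # Mirror of the outbound packet: addresses and ports swapped.
        self._purge(now)
        self.entries[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now + self.timeout

    def evaluate(self, pkt: Pkt, now: float) -> bool:
        self._purge(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.entries:
            return False
        if pkt.proto == "tcp" and ("F" in pkt.flags or "R" in pkt.flags):
            del self.entries[key]    # session end (modelled as immediate removal)
        else:
            self.entries[key] = now + self.timeout   # traffic refreshes the timer
        return True


# Named extended ACL lines: ("permit", proto, reflect_list_or_None) or ("evaluate", list)
Rule = Tuple[str, ...]


def acl_permits(rules: List[Rule], pkt: Pkt, now: float,
                lists: Dict[str, ReflexiveList]) -> bool:
    for rule in rules:
        if rule[0] == "permit":
            _, proto, reflect = rule
            if proto in ("ip", pkt.proto):
                if reflect:
                    lists[reflect].reflect(pkt, now)
                return True
        elif rule[0] == "evaluate" and lists[rule[1]].evaluate(pkt, now):
            return True   # no match in the reflexive list: fall through to the next line
    return False          # implicit deny


OUTBOUND: List[Rule] = [("permit", "icmp", None), ("permit", "tcp", "BitsCN"),
                        ("permit", "udp", "BitsCN")]
INBOUND: List[Rule] = [("permit", "icmp", None), ("evaluate", "BitsCN")]


def scenario() -> dict:
    lists = {"BitsCN": ReflexiveList(timeout=300)}

    def out(p: Pkt, t: float) -> bool:   # internal -> external
        return acl_permits(OUTBOUND, p, t, lists)

    def inb(p: Pkt, t: float) -> bool:   # external -> internal
        return acl_permits(INBOUND, p, t, lists)

    r = {}
    r["out_tcp_syn"] = out(Pkt("tcp", "192.168.0.10", "203.0.113.5", 40000, 80, "S"), 0)
    r["in_tcp_reply"] = inb(Pkt("tcp", "203.0.113.5", "192.168.0.10", 80, 40000, "SA"), 1)
    r["in_tcp_wrong_port"] = inb(Pkt("tcp", "203.0.113.5", "192.168.0.10", 80, 40001, "SA"), 1)
    r["in_tcp_unsolicited"] = inb(Pkt("tcp", "203.0.113.9", "192.168.0.10", 4444, 22, "S"), 1)
    r["in_icmp"] = inb(Pkt("icmp", "203.0.113.9", "192.168.0.10"), 1)
    r["in_udp_unsolicited"] = inb(Pkt("udp", "203.0.113.5", "192.168.0.10", 53, 5555), 2)
    r["out_udp_query"] = out(Pkt("udp", "192.168.0.10", "203.0.113.5", 5555, 53), 2)
    r["in_udp_reply"] = inb(Pkt("udp", "203.0.113.5", "192.168.0.10", 53, 5555), 3)
    r["in_tcp_after_timeout"] = inb(Pkt("tcp", "203.0.113.5", "192.168.0.10", 80, 40000, "A"), 301)
    out(Pkt("tcp", "192.168.0.10", "203.0.113.5", 40002, 443, "S"), 500)
    r["in_tcp_fin"] = inb(Pkt("tcp", "203.0.113.5", "192.168.0.10", 443, 40002, "FA"), 501)
    r["in_tcp_after_fin"] = inb(Pkt("tcp", "203.0.113.5", "192.168.0.10", 443, 40002, "A"), 502)
    return r


if __name__ == "__main__":
    for name, permitted in scenario().items():
        print(f"{name:24s} {'permit' if permitted else 'deny'}")
```

Because the mirrored entry is keyed on the full 5-tuple, a server that opens a second connection back on a different port (the active-FTP data channel mentioned above) gets no entry and is denied, which is the limitation to keep in mind when choosing reflexive ACLs.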
