





Access-lists
djmaplethorpe

2003-03-20, 11:59 am

Can anyone give me a better way of trying to understand access-lists? There seem to be too many variables for me to grasp.

The rest of the book seems to be pretty straightforward and somewhat review, but I've never done much with ACLs.

TIA
edmonds_robert

2003-03-20, 12:16 pm

Is there anything in particular you are having trouble with? Or is it the whole ACL concept?

Please refer to the following SANS article, "Easy steps to Cisco Extended Access Lists". It has a good explanation and several references.

http://www.sans.org/rr/netdevices/easy_steps.php
soccer4net

2003-03-20, 12:17 pm

Maybe if you specified what part you didn't understand you'd get some help. You can't expect people to give you an all inclusive lecture on ACLs.
djmaplethorpe

2003-03-20, 12:23 pm

quote:
Originally posted by soccer4net
Maybe if you specified what part you didn't understand you'd get some help. You can't expect people to give you an all inclusive lecture on ACLs.



I wasn't aware that I was asking for an "all inclusive lecture". I was merely asking for a better way to understand them, and by this I meant how to remember what comes in what order as far as the configuration. I understand the concept perfectly. I hope this doesn't constitute a lecture.
djmaplethorpe

2003-03-20, 12:24 pm

quote:
Originally posted by edmonds_robert
Is there anything in particular you are having trouble with? Or is it the whole ACL concept?

Please refer to the following SANS article, "Easy steps to Cisco Extended Access Lists". It has a good explanation and several references.

http://www.sans.org/rr/netdevices/easy_steps.php



Thanks for the link, very helpful
soccer4net

2003-03-20, 12:36 pm

quote:
Originally posted by djmaplethorpe
I wasn't aware that I was asking for an "all inclusive lecture". I was merely asking for a better way to understand them, and by this I meant how to remember what comes in what order as far as the configuration. I understand the concept perfectly. I hope this doesn't constitute a lecture.


Not a challenge buddy, I just don't like it when people don't bother doing any research and then expect people to hold their hand for them.

If you specify what you're having difficulty with, like this:

quote:
by this I meant how to remember what comes in what order as far as the configuration. I understand the concept perfectly


Then we know where you are and don't waste time going over what you do know.

I hope the article explained it. First you create an access-list, then you apply it to the appropriate interface (with the ip access-group command). The main place people tend to get confused is the in/out concept. You have to think from the router's point of view. If you want to keep traffic from going to the eth network, you're blocking traffic from going out the eth port (not in to the eth network).
edmonds_robert

2003-03-20, 2:04 pm

While we're on the subject of access lists, let me share a very cool use (for those of you that may not have seen this) for access lists. Apply them to your vty lines to 1. control who can telnet to your router and 2. to ensure that you (the network admin) can ALWAYS telnet to your router.
This is accomplished by creating two access lists. The first allows only the networks from which you want to be able to telnet, and the second allows only the net admin's computer. So let's say you want to allow the 10.0.0.0/8 network telnet access and the 192.168.0.0/24 network also. Your net admin's computer's IP address is 192.168.0.10. Your config might look a little like this.

access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.0.0 0.0.0.255
! wildcard 0.0.0.0 matches exactly this host (a wildcard of 255.255.255.255 would match any source)
access-list 2 permit 192.168.0.10 0.0.0.0

line vty 0 3
 access-class 1 in
line vty 4
 access-class 2 in

What the second half does is it ensures that if your first three vty lines are tied up, either through legitimate or malicious access, line 4 will always be available to the net admin. Pretty cool, eh?

There are of course a hundred more cool (in the geek sense of cool, that is) ways of using access lists to control access, filter routing protocol updates, etc., but we'll cover them next time.
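As an added illustration (not part of the post above): a small Python model of how IOS evaluates a standard ACL top-down with wildcard masks and the implicit deny at the end, run against the two lists from the post. The vty line selection is a simplified assumption (lines 0-3 first if free, then line 4), and the check also shows why a wildcard of 255.255.255.255 would match every source while 0.0.0.0 matches the single admin host.

```python
import ipaddress

# Constructed sample: the two standard ACLs from the post as (action, address, wildcard).
# Wildcard bits set to 1 are "don't care"; 0.0.0.0 is the IOS "host" match.
ACL_1 = [
    ("permit", "10.0.0.0", "0.255.255.255"),
    ("permit", "192.168.0.0", "0.0.0.255"),
]
ACL_2 = [
    ("permit", "192.168.0.10", "0.0.0.0"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard test: bits that are 0 in the wildcard must be equal, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, src: str) -> str:
    """First matching entry wins; no match hits the implicit 'deny' at the end of every ACL."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


def vty_decision(src: str, lines_0_3_busy: bool) -> str:
    """Simplified model (assumption): access-class 1 guards vty 0-3, access-class 2 guards vty 4."""
    if not lines_0_3_busy and evaluate(ACL_1, src) == "permit":
        return "vty 0-3"
    if evaluate(ACL_2, src) == "permit":
        return "vty 4"
    return "refused"


if __name__ == "__main__":
    for src, busy in [("10.20.30.40", False), ("192.168.0.10", True), ("192.168.0.5", True)]:
        print(src, "busy" if busy else "free", "->", vty_decision(src, busy))
    # An all-ones wildcard behaves like 'permit any': every source matches.
    print("255.255.255.255 wildcard matches 8.8.8.8:",
          wildcard_match("8.8.8.8", "192.168.0.10", "255.255.255.255"))
```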
soccer4net

2003-03-20, 2:29 pm

While we're on the subject of access-lists...

IP spoofing makes basic access-lists semi-obsolete.
djmaplethorpe

2003-03-20, 3:42 pm

quote:
Originally posted by soccer4net
Not a challenge buddy, I just don't like it when people don't bother doing any research and then expect people to hold their hand for them.




Not a problem, and I didn't mean to step on toes or ruffle feathers. I sometimes don't articulate myself very well and expect people to read into it and know what I am asking. And yes, thanks, the article did help; I will read it several times to ensure its adhesion to my brain.
edmonds_robert

2003-03-20, 4:41 pm

quote:
Originally posted by soccer4net
While we're on the subject of access-lists...

IP spoofing makes basic access-lists semi-obsolete.



True, true. But at least as far as spoofing from outside your network is concerned, just about every firewall on the market (commercial firewalls, at least) does offer very good protection against IP spoofing. Of course, if you have someone on the inside, then you have other problems.
Copyright 2003 - 2008 examnotes.net