1/10/2015

i. ACCESS CONTROL AND NAT | CCNA Basics

CCNA Basics

Category Archives: i. ACCESS CONTROL AND NAT
August 24, 2012

9.1 ACCESS CONTROL LIST (ACL)


Introduction
Access control means restricting access to the router, i.e., only those who have access to the router can forward traffic through it. This access is controlled by an access control list, which is a set of permit and deny statements.
Why ACL?
Reasons for needing an ACL are:
1. Routers can confine problems such as excessive broadcasts, duplicate IP addresses, unauthorized DHCP servers and misbehaving Windows NT and Novell servers to a local network.
Sometimes, though, standard routing capabilities aren't enough.
2. Added filtering capabilities, such as access control lists, are needed.
3. Filter traffic for control of routed traffic.
4. Block or forward traffic based on information embedded in packets.
5. Dictate when to drop packets based on source or destination address or port, through sophisticated filtering.
6. Protect against source-routing attacks, IP address spoofing, and TCP small-packet attacks.
Access control lists deny unwanted access and allow appropriate access to the network.
To control access, we can use certain security tools or utilize some router features.

Security tools are:
- Passwords
- Callback equipment
- Physical security devices
Router features are:
- Traffic filtering
- Specific controls
An access control list is a sequential collection of permit and/or deny statements that apply to addresses or upper-layer protocols. Each statement defines a pattern that would be found in an IP packet. As each packet comes through an interface with an associated access list, the list is scanned from top to bottom, and the permit or deny rule associated with the first matching pattern determines that packet's fate. A statement can also use a mask (wildcard) to identify how much of an IP source or destination address to apply to the pattern match.
Instructions applied to a router's interface tell the router what kind of packets to accept or deny, with acceptance and denial based on certain specifications such as:
- Source address
- Destination address
- Port number
Routers manage traffic and process specific packets by grouping an ACL to an interface. Grouping activates an ACL on a specific interface so that any traffic through the interface is tested against conditions contained in the ACL such as:
- Source address of traffic
- Destination address of traffic
- Upper-layer protocol
An ACL must be defined on a per-protocol basis.
Example: If a router interface is configured for IP, AppleTalk and IPX, we need to define at least three (3) ACLs.
ACLs are of 2 types:
1. Standard ACL: it blocks traffic considering only the source IP.
2. Extended ACL: it checks source IP, destination IP and various protocols. It is further of 2 types:
   - Named ACL: the ACL is identified by a name.
   - Numbered ACL: the ACL is identified by a unique number.
ACL config guidelines:
- Access list statements are entered one line at a time.
- The list is scanned for a match in that same order.
- If you must make a change, you have to re-enter the entire list.
- Once an ACL is associated with an interface, any packet not matched by any statement in the list is dropped by default.
- You must associate the ACL with the interface on the router where you want to apply the filtering.
- ACL numbers indicate which protocol is filtered.
- One ACL per interface, per protocol, per direction is allowed.
- The order of ACL statements controls testing.
- The last ACL entry is always an implicit deny, so every list needs at least one permit statement.
- The ACL must be created before applying it to an interface.
- ACLs filter traffic going through the router; they do not filter traffic originating from the router.
Apply an ACL to:
- incoming packets (an in access list), or to
- outgoing packets (an out access list).
OUT access lists: set up the filter only on the one outgoing interface. This improves performance because only the network you are protecting will force a lookup on the access list.
Reasons to create an ACL:
- Limit network traffic and increase network performance
- Provide traffic flow control
- Provide a basic level of security for network access
- Decide which types of traffic to forward or block
Important points while creating an ACL:
- The order of ACL statements is important. The most restrictive statements go at the top of the list.
- Additional statements are added at the end.
- ACL numbers indicate which protocol is filtered.
- You cannot edit an ACL in IOS (you must delete the entire ACL).
- IOS tests the ACL against each statement in the order in which the statements were created.
- After a match is found, no more condition statements are checked.
- If the first condition is PERMIT ANY ANY, no statements added later will ever be checked.
ACL command overview:
Step 1: Set parameters for the ACL test statement.
    Router(config)# access-list <access-list-number> {permit | deny} {test conditions}
Step 2: Enable an interface to use the specified ACL.
    Router(config-if)# {protocol} access-group access-list-number {in | out}

The access-list number is used to identify the access list. If a number between 1 and 99 is chosen as the access-list-number, it is a standard access list; if a number between 100 and 199 is chosen, it is an extended access list.
- Standard IP lists (1-99)
- Extended IP lists (100-199)
- Standard IP lists (1300-1999) (expanded range)
- Extended IP lists (2000-2699) (expanded range)
Standard IP ACL configuration:
Step 1: Sets parameters for this list entry
- IP standard ACLs use 1 to 99
- Default wildcard mask = 0.0.0.0
- no access-list access-list-number removes the entire ACL
- remark lets you add a description for the ACL
Step 2: Activates the list on an interface
- Sets inbound or outbound testing
- Default = outbound
- no ip access-group access-list-number removes the ACL from the interface
What does an ACL do?
- Deny access to a host
- Allow access only to HTTP on a host
- Deny specific packets
- Turn on ACLs
- Change lists in midstream
Example:


At a time, an interface can apply an ACL to either incoming traffic or outgoing traffic.
Deny access to a host:
Deny access to a host on network 3. Assume 172.16.4.13 to be an IP address on network 3.
Enter statements:
Permit access to a particular network:
Permit access to network 1, and assume network 1 to be 172.16.0.0.
Enter statements:
Deny a specific subnet:


Turning the ACL on:
Enter config mode and designate the interface where you want to apply the filter. A list of access list statements is referred to as a group.
    Router(config-if)# ip access-group 101 in
Applies access list 101 to incoming packets on the interface.
Performance issues:
- Access list filters exact a toll on router performance.
- Some performance-enhancing features built into routers will not work if access lists are used.
- The longer the access list, the more work the router will have to perform every time a packet has to be processed.
Working of ACLs:
ACLs check the packet and upper-layer headers.

Posted in i. ACCESS CONTROL AND NAT
August 24, 2012

9.2 CONTROLLING TELNET ACCESS


Filtering VTY access to a router
- Five virtual terminal lines (0 through 4)
- Filter addresses that can access the router vty ports
- Filter vty access originating from the router
How to control VTY access:
- Set up an IP address filter with a standard ACL statement.
- Use line configuration mode to filter access with the access-class command.
- Set identical restrictions on every vty.
VTY commands:
1. Enter configuration mode for a vty or vty range
    Router(config)# line vty {vty# | vty-range}
2. Restrict incoming or outgoing vty connections for addresses in the ACL
    Router(config-line)# access-class access-list-number {in | out}
VTY access example:
1. Permit only hosts in network 192.168.1.0 0.0.0.255 to connect to the router vty, i.e., controlling inbound access
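As an added example, not code from the original post: a small Python model of standard ACL semantics that serves both the "deny access to a host" / "permit access to a particular network" examples of 9.1 and the vty access-class filter above. It shows what the router actually does with a standard list: the wildcard mask decides which address bits must match, entries are tested top to bottom against the source address only, the first match wins, and a packet that matches nothing hits the implicit deny. The entries and addresses are constructed from the values on the page; the names wildcard_match, wildcard_for_prefix, evaluate_standard and ACL_* are this example's own.

```python
import ipaddress


def wildcard_match(address, base, wildcard):
    """True if `address` matches `base` under a Cisco wildcard mask.

    A 0 bit in the wildcard means "must match", a 1 bit means "don't care",
    so 0.0.0.0 matches exactly one host and 255.255.255.255 matches any address.
    """
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF            # bits that must be equal
    return a & care == b & care


def wildcard_for_prefix(prefix_len):
    """Wildcard mask for a /prefix_len network: the inverted subnet mask
    (e.g. /24 -> 0.0.0.255, /16 -> 0.0.255.255, /32 -> 0.0.0.0)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


def evaluate_standard(acl, source):
    """Standard ACL semantics: entries (action, base, wildcard) are tested in order
    against the packet's source address only; the first match decides; no match
    means the implicit deny at the end of every list."""
    for action, base, wildcard in acl:
        if wildcard_match(source, base, wildcard):
            return action
    return "deny"


# Constructed list modelled on the page's examples: block host 172.16.4.13 on
# network 3, then allow the rest of 172.16.0.0 (network 1).
ACL_1 = [
    ("deny",   "172.16.4.13", "0.0.0.0"),      # access-list 1 deny host 172.16.4.13
    ("permit", "172.16.0.0",  "0.0.255.255"),  # access-list 1 permit 172.16.0.0 0.0.255.255
]

# The same two entries in the wrong order: the broad permit is matched first, so
# the deny line is never reached ("order of ACL statements controls testing").
ACL_1_MISORDERED = [
    ("permit", "172.16.0.0",  "0.0.255.255"),
    ("deny",   "172.16.4.13", "0.0.0.0"),
]

# Constructed vty filter for "access-class 2 in": only 192.168.1.0/24 may reach the
# vty lines; every other source falls through to the implicit deny.
ACL_2_VTY = [("permit", "192.168.1.0", wildcard_for_prefix(24))]


def demo():
    """Return the verdict for a handful of source addresses against each list."""
    return {
        "host_denied":       evaluate_standard(ACL_1, "172.16.4.13"),             # deny
        "network_permitted": evaluate_standard(ACL_1, "172.16.5.7"),              # permit
        "implicit_deny":     evaluate_standard(ACL_1, "10.0.0.1"),                # deny
        "shadowed_deny":     evaluate_standard(ACL_1_MISORDERED, "172.16.4.13"),  # permit
        "vty_inside":        evaluate_standard(ACL_2_VTY, "192.168.1.42"),        # permit
        "vty_outside":       evaluate_standard(ACL_2_VTY, "192.168.2.42"),        # deny
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The "shadowed_deny" case is the pitfall the guidelines warn about: because a list cannot be edited in place, the fix is to remove the whole list and re-enter it with the host deny first.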


Where to place IP ACLs:
- Place extended ACLs close to the source.
- Place standard ACLs close to the destination.
Posted in i. ACCESS CONTROL AND NAT
August 24, 2012

9.3 EXTENDED IP ACL CONFIGURATIONS


Step 1: Set parameters for the ACL list entry
    Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Step 2: Activate the extended list on an interface
    Router(config-if)# ip access-group access-list-number {in | out}
EXAMPLE:
1. Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out E0. Permit all other traffic.
2. Deny only Telnet from subnet 172.16.4.0 out E0. Permit all other traffic.
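As an added example, not code from the original post: a Python parser for the extended access-list syntax of Step 1, evaluated against the two EXAMPLE cases above and against a list using the established keyword. The page's figures with the actual statements are not reproduced here, so the access-list lines are constructed for this example (FTP modelled as ports 21 and 20, Telnet as port 23), the packets are constructed, and only the eq operator and the established and log keywords are modelled; PORT_NAMES is a small subset of the names IOS accepts. The function and variable names are this example's own.

```python
import ipaddress

# Subset of the well-known port names IOS accepts after "eq" (assumption, not a full table).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


def wildcard_match(address, base, wildcard):
    """Match `address` against `base` under a wildcard mask (0 bit = must match)."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care


def _take_address(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


def _take_port(tokens):
    """Consume an optional 'eq <port>' operator (only 'eq' is modelled)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
        return PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return None


def parse_extended(line):
    """Parse one 'access-list N {permit|deny} protocol src src-wc [eq p] dst dst-wc [eq p]
    [established] [log]' statement into a dict."""
    tokens = line.split()
    number = int(tokens[1])
    if tokens[0] != "access-list" or not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"not an extended numbered access-list line: {line}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = _take_address(rest)
    sport = _take_port(rest)
    dst = _take_address(rest)
    dport = _take_port(rest)
    return {"number": number, "action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in rest, "log": "log" in rest}


def entry_matches(entry, pkt):
    """Test one statement against a packet dict (proto, src, dst, sport, dport, ack, rst)."""
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *entry["src"]):
        return False
    if not wildcard_match(pkt["dst"], *entry["dst"]):
        return False
    if entry["sport"] is not None and pkt.get("sport") != entry["sport"]:
        return False
    if entry["dport"] is not None and pkt.get("dport") != entry["dport"]:
        return False
    # 'established' matches only TCP segments with ACK or RST set, i.e. traffic belonging
    # to a connection opened from the other side; a fresh SYN carries neither flag.
    if entry["established"] and not (pkt.get("ack") or pkt.get("rst")):
        return False
    return True


def evaluate(acl, pkt):
    """First matching statement decides; otherwise the implicit deny applies."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry["action"]
    return "deny"


# Constructed statements for EXAMPLE 1 and 2 (the page's figures are not reproduced).
ACL_101 = [parse_extended(l) for l in (
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "access-list 101 permit ip any any",
)]
ACL_102 = [parse_extended(l) for l in (
    "access-list 102 deny tcp 172.16.4.0 0.0.0.255 any eq 23",
    "access-list 102 permit ip any any",
)]
# Constructed list using 'established': TCP replies may enter 172.16.3.0/24, new connections may not.
ACL_103 = [parse_extended("access-list 103 permit tcp any 172.16.3.0 0.0.0.255 established log")]


def demo():
    """Verdicts for constructed packets against the three lists."""
    ftp = {"proto": "tcp", "src": "172.16.4.10", "dst": "172.16.3.5", "sport": 40000, "dport": 21}
    web = {**ftp, "dport": 80}
    ftp_from_other_subnet = {**ftp, "src": "172.16.5.10"}
    telnet = {"proto": "tcp", "src": "172.16.4.10", "dst": "10.0.0.1", "sport": 40001, "dport": 23}
    syn_in = {"proto": "tcp", "src": "10.0.0.1", "dst": "172.16.3.5", "sport": 5000, "dport": 80}
    reply_in = {**syn_in, "sport": 80, "dport": 5000, "ack": True}
    return {
        "ftp_4_to_3": evaluate(ACL_101, ftp),                    # deny
        "web_4_to_3": evaluate(ACL_101, web),                    # permit
        "ftp_5_to_3": evaluate(ACL_101, ftp_from_other_subnet),  # permit
        "telnet_101": evaluate(ACL_101, telnet),                 # permit (101 blocks only FTP to 172.16.3.0)
        "telnet_102": evaluate(ACL_102, telnet),                 # deny
        "new_syn_in": evaluate(ACL_103, syn_in),                 # deny (implicit)
        "reply_in":   evaluate(ACL_103, reply_in),               # permit
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Note that the parser rejects numbers outside the extended ranges (100-199 and 2000-2699), mirroring the page's rule that the list number decides the list type.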

USING NAMED IP ACLs
1. In named ACLs, the ACL is identified by a name. The alphanumeric name string must be unique.
    Router(config)# ip access-list {standard | extended} name
2. Permit or deny statements have no number. no removes the specific test from the named ACL.
    Router(config {std- | ext-}nacl)# {permit | deny} {ip access list test conditions}
    Router(config {std- | ext-}nacl)# no {permit | deny} {ip access list test conditions}
3. Activate the named IP ACL on an interface.
    Router(config-if)# ip access-group name {in | out}
Monitoring ACL statements:
    Router# show {protocol} access-list {access-list number}
    Router# show access-lists {access-list number}

SUMMARY
- Following the ACL configuration guidelines and commands is important to successfully implement ACLs.
- To configure standard IP ACLs on a Cisco router, you must create a standard IP ACL and apply the ACL on an interface.
- To configure extended IP ACLs on a Cisco router, you must create an extended IP access list (from the extended number range) and apply the ACL on an interface.
- The named ACL feature allows you to identify IP standard and extended ACLs with an alphanumeric string (name) instead of the current numeric (1 to 199 and 1300 to 2699) representations.
- For security purposes, you can deny Telnet access to or from a router's VTY ports. Restricting Telnet access is primarily a technique for increasing network security.
- ACLs are used to control traffic by filtering and eliminating unwanted packets. Proper placement of an ACL statement can reduce unnecessary traffic.
- The show command can be used to verify ACL configuration.
Posted in i. ACCESS CONTROL AND NAT
August 24, 2012

9.4 NETWORK ADDRESS TRANSLATION


What is NAT?
Network Address Translation (NAT) is the process where a network device, usually a firewall or router, assigns a public address to a computer or group of computers inside a private network. The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes. In NAT an IP address is either local or global. Local IP addresses are the ones seen in the inside network.


Why do we use NAT?


Similar to CIDR, the original intention of NAT was to slow the depletion of available IP address space
by allowing many private IP addresses to be represented by some smaller number of public IP
addresses. NAT is also a useful tool for network migrations and mergers, server load sharing and
creating virtual servers.
How does NAT work?
Example:
Host 10.1.1.1 sends an outbound packet to the border router configured with NAT. The router identifies the IP address as an inside local address destined for an outside network, translates the address and documents the translation in the NAT table.
The packet is sent out of the outside interface with the new translated source address. The external host returns its reply to the translated address, and the NAT router translates the inside global IP address back to the inside local IP address using the NAT table.
Advantages & disadvantages of NAT
ADVANTAGES
1. Conserves legally registered addresses.
2. Reduces address overlap occurrence.
3. Increases flexibility when connecting to the internet.
4. Eliminates address renumbering as the network changes.
DISADVANTAGES
1. Translation introduces switching path delays.
2. Loss of end-to-end IP traceability.
3. Certain applications will not function with NAT enabled.
Types of NAT:
1. Static NAT: this type of NAT is designed to allow one-to-one mapping between local and global
addresses. Static version requires you to have one real internet IP address for every host on your
network.
2. Dynamic NAT: this type of NAT gives you the ability to map an unregistered IP address to a
registered IP address from out of a pool of registered IP addresses.
3. Overloading: this is the most popular type of NAT configuration. Overloading is a form of dynamic
NAT that maps multiple unregistered IP addresses to a single registered IP address (many to one)
by using different ports. It is also known as PORT ADDRESS TRANSLATION. By using PAT, you
get to have thousands of users connect to the internet using only one real global IP address.
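As an added example, not code from the original post: a Python model of the overloading (PAT) walk-through above, covering both "How does NAT work?" and the many-to-one translation described under Overloading. Two inside hosts that happen to use the same source port are mapped to one inside global address and told apart by the translated port; the reply is translated back through the NAT table, and an unsolicited inbound packet with no table entry is dropped, which is also why some applications do not work behind NAT. All addresses are constructed from documentation ranges (10.1.1.0/24 inside, 203.0.113.1 as the single public address, 198.51.100.10 as an outside web server); the class and method names are this example's own, and the port allocation (sequential from 1024) is a simplification of what a real router does.

```python
import ipaddress


class PortAddressTranslator:
    """Overloading (PAT): every inside local address shares one inside global address;
    flows are distinguished by the translated source port recorded in the NAT table."""

    def __init__(self, inside_network, inside_global, first_port=1024):
        self.inside_network = ipaddress.ip_network(inside_network)
        self.inside_global = inside_global
        self.next_port = first_port     # simplification: ports handed out sequentially
        self.table = {}                 # (inside local, local port) -> (global port, outside addr, outside port)
        self.by_global_port = {}        # global port -> (inside local, local port)

    def outbound(self, pkt):
        """Packet leaving through the outside interface: rewrite inside local -> inside global."""
        if ipaddress.ip_address(pkt["src"]) not in self.inside_network:
            return pkt                  # not an inside local address: forwarded untranslated
        key = (pkt["src"], pkt["sport"])
        if key not in self.table:       # first packet of a flow creates the table entry
            global_port = self.next_port
            self.next_port += 1
            self.table[key] = (global_port, pkt["dst"], pkt["dport"])
            self.by_global_port[global_port] = key
        return {**pkt, "src": self.inside_global, "sport": self.table[key][0]}

    def inbound(self, pkt):
        """Reply arriving on the outside interface: translate back via the table, or drop."""
        key = self.by_global_port.get(pkt["dport"])
        if pkt["dst"] != self.inside_global or key is None:
            return None                 # no matching entry: unsolicited inbound traffic is dropped
        local_ip, local_port = key
        return {**pkt, "dst": local_ip, "dport": local_port}

    def translations(self):
        """Rows in the spirit of 'show ip nat translations':
        (inside global, inside local, outside local, outside global).
        Outside local equals outside global here because the outside address is not translated."""
        rows = []
        for (local_ip, local_port), (global_port, dst, dport) in self.table.items():
            rows.append((f"{self.inside_global}:{global_port}", f"{local_ip}:{local_port}",
                         f"{dst}:{dport}", f"{dst}:{dport}"))
        return rows


def demo():
    """Two inside hosts reach the same web server using the same source port."""
    nat = PortAddressTranslator("10.1.1.0/24", "203.0.113.1")
    out1 = nat.outbound({"src": "10.1.1.1", "sport": 40000, "dst": "198.51.100.10", "dport": 80})
    out2 = nat.outbound({"src": "10.1.1.2", "sport": 40000, "dst": "198.51.100.10", "dport": 80})
    # The server answers the second flow; the NAT table routes it back to 10.1.1.2:40000.
    reply = nat.inbound({"src": "198.51.100.10", "sport": 80, "dst": "203.0.113.1", "dport": out2["sport"]})
    # A packet nobody inside asked for has no table entry and is dropped.
    stray = nat.inbound({"src": "198.51.100.99", "sport": 443, "dst": "203.0.113.1", "dport": 9999})
    return out1, out2, reply, stray, nat.translations()


if __name__ == "__main__":
    out1, out2, reply, stray, rows = demo()
    print("outbound 1:", out1)
    print("outbound 2:", out2)
    print("reply:     ", reply)
    print("stray:     ", stray)
    for row in rows:
        print(*row)
```

From the outside both flows appear to come from 203.0.113.1, which is the "loss of end-to-end IP traceability" listed among the disadvantages: without the router's NAT table, the original inside hosts cannot be told apart.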

NAT names:
Some names are used to describe the addresses used with NAT.
Addresses used after NAT translation are called global addresses. These are usually the public addresses used on the internet, but public addresses are not required if you are not using the internet.
Local addresses are the ones used before NAT translation. So, the inside local address is the private address of the sending host that is trying to get to the internet. The outside local address is the address of the destination host; it is usually a public address (a web address etc.).
After translation, the inside local address is called the inside global address, and the outside global address becomes the name of the destination host.
Name            Meaning
Inside local    Name of the inside source address before translation.
Outside local   Name of the destination host before translation.
Inside global   Name of the inside host after translation.
Outside global  Name of the outside destination host after translation.

Posted in i. ACCESS CONTROL AND NAT