May 18, 2012

Vlan Access-maps

So I forgot to put this up yesterday. Here it is. I was asked to filter port 139 traffic before it got to a router. To accomplish this I went to the switch that was connected to the router and did it on the VLAN. To test, I went to a workstation connected to the switch, telnetted to the router on port 139 and watched a separate ACL that I put on the router increment. After applying this VLAN access map on the switch and repeating the test from the workstation, the ACL on the router no longer incremented.


! –Start with the ACL to match the port 139 traffic. (Yes, it's a permit statement; the access map does the dropping.)

access-list 139 permit tcp any any eq 139
!
!
!  –Next write the vlan access-map to match that ACL and drop the traffic.
!
vlan access-map NO139 10
action drop
match ip address 139
vlan access-map NO139 20
action forward

!
!  –Now apply it to the VLAN!
!
vlan filter NO139 vlan-list 37

Super short Reflexive ACL tutorial

Okay, today it's reflexive ACLs. Old school, I know, but it's one of the possible CCIE Security topics so we learn it anyhow. Here is how it works. First we configure an ACL:


Rack1R1(config)#ip access-l extend OUTBOUND
Rack1R1(config-ext-nacl)#permit tcp any any reflect STATE_TABLE
Rack1R1(config-ext-nacl)#permit udp any any reflect STATE_TABLE
Rack1R1(config-ext-nacl)#permit icmp any any reflect STATE_TABLE
Rack1R1(config-ext-nacl)#exit
Rack1R1(config)#ip access-l ext INBOUND
Rack1R1(config-ext-nacl)#evaluate STATE_TABLE
Rack1R1(config-ext-nacl)#deny ip any any log
Rack1R1(config-ext-nacl)#int s0/0.12
Rack1R1(config-subif)#ip access-g OUTBOUND out
Rack1R1(config-subif)#ip access-g INBOUND out
Rack1R1(config-subif)#ip access-g INBOUND in
Rack1R1(config-subif)#ip access-g OUTBOUND out
Rack1R1(config-subif)#do sh access-l
Extended IP access list INBOUND
    10 evaluate STATE_TABLE
    20 deny ip any any log (1 match)
Extended IP access list OUTBOUND
    10 permit tcp any any reflect STATE_TABLE
    20 permit udp any any reflect STATE_TABLE
    30 permit icmp any any reflect STATE_TABLE
Reflexive IP access list STATE_TABLE
Rack1R1(config-subif)#

Now don't forget to allow your routing protocols... look what happened to OSPF...

*Mar  1 01:01:28.449: %SEC-6-IPACCESSLOGRP: list INBOUND denied ospf 150.1.12.2 -> 224.0.0.5, 1 packet

So we have to fix it…

Rack1R1(config-subif)#ip access-l ext INBOUND
Rack1R1(config-ext-nacl)#19 permit ospf any any
Rack1R1(config-ext-nacl)#
*Mar  1 01:01:58.434: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.2.2 on Serial0/0.12 from FULL to DOWN, Neighbor Down: Dead timer expired
Rack1R1(config-ext-nacl)#
*Mar  1 01:01:58.835: %SEC-6-IPACCESSLOGRP: list INBOUND denied ospf 150.1.12.2 -> 224.0.0.5, 3 packets
Rack1R1(config-ext-nacl)#
*Mar  1 01:02:03.406: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.2.2 on Serial0/0.12 from LOADING to FULL, Loading Done
Rack1R1(config-ext-nacl)#do sh access-l
Extended IP access list INBOUND
    10 evaluate STATE_TABLE
    19 permit ospf any any (8 matches)
    20 deny ip any any log (4 matches)
Extended IP access list OUTBOUND
    10 permit tcp any any reflect STATE_TABLE
    20 permit udp any any reflect STATE_TABLE
    30 permit icmp any any reflect STATE_TABLE
Reflexive IP access list STATE_TABLE
Rack1R1(config-ext-nacl)#

Ok, so now that OSPF is back up let's test it... Jump over to another router that we can generate an outbound TCP session from. This should create the reflected ACL entry...

Telnet should do the trick.

Rack1R4#telnet 150.1.3.3
Trying 150.1.3.3 … Open


User Access Verification

Password:
Rack1R3>

Now let's go see the reflected ACL.

Rack1R1(config-ext-nacl)#do sh access-l
Extended IP access list INBOUND
    10 evaluate STATE_TABLE
    19 permit ospf any any (12 matches)
    20 deny ip any any log (4 matches)
Extended IP access list OUTBOUND
    10 permit tcp any any reflect STATE_TABLE
    20 permit udp any any reflect STATE_TABLE
    30 permit icmp any any reflect STATE_TABLE
Reflexive IP access list STATE_TABLE
    permit tcp host 150.1.3.3 eq telnet host 150.1.14.4 eq 11000 (27 matches) (time left 290)

Perfect... that's all there is to it.
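To see why the OSPF hellos got dropped while the telnet return traffic sailed through, here is a small Python model of the reflexive ACL logic above. It is an added example for this post, not IOS code; the class and packet names are made up, and matching is simplified to protocol, addresses and ports with the IOS default 300-second reflexive timeout.

```python
"""Small model of the reflexive ACL configured on Rack1R1 above.
Added example for this post, not IOS code: matching is simplified to
protocol, addresses and ports, with a per-entry idle timer like 'time left 290'."""
from dataclasses import dataclass, field

REFLECT_PROTOS = ("tcp", "udp", "icmp")  # the three OUTBOUND 'reflect' entries
REFLEX_TIMEOUT = 300                     # IOS default reflexive timeout (seconds)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class ReflexiveFirewall:
    # explicit INBOUND permits that sit between 'evaluate' and the deny, e.g. {"ospf"}
    permit_inbound: set = field(default_factory=set)
    # STATE_TABLE: mirrored 5-tuple -> seconds left before the entry ages out
    state_table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> bool:
        """OUTBOUND ACL: permit tcp/udp/icmp and reflect a mirrored entry."""
        if pkt.proto not in REFLECT_PROTOS:
            return False  # implicit deny ip any any, so nothing is reflected
        mirrored = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.state_table[mirrored] = REFLEX_TIMEOUT
        return True

    def inbound(self, pkt: Packet) -> str:
        """INBOUND ACL: 10 evaluate STATE_TABLE, 19 permit <proto>, 20 deny ip any any log."""
        if pkt in self.state_table:
            self.state_table[pkt] = REFLEX_TIMEOUT  # session traffic refreshes the idle timer
            return "permit (reflected)"
        if pkt.proto in self.permit_inbound:
            return "permit (explicit)"
        return "deny (log)"

    def tick(self, seconds: int) -> None:
        """Age the state table; expired entries disappear as they do in IOS."""
        for key in list(self.state_table):
            self.state_table[key] -= seconds
            if self.state_table[key] <= 0:
                del self.state_table[key]
```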

Fun with IOS Access-lists

Ok, so tonight I was playing around with some options available in ACLs. Here is something that I find to be very cool. You can use log options and some fancy configuration of ACL entries to see exactly what ports are being permitted or denied. Here is what I mean.

Access-list looks like this:

Rack2R4(config-ext-nacl)#do sh access-l
Extended IP access list 100
    10 permit tcp any any log-input (43 matches)
    20 permit udp any any log-input
    30 permit ip any any (13 matches)

If you do a show logging you will see the source IP, destination IP and the source MAC, as well as the ingress interface, as seen here:

Rack2R4(config-ext-nacl)#do sh logg
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: level debugging, 75 messages logged, xml disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled
    Buffer logging: level debugging, 47 messages logged, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 103 message lines logged

Log Buffer (4096 bytes):
(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:07.684: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:07.700: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:07.700: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:07.704: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:07.712: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:08.733: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:09.030: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:09.038: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:09.302: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:09.627: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:09.831: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet

…but with a slight modification to the list as follows:

Rack2R4(config-ext-nacl)#no 10  permit tcp any any log-input
Rack2R4(config-ext-nacl)#10 permit tcp any any range 1 65535 log
Rack2R4(config-ext-nacl)#

After generating TCP traffic you get a really cool log output like this (notice you now have source and destination ports):

Rack2R4(config-ext-nacl)#do sh logg
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: level debugging, 75 messages logged, xml disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled
    Buffer logging: level debugging, 47 messages logged, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 103 message lines logged

Log Buffer (4096 bytes):
*Mar  1 01:39:56.893: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:57.097: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:57.927: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.131: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.147: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.307: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.452: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.608: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.736: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.740: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:40:00.114: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11003) -> 150.2.4.4(23), 1 packet

Pretty cool stuff, huh? Yeah, it made my night. Now what can I use this for... hmm.
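One thing you can use it for: a Python parser for the %SEC-6-IPACCESSLOG* lines that tells you which destination ports an ACL actually permitted or denied. This is an added example for this post, not IOS or Cisco code; the sample lines are copied from the show logging output above, and the regex is written against just the two message layouts shown there (the log-input layout with interface and MAC, where IOS prints (0) because the ACE has no port qualifier, and the port layout from the range-plus-log entry).

```python
"""Parse the %SEC-6-IPACCESSLOG* messages from this post and summarise which
ports an ACL actually permitted or denied. Added example, not IOS code; the
sample lines below are copied from the 'show logging' output above."""
import re
from collections import Counter

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<intf>\S+) (?P<mac>[0-9a-f.]+)\))?"  # only present with log-input
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)

SAMPLE = """\
*Mar  1 01:01:28.449: %SEC-6-IPACCESSLOGRP: list INBOUND denied ospf 150.1.12.2 -> 224.0.0.5, 1 packet
*Mar  1 01:37:07.684: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:39:56.893: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:40:00.114: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11003) -> 150.2.4.4(23), 1 packet
*Mar  1 01:01:58.434: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.2.2 on Serial0/0.12 from FULL to DOWN, Neighbor Down: Dead timer expired
"""


def parse_line(line: str):
    """Fields of one ACL log line, or None for any other syslog message.
    IOS prints (0) when the ACE has no port qualifier, so 0 becomes None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] not in (None, "0") else None
    rec["count"] = int(rec["count"])
    return rec


def port_summary(text: str) -> Counter:
    """Packet totals per (acl, action, proto, dport); dport None = port not logged."""
    totals = Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        totals[(rec["acl"], rec["action"], rec["proto"], rec["dport"])] += rec["count"]
    return totals


if __name__ == "__main__":
    for key, packets in sorted(port_summary(SAMPLE).items(), key=str):
        print(key, packets)
```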