cisco firewall access-list

Last updated: 2016-02-05

Introduction

Cisco ACLs come in three kinds, namely:

# standard access lists

L3 (1~99)

# extended access lists

L3, L4 (100~199)

# Named Access Lists

Uses network segments and hosts as the configuration targets

# show

show ip access-list

show access-list [N]

show ip interface [int]

Processing order of inbound and outbound ACLs

inbound ACL --> route --> outbound ACL

Router(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Router(config)#access-list 10 permit any

Router(config)#int e1
Router(config-if)#ip access-group 10 out

Router(config)#access-list 110 deny tcp any host 172.16.30.5 eq 22
Router(config)#access-list 110 deny tcp any host 172.16.30.6 eq 23
Router(config)#access-list 110 permit ip any any
Router(config)#int e1
Router(config-if)#ip access-group 110 out

port operators

* lt
* gt
* eq
* neq
* range

port range:

range 100 200
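To make the first-match order, the wildcard masks and the port operators above concrete, here is an added Python example (not code from the original page): it parses the page's ACL 10 and ACL 110 entries plus a hypothetical ACL 120 that uses `range 100 200`, evaluates constructed packets against them with the implicit deny at the end, and models the inbound ACL --> route --> outbound ACL order with a hypothetical `forward()` helper. Standard versus extended is decided by the ACL number (1~99 is standard), and only the entry forms shown on this page are parsed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed IOS-style ACL text: ACL 10 and ACL 110 are the page's own entries,
# ACL 120 is a hypothetical entry added to exercise the "range" port operator.
ACL_TEXT = """
access-list 10 deny 172.16.40.0 0.0.0.255
access-list 10 permit any
access-list 110 deny tcp any host 172.16.30.5 eq 22
access-list 110 deny tcp any host 172.16.30.6 eq 23
access-list 110 permit ip any any
access-list 120 permit tcp any any range 100 200
"""
ANY = 0xFFFFFFFF                     # wildcard with every bit set: any address
PORT_OPS = {"lt", "gt", "eq", "neq", "range"}

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

@dataclass
class AddrMatch:
    addr: int
    wildcard: int                    # IOS wildcard: a 1 bit means "don't care"

    def matches(self, ip):
        care = ~self.wildcard & ANY  # also correct for non-contiguous wildcards
        return (ip & care) == (self.addr & care)

@dataclass
class PortMatch:
    op: str
    lo: int
    hi: int = 0                      # only used by "range"

    def matches(self, port):
        return {"eq": port == self.lo, "neq": port != self.lo,
                "lt": port < self.lo, "gt": port > self.lo,
                "range": self.lo <= port <= self.hi}[self.op]

def _parse_addr(t, i):
    """Parse 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or a bare address."""
    if t[i] == "any":
        return AddrMatch(0, ANY), i + 1
    if t[i] == "host":
        return AddrMatch(ip_int(t[i + 1]), 0), i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():
        return AddrMatch(ip_int(t[i]), ip_int(t[i + 1])), i + 2
    return AddrMatch(ip_int(t[i]), 0), i + 1

def _parse_port(t, i):
    if i < len(t) and t[i] in PORT_OPS:
        if t[i] == "range":
            return PortMatch("range", int(t[i + 1]), int(t[i + 2])), i + 3
        return PortMatch(t[i], int(t[i + 1])), i + 2
    return None, i

def parse_acl(text):
    """Return (acl, action, proto, src, sport, dst, dport) tuples in config order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        if t[1].isdigit() and int(t[1]) <= 99:          # standard: source only
            src, _ = _parse_addr(t, 3)
            entries.append((t[1], t[2], "ip", src, None, AddrMatch(0, ANY), None))
        else:                                           # extended: proto, src, dst, ports
            src, i = _parse_addr(t, 4)
            sport, i = _parse_port(t, i)
            dst, i = _parse_addr(t, i)
            dport, i = _parse_port(t, i)
            entries.append((t[1], t[2], t[3], src, sport, dst, dport))
    return entries

def evaluate(entries, acl, proto, src, dst, sport=0, dport=0):
    """First matching entry wins; no match at all is the implicit deny."""
    s, d = ip_int(src), ip_int(dst)
    for n, (_, action, p, sm, spm, dm, dpm) in enumerate(e for e in entries if e[0] == acl):
        if p not in ("ip", proto) or not (sm.matches(s) and dm.matches(d)):
            continue
        if (spm and not spm.matches(sport)) or (dpm and not dpm.matches(dport)):
            continue
        return action, n             # verdict and index of the entry that fired
    return "deny", None

def forward(entries, in_acl, out_acl, **pkt):
    """inbound ACL --> route --> outbound ACL: the packet must pass both."""
    if evaluate(entries, in_acl, **pkt)[0] == "deny":
        return "dropped at inbound ACL"
    if evaluate(entries, out_acl, **pkt)[0] == "deny":
        return "dropped at outbound ACL"
    return "forwarded"

ENTRIES = parse_acl(ACL_TEXT)
```

Calling `evaluate(ENTRIES, "110", "tcp", "10.0.0.9", "172.16.30.5", dport=22)` returns `("deny", 0)`, the index telling you which entry fired; a packet matched by no entry returns `("deny", None)`, the implicit deny that closes the list, which is why the final `permit ip any any` in ACL 110 is needed and why a standard ACL placed before routing can drop traffic the outbound ACL would have allowed.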

Example

access-list outside_acl permit host singapore_wan_ip

access-list acl_permit permit ip 192.168.32.0 0.0.7.255

!--- This command is used to permit tcp traffic from
!--- 10.1.1.2 host machine to 172.16.1.1 host machine.

access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1

!--- This command is used to permit ip traffic from the
!--- 10.1.1.0 network to the 172.16.1.0 network.

access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

Extended ACL


syntax

access-list access_list_name extended { deny | permit } protocol_argument source_address_argument dest_address_argument

access-list access_list_name extended { deny | permit } icmp source_address_argument dest_address_argument [ icmp_argument ]

e.g.

[1]

hostname(config)# access-list ACL_IN extended permit ip any any

[2]

hostname(config)# access-list OUT remark - this is the inside admin address
hostname(config)# access-list OUT extended permit ip host x.x.x.x any

Applying object-group protocol_grp_id


# Allow certain hosts to ping

object-group icmp-type PingProto
 icmp-object echo
 icmp-object echo-reply

object-group network AllowPingGroup
 network-object host x.x.x.x

object-group network WebService
 network-object host y.y.y.y

access-list outside_acl remark allow_client_ping

access-list outside_acl extended permit icmp object-group AllowPingGroup object-group WebService object-group PingProto

ACL Example


#

object network admin_vm
 host 192.168.3.199

object-group network admin_ip_group
 network-object object admin_vm

#

object network esxi0
 host 192.168.2.91
object network esxi1
 host 192.168.2.92

object-group network esxi_server_group
 network-object object esxi0
 network-object object esxi1

#

object service esxi-port-443-tcp
 service tcp destination eq 443
object service esxi-port-22-tcp
 service tcp destination eq 22

object-group service esxi_service_group
 service-object object esxi-port-443-tcp
 service-object object esxi-port-22-tcp

# Rule

access-list outside_access_in extended permit object-group esxi_service_group object-group admin_ip_group object-group esxi_server_group log disable
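A rule written against object-groups only tells you what it permits once the groups are flattened. The following added Python example (not code from the original page) parses a copy of the ACL Example above, resolves the nested network and service objects, expands the single `outside_access_in` ACE into its concrete (action, protocol, source, destination, port) tuples and checks a few constructed flows against them. It handles only the object, object-group and ACE forms that appear on this page; the names and addresses are the hypothetical ones from the example.

```python
# Constructed ASA object/object-group configuration, a copy of the page's ACL
# Example (hypothetical names and addresses as given there).
ASA_CONFIG = """
object network admin_vm
 host 192.168.3.199
object-group network admin_ip_group
 network-object object admin_vm
object network esxi0
 host 192.168.2.91
object network esxi1
 host 192.168.2.92
object-group network esxi_server_group
 network-object object esxi0
 network-object object esxi1
object service esxi-port-443-tcp
 service tcp destination eq 443
object service esxi-port-22-tcp
 service tcp destination eq 22
object-group service esxi_service_group
 service-object object esxi-port-443-tcp
 service-object object esxi-port-22-tcp
access-list outside_access_in extended permit object-group esxi_service_group object-group admin_ip_group object-group esxi_server_group log disable
"""

def parse_asa(text):
    """Collect objects, object-groups and extended ACEs (only the forms used above)."""
    net_obj, net_grp, svc_obj, svc_grp, aces = {}, {}, {}, {}, []
    current = None
    for raw in text.strip().splitlines():
        t = raw.split()
        if raw.startswith(" "):                       # member line of the open block
            kind, name = current
            if kind == "net_obj" and t[0] == "host":
                net_obj[name] = {t[1]}
            elif kind == "net_grp" and t[:2] == ["network-object", "object"]:
                net_grp[name].append(("object", t[2]))
            elif kind == "net_grp" and t[:2] == ["network-object", "host"]:
                net_grp[name].append(("host", t[2]))
            elif kind == "svc_obj" and t[0] == "service" and t[2:4] == ["destination", "eq"]:
                svc_obj[name] = (t[1], int(t[4]))
            elif kind == "svc_grp" and t[:2] == ["service-object", "object"]:
                svc_grp[name].append(t[2])
            else:
                raise ValueError("unsupported member line: " + raw)
        elif t[:2] == ["object", "network"]:
            current = ("net_obj", t[2])
        elif t[:2] == ["object-group", "network"]:
            current = ("net_grp", t[2])
            net_grp[t[2]] = []
        elif t[:2] == ["object", "service"]:
            current = ("svc_obj", t[2])
        elif t[:2] == ["object-group", "service"]:
            current = ("svc_grp", t[2])
            svc_grp[t[2]] = []
        elif t[0] == "access-list" and t[2] == "extended":
            aces.append(t)
    return net_obj, net_grp, svc_obj, svc_grp, aces

def resolve_net(name, net_obj, net_grp):
    """Flatten a network object or object-group into the set of host addresses."""
    if name in net_obj:
        return set(net_obj[name])
    hosts = set()
    for kind, ref in net_grp[name]:
        hosts |= {ref} if kind == "host" else resolve_net(ref, net_obj, net_grp)
    return hosts

def resolve_svc(name, svc_obj, svc_grp):
    """Flatten a service object or object-group into a set of (proto, port)."""
    if name in svc_obj:
        return {svc_obj[name]}
    return {s for m in svc_grp[name] for s in resolve_svc(m, svc_obj, svc_grp)}

def expand_ace(t, cfg):
    """Expand '... extended <action> object-group SVC object-group SRC object-group DST'."""
    net_obj, net_grp, svc_obj, svc_grp, _ = cfg
    if t[4:10:2] != ["object-group"] * 3:
        raise ValueError("ACE shape not handled: " + " ".join(t))
    action, svc, src, dst = t[3], t[5], t[7], t[9]
    return sorted((action, proto, s, d, port)
                  for proto, port in resolve_svc(svc, svc_obj, svc_grp)
                  for s in resolve_net(src, net_obj, net_grp)
                  for d in resolve_net(dst, net_obj, net_grp))

def permits(rules, proto, src, dst, dport):
    """First matching expanded rule decides; no match is the implicit deny."""
    for action, p, s, d, port in rules:
        if (p, s, d, port) == (proto, src, dst, dport):
            return action == "permit"
    return False

CFG = parse_asa(ASA_CONFIG)
RULES = expand_ace(CFG[4][0], CFG)
```

`RULES` comes out as four tuples: the admin VM to each ESXi host on tcp/22 and tcp/443, and nothing else; `permits(RULES, "tcp", "192.168.3.199", "192.168.2.91", 80)` is `False` because no entry matches and the implicit deny applies. Reviewing a rule in this expanded form is the useful habit, because adding a member to `admin_ip_group` or `esxi_service_group` later widens the ACE without the `access-list` line itself changing; on the ASA, `show access-list` prints the same expanded entries together with their hit counts.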