You want to filter access to certain applications.
Extended IP access lists can also filter based on application information such as protocol and port numbers:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 151 permit tcp any any eq www
Router1(config)#access-list 151 deny tcp any any gt 1023
Router1(config)#access-list 151 permit icmp any any
Router1(config)#access-list 151 permit udp any any eq ntp
Router1(config)#access-list 151 deny ip any any
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 151 in
Router1(config-if)#end
Router1#
This example shows how to construct an extended IP ACL to filter traffic based on applications. In Recipe 19.1, we showed how to use extended IP ACLs to match on any combination of source and/or destination IP addresses. But the extended IP ACL also allows you to match on just about anything in the IP packet header.
The first argument after the permit or deny keyword represents the IP protocol type:
Router1(config)#access-list 151 permit tcp any any eq www
In this case, we want to match a TCP-based application, so we have used the keyword tcp in this position. This field represents the IP protocol number, which is an 8-bit value. TCP is protocol number 6, UDP is 17, and ICMP uses protocol number 1. The IANA has registered 134 different protocol numbers. You can find the complete list of registered IP protocols online at http://www.iana.org/assignments/protocol-numbers. Cisco supplies helpful mnemonics for several of these protocols, such as the tcp, udp, and icmp keywords used in the example, so you don't have to remember the protocol numbers. Table 19-1 shows all of the IP protocols for which Cisco supplies mnemonic keywords. You can always use the protocol number in decimal form if you prefer, but the router will replace it with the mnemonic (if one exists) in its configuration file.
| Protocol number | Keyword | Description |
|---|---|---|
| 1 | icmp | Internet Control Message Protocol |
| 2 | igmp | Internet Gateway Message Protocol |
| 4 | ipinip | IP-in-IP tunnel protocol |
| 6 | tcp | Transmission Control Protocol |
| 9 | igrp | Interior Gateway Routing Protocol |
| 17 | udp | User Datagram Protocol |
| 21 | nos | KA9Q tunnel protocol |
| 47 | gre | Generic Routing Encapsulation tunnel protocol |
| 50 | esp | IPSec Encapsulation Security Payload |
| 51 | ahp | IPSec Authenticating Header Protocol |
| 88 | eigrp | Enhanced Interior Gateway Routing Protocol |
| 89 | ospf | Open Shortest Path First routing protocol |
| 103 | pim | Protocol Independent Multicast protocol |
| 108 | pcp | IP Payload Compression Protocol |
As we showed in Recipe 19.1, you can match on any IP protocol number by simply using the keyword ip.
The source and destination IP addresses come after the IP protocol number or keyword. We described how to use these fields in Recipe 19.1. Remember that the address keyword any is shorthand that stands for an address of 0.0.0.0 with a wildcard pattern of 255.255.255.255.
Following each address is an optional field in which you can specify particular protocol information such as port numbers. In the following example, we match on TCP port 80, which is used by the HTTP protocol.
There are many possible mnemonic keywords for different TCP port numbers:
Router1(config)#access-list 151 permit tcp any eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (20)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pim-auto-rp PIM Auto-RP (496)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)
Router1#
As with the IP protocol numbers listed in Table 19-1, you can substitute the decimal numerical value for any of these keywords, and the router will replace it with the keyword. For any other applications not included in this list, you must use the decimal port number.
In our example, the mnemonic for port 80 is www:
Router1(config)#access-list 151 permit tcp any any eq www
Note that the keywords eq www appear after the destination IP address, rather than the source IP address. This is because we are looking for the destination TCP port number. If you need to match on a source port number instead, you could simply move these keywords to follow the source IP address:
Router1(config)#access-list 151 permit tcp any eq www any
Of course, you can always match on both:
Router1(config)#access-list 151 permit tcp any eq www any eq www
Note, however, that this ACL entry will match only if both the source and the destination TCP port numbers are 80. If you wanted to match HTTP traffic between any two devices, but didn't know which device had initiated the TCP session, you would need to include two separate lines like this:
Router1(config)#access-list 151 permit tcp any any eq www
Router1(config)#access-list 151 permit tcp any eq www any
The IANA reserves the TCP port numbers 1024 and above for local and temporary applications. Many TCP implementations use these high-numbered ports for source port numbers, and for temporary or ephemeral purposes. So it is relatively common to see ACLs that restrict the use of these ports. We included an example ACL rule in this recipe:
Router1(config)#access-list 151 deny tcp any any gt 1023
This command will block all TCP packets that have a destination port number greater than 1023 (that is, ports 1024 through 65,535). Remember that TCP applications often use these high port numbers for source ports, so you need to be careful about traffic direction when you apply such an ACL.
There is a similar set of port numbers for UDP applications:
Router1(config)#access-list 151 permit udp any eq ?
<0-65535> Port number
biff Biff (mail notification, comsat, 512)
bootpc Bootstrap Protocol (BOOTP) client (68)
bootps Bootstrap Protocol (BOOTP) server (67)
discard Discard (9)
dnsix DNSIX security protocol auditing (195)
domain Domain Name Service (DNS, 53)
echo Echo (7)
isakmp Internet Security Association and Key Management Protocol (500)
mobile-ip Mobile IP registration (434)
nameserver IEN116 name service (obsolete, 42)
netbios-dgm NetBios datagram service (138)
netbios-ns NetBios name service (137)
netbios-ss NetBios session service (139)
ntp Network Time Protocol (123)
pim-auto-rp PIM Auto-RP (496)
rip Routing Information Protocol (router, in.routed, 520)
snmp Simple Network Management Protocol (161)
snmptrap SNMP Traps (162)
sunrpc Sun Remote Procedure Call (111)
syslog System Logger (514)
tacacs TAC Access Control System (49)
talk Talk (517)
tftp Trivial File Transfer Protocol (69)
time Time (37)
who Who service (rwho, 513)
xdmcp X Display Manager Control Protocol (177)
Router1#
For example, you could block all Sun RPC traffic, which includes important but chatty applications such as Network File System (NFS):
Router1(config)#access-list 151 deny udp any eq sunrpc any
Router1(config)#access-list 151 deny udp any any eq sunrpc
This will block RPC traffic going in either direction because we applied the UDP port filter separately to the source port and to the destination port.
Like TCP, UDP port number values from 1024 through 65,535 are often used for temporary purposes such as source port numbers. You can control the use of these port numbers with a similar rule:
Router1(config)#access-list 151 deny udp any any gt 1023
You can also create an access list to look for specific types of ICMP messages in exactly the same way that we matched on TCP and UDP port numbers. The difference for ICMP message types is that each ICMP packet has only a single type field, rather than a source and destination port. You specify the type after the addresses on an Extended ACL, as follows:
Router1(config)#access-list 190 permit icmp any any echo
This ACL looks for ICMP echo request packets, such as those sent by the ping utility. This feature allows you to treat these ping packets differently than, for example, an ICMP unreachable message. In fact, this command allows you to look for any ICMP message type number between 0 and 255 either by the decimal number, or by mnemonic:
Router1(config)#access-list 190 permit icmp any any ?
<0-255> ICMP message type
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
dod-net-prohibited Net prohibited
dscp Match packets with given dscp value
echo Echo (ping)
echo-reply Echo reply
fragments Check non-initial fragments
general-parameter-problem Parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-redirect Host redirect for TOS
host-tos-unreachable Host unreachable for TOS
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
log Log matches against this entry
log-input Log matches against this entry, including input interface
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirect
net-redirect Network redirect
net-tos-redirect Net redirect for TOS
net-tos-unreachable Network unreachable for TOS
net-unreachable Net unreachable
network-unknown Network unknown
no-room-for-option Parameter required but no room
option-missing Parameter required but not present
packet-too-big Fragmentation needed and DF set
parameter-problem All parameter problems
port-unreachable Port unreachable
precedence Match packets with given precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol unreachable
reassembly-timeout Reassembly timeout
redirect All redirects
router-advertisement Router discovery advertisements
router-solicitation Router discovery solicitations
source-quench Source quenches
source-route-failed Source route failed
time-exceeded All time exceededs
time-range Specify a time-range
timestamp-reply Timestamp replies
timestamp-request Timestamp requests
tos Match packets with given TOS value
traceroute Traceroute
ttl-exceeded TTL exceeded
unreachable All unreachables
<cr>
Note that not all of the range of possible ICMP message types have been officially allocated. Please refer to the Internet Assigned Numbers Authority (IANA) web site for a complete listing of standard ICMP message types: http://www.iana.org/assignments/icmp-parameters.
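The two points above that most often surprise people are the traffic-direction effect of the deny tcp any any gt 1023 entry and the fact that an ICMP entry matches on a single type field rather than a port pair. The following Python script is an added example, not code from the book or from Cisco: it parses a subset of extended ACL syntax (the any, host and address/wildcard forms, the eq/gt/lt/neq port operators, and a handful of the port and ICMP-type mnemonics from the listings above) and evaluates access lists 151 and 190 first-match, with the implicit deny at the end. The sample packets and their addresses are constructed for the demonstration; the keyword tables are deliberately partial and would need the full listings for production use.

```python
"""First-match evaluator for a subset of Cisco-style extended IP ACL entries.

Added example: not the book's or Cisco's code. Keyword tables are a partial
subset of the help listings; addresses and packets below are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

IP_PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}          # None = any protocol
TCP_PORTS = {"www": 80, "telnet": 23, "smtp": 25, "ftp": 21, "domain": 53}
UDP_PORTS = {"ntp": 123, "sunrpc": 111, "domain": 53, "snmp": 161}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

Addr = Tuple[str, str]              # (address, wildcard mask)
PortRule = Optional[Tuple[str, int]]  # (operator, port) or None = any port


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0


@dataclass
class Entry:
    action: str
    proto: Optional[int]
    src: Addr
    sport: PortRule
    dst: Addr
    dport: PortRule
    icmp_type: Optional[int]


def _take_addr(tok):
    t = tok.pop(0)
    if t == "any":                       # any == 0.0.0.0 255.255.255.255
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":                      # host A.B.C.D == A.B.C.D 0.0.0.0
        return (tok.pop(0), "0.0.0.0")
    return (t, tok.pop(0))               # explicit address and wildcard


def _take_port(tok, table):
    if tok and tok[0] in ("eq", "gt", "lt", "neq"):
        op, v = tok.pop(0), tok.pop(0)
        return (op, table[v] if v in table else int(v))  # mnemonic or decimal
    return None


def parse_ace(line: str) -> Entry:
    """Parse 'access-list N <action> <proto> <src> [op port] <dst> [op port] [icmp-type]'."""
    tok = line.split()
    if tok[:1] == ["access-list"]:
        tok = tok[2:]
    action, proto = tok.pop(0), IP_PROTO[tok.pop(0)]
    table = {6: TCP_PORTS, 17: UDP_PORTS}.get(proto, {})
    src = _take_addr(tok)
    sport = _take_port(tok, table) if proto in (6, 17) else None
    dst = _take_addr(tok)
    dport = _take_port(tok, table) if proto in (6, 17) else None
    icmp_type = None
    if proto == 1 and tok:
        t = tok.pop(0)
        icmp_type = ICMP_TYPES[t] if t in ICMP_TYPES else int(t)
    return Entry(action, proto, src, sport, dst, dport, icmp_type)


def _ip2int(s: str) -> int:
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _addr_match(rule: Addr, ip: str) -> bool:
    a, w, i = _ip2int(rule[0]), _ip2int(rule[1]), _ip2int(ip)
    return (a | w) == (i | w)            # 1-bits in the wildcard are "don't care"


def _port_match(rule: PortRule, value: int) -> bool:
    if rule is None:
        return True
    op, port = rule
    return {"eq": value == port, "gt": value > port,
            "lt": value < port, "neq": value != port}[op]


def evaluate(acl, pkt: Packet) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for e in acl:
        if e.proto is not None and e.proto != pkt.proto:
            continue
        if not (_addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)):
            continue
        if pkt.proto in (6, 17) and not (_port_match(e.sport, pkt.sport)
                                         and _port_match(e.dport, pkt.dport)):
            continue
        if pkt.proto == 1 and e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        return e.action
    return "deny"                        # implicit deny ip any any


ACL_151 = [parse_ace(l) for l in """
access-list 151 permit tcp any any eq www
access-list 151 deny tcp any any gt 1023
access-list 151 permit icmp any any
access-list 151 permit udp any any eq ntp
access-list 151 deny ip any any
""".splitlines() if l.strip()]

ACL_190 = [parse_ace("access-list 190 permit icmp any any echo")]


def inbound_decisions():
    """Constructed packets arriving inbound on Serial0/1, checked against ACL 151."""
    samples = {
        "web_request": Packet(6, "203.0.113.5", "192.0.2.10", sport=40000, dport=80),
        "web_reply":   Packet(6, "198.51.100.7", "192.0.2.10", sport=80, dport=51234),
        "ntp":         Packet(17, "203.0.113.9", "192.0.2.10", sport=123, dport=123),
        "dns_reply":   Packet(17, "203.0.113.53", "192.0.2.10", sport=53, dport=33000),
        "ping":        Packet(1, "203.0.113.5", "192.0.2.10", icmp_type=8),
    }
    return {name: evaluate(ACL_151, p) for name, p in samples.items()}


def icmp_decisions():
    """ACL 190 matches on the ICMP type field alone: echo (8) passes, echo-reply (0) does not."""
    return {"echo_request": evaluate(ACL_190, Packet(1, "203.0.113.5", "192.0.2.10", icmp_type=8)),
            "echo_reply":   evaluate(ACL_190, Packet(1, "192.0.2.10", "203.0.113.5", icmp_type=0))}


if __name__ == "__main__":
    for name, verdict in {**inbound_decisions(), **icmp_decisions()}.items():
        print(f"{name:13s} -> {verdict}")
```

Running it shows the direction problem directly: the inside client's request to port 80 is permitted by the first entry, but the server's reply (source port 80, destination port in the ephemeral range) fails the eq www test and is then caught by deny tcp any any gt 1023, so the session never completes with this ACL applied inbound. The UDP DNS reply hits the explicit deny ip any any for the same reason, while NTP and ICMP pass as intended.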