Overview
In the previous chapter, I talked about some of the security appliance commands to perform address translation, like global, nat, and static. This chapter will expand on the topic of controlling traffic through the appliance, discussing these topics:
-
Using access control lists (ACLs) to filter traffic through the appliance
-
Using object groups to simplify the management of ACLs
-
Filtering ICMP packets destined to an appliance
-
Troubleshooting connections using the packet tracer and packet capture features
Access Control Lists (ACLs)
Beginning with version 5.3, Cisco introduced ACLs to standardize the implementation of filters on the appliances. The term “ACLs,” even though it is an acronym, is sometimes pronounced as a word: “ackles.” Before ACLs, Cisco PIXs used conduits and outbound filters. Conduits were used to allow inbound connections, and outbound filters were used to restrict outbound connections. Conduits and filters had some major limitations in their filtering abilities. Therefore, Cisco ported their ACL technology from the IOS-based routers to the PIX platform. All three filtering features—ACLs, conduits, and outbound filters—were supported through version 6. Starting in version 7, conduits and outbound filters are no longer supported: you must use ACLs to filter traffic through your appliances.
As you will see throughout this section of the book, ACLs have many components in common with the implementation of ACLs on Cisco IOS routers. For example, you’ll have to go through two steps to set up and activate your ACLs—create the ACL and apply it to an interface. However, differences exist in the configuration and operation of ACLs on the appliances when compared with IOS routers.
Introduction to ACLs
ACLs on Cisco IOS-based routers and on the appliances are very similar in their function, processing, and configuration. Since conduits and outbound filters are no longer supported on the appliances, you must use ACLs to exempt inbound connections and to control outbound connections.
Appliance and IOS Router ACL Comparison
Cisco is attempting to move to a more uniform command-line interface across its networking products, which you can see with the ACL commands on the appliances. This section will cover both the many similarities and a few differences between ACLs on the appliances and ACLs on IOS routers.
If you’ve configured ACLs on IOS routers in the past, learning to use ACLs on the appliances will be easy. Here are some of the ACL features the two products have in common:
- A grouping of ACLs is labeled with a group identifier.
- Both standard and extended ACLs are supported (standard ACLs are new in version 7.0).
- ACLs are activated on an interface in either an inbound or outbound direction.
- The general syntax of the statements is the same.
- Each statement has a counter that keeps track of the number of matches on the statement.
- Each statement can have logging enabled, displaying a summary of the packet that matched on the statement.
- Statements are processed in a top-down order, starting with the first statement, until a match is found.
- An invisible statement, called the implicit deny statement, is at the end of the list and will drop traffic if it doesn’t match any other statement in the list.
- When adding statements to a list, statements are added at the end of the list by default.
- When editing ACLs, you can delete specific statements and insert statements into the list.
- You can have multiple remarks in your ACLs.
- ACL statements can be enabled or disabled based on the current date and time (referred to as a timed ACL entry).
- ACLs can be used for functions other than filtering, such as classifying traffic for other features like address translation, VPNs, and so on.
Table 6-1 covers some of the differences between ACLs on appliances and IOS routers.
| | | |
|---|---|---|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| Security Alert! | |
Processing of ACLs
In Chapter 5, I went through a simple example of TCP traffic flowing through the appliance in the “TCP Connection Example” section. I’ll build on this topic to give you a better understanding of what the appliance is doing to packets as they enter and leave its interfaces. Here are the steps that a packet will go through upon entering an interface:
- The appliance compares the packet information to the existing connections to the state table to determine if the packet is a new, or is part of an existing, connection. If it’s an existing connection, the packet is allowed through, and the remainder of the ACL checks listed here are bypassed.
- Assuming address translation is enabled, this step is performed. For inbound connections, the destination address is compared with the translation policies to make sure that it can be translated. For outbound connections, the destination address is compared with the translation policies to make sure that it can be translated. If there is no matching translation policy, the packet is dropped. Note that translation doesn’t actually occur at this step.
- If this is an inbound packet, the packet must match a permit ACL statement applied inbound on the incoming interface; otherwise the packet is dropped. If this is an outbound packet and no ACL exists, traffic is allowed to go from a higher to a lower security level by default; otherwise, if an ACL exists inbound on the interface, the packet must match a permit ACL statement or it is dropped.
- The appliance then does a route lookup to determine the exit interface the appliance should use. This is necessary to determine the ACLs to process and to perform address translation, if enabled.
- Assuming that address translation has been configured, the destination addressing information is untranslated with a static command or translated with the nat and global commands.
- If an ACL exists outbound on the exit interface, then this is processed.
- At this point the connection is added to the conn table and is tracked.
The appliance might perform additional steps on the packet, but I’ll discuss these in Part III of the book concerning the implementation of policies.
Creating and Activating ACLs
The configuration of ACLs on your appliance is very similar to configuring ACLs on an IOS-based router. The configuration process involves two steps: create your filtering rules with the access-list commands, and activate your filtering rules on an interface with the access-group command. The following sections cover the configuration of standard and extended ACLs, as well as some ACL features like timed ACL entries, logging matches on ACLs, and updating ACLs.
Standard ACLs
Like IOS routers, appliances support standard ACLs, which filter packets based on only an address or addresses. However, standard ACLs on appliances cannot be used to filter traffic entering or leaving an interface; instead, standard ACLs are used with other features, like split tunneling with remote access VPNs, or filtering routes when performing redistribution, and many others. Only extended and EtherType ACLs can be used on the appliances to filter traffic through the appliance interfaces.
Here is the syntax for creating a standard ACL:
{deny | permit} {any | host IP_addr |
IP_addr subnet_mask}
On the appliance, each ACL is differentiated from other ACLs by a unique identifier (ACL_ID): this can be a name, number, or mixture of characters and numbers. You must use the standard parameter; otherwise the ACL type defaults to an extended ACL. If you don’t tell the appliance what line number to use for the statement, the statement is added at the end of the existing ACL statements. Next you need to specify what should happen when there is a match on the condition: allow (permit) or drop (deny) the packet. Last, you specify the address you want to match on:
- any Any packet matches.
- host IP_addr Only that particular IP address matches.
- IP_addr subnet_mask Only the specified range of addresses matches.
Remember that you need to configure a subnet mask, not a wildcard mask, when matching on a range of addresses.
Extended ACLs
The primary use of extended ACLs is to filter traffic, but they can be used for other features on the appliances. Here is the syntax for configuring an extended ACL:
IP_protocol
{src_addr subnet_mask | host src_addr | any}
[protocol_info]
{dst_addr subnet_mask | host dst_addr | any}
[protocol_info]
[disable | default]
The first part of the ACL syntax is similar to a standard ACL. If you omit the extended parameter, the ACL defaults to an extended ACL. Unlike with a standard ACL, you must specify either the name or number of the TCP/IP protocol you want to filter, like tcp, udp, icmp, and others. If Cisco doesn’t have a name for a particular protocol, you can enter a number instead. To match on any TCP/IP packet, use a protocol name of ip. For a complete listing of IP protocol numbers, visit http://www.iana.org/assignments/protocol-numbers.
Following the IP protocol designation, you need to specify the source IP addressing information that you want to match on. The syntax for this was discussed previously in the “Standard ACLs” section. If you are filtering on TCP or UDP traffic, you can also specify the source port or ports you are interested in matching on. Following this is the destination address and, optionally, destination protocol information.
If you are filtering TCP or UDP traffic, you can specify an operator and a port number or name to be specific about the traffic that is to be filtered. You can specify an operator and the port name or number, or a range of numbers. Operators include eq (equal to), neq (not equal to), lt (less than), gt (greater than), and range. To specify a range of port numbers or names, enter the beginning and ending port numbers or names, and separate them with a hyphen with no spaces between the hyphens and the ports. If you omit the port information, the appliance assumes that you are talking about all ports for the specified protocol and address. For information about valid port numbers, visit http://www.iana.org/assignments/port-numbers.
| Tip | |
For ICMP traffic, you can specify an ICMP message type (either by name or number) following the destination address. If you omit the message information, the appliance assumes that you are talking about all ICMP messages. Remember that for ICMP traffic, the appliance is not stateful by default; in version 6 and earlier, the PIXs were never stateful for ICMP. Therefore, if you want ICMP replies to your users’ traffic and tests, and stateful processing of ICMP is disabled or unavailable, then you need to explicitly permit ICMP traffic with an ACL applied on the interface where the returning replies are received. Typically you’ll want to allow echo reply, unreachable, time exceeded, and TTL exceeded messages. For information about ICMP message types, visit http://www.iana.org/assignments/icmp-parameters.
The disable parameter allows you to disable the specified ACL statement while still keeping it in the ACL—this is handy if you want to temporarily disable a statement to allow (or deny) certain connections, but then want to re-enable the statement once the connection(s) complete. The default parameter sets the ACL statement back to its default configuration.
ACL Activation
Once you have created your ACL, you need to activate it on an interface. The following is the syntax of the access-group command that you need to use to activate your ACL:
interface logical_if_name
[per-user-override | control-plane]
The ACL_ID specifies which ACL you are activating. Before version 7.0, you could only activate an ACL inbound on an interface (in parameter). Starting in version 7.0, you can activate an ACL inbound (in— as traffic enters the interface) and/or outbound (out—before traffic leaves the interface). After the interface parameter, you need to specify the logical name of the interface where this ACL is to be activated. To remove an ACL applied to an interface, precede the access-group command with the no parameter.
The per-user-override parameter is used with downloadable ACLs (discussed in Chapter 8). The control-plane parameter is used to restrict traffic to the appliance itself: the latter is new in version 8.0.
